Thotcon 0x5 - Retroactive Wiretapping VPN over DNS


Published on

These are the slides of a talk by John Bambenek at THOTCON 0x5 in Chicago.

Imagine your first day at a client site and you spend your time figuring out what’s going on with the network. You query passive DNS to find tons of apparently VPN over DNS endpoints on your network. What starts as a simple incident investigation process sees the tables turned on those who used the protocol to hide their tracks. This talk will discuss reverse engineering VPN over DNS ( and how weaknesses in using DNS tunneling makes it trivial to retroactively wiretap all communications over the protocol long after the fact.

Published in: Technology
  • Be the first to comment

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Thotcon 0x5 - Retroactive Wiretapping VPN over DNS

  1. 1. How I Turned VPNoverDNS into a Retroactive Wiretapping Tool THOTCON 0x5 John Bambenek / Bambenek Consulting
  2. 2. The Setup... ●Hired by a mid-sized business to increase the security posture ○Yes, it was just that open-ended… ●They had a fairly large web presence and maintain dozens of sites ○But had no authoritative list of them… ●Commence policy review and massive paper dump. ●Has some PCI, HIPAA, other private (and valuable) information...
  3. 3. The Setup Continued... ●As a way to verify the correctness of information, do various threat intel queries on a netblock… ●Has there been any breaches? Listing in blacklists? Known contact with C&Cs? ●Passive DNS will log all queries and responses a sensor sees so they can be used for later searches. ○For instance, will show all FQDNs resolved for a given IP address seen by a sensor. ●Scanning the clients /24 yields all the likely used websites (and unused IPs)
  4. 4. pDNS Example ●A historical search on yields: ;; first seen: 2012-09-06 22:17:09 -0000 ;; last seen: 2013-11-05 20:41:26 -0000 IN A -- ;; first seen: 2011-06-02 10:57:38 -0000 ;; last seen: 2012-09-02 02:05:33 -0000 IN A -- ;; first seen: 2013-10-30 07:04:27 -0000 ;; last seen: 2014-04-24 23:15:54 -0000 IN A -- ;; first seen: 2010-07-29 16:00:22 -0000 ;; last seen: 2010-09-20 16:58:07 -0000 IN A -- ;; first seen: 2010-08-13 02:05:21 -0000 ;; last seen: 2011-06-02 06:20:26 -0000 IN A ……
  5. 5. pDNS example... ●A historical search on yields: IN A IN A IN A IN A IN A IN A IN A IN A IN A IN A ……
  6. 6. A Wild Passive DNS Scan Appears Rdata results for ANY/ Returned 280 RRs in 0.05 seconds. A A A A A A A A
  7. 7. A Wild Passive DNS Scan Appears A A A A A A A A A A A A
  8. 8. A Wild Passive DNS Scan Appears A A A A A A A ……
  9. 9. What is this VPNoverDNS you speak of? ●From ○ “In a few words, it lets you tunnel data through a DNS server. Data exfiltration, for those times when everything else is blocked.” ●At the point I first started seeing this, no one seemed to know anything about it aside of the obvious… “it looks like a tunnel endpoint” ●One oddity: to install it on a PC you FIRST have to install the Android app to create a login… ○As an unapologetic iPhone user, this displeases me.
  10. 10. Data Exfiltration You Say? ZOMG!! IT’S AN APT! MOMMY HELP! MUCH SCARED!
  11. 11. So how prevalent is VPNoverDNS? ●pDNS dump of * yields almost 6 million entries. ●“Endpoints” seen on educational, government, business and military ASNs. ○And some unassigned IP addresses… ●Looks prevalent but… ○No one knows about it… ○Would it so obviously be sitting on NATO IP addresses? ○Why would a data exfiltration tool require an Android device?
  12. 12. Seriously, who uses Adobe AIR for this? ●After finding an Android device, downloaded to that device and then created a VM to install PC version which uses Adobe AIR. ●Provides a web browser and an email client to send/receive e-mail. ○This is not looking like data exfiltration… ○Much disappoint… :( ●Time to fire up Wireshark and see what the traffic looks like...
  13. 13. Got Packets?
  14. 14. A Closer Look...
  15. 15. Got Packets? ●Query a specific FQDN and it returns multiple A records. ●rd- Byte Offset ●id- Session ID ●A records start at 192. and sequentially get higher. ●This explains why pDNS shows what it does, in effect, it poisons the data. The only REAL traffic is DNS to the network resolver (and the resolver to’s DNS servers).
  16. 16. Can we parse this response? Looking at the hex of the packet... The last three octets of the A record DNS responses are the HTTP response… in the clear.
  17. 17. Did you know gzip is 1337 crypto? ●So now to rebuild an entire session across all the queries for a given session ID… xœ õï 0§OK HTTP/1.1 200 OK Date: Sat, 05 Jan 2013 18:08:05 GMT Content-Type: text/html;c:Accept-Encoding Content-Encoding: gzip ---- gzip’d content ----
  18. 18. What about HTML requests? ●HTML requests are made by querying FQDN’s starting with bf-: ●Example: bf-1b3132313330363734c2a7536f636b657444617461c2a734303436304745.wr- IN A bf-5420687474703a2f2f616e64726f69642e636c69656e74732e676f6f676c.wr- IN A bf-652e636f6d2f70726f78792f677361737567676573742f7365617263683f.wr- IN A ●Syntax: wr- byte offset, id- session ID ●Is the bf- content just ASCII text in hex form? ● 12130674§SocketData§40460GET com/proxy/gsasuggest/search?client=qsb-android&hl=en&gl=us
  19. 19. The Incident that Never was... ●Nothing is quite as depressing as finding a cool incident that really wasn’t. ●Takeaway: Passive DNS operators probably should ignore this domain as the data isn’t real DNS, it’s actually HTTP/Mail traffic.
  20. 20. The Truth About VPN over DNS ●This is not data exfiltration, it’s a way to surf the web behind WiFi hotspot paywalls (because DNS isn’t blocked even if you haven’t authenticated). ○Take that Marriott and your $10/day Internet fee. ●This will also bypass any web proxies you have. ●In theory you COULD use if for data exfiltration, but it’s pretty easy to spot ○Any DNS queries for * You are bad and you should feel bad.
  21. 21. Then Evil Genius Struck ●I was able to rebuild traffic in Wireshark… what if I dumped the entire pDNS database for tun. ○Remember, pDNS is just a big log of all DNS queries and responses it sees. $ python * | wc -l 5799244
  22. 22. Look Mom, I Built PRISM for Script Kiddies ●Looking at just the timestamps I have data from, there are records back from May 2013. ●Since the sensor is in between the VPNoverDNS user and their DNS server, if it captures any traffic it likely has the ENTIRE session in its logs. ●So what websites do you think VPN over DNS users like to view? ○Let’s check those bf- records
  23. 23. Wait for it... ●Some are not surprising: Host: Host: Host: Host: ● This had to be a fun listening experience: Host:
  24. 24. And what is the Internet for? ●And of course, there was this... Host: Host: Host: Host: Host: Host: Host: Host:
  25. 25. Y U NO ENCRYPT?
  26. 26. But it gets worse... Referer: com/ServiceLoginAuth^M User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.5; en-us; N860 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1^M Origin:^M Accept: application/xml,application/vnd.wap.xhtml+xml,application/xhtml+xml;profile='http://www.wapforum. org/xhtml',text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5^M Content-Type: application/x-www-form-urlencoded^M x-wap-proxy-cookie: none^M Cache-Control: no-transform^M Content-Length: 197^M ^M 239731%3B&bgresponse=& ……. Yes, kids, this sends HTTPS requests over DNS **IN THE CLEAR** (Oh, and this guys username was the same as his password)
  27. 27. The Fail is Strong With This One...
  28. 28. DISCLAIMERS I’ve asked pDNS operators to purge this data. There should also be a rule to detect clients using this on your networks in the Emerging Threats open snort rules soon.
  29. 29. No Applause please. Throw money. Questions?
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.