• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
 

Thotcon 0x5 - Retroactive Wiretapping VPN over DNS

on

  • 598 views

These are the slides of a talk by John Bambenek at THOTCON 0x5 in Chicago. ...

These are the slides of a talk by John Bambenek at THOTCON 0x5 in Chicago.

Imagine your first day at a client site and you spend your time figuring out what’s going on with the network. You query passive DNS to find tons of apparently VPN over DNS endpoints on your network. What starts as a simple incident investigation process sees the tables turned on those who used the protocol to hide their tracks. This talk will discuss reverse engineering VPN over DNS (vpnoverdns.com) and how weaknesses in using DNS tunneling makes it trivial to retroactively wiretap all communications over the protocol long after the fact.

Statistics

Views

Total Views
598
Views on SlideShare
597
Embed Views
1

Actions

Likes
0
Downloads
0
Comments
0

1 Embed 1

http://www.slideee.com 1

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Thotcon 0x5 - Retroactive Wiretapping VPN over DNS Thotcon 0x5 - Retroactive Wiretapping VPN over DNS Presentation Transcript

    • How I Turned VPNoverDNS into a Retroactive Wiretapping Tool THOTCON 0x5 John Bambenek / Bambenek Consulting jcb@bambenekconsulting.com
    • The Setup... ●Hired by a mid-sized business to increase the security posture ○Yes, it was just that open-ended… ●They had a fairly large web presence and maintain dozens of sites ○But had no authoritative list of them… ●Commence policy review and massive paper dump. ●Has some PCI, HIPAA, other private (and valuable) information...
    • The Setup Continued... ●As a way to verify the correctness of information, do various threat intel queries on a netblock… ●Has there been any breaches? Listing in blacklists? Known contact with C&Cs? ●Passive DNS will log all queries and responses a sensor sees so they can be used for later searches. ○For instance, will show all FQDNs resolved for a given IP address seen by a sensor. ●Scanning the clients /24 yields all the likely used websites (and unused IPs)
    • pDNS Example ●A historical search on thotcon.org yields: ;; first seen: 2012-09-06 22:17:09 -0000 ;; last seen: 2013-11-05 20:41:26 -0000 thotcon.org. IN A 67.195.61.65 -- ;; first seen: 2011-06-02 10:57:38 -0000 ;; last seen: 2012-09-02 02:05:33 -0000 thotcon.org. IN A 98.136.92.206 -- ;; first seen: 2013-10-30 07:04:27 -0000 ;; last seen: 2014-04-24 23:15:54 -0000 thotcon.org. IN A 98.136.187.13 -- ;; first seen: 2010-07-29 16:00:22 -0000 ;; last seen: 2010-09-20 16:58:07 -0000 thotcon.org. IN A 216.39.57.104 -- ;; first seen: 2010-08-13 02:05:21 -0000 ;; last seen: 2011-06-02 06:20:26 -0000 thotcon.org. IN A 216.39.62.189 ……
    • pDNS example... ●A historical search on 98.136.187.13 yields: ut.ae. IN A 98.136.187.13 oec.ae. IN A 98.136.187.13 meatco.ae. IN A 98.136.187.13 cpssa.com.ar. IN A 98.136.187.13 facimex.com.ar. IN A 98.136.187.13 iltinello.com.ar. IN A 98.136.187.13 tunga-tunga.com.ar. IN A 98.136.187.13 ceramicas-lourdes.com.ar. IN A 98.136.187.13 ictys.org.ar. IN A 98.136.187.13 y-yo.com.au. IN A 98.136.187.13 ……
    • A Wild Passive DNS Scan Appears Rdata results for ANY/197.1.246.0/24 Returned 280 RRs in 0.05 seconds. tunisia-sat1.no-ip.info. A 197.1.246.1 samibazoug.dyndns.ws. A 197.1.246.3 koooooko.no-ip.biz. A 197.1.246.3 only-security.no-ip.biz. A 197.1.246.3 no-hack.zapto.org. A 197.1.246.3 camfrog-ir.zapto.org. A 197.1.246.3 camfrog-2r9.zapto.org. A 197.1.246.3 gboxbest.dyndns.org. A 197.1.246.3
    • A Wild Passive DNS Scan Appears mrigel.zapto.org. A 197.1.246.4 hacked007.no-ip.org. A 197.1.246.5 tarajist1919.no-ip.biz. A 197.1.246.8 reflex.sytes.net. A 197.1.246.10 1month-5euro.sytes.net. A 197.1.246.10 gaagle.no-ip.org. A 197.1.246.10 djamelgbox.no-ip.org. A 197.1.246.12 bibitahackertn.no-ip.biz. A 197.1.246.14 kalboussa.no-ip.biz. A 197.1.246.16 njratxmoro.zapto.org. A 197.1.246.16 migalou2012.no-ip.biz. A 197.1.246.18 papu81.no-ip.biz. A 197.1.246.19
    • A Wild Passive DNS Scan Appears manortn.dyndns.biz. A 197.1.246.19 papu81.no-ip.biz. A 197.1.246.20 ln-048.rd-00000240.id-14932049.v0.tun. vpnoverdns.com. A 197.1.246.20 revenger.zapto.org. A 197.1.246.21 oscamserver.dyndns.org. A 197.1.246.24 cinefoot.selfip.com. A 197.1.246.28 proxysat.selfip.com. A 197.1.246.28 …… tun.vpnoverdns.com????
    • What is this VPNoverDNS you speak of? ●From vpnoverdns.com: ○ “In a few words, it lets you tunnel data through a DNS server. Data exfiltration, for those times when everything else is blocked.” ●At the point I first started seeing this, no one seemed to know anything about it aside of the obvious… “it looks like a tunnel endpoint” ●One oddity: to install it on a PC you FIRST have to install the Android app to create a login… ○As an unapologetic iPhone user, this displeases me.
    • Data Exfiltration You Say? ZOMG!! IT’S AN APT! MOMMY HELP! MUCH SCARED!
    • So how prevalent is VPNoverDNS? ●pDNS dump of *.tun.vpnverdns.com yields almost 6 million entries. ●“Endpoints” seen on educational, government, business and military ASNs. ○And some unassigned IP addresses… ●Looks prevalent but… ○No one knows about it… ○Would it so obviously be sitting on NATO IP addresses? ○Why would a data exfiltration tool require an Android device?
    • Seriously, who uses Adobe AIR for this? ●After finding an Android device, downloaded to that device and then created a VM to install PC version which uses Adobe AIR. ●Provides a web browser and an email client to send/receive e-mail. ○This is not looking like data exfiltration… ○Much disappoint… :( ●Time to fire up Wireshark and see what the traffic looks like...
    • Got Packets?
    • A Closer Look...
    • Got Packets? ●Query a specific FQDN and it returns multiple A records. ●rd- Byte Offset ●id- Session ID ●A records start at 192. and sequentially get higher. ●This explains why pDNS shows what it does, in effect, it poisons the data. The only REAL traffic is DNS to the network resolver (and the resolver to vpnoverdns.com’s DNS servers).
    • Can we parse this response? Looking at the hex of the packet... The last three octets of the A record DNS responses are the HTTP response… in the clear.
    • Did you know gzip is 1337 crypto? ●So now to rebuild an entire session across all the queries for a given session ID… xœ õï 0§OK HTTP/1.1 200 OK Date: Sat, 05 Jan 2013 18:08:05 GMT Content-Type: text/html;c:Accept-Encoding Content-Encoding: gzip ---- gzip’d content ----
    • What about HTML requests? ●HTML requests are made by querying FQDN’s starting with bf-: ●Example: bf-1b3132313330363734c2a7536f636b657444617461c2a734303436304745.wr- 00000000.id-00912196.v0.tun.vpnoverdns.com. IN A 128.69.0.255 bf-5420687474703a2f2f616e64726f69642e636c69656e74732e676f6f676c.wr- 00000030.id-00912196.v0.tun.vpnoverdns.com. IN A 128.69.0.255 bf-652e636f6d2f70726f78792f677361737567676573742f7365617263683f.wr- 00000060.id-00912196.v0.tun.vpnoverdns.com. IN A 128.69.0.255 ●Syntax: wr- byte offset, id- session ID ●Is the bf- content just ASCII text in hex form? ● 12130674§SocketData§40460GET http://android.clients.google. com/proxy/gsasuggest/search?client=qsb-android&hl=en&gl=us
    • The Incident that Never was... ●Nothing is quite as depressing as finding a cool incident that really wasn’t. ●Takeaway: Passive DNS operators probably should ignore this domain as the data isn’t real DNS, it’s actually HTTP/Mail traffic.
    • The Truth About VPN over DNS ●This is not data exfiltration, it’s a way to surf the web behind WiFi hotspot paywalls (because DNS isn’t blocked even if you haven’t authenticated). ○Take that Marriott and your $10/day Internet fee. ●This will also bypass any web proxies you have. ●In theory you COULD use if for data exfiltration, but it’s pretty easy to spot ○Any DNS queries for *.tun.vpnoverdns.com? You are bad and you should feel bad.
    • Then Evil Genius Struck ●I was able to rebuild traffic in Wireshark… what if I dumped the entire pDNS database for tun. vpnoverdns.com? ○Remember, pDNS is just a big log of all DNS queries and responses it sees. $ python dnsdb_query.py *.tun.vpnoverdns.com | wc -l 5799244
    • Look Mom, I Built PRISM for Script Kiddies ●Looking at just the timestamps I have data from, there are records back from May 2013. ●Since the sensor is in between the VPNoverDNS user and their DNS server, if it captures any traffic it likely has the ENTIRE session in its logs. ●So what websites do you think VPN over DNS users like to view? ○Let’s check those bf- records
    • Wait for it... ●Some are not surprising: Host: m.facebook.com:443 Host: profile.ak.fbcdn.net Host: i2.cdn.turner.com Host: googleads.g.doubleclick.net ● This had to be a fun listening experience: Host: stats.pandora.com
    • And what is the Internet for? ●And of course, there was this... Host: metaltoys.co.za Host: www.youngleafs.com Host: myshortskirt.com Host: www.bravotube.net Host: promo.badoink.com Host: www.coedcherry.com Host: cdn-z3.perfectgirls.net Host: cdn-z4.perfectgirls.net
    • Y U NO ENCRYPT?
    • But it gets worse... Referer: http://127.0.0.1:8888/mail4hotspot/app/navigation?url=https://accounts.google. com/ServiceLoginAuth^M User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.5; en-us; N860 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1^M Origin: http://127.0.0.1:8888^M Accept: application/xml,application/vnd.wap.xhtml+xml,application/xhtml+xml;profile='http://www.wapforum. org/xhtml',text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5^M Content-Type: application/x-www-form-urlencoded^M x-wap-proxy-cookie: none^M Cache-Control: no-transform^M Content-Length: 197^M ^M url=https%3A%2F%2Faccounts.google.com%2FServiceLoginAuth&GALX=bAmxoTJR_XY&_utf8=%26% 239731%3B&bgresponse=&Email=XXXXXXXXX%40gmail.com&Passwd=XXXXXXX ……. Yes, kids, this sends HTTPS requests over DNS **IN THE CLEAR** (Oh, and this guys username was the same as his password)
    • The Fail is Strong With This One...
    • DISCLAIMERS I’ve asked pDNS operators to purge this data. There should also be a rule to detect clients using this on your networks in the Emerging Threats open snort rules soon.
    • No Applause please. Throw money. jcb@bambenekconsulting.com Questions?