copyright IOActive, Inc. 2006, all rights reserved.
h0h0h0h0
Dan Kaminsky
Director of Penetration Testing
IOActive, Inc.
H0h0h0h0?
• Well, y’all wanted me to stop titling things Black Ops 
– Hikari, you got any idea what I’m here talking about?
• What are we not here to talk about
– DNS Rebinding
• Can rebind to home router
• Have video
• Go change passwords.
• Got questions? Find me later.
• So what are we here to talk about?
– What happens when Jason Larsen and I finally get some
time to break some stuff together ;)
Typos.
• Typos?
– Typos in DNS.
• Relax. It’s worth it.
– Basic profit model
• Humans don’t type so good
– Fcebook.com
– Microsoft.co
– Torcon.org
• Sometimes miss keys
• When they miss keys, they tell their browser to go
somewhere that doesn’t exist
– Could just get a “No Such Server Error”, or…
– Could get ads!
Typosquatting
• Static Registration
– Guess what might get clicked, buy that name
– Must pay per guess, might be wrong
• Dynamic Registration
– Sitefinder by Verisign
• Unveiled in 2003
• Unregistered names suddenly start returning
an ad server, instead of NXDOMAIN
• Reveiled in 2003, never to return
The New Era Of Typosquatting
• Son Of Sitefinder: ISP Injection
– DNS is hierarchical
• Client asks the local name server.
• Local name server asks the root, is sent to .com
• Local name server asks .com, is given NXDOMAIN
– Sitefinder used to inject here…
• Normal: Local name server returns NXDOMAIN to client
  $ nslookup nxdomain--.com 4.2.2.1
  *** vnsc-pri.sys.gtei.net can't find nxdomain--.com: Non-existent domain
• Son Of Sitefinder: Local name server returns NOERROR to client, with ads attached
  $ nslookup nxdomain--.com 207.217.126.81
  …
  Name: nxdomain--.com
  Addresses: 209.86.66.92, 209.86.66.93, 209.86.66.94, 209.86.66.95, 209.86.66.90, 209.86.66.91
The Problem: They’re Spoofing Subdomains Too.
• DNS is hierarchical
– Client asks the local name server.
– Local name server asks the root, is sent to .com
– Local name server asks .com, is sent to foo.com
– Local name server asks foo.com, is given NXDOMAIN
– Normal: Local name server returns NXDOMAIN to client
  $ nslookup nonexistent.www.bar.com 4.2.2.1
  *** vnsc-pri.sys.gtei.net can't find nonexistent.www.bar.com: Non-existent domain
– Son Of Sitefinder: Local name server returns NOERROR to client, with ads attached
  $ nslookup nonexistent.www.bar.com 207.217.126.81
  Name: nonexistent.www.bar.com
  Addresses: 209.86.66.94, 209.86.66.95, 209.86.66.90, 209.86.66.91, 209.86.66.92, 209.86.66.93
• NXDOMAIN was supposed to mean “No Such Domain”
– There is such a domain. There’s just not this subdomain in it.
Intent
• We don’t think this behavior is intentional
– Just so happens that subdomain NXDOMAINs look exactly like domain NXDOMAINs
• Only difference is the source
• Identical effects in the browser
• Well, it’s not unintentional for everyone…
This Should Seem Familiar
Parent Of Son Of Sitefinder Returns!
• April 8th, it becomes clear that Network Solutions injects subdomains into their customers’ domains
– Small print in a 53 page contract
– Stay classy, NetSol
• But heh, at least there’s a contract
Times Square Effect: Told Ya
• Times Square Effect
– When you see Times Square in a movie,
that’s not Times Square. All ads have
been replaced, because there’s no
contractual obligation not to replace
them
– No contractual obligation between ISP
and Web Sites not to replace traffic
But What About Trademark Law?
• # dig in.ur.www.facebook.com
  ;; QUESTION SECTION:
  ;in.ur.www.facebook.com. IN A
  ;; ANSWER SECTION:
  in.ur.www.facebook.com™. 300 IN A 209.86.66.90 [adserver]
  in.ur.www.facebook.com™. 300 IN A 209.86.66.91 [adserver]
  in.ur.www.facebook.com™. 300 IN A 209.86.66.92 [adserver]
  in.ur.www.facebook.com™. 300 IN A 209.86.66.93 [adserver]
  in.ur.www.facebook.com™. 300 IN A 209.86.66.94 [adserver]
  in.ur.www.facebook.com™. 300 IN A 209.86.66.95 [adserver]
• Doesn’t that qualify as Trademark Violation, with Use In Commerce?
– I don’t know. I’m not a lawyer. The hordes seem to think so, however.
– I am, however, a hacker…
Beautiful Synchrony
• Trademark Policy: Trust the good, as it possesses the
protected mark.
• Same Origin Policy: Trust the subdomain, as it possesses
the protected domain
– Local Name Server asks bar.com, is sent to
www.bar.com.
– Local Name Server asks www.bar.com, is told
foo.www.bar.com is at 1.2.3.4
– Foo.www.bar.com was thus “vouched for” by
www.bar.com
• Trademark controls human trust, Same Origin controls
browser trust. The two policies are actually synchronized.
– Both are under attack.
Injection
• Anything goes wrong on a subdomain, it is an
element of the parent
– Can access cookies
– Can do…other things
• Normally, a subdomain is trusted by its parent…
– But in this case, the subdomain is some
random server run by a bunch of advertisers
– …and if this random server, happened to
possess a cross site scripting vulnerability…
If?
• # curl http://in.ur.www.facebook.com/foo<script>alert('x
  DNS Error: http://in.ur.www.facebook.com/foo<script>alert('x
  >
– YES IT ACTUALLY PREFACES THE
XSS WITH DNS ERROR I AM NOT
JOKING
Welcome to Barefruit.
• Popular DNS Ad Injection Company
• Notable customers
– Earthlink/Mindspring -- everywhere
– Comcast
• Outsourced to Earthlink, probably didn’t even know
• No idea how outsourced
– Others
• Cox
– At least partial deployment, probably small. Finder.cox.com
resolves to their servers.
• Qwest
– Trial deployment only
• Verizon
– Has multiple ad networks.
– Barefruit appears to be used in ~20 regions
• Time Warner also does DNS injection, but not through Barefruit
They’re Not Alone
• For each name server, ask for a nonexistent
domain.
– For each nameserver that provides an answer,
ask for an existing domain.
– If the answer is correct, it’s an NXDOMAIN
injector
• Appears to be ~72 ISPs doing some sort of
injection. Lots of big names. This is spreading.
Now, this is only a subdomain…what
can you really do with a subdomain?
• Obligatory attack: Grab Cookies
– Credentials to many sites
– PII for some
– Can also get any “supercookies”
• Flash Storage
• DOM Storage
• etc
Cookie Grab (Pre)
Cookie Grab (Post)
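The cookie grab shown in the screenshots above turns on cookie scoping rules, so here is an added example that is not from the talk: a small Node.js model of RFC 6265's domain-matching and request-attachment rules, applied to a constructed jar for www.bar.com (the slides' placeholder site). It reports which cookies a plain-http page at in.ur.www.bar.com receives on the wire and which of those its script can read through document.cookie. Cookie names and values are made up; the public-suffix check browsers also apply is left out.

```javascript
'use strict';
// Added example, not code from the slides: which of a site's cookies reach a
// subdomain the ISP has conjured up. Scoping follows RFC 6265 §5.1.3 (domain
// matching) and §5.4 (which cookies a request carries). The jar is constructed.

// §5.1.3: a request host domain-matches a cookie domain if it is that domain
// or ends in "." + domain, and is a hostname rather than an IP address.
function domainMatches(host, domain) {
  host = host.toLowerCase(); domain = domain.toLowerCase();
  if (host === domain) return true;
  if (!host.endsWith('.' + domain)) return false;
  return !/^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// Store a Set-Cookie header the way a browser receiving it from `settingHost` would.
// (The public-suffix check is omitted here; a real browser also refuses Domain=com.)
function storeCookie(setCookie, settingHost) {
  const [pair, ...attrs] = setCookie.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
              domain: settingHost.toLowerCase(), hostOnly: true, secure: false, httpOnly: false };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'domain': {
        const d = v.toLowerCase().replace(/^\./, '');
        // §5.3 step 6: a host may only widen scope to a domain it is itself inside of.
        if (!domainMatches(settingHost, d)) return null;
        c.domain = d; c.hostOnly = false; break;
      }
      case 'secure': c.secure = true; break;
      case 'httponly': c.httpOnly = true; break;
    }
  }
  return c;
}

// §5.4: the cookies attached to a request for `url` (Path attributes ignored here).
function cookiesSentTo(jar, url) {
  const u = new URL(url);
  return jar.filter(c =>
    (c.hostOnly ? u.hostname === c.domain : domainMatches(u.hostname, c.domain)) &&
    (!c.secure || u.protocol === 'https:'));
}

// What document.cookie shows to script on a page at `url`: HttpOnly cookies still
// travel on the wire (the ad server's access logs get them) but are hidden from script.
function cookiesVisibleToScript(jar, url) {
  return cookiesSentTo(jar, url).filter(c => !c.httpOnly);
}

// Constructed jar: what www.bar.com might plausibly have set in a browser.
function demoJar() {
  return [
    'session=abc123; Domain=bar.com',          // shared across subdomains: reaches the ad server
    'auth=def456; Domain=bar.com; HttpOnly',   // reaches the ad server, invisible to its XSS payload
    'tls=ghi789; Domain=bar.com; Secure',      // never sent to the plain-http ad server
    'pref=dark',                               // host-only: www.bar.com alone
    'evil=1; Domain=attacker.example',         // rejected: www.bar.com is not inside attacker.example
  ].map(h => storeCookie(h, 'www.bar.com')).filter(Boolean);
}

function names(cookies) { return cookies.map(c => c.name); }
```

cookiesSentTo() is the wire view, what the ad server's logs capture whether or not a cookie is HttpOnly; cookiesVisibleToScript() is what an XSS payload on the injected page gets from document.cookie. A Secure cookie stays out of both as long as the rogue subdomain is served over plain http, which is the kind of objection the "Cookie Excuses" slide lists.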
Can Also Fake Subdomains
• There is no legitimate subdomain
– But a page comes back with arbitrary script…
– So you can populate anything, on any domain,
anywhere.
• Perfect for phishing
• You get a link to your bank, you see in the address
bar, server2.www.yourbank.com, you type credentials
• You see a banner ad to join a beta program at
Microsoft, you click through, download what you think
is the latest build…
– Actually malware 
Fake Site (pre)
Fake Site (Post)
Fake Site (Post2)
But That’s Just Not Enough
• Cookie Excuses
– But cookies are often tied to Source IP!
– But cookies can use HttpOnly so they aren’t readable from script!
– But cookies might be just secure cookies!
• Fake Site Excuses
– But you’re not actually logged in
– You don’t know the content of the site to spoof
• Can we do anything better?
– We’re a malicious subdomain
– Can’t we just script into our parent?
• Pop-under windows: They’re not just for annoying ads anymore
• document.domain is our friend…
• DOM element that specifically allows children to inject into parent
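The document.domain route these bullets point at, as an added example that is not from the talk: a Node.js model of the browser rule that document.domain relaxes (the HTML specification's "same origin-domain" check). It shows why a page served from in.ur.www.bar.com may set document.domain to bar.com but not to com, and makes explicit the condition the slide leaves implicit: the window the pop-under opens must itself have set document.domain to the same value, under the same scheme, which sites that share script across their subdomains commonly do. The hostnames and the five-entry public-suffix stand-in are constructed for illustration.

```javascript
'use strict';
// Added example, not code from the slides: a model of the legacy document.domain
// relaxation (HTML spec "same origin-domain"), which is how a page on a rogue
// subdomain gets a scripting handle on a window of the parent site. The hosts and
// the tiny public-suffix stand-in below are constructed for illustration.

const PUBLIC_SUFFIXES = new Set(['com', 'net', 'org', 'co.uk', 'example']);

// Tuple origin of a URL; `domain` is the value document.domain was set to, if any.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || { 'http:': '80', 'https:': '443' }[u.protocol] || '';
  return { scheme: u.protocol.slice(0, -1), host: u.hostname.toLowerCase(), port, domain: null };
}

// The document.domain setter. A browser throws SecurityError unless the value is
// the current host or a parent of it and is not a public suffix; here that is `false`.
function setDocumentDomain(origin, value) {
  const v = value.toLowerCase().replace(/^\./, '');
  const isSelfOrParent = origin.host === v || origin.host.endsWith('.' + v);
  if (!isSelfOrParent || PUBLIC_SUFFIXES.has(v)) return false;
  origin.domain = v;
  return true;
}

// "Same origin-domain": plain same-origin when neither side touched document.domain,
// otherwise both must have set it to the same value under the same scheme.
function sameOriginDomain(a, b) {
  if (a.domain === null && b.domain === null)
    return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
  return a.domain !== null && a.domain === b.domain && a.scheme === b.scheme;
}

// The pop-under: the rogue page calls window.open on the parent site and then tries
// to read the returned window's document. Whether that read succeeds is this check.
function canScriptInto(attacker, victim) { return sameOriginDomain(attacker, victim); }

// Walk through the slides' scenario on constructed origins.
function demo() {
  const out = {};
  const rogue = originOf('http://in.ur.www.bar.com/');      // ISP-injected ad server
  const victim = originOf('http://www.bar.com/');            // the real site, plain http
  out.beforeRelax = canScriptInto(rogue, victim);            // false: different hosts
  out.tldRefused = setDocumentDomain(rogue, 'com');          // false: public suffix
  out.parentAllowed = setDocumentDomain(rogue, 'bar.com');   // true: rogue host sits inside bar.com
  out.victimSilent = canScriptInto(rogue, victim);           // false: the victim has not opted in
  setDocumentDomain(victim, 'bar.com');                      // what a site sharing script across subdomains does
  out.afterRelax = canScriptInto(rogue, victim);             // true: rogue page scripts into www.bar.com
  const tlsVictim = originOf('https://www.bar.com/');
  setDocumentDomain(tlsVictim, 'bar.com');
  out.httpsVictim = canScriptInto(rogue, tlsVictim);         // false: the scheme must match as well
  return out;
}
```

The model deliberately stops at the origin check; the full attack also needs the pop-under to stay open long enough for the parent page to load and run its own document.domain assignment. Note the last line of demo(): the relaxation never crosses schemes, so a target page served only over https is out of reach of an http ad server by this route, which is separate from the "ISP puts code on the box" concern in the conclusions.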
Choosing The Demo
• Needed to be generic to all sites
• Needed to express the distance between
what you expected to happen, and what
actually did
• Needed to be…recognizable…without
being terrifying.
H0h0h0h0…and it ain’t just Facebook
MySpace
.Mac
Apple
Microsoft
Ebay
ToorCon
FOX NEWS
The Associated Press
In Case You’re Curious
• THE LAWYERS ARE NOT AMUSED
Coming Clean
• This was only a simulation.
– BFF_DNS.PL
• BAREFRUIT FOREVA!
• We got through to Barefruit before this talk
– Crystal Williams got me through to Earthlink
– Earthlink got me through to Barefruit
– Barefruit fixed the bug in ~27 minutes once they
understood the bug
– All were awesome, thanks!
• All ISPs were redirecting to Barefruit’s servers, so we’re
OK…or are we?
So Now What
• Barefruit is still injecting into trademarked subdomains.
• The immediate crisis is over, but the security of the web (at these
ISPs) is basically limited by the security of these ad servers
– Don’t attack Facebook, attack the ad server
– Don’t attack MySpace, attack the ad server
– Don’t attack PayPal, attack the ad server
• I am not a lawyer, I am a security engineer
– I cannot secure the web if ISPs will change the bytes I send
– Need legal and PR support to stop PITMAs
• Provider In The Middle Attacks
– Brad Hill pointed out that MITM isn’t exactly theoretical
anymore… 
– Neither is Ad Injection
– Luckily, the counsel I’ve spoken to does not appear to be
amused.
Conclusions
• Even small amounts of failed net neutrality can lead to
catastrophic side effects on Internet security
– Intent is not required to really break everything
• Security needs the lawyers
– Even if everything was 100% SSL, if the ISP could
require code on the box, they could still bypass the
crypto, and alter the content
– We need the precedent: You can host nothing. You
can host something. But you can’t host something
else.
