Grey H@t - DNS Cache Poisoning

1. DNS Cache Poisoning Christopher Grayson

2. What is DNS? • As per Wikipedia – ▫ “The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. Most prominently, it translates domain names meaningful for users to the numerical IP addresses needed for the purpose of locating computer services and devices worldwide. By providing a worldwide, distributed keyword-based redirection service, the Domain Name System is an essential component of the functionality of the Internet.”

3. What is DNS? • In layman’s terms, DNS is the glue that maps a domain name to an IP address. • When you open up a browser and type in “Google.com” and Google’s web page comes up, “Google.com” has successfully been mapped to 74.125.137.113 (or one of their other servers) through DNS. • DNS is very insecure.

4. What is DNS? Image courtesy of Wikipedia.org

5. What is the DNS cache? • In order to reduce the load on nameservers, DNS servers implement caching. • When a DNS response comes back to an intermediate DNS server, it is returned with a field labeled TTL (for Time to Live). This indicates how long the DNS server should cache this response. • So long as the response is cached, subsequent queries to that nameserver for the same domain will be returned with the values in the cache. The response will be purged once the TTL is met.

6. What is DNS cache poisoning? • It is the act of getting your own values into a DNS server’s cache for a domain that you do not own. • There are many points at which DNS can be exploited, but this one has one of the biggest pay offs. • If the IP address of your choosing is cached in a nameserver, all sequential queries for the poisoned domain will be given it.

7. Why poison a cache? • To continue entrenching yourself in a network, one of the things you will likely have to do is get computers you DON’T have access to to contact a machine that you DO have access to. • For instance – man-in-the-middle traffic and implant reverse shells in any requests for PDF files that come through. • Firewalls tend to be more prohibitive towards things originating from OUTSIDE a network than from INSIDE.

8. How is DNS attacked? • When attacking a local machine, the HOSTS file is edited to have the desired routing effects. • When attacking a remote machine, DNS responses are forged and (hopefully) accepted as true by the target machine.

9. How can a DNS response be poisoned? • Response arrives on same UDP port from which corresponding request was sent. • The question section of the response matches that of the corresponding request. • The query ID of the response matches that of the corresponding request. • The authority and additional sections represent names that are within the same domain as the question.

10. Where can DNS be attacked? • If you have access to the machine you’d like to poison, you can attack it locally.

11. Where can DNS be attacked?

12. Where can DNS be attacked? • Between an end-user and a nameserver. • This (typically) requires being able to inject traffic into a local area network, which requires access to that local area network.

14. Where can DNS be attacked? • Between two nameservers in the DNS hierarchy. • Until the Kaminsky attack, required being able to inject traffic into a network local to the target nameserver.

16. The Kaminsky Attack • Until the Kaminsky attack surfaced, the notion of poisoning a DNS cache was regarded as not that big of an issue, as an attacker would need to get lucky in terms of cache expiration. • The Kaminsky attack effectively rid us of the caching issue, thus making remote DNS cache poisoning much, much easier. • For a more detailed guide to the Kaminsky attack - http://unixwiz.net/techtips/iguide- kaminsky-dns-vuln.html

17. The Kaminsky Attack Image courtesy of Unixwiz.net

18. Defenses against DNS cache poisoning • Query ID randomization • Port randomization • 0x20 encoding – randomly capitalizing characters in the question fields gives added entropy to check against for throwing out invalid packets • All of these are hacks!

19. DNSSEC • DNSSEC is the official response to securing DNS. • It’s been around for a while but is not widely implemented. • Changes to the internet take a long time to be adopted! • Uses asymmetric cryptography for authentication between endpoints (signing). • What do we know about the overhead of asymmetric cryptography? • Wikipedia has a great article on DNSSEC

20. Try it yourself! • With virtual machines you can set up your own DNS server, a client machine, and an attacker machine and try poisoning the DNS server’s cache on your own! • http://www.cis.syr.edu/~wedu/seed/lab_env.ht ml • DO NOT DO THIS TO MACHINES YOU DO NOT OWN • DO NOT DO THIS TO MACHINES YOU DO NOT OWN