Leonardo Nve Egea, profile picture
Uploaded byLeonardo Nve Egea
PPTX, PDF22,881 views

OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014

This document discusses exploiting changes to DNS server configurations to intercept network traffic. It begins by introducing the speaker and their background in security research. Then it outlines normal exploitation procedures like CSRF, default passwords, and rogue DSLAMs. The document explores using tools like Metasploit, Dnsmasq and Bind to hijack DNS servers and redirect traffic. It discusses obstacles like SSL certificates and ways to improve attacks using features like DNS load balancing. The document demonstrates a proof of concept tool called dns2proxy that can spoof and redirect DNS responses. It also discusses defeating protections like HSTS and exploring attacks using protocols like UDP. In conclusion, the document advocates that improved DNS hijacking using multiple tools can capture more information than

Embed presentation

Downloaded 469 times
OFFENSIVE: Exploiting changes on DNS server configuration Leonardo Nve Egea lnve@s21sec.com @leonardonve
• Security researcher since… (a lot of time) in SPAIN. • Pentester, Incident investigator & security researcher. • At the Offensive side (more funny). • I love protocol level. About me
INTRODUCTION
What.
Why.
EXPLOITATION (I) NORMAL PROCEDURE
• CSRF/XSS. • Insufficient authorization. • SNMP/TFTP. • Default password + external administration. • Cracking wifi passwords + default password. • Command line DNS change. • Rogue DSLAM. • Malware. How.
What.
• Metasploit. • Dnsmasq. • Bind server. Tools.
• Invisible proxy. – Burp suite, mitmproxy • SSLstrip. • HTML injection. – BeEF – Exploit kits • Bouncing to known servers. – SSLsplit • Fake web servers. – defacing. – Phishing • Sniffing data. Then.
OBSTACLES OF NORMAL EXPLOITATION
• SSL certificates (Critical). Obstacles.
• SSL certificate pinning / EMET (Critical). Obstacles.
• HSTS + Preloaded HSTS sites (Non critical). Obstacles.
• SSH signatures failure (Critical). Obstacles.
• POP3/SMTP Banner (Non critical problem). • FTP Banner (This can be critical). • Limited host interception. • Limited protocol interception. Obstacles.
• Limited of hosts interception. • Time to study IP communication manners. • Limited cleartext protocols interception. • HTTPS. • Accept the loose a lot of information. Limitations.
EXPLOITATION (II) IMPROVE THE ATTACK PROCEDURE
• Discretion. • Improve data acquisitions from time 0. Objectives.
• A DNS feature for high availability and Load Balancing: Improve the attack.
Improve the attack. DHCP REQ DHCP RESP with Fake DNS Server DNS A Request DNS A Request DNS Response DNS Response = IP attacker server1 + IP attacker server2 + DNS Resp Short TTL SYN port=xxx RST ACK port =xxx SYN port=xxx SYN port=xxx SYN ACK port=xxx SYN ACK port=xxx DATA DATA
• On port 80 the attacker can put a invisible proxy. • The attacker can reject SSL ports always because the client will later connect to the real server. • Other connections data will be forward through the evil server since the first moment. • And there is a tool. Improve the attack.
• dns2proxy (still in beta). • Full in python (PyDNS). • Permit spoof, direct forwarding and add IPs to the response. • Interact directly with iptables to forward connections. https://github.com/LeonardoNve/dns2proxy Tool.
Improve the attack.
DEMO (or video if demo effect ;)
• Limited of hosts interception. • Time to study IP communication manners. • Limited cleartext protocol interception. • HTTPS. • Accept the loose a lot of information. Previous limitations.
SSLStrip vs HSTS.
Common SSLStrip usage
• HSTS + Preloaded HSTS sites (Non critical). Obstacles.
• Strict Transport Security based in domain names predefined or not. • Change HTTPS to HTTP. • Also change domain names to connect based on predefined rules. • DNS Server can resolve based on these predefined rules. • HSTS. https://github.com/LeonardoNve/sslstrip2.git SSLStrip+ to defeat HSTS.
DEMO (or video if demo effect…)
SSL in general • You must take advantage with other factors/vulnerabilities
• Downgrade attacks. • JavaScript infections. http://media.blackhat.com/bh-us- 12/Briefings/Alonso/BH_US_12_Alonso_Owning_Bad_Guys_Slides.pdf • For decoding ciphered protocols, go there: More posibilities.
• With UDP the application have the control over the communication not the OS. • If this application resend a lost UDP packet, we have it! If not…  • Dns2proxy is a PoC and only control TCP but it is really easy extend it too UDP. UDP?
Other scenario.
• Improve DNS server configurations hijacks with two tools. • Much information capture than typical attacks. • Old protocols – Old security. • New protocols + Old protocols – Old security+ • Solutions… DNSSEC. Conclusions.
THANKs. Miguel Hernandez The man who first thought `Let’s put a default password. Then they can change it `

More Related Content

PDF
Hunting for Privilege Escalation in Windows Environment
byTeymur Kheirkhabarov
 
PPTX
SSRF For Bug Bounties
byOWASP Nagpur
 
PDF
Windows Threat Hunting
byGIBIN JOHN
 
PDF
Super Easy Memory Forensics
byIIJ
 
PPTX
Catch Me If You Can: PowerShell Red vs Blue
byWill Schroeder
 
PDF
A Threat Hunter Himself
bySergey Soldatov
 
PDF
Fantastic Red Team Attacks and How to Find Them
byRoss Wolf
 
PDF
A Threat Hunter Himself
byTeymur Kheirkhabarov
 
Hunting for Privilege Escalation in Windows Environment
byTeymur Kheirkhabarov
 
SSRF For Bug Bounties
byOWASP Nagpur
 
Windows Threat Hunting
byGIBIN JOHN
 
Super Easy Memory Forensics
byIIJ
 
Catch Me If You Can: PowerShell Red vs Blue
byWill Schroeder
 
A Threat Hunter Himself
bySergey Soldatov
 
Fantastic Red Team Attacks and How to Find Them
byRoss Wolf
 
A Threat Hunter Himself
byTeymur Kheirkhabarov
 

What's hot

PDF
How MITRE ATT&CK helps security operations
bySergey Soldatov
 
PDF
HTTP Request Smuggling via higher HTTP versions
byneexemil
 
PPTX
SSRF exploit the trust relationship
byn|u - The Open Security Community
 
PPTX
Kheirkhabarov24052017_phdays7
byTeymur Kheirkhabarov
 
PPTX
Waf bypassing Techniques
byAvinash Thapa
 
PPTX
(Ab)Using GPOs for Active Directory Pwnage
byPetros Koutroumpis
 
PDF
Hunting for Credentials Dumping in Windows Environment
byTeymur Kheirkhabarov
 
PPTX
Abusing Microsoft Kerberos - Sorry you guys don't get it
byBenjamin Delpy
 
PDF
Windows attacks - AT is the new black
byChris Gates
 
PDF
HDC2022:Track A - 脅威ハンティング
byTomohisa Ishikawa, CISSP, CSSLP, CISA, CISM, CFE
 
PDF
How fun of privilege escalation Red Pill2017
byAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
PDF
No Easy Breach DerbyCon 2016
byMatthew Dunwoody
 
PDF
How to Hunt for Lateral Movement on Your Network
bySqrrl
 
PDF
Ekoparty 2017 - The Bug Hunter's Methodology
bybugcrowd
 
PDF
PHDays 2018 Threat Hunting Hands-On Lab
byTeymur Kheirkhabarov
 
PPTX
Thick client pentesting_the-hackers_meetup_version1.0pptx
byAnurag Srivastava
 
PDF
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
byMITRE - ATT&CKcon
 
PPTX
A Forgotten HTTP Invisibility Cloak
bySoroush Dalili
 
PPTX
PowerShell for Penetration Testers
byNikhil Mittal
 
PPTX
Hacking_SharePoint_FINAL
byIan Naumenko, CISSP, CRISC
 
How MITRE ATT&CK helps security operations
bySergey Soldatov
 
HTTP Request Smuggling via higher HTTP versions
byneexemil
 
SSRF exploit the trust relationship
byn|u - The Open Security Community
 
Kheirkhabarov24052017_phdays7
byTeymur Kheirkhabarov
 
Waf bypassing Techniques
byAvinash Thapa
 
(Ab)Using GPOs for Active Directory Pwnage
byPetros Koutroumpis
 
Hunting for Credentials Dumping in Windows Environment
byTeymur Kheirkhabarov
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
byBenjamin Delpy
 
Windows attacks - AT is the new black
byChris Gates
 
HDC2022:Track A - 脅威ハンティング
byTomohisa Ishikawa, CISSP, CSSLP, CISA, CISM, CFE
 
How fun of privilege escalation Red Pill2017
byAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
No Easy Breach DerbyCon 2016
byMatthew Dunwoody
 
How to Hunt for Lateral Movement on Your Network
bySqrrl
 
Ekoparty 2017 - The Bug Hunter's Methodology
bybugcrowd
 
PHDays 2018 Threat Hunting Hands-On Lab
byTeymur Kheirkhabarov
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
byAnurag Srivastava
 
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
byMITRE - ATT&CKcon
 
A Forgotten HTTP Invisibility Cloak
bySoroush Dalili
 
PowerShell for Penetration Testers
byNikhil Mittal
 
Hacking_SharePoint_FINAL
byIan Naumenko, CISSP, CRISC
 

Viewers also liked

KEY
Netscreen Policy Based Routing
byBart Jansens
 
PDF
IP Routing Tutorial
byShortestPathFirst
 
PPT
Linux Based Advanced Routing with Firewall and Traffic Control
bysandy_vasan
 
PPT
Tunnel & vpn1
byariesubagyo
 
PDF
Mikrotik load balansing
byКирилл Кекер
 
PDF
DNS rehabilitation Concept
byAlenamudr
 
PDF
Presentation on Domain Name System
byChinmay Joshi
 
Netscreen Policy Based Routing
byBart Jansens
 
IP Routing Tutorial
byShortestPathFirst
 
Linux Based Advanced Routing with Firewall and Traffic Control
bysandy_vasan
 
Tunnel & vpn1
byariesubagyo
 
Mikrotik load balansing
byКирилл Кекер
 
DNS rehabilitation Concept
byAlenamudr
 
Presentation on Domain Name System
byChinmay Joshi
 

Similar to OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014

PDF
NotaCon 2011 - Networking for Pentesters
byRob Fuller
 
PPT
Dmk bo2 k7_web
byDan Kaminsky
 
PDF
Minieri CS6262 Project Poster
byJoe Minieri
 
PDF
Black hat usa_2015-bypass_surgery-6_aug2015
bya4202655
 
PDF
Comprehensive Overview of Network Security Threats, Protocols, and Recovery M...
bysu92bssemf220701
 
PPTX
Network tunneling techniques
byinbroker
 
PDF
08 tcp-dns
bypantu_1961
 
PDF
Information System Security
byElijah Konzo
 
PPT
Design Reviewing The Web
byamiable_indian
 
PPT
Dmk Bo2 K7 Web
byroyans
 
PPTX
External service interaction
byPawan Phogat
 
PDF
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
byLeszek Mi?
 
PPT
gofortution
bygofortution
 
PDF
Computer network (2)
byNYversity
 
PPTX
lecture5.pptx
byLlobarro2
 
PPTX
lecture5Ch03-bufferOverFlow-attack.ppt.pptx
byDavid Vera Olivera, PMP®, ITIL, SCM®
 
PPTX
lecture5.pptxJHKGJFHDGTFGYIUOIUIPIOIPUOHIYGUYFGIH
byAbodahab
 
PPT
Introduction to Web Server Security
byJITENDRA KUMAR PATEL
 
PPT
Inside Out Hacking - Bypassing Firewall
byamiable_indian
 
PPTX
Network And Application Layer Attacks
byArun Modi
 
NotaCon 2011 - Networking for Pentesters
byRob Fuller
 
Dmk bo2 k7_web
byDan Kaminsky
 
Minieri CS6262 Project Poster
byJoe Minieri
 
Black hat usa_2015-bypass_surgery-6_aug2015
bya4202655
 
Comprehensive Overview of Network Security Threats, Protocols, and Recovery M...
bysu92bssemf220701
 
Network tunneling techniques
byinbroker
 
08 tcp-dns
bypantu_1961
 
Information System Security
byElijah Konzo
 
Design Reviewing The Web
byamiable_indian
 
Dmk Bo2 K7 Web
byroyans
 
External service interaction
byPawan Phogat
 
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
byLeszek Mi?
 
gofortution
bygofortution
 
Computer network (2)
byNYversity
 
lecture5.pptx
byLlobarro2
 
lecture5Ch03-bufferOverFlow-attack.ppt.pptx
byDavid Vera Olivera, PMP®, ITIL, SCM®
 
lecture5.pptxJHKGJFHDGTFGYIUOIUIPIOIPUOHIYGUYFGIH
byAbodahab
 
Introduction to Web Server Security
byJITENDRA KUMAR PATEL
 
Inside Out Hacking - Bypassing Firewall
byamiable_indian
 
Network And Application Layer Attacks
byArun Modi
 

Recently uploaded

PDF
automobili.pdf panini album slicice ......
byStefanFilipovic9
 
PPTX
Creating content that converts into leads.
bySEONutri
 
PPTX
Social_Media_Good_or_Bad_B2Plus_Lesson.pptx
byJuliaRutkowska4
 
PDF
alfred jonatan kvak panini album.pdf slicice
byStefanFilipovic9
 
PDF
Batman Forever album sličice.pdf panini album
byStefanFilipovic9
 
PDF
anastasia panini album.pdf album sa slicicama
byStefanFilipovic9
 
PDF
Angry Birds film (2016).pdf panini album
byStefanFilipovic9
 
PDF
Tour & Travel App Development Explained- Features, Costs, and Technologies Us...
byMike Brown
 
PDF
album panini Evoksi.pdf panini album slicice
byStefanFilipovic9
 
PDF
investor pitch - iapploud | independent music platform
byVenkat Subramanian
 
PDF
action man.pdf album sa slicicama panini...
byStefanFilipovic9
 
automobili.pdf panini album slicice ......
byStefanFilipovic9
 
Creating content that converts into leads.
bySEONutri
 
Social_Media_Good_or_Bad_B2Plus_Lesson.pptx
byJuliaRutkowska4
 
alfred jonatan kvak panini album.pdf slicice
byStefanFilipovic9
 
Batman Forever album sličice.pdf panini album
byStefanFilipovic9
 
anastasia panini album.pdf album sa slicicama
byStefanFilipovic9
 
Angry Birds film (2016).pdf panini album
byStefanFilipovic9
 
Tour & Travel App Development Explained- Features, Costs, and Technologies Us...
byMike Brown
 
album panini Evoksi.pdf panini album slicice
byStefanFilipovic9
 
investor pitch - iapploud | independent music platform
byVenkat Subramanian
 
action man.pdf album sa slicicama panini...
byStefanFilipovic9
 

OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014

  • 1.
    OFFENSIVE: Exploiting changes onDNS server configuration Leonardo Nve Egea lnve@s21sec.com @leonardonve
  • 2.
    • Security researchersince… (a lot of time) in SPAIN. • Pentester, Incident investigator & security researcher. • At the Offensive side (more funny). • I love protocol level. About me
  • 3.
  • 4.
  • 5.
  • 6.
  • 7.
    • CSRF/XSS. • Insufficientauthorization. • SNMP/TFTP. • Default password + external administration. • Cracking wifi passwords + default password. • Command line DNS change. • Rogue DSLAM. • Malware. How.
  • 8.
  • 9.
  • 10.
    • Invisible proxy. –Burp suite, mitmproxy • SSLstrip. • HTML injection. – BeEF – Exploit kits • Bouncing to known servers. – SSLsplit • Fake web servers. – defacing. – Phishing • Sniffing data. Then.
  • 11.
  • 12.
    • SSL certificates(Critical). Obstacles.
  • 13.
    • SSL certificatepinning / EMET (Critical). Obstacles.
  • 14.
    • HSTS +Preloaded HSTS sites (Non critical). Obstacles.
  • 15.
    • SSH signaturesfailure (Critical). Obstacles.
  • 16.
    • POP3/SMTP Banner(Non critical problem). • FTP Banner (This can be critical). • Limited host interception. • Limited protocol interception. Obstacles.
  • 17.
    • Limited ofhosts interception. • Time to study IP communication manners. • Limited cleartext protocols interception. • HTTPS. • Accept the loose a lot of information. Limitations.
  • 18.
  • 19.
    • Discretion. • Improvedata acquisitions from time 0. Objectives.
  • 20.
    • A DNSfeature for high availability and Load Balancing: Improve the attack.
  • 21.
    Improve the attack. DHCPREQ DHCP RESP with Fake DNS Server DNS A Request DNS A Request DNS Response DNS Response = IP attacker server1 + IP attacker server2 + DNS Resp Short TTL SYN port=xxx RST ACK port =xxx SYN port=xxx SYN port=xxx SYN ACK port=xxx SYN ACK port=xxx DATA DATA
  • 22.
    • On port80 the attacker can put a invisible proxy. • The attacker can reject SSL ports always because the client will later connect to the real server. • Other connections data will be forward through the evil server since the first moment. • And there is a tool. Improve the attack.
  • 23.
    • dns2proxy (stillin beta). • Full in python (PyDNS). • Permit spoof, direct forwarding and add IPs to the response. • Interact directly with iptables to forward connections. https://github.com/LeonardoNve/dns2proxy Tool.
  • 24.
  • 25.
    DEMO (or video ifdemo effect ;)
  • 26.
    • Limited ofhosts interception. • Time to study IP communication manners. • Limited cleartext protocol interception. • HTTPS. • Accept the loose a lot of information. Previous limitations.
  • 27.
  • 28.
  • 29.
    • HSTS +Preloaded HSTS sites (Non critical). Obstacles.
  • 30.
    • Strict TransportSecurity based in domain names predefined or not. • Change HTTPS to HTTP. • Also change domain names to connect based on predefined rules. • DNS Server can resolve based on these predefined rules. • HSTS. https://github.com/LeonardoNve/sslstrip2.git SSLStrip+ to defeat HSTS.
  • 31.
    DEMO (or video ifdemo effect…)
  • 32.
    SSL in general •You must take advantage with other factors/vulnerabilities
  • 33.
    • Downgrade attacks. •JavaScript infections. http://media.blackhat.com/bh-us- 12/Briefings/Alonso/BH_US_12_Alonso_Owning_Bad_Guys_Slides.pdf • For decoding ciphered protocols, go there: More posibilities.
  • 34.
    • With UDPthe application have the control over the communication not the OS. • If this application resend a lost UDP packet, we have it! If not…  • Dns2proxy is a PoC and only control TCP but it is really easy extend it too UDP. UDP?
  • 35.
  • 36.
    • Improve DNSserver configurations hijacks with two tools. • Much information capture than typical attacks. • Old protocols – Old security. • New protocols + Old protocols – Old security+ • Solutions… DNSSEC. Conclusions.
  • 37.
    THANKs. Miguel Hernandez The manwho first thought `Let’s put a default password. Then they can change it `