How I Turned VPNoverDNS into a
Retroactive Wiretapping Tool
THOTCON 0x5
John Bambenek / Bambenek Consulting
jcb@bambenekconsulting.com
The Setup...
●Hired by a mid-sized business to increase its security posture
○Yes, it was just that open-ended…
●They had a fairly large web presence and maintained dozens of sites
○But had no authoritative list of them…
●Commence policy review and massive paper dump.
●Holds some PCI, HIPAA and other private (and valuable) information...
The Setup Continued...
●As a way to verify the correctness of the information, run various threat intel queries on the netblock…
●Have there been any breaches? Listings in blacklists? Known contact with C&Cs?
●Passive DNS logs every query and response a sensor sees so they can be searched later.
○For instance, it will show all FQDNs that resolved to a given IP address as seen by a sensor.
●Scanning the client's /24 yields all the likely used websites (and unused IPs)
pDNS Example
●A historical search on thotcon.org yields:
;; first seen: 2012-09-06 22:17:09 -0000
;; last seen: 2013-11-05 20:41:26 -0000
thotcon.org. IN A 67.195.61.65
--
;; first seen: 2011-06-02 10:57:38 -0000
;; last seen: 2012-09-02 02:05:33 -0000
thotcon.org. IN A 98.136.92.206
--
;; first seen: 2013-10-30 07:04:27 -0000
;; last seen: 2014-04-24 23:15:54 -0000
thotcon.org. IN A 98.136.187.13
--
;; first seen: 2010-07-29 16:00:22 -0000
;; last seen: 2010-09-20 16:58:07 -0000
thotcon.org. IN A 216.39.57.104
--
;; first seen: 2010-08-13 02:05:21 -0000
;; last seen: 2011-06-02 06:20:26 -0000
thotcon.org. IN A 216.39.62.189
……
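As an added example (not the pDNS operator's tooling and not code from the talk), here is a small parser for the history format shown above. The thotcon.org records are copied from the slide as its sample input; it sorts the observation windows into a hosting timeline and answers which address the name resolved to on a given day, which surfaces both the overlap during a hosting move and the days on which the sensor saw nothing at all.

```python
# Added example: parser for the ';; first seen' / ';; last seen' block format
# quoted above. Not the pDNS operator's client code; sample copied from the slide.
from datetime import datetime, timezone

PDNS_HISTORY = """\
;; first seen: 2012-09-06 22:17:09 -0000
;; last seen: 2013-11-05 20:41:26 -0000
thotcon.org. IN A 67.195.61.65
--
;; first seen: 2011-06-02 10:57:38 -0000
;; last seen: 2012-09-02 02:05:33 -0000
thotcon.org. IN A 98.136.92.206
--
;; first seen: 2013-10-30 07:04:27 -0000
;; last seen: 2014-04-24 23:15:54 -0000
thotcon.org. IN A 98.136.187.13
--
;; first seen: 2010-07-29 16:00:22 -0000
;; last seen: 2010-09-20 16:58:07 -0000
thotcon.org. IN A 216.39.57.104
--
;; first seen: 2010-08-13 02:05:21 -0000
;; last seen: 2011-06-02 06:20:26 -0000
thotcon.org. IN A 216.39.62.189
"""


def _ts(text):
    """'2012-09-06 22:17:09 -0000' -> timezone-aware datetime."""
    return datetime.strptime(text.strip(), "%Y-%m-%d %H:%M:%S %z")


def parse_pdns_history(text):
    """One dict per RR {rrname, rrtype, rdata, first_seen, last_seen},
    ordered by first_seen so the list reads as a hosting timeline."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";; first seen:"):
            current["first_seen"] = _ts(line.split(":", 1)[1])
        elif line.startswith(";; last seen:"):
            current["last_seen"] = _ts(line.split(":", 1)[1])
        elif line and line != "--":
            # RR line: "<name> IN <type> <rdata>"
            name, _cls, rrtype, rdata = line.split(None, 3)
            current.update(rrname=name, rrtype=rrtype, rdata=rdata)
            records.append(current)
            current = {}
    return sorted(records, key=lambda r: r["first_seen"])


def rdata_at(records, day):
    """rdata values whose observation window covers 'YYYY-MM-DD' (UTC).
    Overlapping windows (a hosting move) return more than one value;
    a day with no window returns []."""
    when = datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return [r["rdata"] for r in records if r["first_seen"] <= when <= r["last_seen"]]


def timeline(records):
    """Compact one-line-per-window summary for an analyst's notes."""
    return [f"{r['first_seen']:%Y-%m-%d} .. {r['last_seen']:%Y-%m-%d}  "
            f"{r['rrname']} {r['rrtype']} {r['rdata']}" for r in records]


if __name__ == "__main__":
    recs = parse_pdns_history(PDNS_HISTORY)
    print("\n".join(timeline(recs)))
    print("on 2013-11-01:", rdata_at(recs, "2013-11-01"))
```

Note that a pDNS window only says when a sensor observed the pairing, not when the record was actually served; the empty result for a date between two windows means "not observed", not "did not resolve".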
pDNS example...
●A historical search on 98.136.187.13 yields:
ut.ae. IN A 98.136.187.13
oec.ae. IN A 98.136.187.13
meatco.ae. IN A 98.136.187.13
cpssa.com.ar. IN A 98.136.187.13
facimex.com.ar. IN A 98.136.187.13
iltinello.com.ar. IN A 98.136.187.13
tunga-tunga.com.ar. IN A 98.136.187.13
ceramicas-lourdes.com.ar. IN A 98.136.187.13
ictys.org.ar. IN A 98.136.187.13
y-yo.com.au. IN A 98.136.187.13
……
A Wild Passive DNS Scan Appears
Rdata results for ANY/197.1.246.0/24
Returned 280 RRs in 0.05 seconds.
tunisia-sat1.no-ip.info. A 197.1.246.1
samibazoug.dyndns.ws. A 197.1.246.3
koooooko.no-ip.biz. A 197.1.246.3
only-security.no-ip.biz. A 197.1.246.3
no-hack.zapto.org. A 197.1.246.3
camfrog-ir.zapto.org. A 197.1.246.3
camfrog-2r9.zapto.org. A 197.1.246.3
gboxbest.dyndns.org. A 197.1.246.3
A Wild Passive DNS Scan Appears
mrigel.zapto.org. A 197.1.246.4
hacked007.no-ip.org. A 197.1.246.5
tarajist1919.no-ip.biz. A 197.1.246.8
reflex.sytes.net. A 197.1.246.10
1month-5euro.sytes.net. A 197.1.246.10
gaagle.no-ip.org. A 197.1.246.10
djamelgbox.no-ip.org. A 197.1.246.12
bibitahackertn.no-ip.biz. A 197.1.246.14
kalboussa.no-ip.biz. A 197.1.246.16
njratxmoro.zapto.org. A 197.1.246.16
migalou2012.no-ip.biz. A 197.1.246.18
papu81.no-ip.biz. A 197.1.246.19
A Wild Passive DNS Scan Appears
manortn.dyndns.biz. A 197.1.246.19
papu81.no-ip.biz. A 197.1.246.20
ln-048.rd-00000240.id-14932049.v0.tun.vpnoverdns.com. A 197.1.246.20
revenger.zapto.org. A 197.1.246.21
oscamserver.dyndns.org. A 197.1.246.24
cinefoot.selfip.com. A 197.1.246.28
proxysat.selfip.com. A 197.1.246.28
……
tun.vpnoverdns.com????
What is this VPNoverDNS you speak of?
●From vpnoverdns.com:
○“In a few words, it lets you tunnel data through a DNS server. Data exfiltration, for those times when everything else is blocked.”
●At the point I first started seeing this, no one seemed to know anything about it aside from the obvious… “it looks like a tunnel endpoint”
●One oddity: to install it on a PC you FIRST have to install the Android app to create a login…
○As an unapologetic iPhone user, this displeases me.
Data Exfiltration You Say?
ZOMG!!
IT’S AN APT!
MOMMY HELP!
MUCH SCARED!
So how prevalent is VPNoverDNS?
●pDNS dump of *.tun.vpnoverdns.com yields almost 6 million entries.
●“Endpoints” seen on educational, government, business and military ASNs.
○And some unassigned IP addresses…
●Looks prevalent but…
○No one knows about it…
○Would it so obviously be sitting on NATO IP addresses?
○Why would a data exfiltration tool require an Android device?
Seriously, who uses Adobe AIR for this?
●After finding an Android device, downloaded the app to that device and then created a VM to install the PC version, which uses Adobe AIR.
●Provides a web browser and an email client to send/receive e-mail.
○This is not looking like data exfiltration…
○Much disappoint… :(
●Time to fire up Wireshark and see what the traffic looks like...
Got Packets?
A Closer Look...
Got Packets?
●Query a specific FQDN and it returns multiple A records.
●rd- = byte offset
●id- = session ID
●A records start at 192. and sequentially get higher.
●This explains why pDNS shows what it does: in effect, it poisons the data. The only REAL traffic is DNS to the network resolver (and from the resolver to vpnoverdns.com’s DNS servers).
Can we parse this response?
Looking at the hex of the packet...
The last three octets of the A record DNS responses are the HTTP response… in the clear.
Did you know gzip is 1337 crypto?
●So now to rebuild an entire session across all the queries for a given session ID…
xœ
õï 0§OK
HTTP/1.1 200 OK
Date: Sat, 05 Jan 2013 18:08:05 GMT
Content-Type: text/html;c:Accept-Encoding
Content-Encoding: gzip
---- gzip’d content ----
What about HTTP requests?
●HTTP requests are made by querying FQDNs starting with bf-:
●Example:
bf-1b3132313330363734c2a7536f636b657444617461c2a734303436304745.wr-00000000.id-00912196.v0.tun.vpnoverdns.com. IN A 128.69.0.255
bf-5420687474703a2f2f616e64726f69642e636c69656e74732e676f6f676c.wr-00000030.id-00912196.v0.tun.vpnoverdns.com. IN A 128.69.0.255
bf-652e636f6d2f70726f78792f677361737567676573742f7365617263683f.wr-00000060.id-00912196.v0.tun.vpnoverdns.com. IN A 128.69.0.255
●Syntax: wr- = byte offset, id- = session ID
●Is the bf- content just ASCII text in hex form?
●12130674§SocketData§40460GET http://android.clients.google.com/proxy/gsasuggest/search?client=qsb-android&hl=en&gl=us
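An added example, not code from the talk or from vpnoverdns.com, that turns the two name layouts described above (the ln-/rd- response records a few slides back and the bf-/wr- request records here) into one session decoder. The request side takes the three bf- records quoted on the slide as-is and decodes the hex label in wr- offset order; the response side collects the last three octets of each A record, ordered by the first octet (192, 193, ...), and lays the chunks out by rd- offset. The ln- field is assumed to be the chunk's payload length so trailing padding can be dropped; the slides do not define it. The response fixture is constructed with a made-up session id, and offsets the sensor never saw are reported as gaps rather than silently closed.

```python
# Added example (not code from the talk or from vpnoverdns.com): reassemble a
# tunnelled HTTP exchange from passive DNS records of both directions.
import gzip
import re
from collections import defaultdict

# Name layouts as shown on the slides. Assumption (marked again below): ln- is
# the chunk's payload length in bytes; the slides only explain rd-, wr- and id-.
_SUFFIX = r"\.id-(\d+)\.v0\.tun\.vpnoverdns\.com$"
RESP_RE = re.compile(r"^ln-(\d+)\.rd-(\d+)" + _SUFFIX)       # server->client, bytes in A records
REQ_RE = re.compile(r"^bf-([0-9a-f]+)\.wr-(\d+)" + _SUFFIX)  # client->server, hex in the bf- label

def parse_a_record(line):
    """'name. [IN] A 1.2.3.4' -> (name without trailing dot, address); None otherwise."""
    parts = line.split()
    if len(parts) < 3 or parts[-2] != "A":
        return None
    return parts[0].lower().rstrip("."), parts[-1]

def join_chunks(chunks):
    """Lay chunks out by byte offset; offsets the sensor never saw become '?' and are reported."""
    buf, gaps = bytearray(), []
    for offset in sorted(chunks):
        if offset > len(buf):
            gaps.append((len(buf), offset))
            buf += b"?" * (offset - len(buf))
        elif offset < len(buf):      # duplicate/overlapping chunk: keep the first copy
            continue
        buf += chunks[offset]
    return bytes(buf), gaps

def reassemble_requests(lines):
    """{session_id: request bytes} from bf-*.wr-* records."""
    chunks = defaultdict(dict)
    for line in lines:
        rec = parse_a_record(line)
        m = REQ_RE.match(rec[0]) if rec else None
        if m:
            hexdata, offset, session = m.groups()
            chunks[session][int(offset)] = bytes.fromhex(hexdata)
    return {s: join_chunks(c)[0] for s, c in chunks.items()}

def reassemble_responses(lines):
    """{session_id: response bytes}: each A record's last three octets are payload,
    ordered within one query by the first octet (192, 193, ...)."""
    per_query = defaultdict(lambda: defaultdict(list))   # session -> offset -> [(seq, 3 bytes)]
    declared_len = {}
    for line in lines:
        rec = parse_a_record(line)
        m = RESP_RE.match(rec[0]) if rec else None
        if m:
            ln, offset, session = m.groups()
            o = [int(x) for x in rec[1].split(".")]
            per_query[session][int(offset)].append((o[0], bytes(o[1:])))
            declared_len[(session, int(offset))] = int(ln)
    result = {}
    for session, queries in per_query.items():
        chunks = {}
        for offset, triples in queries.items():
            data = b"".join(t for _, t in sorted(triples))
            chunks[offset] = data[:declared_len[(session, offset)]]  # assumption: ln- trims padding
        result[session] = join_chunks(chunks)[0]
    return result

def decode_http_response(raw):
    """Split headers from body; gunzip the body when the headers say so (gzip is not encryption)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    headers = head.decode("latin-1")
    if sep and "content-encoding: gzip" in headers.lower():
        body = gzip.decompress(body)
    return headers, body

# ---- constructed fixtures ---------------------------------------------------
# Request side: the three bf- records quoted on the slide (session 00912196).
REQUEST_RECORDS = [
    "bf-1b3132313330363734c2a7536f636b657444617461c2a734303436304745.wr-00000000.id-00912196.v0.tun.vpnoverdns.com. IN A 128.69.0.255",
    "bf-5420687474703a2f2f616e64726f69642e636c69656e74732e676f6f676c.wr-00000030.id-00912196.v0.tun.vpnoverdns.com. IN A 128.69.0.255",
    "bf-652e636f6d2f70726f78792f677361737567676573742f7365617263683f.wr-00000060.id-00912196.v0.tun.vpnoverdns.com. IN A 128.69.0.255",
]

def build_response_records(session, raw, chunk=48):
    """Fixture builder only: lay `raw` out as the slides describe so the decoder has input."""
    lines = []
    for offset in range(0, len(raw), chunk):
        part = raw[offset:offset + chunk]
        padded = part + b"\x00" * (-len(part) % 3)
        for i in range(0, len(padded), 3):
            b = padded[i:i + 3]
            lines.append(f"ln-{len(part):03d}.rd-{offset:08d}.id-{session}.v0.tun.vpnoverdns.com."
                         f" IN A {192 + i // 3}.{b[0]}.{b[1]}.{b[2]}")
    return lines

SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\n\r\n"
                   + gzip.compress(b"<html>hello from the tunnel</html>", mtime=0))
RESPONSE_RECORDS = build_response_records("00000042", SAMPLE_RESPONSE)  # made-up session id

def demo():
    """Both directions; records are fed in reverse to show the order comes from the offsets."""
    request = reassemble_requests(REQUEST_RECORDS[::-1])["00912196"]
    headers, body = decode_http_response(reassemble_responses(RESPONSE_RECORDS[::-1])["00000042"])
    return request, headers, body
```

Run `demo()` and the request comes back as the slide shows it (the leading 0x1b byte before `12130674§SocketData§…` is a non-printable the slide simply does not render), while the response side yields readable headers and a decompressed body, which is the whole point of the gzip slide: compression only looks like protection until someone holds all the bytes.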
The Incident that Never was...
●Nothing is quite as depressing as finding a cool incident that really wasn’t.
●Takeaway: Passive DNS operators probably should ignore this domain, as the data isn’t real DNS; it’s actually HTTP/mail traffic.
The Truth About VPN over DNS
●This is not data exfiltration; it’s a way to surf the web behind WiFi hotspot paywalls (because DNS isn’t blocked even if you haven’t authenticated).
○Take that, Marriott, and your $10/day Internet fee.
●This will also bypass any web proxies you have.
●In theory you COULD use it for data exfiltration, but it’s pretty easy to spot
○Any DNS queries for *.tun.vpnoverdns.com? You are bad and you should feel bad.
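As an added example of the detection the last bullet calls for (this is not the Emerging Threats rule the talk mentions, and the query-log format is constructed for the demo, not BIND's or any product's), this flags any client querying under tun.vpnoverdns.com, groups the hits by client and session id for triage, and, for pDNS operators, drops those RRs before ingest. A lookup of the bare vpnoverdns.com site is deliberately not a hit.

```python
# Added example (not the Emerging Threats rule the talk mentions, nor any
# product's log format): flag VPNoverDNS tunnel use from resolver query logs
# and pre-filter records before they reach a passive DNS store.
import re
from collections import defaultdict

TUNNEL_RE = re.compile(r"(?:^|\.)tun\.vpnoverdns\.com\.?$", re.IGNORECASE)
SESSION_RE = re.compile(r"\.id-(\d+)\.v0\.", re.IGNORECASE)

# Constructed query log, one "<timestamp> <client> <qname> <qtype>" per line.
QUERY_LOG = """\
2014-04-25T10:00:01Z 10.1.2.3 www.example.com A
2014-04-25T10:00:02Z 10.1.2.3 bf-1b3132.wr-00000000.id-00912196.v0.tun.vpnoverdns.com A
2014-04-25T10:00:02Z 10.1.2.3 ln-048.rd-00000000.id-00912196.v0.tun.vpnoverdns.com A
2014-04-25T10:00:03Z 10.1.2.3 ln-048.rd-00000048.id-00912196.v0.tun.vpnoverdns.com A
2014-04-25T10:00:05Z 10.1.2.9 mail.example.com MX
2014-04-25T10:00:06Z 10.1.2.9 bf-54.wr-00000000.id-14932049.v0.tun.vpnoverdns.com A
2014-04-25T10:00:07Z 10.1.2.3 vpnoverdns.com A
"""


def is_tunnel_query(qname):
    """True only for names under tun.vpnoverdns.com; a lookup of the bare
    marketing site is not tunnel traffic and must not trip the rule."""
    return TUNNEL_RE.search(qname) is not None


def triage(log_text):
    """Per client: tunnel query count, distinct session ids, first/last time;
    clients with the most tunnel queries first."""
    hits = defaultdict(lambda: {"queries": 0, "sessions": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, _qtype = parts
        if not is_tunnel_query(qname):
            continue
        h = hits[client]
        h["queries"] += 1
        m = SESSION_RE.search(qname)
        if m:
            h["sessions"].add(m.group(1))
        h["first"] = h["first"] or ts
        h["last"] = ts
    return {c: {**h, "sessions": sorted(h["sessions"])}
            for c, h in sorted(hits.items(), key=lambda kv: -kv[1]["queries"])}


def filter_for_pdns_ingest(rr_lines):
    """The talk's takeaway for pDNS operators: drop tunnel RRs before storage,
    since they are someone's HTTP/mail bytes, not DNS facts about a name."""
    return [line for line in rr_lines if not is_tunnel_query(line.split()[0])]


if __name__ == "__main__":
    for client, info in triage(QUERY_LOG).items():
        print(client, info)
```

The session ids in the triage output are what you would carry into the reassembly step if the same sensor also logged the answers; on a corporate resolver the query log alone is enough to know who is tunnelling and since when.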
Then Evil Genius Struck
●I was able to rebuild traffic in Wireshark… what if I dumped the entire pDNS database for tun.vpnoverdns.com?
○Remember, pDNS is just a big log of all DNS queries and responses it sees.
$ python dnsdb_query.py *.tun.vpnoverdns.com | wc -l
5799244
Look Mom, I Built PRISM for Script Kiddies
●Looking at just the timestamps I have data from, there are records going back to May 2013.
●Since the sensor sits between the VPNoverDNS user and their DNS server, if it captures any traffic it likely has the ENTIRE session in its logs.
●So what websites do you think VPN over DNS users like to view?
○Let’s check those bf- records
Wait for it...
●Some are not surprising:
Host: m.facebook.com:443
Host: profile.ak.fbcdn.net
Host: i2.cdn.turner.com
Host: googleads.g.doubleclick.net
●This had to be a fun listening experience:
Host: stats.pandora.com
And what is the Internet for?
●And of course, there was this...
Host: metaltoys.co.za
Host: www.youngleafs.com
Host: myshortskirt.com
Host: www.bravotube.net
Host: promo.badoink.com
Host: www.coedcherry.com
Host: cdn-z3.perfectgirls.net
Host: cdn-z4.perfectgirls.net
Y U NO ENCRYPT?
But it gets worse...
Referer: http://127.0.0.1:8888/mail4hotspot/app/navigation?url=https://accounts.google.com/ServiceLoginAuth^M
User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.5; en-us; N860 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1^M
Origin: http://127.0.0.1:8888^M
Accept: application/xml,application/vnd.wap.xhtml+xml,application/xhtml+xml;profile='http://www.wapforum.org/xhtml',text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5^M
Content-Type: application/x-www-form-urlencoded^M
x-wap-proxy-cookie: none^M
Cache-Control: no-transform^M
Content-Length: 197^M
^M
url=https%3A%2F%2Faccounts.google.com%2FServiceLoginAuth&GALX=bAmxoTJR_XY&_utf8=%26%239731%3B&bgresponse=&Email=XXXXXXXXX%40gmail.com&Passwd=XXXXXXX …….
Yes, kids, this sends HTTPS requests over DNS **IN THE CLEAR**
(Oh, and this guy’s username was the same as his password)
The Fail is Strong With This One...
DISCLAIMERS
I’ve asked pDNS operators to purge this data.
There should also be a rule to detect clients using this on your networks in the Emerging Threats open Snort rules soon.
No Applause please. Throw money.
jcb@bambenekconsulting.com
Questions?

 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 

Recently uploaded (20)

How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 

Thotcon 0x5 - Retroactive Wiretapping VPN over DNS

6. A Wild Passive DNS Scan Appears
Rdata results for ANY/197.1.246.0/24
Returned 280 RRs in 0.05 seconds.
tunisia-sat1.no-ip.info. A 197.1.246.1
samibazoug.dyndns.ws. A 197.1.246.3
koooooko.no-ip.biz. A 197.1.246.3
only-security.no-ip.biz. A 197.1.246.3
no-hack.zapto.org. A 197.1.246.3
camfrog-ir.zapto.org. A 197.1.246.3
camfrog-2r9.zapto.org. A 197.1.246.3
gboxbest.dyndns.org. A 197.1.246.3

7. A Wild Passive DNS Scan Appears
mrigel.zapto.org. A 197.1.246.4
hacked007.no-ip.org. A 197.1.246.5
tarajist1919.no-ip.biz. A 197.1.246.8
reflex.sytes.net. A 197.1.246.10
1month-5euro.sytes.net. A 197.1.246.10
gaagle.no-ip.org. A 197.1.246.10
djamelgbox.no-ip.org. A 197.1.246.12
bibitahackertn.no-ip.biz. A 197.1.246.14
kalboussa.no-ip.biz. A 197.1.246.16
njratxmoro.zapto.org. A 197.1.246.16
migalou2012.no-ip.biz. A 197.1.246.18
papu81.no-ip.biz. A 197.1.246.19

8. A Wild Passive DNS Scan Appears
manortn.dyndns.biz. A 197.1.246.19
papu81.no-ip.biz. A 197.1.246.20
ln-048.rd-00000240.id-14932049.v0.tun.vpnoverdns.com. A 197.1.246.20
revenger.zapto.org. A 197.1.246.21
oscamserver.dyndns.org. A 197.1.246.24
cinefoot.selfip.com. A 197.1.246.28
proxysat.selfip.com. A 197.1.246.28
……
tun.vpnoverdns.com????
9. What is this VPNoverDNS you speak of?
●From vpnoverdns.com:
○“In a few words, it lets you tunnel data through a DNS server. Data exfiltration, for those times when everything else is blocked.”
●At the point I first started seeing this, no one seemed to know anything about it aside from the obvious… “it looks like a tunnel endpoint”
●One oddity: to install it on a PC you FIRST have to install the Android app to create a login…
○As an unapologetic iPhone user, this displeases me.
  • 10. Data Exfiltration You Say? ZOMG!! IT’S AN APT! MOMMY HELP! MUCH SCARED!
11. So how prevalent is VPNoverDNS?
●pDNS dump of *.tun.vpnoverdns.com yields almost 6 million entries.
●“Endpoints” seen on educational, government, business and military ASNs.
○And some unassigned IP addresses…
●Looks prevalent but…
○No one knows about it…
○Would it so obviously be sitting on NATO IP addresses?
○Why would a data exfiltration tool require an Android device?
12. Seriously, who uses Adobe AIR for this?
●After finding an Android device, downloaded to that device and then created a VM to install the PC version, which uses Adobe AIR.
●Provides a web browser and an email client to send/receive e-mail.
○This is not looking like data exfiltration…
○Much disappoint… :(
●Time to fire up Wireshark and see what the traffic looks like...
15. Got Packets?
●Query a specific FQDN and it returns multiple A records.
●rd- = byte offset
●id- = session ID
●A records start at 192. and sequentially get higher.
●This explains why pDNS shows what it does: in effect, it poisons the data. The ln-…tun.vpnoverdns.com. A 197.1.246.20 record in the /24 scan above is three tunnel payload bytes that happened to land in the client’s netblock, not a host there. The only REAL traffic is DNS to the network resolver (and the resolver to vpnoverdns.com’s DNS servers).
16. Can we parse this response?
Looking at the hex of the packet...
The last three octets of the A record DNS responses are the HTTP response… in the clear.
17. Did you know gzip is 1337 crypto?
●So now to rebuild an entire session across all the queries for a given session ID…
xœ õï 0§OK
HTTP/1.1 200 OK
Date: Sat, 05 Jan 2013 18:08:05 GMT
Content-Type: text/html;c:Accept-Encoding
Content-Encoding: gzip
---- gzip’d content ----
18. What about HTTP requests?
●HTTP requests are made by querying FQDNs starting with bf-:
●Example:
bf-1b3132313330363734c2a7536f636b657444617461c2a734303436304745.wr-00000000.id-00912196.v0.tun.vpnoverdns.com. IN A 128.69.0.255
bf-5420687474703a2f2f616e64726f69642e636c69656e74732e676f6f676c.wr-00000030.id-00912196.v0.tun.vpnoverdns.com. IN A 128.69.0.255
bf-652e636f6d2f70726f78792f677361737567676573742f7365617263683f.wr-00000060.id-00912196.v0.tun.vpnoverdns.com. IN A 128.69.0.255
●Syntax: wr- = byte offset, id- = session ID (each label above carries 30 bytes of payload, hence the offsets 0, 30, 60)
●Is the bf- content just ASCII text in hex form? Yes:
12130674§SocketData§40460GET http://android.clients.google.com/proxy/gsasuggest/search?client=qsb-android&hl=en&gl=us
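The reassembly described on slides 15 through 18, as an added example (my code, not the author's Wireshark workflow or anything shipped by vpnoverdns.com). It parses the bf-/wr-/id- request labels and the ln-/rd-/id- response labels, decodes the hex request payload in wr- order, and rebuilds the server's reply from the last three octets of each A record, ordered by first octet within a query and by rd- offset across queries. The three request labels are the ones from slide 18; the server reply bytes are constructed here. Two things the slides do not state and this code assumes: offsets are decimal (the page's 30-byte labels sit at wr-00000000/30/60, which fits), and the ln- field is left uninterpreted. The is_tunnel_query check is the same suffix match a network rule (slide 20) keys on.

```python
import re
from collections import defaultdict

# Label layout as observed in the talk. Requests: bf-<hex payload>.wr-<byte offset>.id-<session>.
# Responses: ln-<n>.rd-<byte offset>.id-<session>, answered with A records whose first octet is a
# sequence number starting at 192 and whose last three octets carry three payload bytes.
# Assumptions not stated on the slides: offsets are decimal, and ln- is not interpreted.
SUFFIX = r"\.v0\.tun\.vpnoverdns\.com\.?$"
REQ_RE = re.compile(r"^bf-([0-9a-fA-F]+)\.wr-(\d+)\.id-(\d+)" + SUFFIX)
RSP_RE = re.compile(r"^ln-(\d+)\.rd-(\d+)\.id-(\d+)" + SUFFIX)


def is_tunnel_query(fqdn):
    """What a network detection rule keys on: any query name under tun.vpnoverdns.com."""
    return bool(REQ_RE.match(fqdn) or RSP_RE.match(fqdn))


def reassemble_requests(records):
    """Client->server direction. records: (fqdn, rdata) pairs as a pDNS dump yields them.
    Returns {session_id: text}: hex payloads decoded and joined in wr- offset order."""
    parts = defaultdict(dict)
    for fqdn, _rdata in records:
        m = REQ_RE.match(fqdn)
        if not m or len(m.group(1)) % 2:
            continue  # not a request label, or truncated hex
        parts[m.group(3)][int(m.group(2))] = bytes.fromhex(m.group(1))
    return {sid: b"".join(p[o] for o in sorted(p)).decode("utf-8", "replace")
            for sid, p in parts.items()}


def reassemble_responses(records):
    """Server->client direction. A records of one query are ordered by first octet, then the
    three payload octets of each are concatenated; queries are ordered by rd- offset."""
    parts = defaultdict(lambda: defaultdict(list))
    for fqdn, rdata in records:
        m = RSP_RE.match(fqdn)
        if not m:
            continue
        try:
            seq, *payload = (int(x) for x in rdata.split("."))
        except ValueError:
            continue  # rdata is not a dotted quad
        if len(payload) != 3 or not all(0 <= o <= 255 for o in (seq, *payload)):
            continue
        parts[m.group(3)][int(m.group(2))].append((seq, bytes(payload)))
    out = {}
    for sid, by_offset in parts.items():
        buf = bytearray()
        for off in sorted(by_offset):
            for _seq, chunk in sorted(by_offset[off]):
                buf += chunk
        out[sid] = bytes(buf)
    return out


def encode_response(session, payload, chunk=18):
    """Constructed inverse of the response layout, used only to build sample records here."""
    recs = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        piece += b"\x00" * (-len(piece) % 3)  # pad to whole 3-byte records (assumption)
        fqdn = f"ln-{len(piece):03d}.rd-{off:08d}.id-{session}.v0.tun.vpnoverdns.com."
        for i in range(0, len(piece), 3):
            recs.append((fqdn, f"{192 + i // 3}.{piece[i]}.{piece[i + 1]}.{piece[i + 2]}"))
    return recs


# The three bf- labels from slide 18 (session 00912196), in scrambled order as a pDNS dump
# might return them; 128.69.0.255 is the answer the slide shows for them.
SAMPLE_REQUESTS = [
    ("bf-652e636f6d2f70726f78792f677361737567676573742f7365617263683f.wr-00000060.id-00912196.v0.tun.vpnoverdns.com.", "128.69.0.255"),
    ("bf-1b3132313330363734c2a7536f636b657444617461c2a734303436304745.wr-00000000.id-00912196.v0.tun.vpnoverdns.com.", "128.69.0.255"),
    ("bf-5420687474703a2f2f616e64726f69642e636c69656e74732e676f6f676c.wr-00000030.id-00912196.v0.tun.vpnoverdns.com.", "128.69.0.255"),
]
# Constructed server reply (not from the talk), encoded into ln-/rd- records and reversed to
# show that reassembly does not depend on dump order.
SAMPLE_RESPONSE = b"HTTP/1.1 200 OK\r\nServer: nginx/1\r\n\r\n"
SAMPLE_RESPONSES = list(reversed(encode_response("00912196", SAMPLE_RESPONSE)))

if __name__ == "__main__":
    dump = SAMPLE_REQUESTS + SAMPLE_RESPONSES
    print(sum(is_tunnel_query(f) for f, _ in dump), "tunnel records")
    print(repr(reassemble_requests(dump)["00912196"]))
    print(reassemble_responses(dump)["00912196"].decode())
```

The request stream comes back as the slide shows it, with a leading 0x1b byte that the slide's rendering dropped; the "§"-separated header in front of the GET is the app's own framing, which the talk does not decode further and this code does not either.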
19. The Incident that Never was...
●Nothing is quite as depressing as finding a cool incident that really wasn’t.
●Takeaway: Passive DNS operators probably should ignore this domain as the data isn’t real DNS, it’s actually HTTP/Mail traffic.
20. The Truth About VPN over DNS
●This is not data exfiltration, it’s a way to surf the web behind WiFi hotspot paywalls (because DNS isn’t blocked even if you haven’t authenticated).
○Take that Marriott and your $10/day Internet fee.
●This will also bypass any web proxies you have.
●In theory you COULD use it for data exfiltration, but it’s pretty easy to spot
○Any DNS queries for *.tun.vpnoverdns.com? You are bad and you should feel bad.
21. Then Evil Genius Struck
●I was able to rebuild traffic in Wireshark… what if I dumped the entire pDNS database for tun.vpnoverdns.com?
○Remember, pDNS is just a big log of all DNS queries and responses it sees.
$ python dnsdb_query.py '*.tun.vpnoverdns.com' | wc -l
5799244
22. Look Mom, I Built PRISM for Script Kiddies
●Looking at just the timestamps I have data from, there are records back from May 2013.
●Since the sensor is in between the VPNoverDNS user and their DNS server, if it captures any traffic it likely has the ENTIRE session in its logs.
●So what websites do you think VPN over DNS users like to view?
○Let’s check those bf- records
23. Wait for it...
●Some are not surprising:
Host: m.facebook.com:443
Host: profile.ak.fbcdn.net
Host: i2.cdn.turner.com
Host: googleads.g.doubleclick.net
●This had to be a fun listening experience:
Host: stats.pandora.com

24. And what is the Internet for?
●And of course, there was this...
Host: metaltoys.co.za
Host: www.youngleafs.com
Host: myshortskirt.com
Host: www.bravotube.net
Host: promo.badoink.com
Host: www.coedcherry.com
Host: cdn-z3.perfectgirls.net
Host: cdn-z4.perfectgirls.net
  • 25. Y U NO ENCRYPT?
26. But it gets worse...
Referer: http://127.0.0.1:8888/mail4hotspot/app/navigation?url=https://accounts.google.com/ServiceLoginAuth^M
User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.5; en-us; N860 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1^M
Origin: http://127.0.0.1:8888^M
Accept: application/xml,application/vnd.wap.xhtml+xml,application/xhtml+xml;profile='http://www.wapforum.org/xhtml',text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5^M
Content-Type: application/x-www-form-urlencoded^M
x-wap-proxy-cookie: none^M
Cache-Control: no-transform^M
Content-Length: 197^M
^M
url=https%3A%2F%2Faccounts.google.com%2FServiceLoginAuth&GALX=bAmxoTJR_XY&_utf8=%26%239731%3B&bgresponse=&Email=XXXXXXXXX%40gmail.com&Passwd=XXXXXXX
…….
Yes, kids, this sends HTTPS requests over DNS **IN THE CLEAR**: the app terminates TLS locally at 127.0.0.1:8888 and pushes the plaintext form POST, credentials included, through the tunnel.
(Oh, and this guy’s username was the same as his password)
  • 27. The Fail is Strong With This One...
28. DISCLAIMERS
I’ve asked pDNS operators to purge this data.
There should also be a rule to detect clients using this on your networks in the Emerging Threats open snort rules soon.
29. No applause please. Throw money.
jcb@bambenekconsulting.com
Questions?