• DNS vulnerabilities are teh shitz
• The Dan Kaminskys find a way to do DNS cache poisoning… on the Internet
• Everyone freaks out
• He gives some solutions like DNSSEC
• Everyone goes… yeah right. See you in 2013
• People freak out again
• Inject a fake DNS result into a caching DNS server
• Clients requesting that hostname will be given the malicious response
• Works for as long as the TTL is set (the poisoned record stays cached until it expires)
• Example:
  › Vulnerability in BIND exploited
  › Injects a cached response for www.google.com
  › Grandma goes to www.google.com, and is redirected
• DNSSEC (we’re getting there)
• Patch your DNS server (yes of course, but not an actual solution)
• Disable caching (not realistic in most cases)
• Randomize name servers (helps limit the effect of a poison)
• Prepending a nonce to queries (balls930282-fwq.www.rochester2600.com - effective but “omg what’s a nonce”)
• Removing duplicate queries (mitigates the birthday attack)
• 0x20 Hack
• Refers to the simplest hack: modifying the case of the letters in DNS requests
• Flipping the 0x20 bit costs less CPU than, for example, changing the case of a string in Python
• Turns out every DNS server ever can handle this hack
• Each request needs a randomly generated bitmask
• Only works if the DNS server does not pay attention to case
• No entropy for TLDs or numeric domains, but helps most hostnames
www.rochester2600.com    000 0000000000000 000
WWW.ROCHESTER2600.COM    111 1111111111111 111
wWw.rOChesTer2600.CoM    010 0110001000000 101
wWW.ROCheSTeR2600.com    011 1110011010011 000
WWW.roCHEsTeR2600.COM    111 0011101010000 111
• Attackers must brute force all possible combinations of upper and lower case to successfully poison your cache
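The resolver-side logic behind these slides, as an added example that is not part of the original deck: apply a per-character bitmask to the query name, then accept a response only if it echoes the exact mixed case that was sent. The function names are hypothetical and the code works on name strings only, with no DNS packet handling.

```python
import secrets

def apply_mask(name: str, mask: str) -> str:
    """Upper-case name[i] when mask[i] == '1', using the slide's mask layout.

    Mask bits that land on digits, dots or hyphens change nothing, which is
    why numeric names gain no entropy from this scheme.
    """
    raw = bytearray(name.lower().encode("ascii"))
    for i, bit in enumerate(mask):
        if bit == "1" and 0x61 <= raw[i] <= 0x7A:  # 'a'..'z' only
            raw[i] ^= 0x20                         # 'a' (0x61) -> 'A' (0x41)
    return raw.decode("ascii")

def randomize_case(name: str) -> str:
    """Build the query name with a fresh random mask for every request."""
    mask = "".join(secrets.choice("01") for _ in name)
    return apply_mask(name, mask)

def entropy_bits(name: str) -> int:
    """Bits an off-path spoofer has to guess: one per ASCII letter."""
    return sum(1 for ch in name if ch.isascii() and ch.isalpha())

def accept_response(sent_qname: str, echoed_qname: str) -> bool:
    """Case-sensitive comparison of the question echoed in the response."""
    return sent_qname == echoed_qname

def cache_key(name: str) -> str:
    """The cache itself stays case-insensitive; only the check is exact."""
    return name.lower()

if __name__ == "__main__":
    name = "www.rochester2600.com"  # hostname used on the slides
    query = randomize_case(name)
    print("query sent:       ", query)
    print("letters / bits:   ", entropy_bits(name))
    print("genuine echo:     ", accept_response(query, query))
    # Constructed spoof: an off-path sender that did not see the query
    # guesses a different case pattern and is dropped.
    guess = query.swapcase()
    print("wrong-case spoof: ", accept_response(query, guess))
```

The check sits on top of whatever else the resolver already validates in a response; a name made only of digits has zero letters, so it gets no benefit.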
• I didn’t know about this and love its simplicity
• Hipster Tor
• A and a are 0x20 apart
• The 0x20 hack
• No one uses this anymore…history lesson
• Nothing. You’re not even looking at the screen right now.
0x20 hack
