DNS, the hidden ICS attack vector
This is three talks in one, as we look at several issues with DNS that affect control systems.
First we look at DNS squatting, which affects many ICS vendors. Then we look at two DNS issues that we frequently see on deployed control systems.

Published in: Internet
DNS and You
A primer
K. Reid Wightman
Digital Bond Labs

Two talks in one
• DNS squatting and malware
• DNS in deployment

But first - Terminology
• DNS – Domain Name System
• Resolve hostname, like ‘digitalbond.com’ to IP like 45.33.22.182
• DNS contains many record types
– NS, Name Server
– MX, Mail eXchange
– A, Name records
– PTR, Reverse name records
• There are others, but less interesting to this talk

More Terminology
• Typosquatting
– Mistyping a domain name, many types
– Transpositions: Gogole.com instead of google.com
– Omissions: gogle.com
– Insertions/repetitions: gooogle.com
– Replacements: goofle.com
• Homoglyphs: go0gle.com (GO0GLE.COM)
• Bitsquatting
– Bit error in a computer or router without ECC
– Googme.com: ‘l’ and ‘m’ differ by 1 bit, 0b01101100 versus 0b01101101
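The squat classes on this slide can be enumerated mechanically, which is what dnstwist (slide 20) does for you. The following is an added example written for this page, not dnstwist's code or the author's: it generates candidates of each class for a second-level domain, keeps only labels that are valid DNS names (letters, digits, hyphen, no leading or trailing hyphen), and uses an ASCII-only homoglyph table that is an assumption of the example. Checking which candidates resolve or have a registrant is left to tools such as dnstwist or whois.

```python
"""Enumerate typo-, homoglyph- and bitsquat candidates for a domain.

Added example for this deck; it is not dnstwist's code or the author's.
The candidate classes are the ones on the slide; the homoglyph table
(ASCII look-alikes only) is an assumption of this example.
"""
import string

LDH = set(string.ascii_lowercase + string.digits + "-")  # RFC 1035 letters-digits-hyphen
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}  # assumption


def valid_label(label: str) -> bool:
    """A squat is only registrable if it is a syntactically valid label."""
    return (0 < len(label) <= 63
            and set(label) <= LDH
            and not label.startswith("-")
            and not label.endswith("-"))


def squats(domain: str) -> dict:
    """Return {class_name: set of candidate domains} for a second-level domain."""
    name, _, tld = domain.lower().partition(".")
    out = {k: set() for k in ("transposition", "omission", "repetition",
                              "replacement", "homoglyph", "bitsquat")}

    def add(kind, label):
        if label != name and valid_label(label):
            out[kind].add(f"{label}.{tld}")

    for i in range(len(name) - 1):                       # gogole.com
        add("transposition", name[:i] + name[i + 1] + name[i] + name[i + 2:])
    for i in range(len(name)):                           # gogle.com
        add("omission", name[:i] + name[i + 1:])
    for i in range(len(name)):                           # gooogle.com
        add("repetition", name[:i] + name[i] + name[i:])
    for i in range(len(name)):                           # goofle.com
        for r in string.ascii_lowercase:
            add("replacement", name[:i] + r + name[i + 1:])
    for i, c in enumerate(name):                         # go0gle.com
        if c in HOMOGLYPHS:
            add("homoglyph", name[:i] + HOMOGLYPHS[c] + name[i + 1:])
    for i, c in enumerate(name):                         # googme.com: 'l' ^ 0b1 == 'm'
        for bit in range(8):
            add("bitsquat", name[:i] + chr(ord(c) ^ (1 << bit)) + name[i + 1:])
    return out


def summary(domain: str) -> dict:
    """How many candidates of each class a domain has (useful when budgeting registrations)."""
    return {kind: len(names) for kind, names in squats(domain).items()}


if __name__ == "__main__":
    for kind, names in squats("google.com").items():
        print(f"{kind:13s} {len(names):4d}  e.g. {sorted(names)[:3]}")
```

A candidate can belong to more than one class (googme.com is both a replacement and a bitsquat), so the classes are kept as separate sets rather than one labelled list; the per-class counts from `summary()` are what you compare against the "few k€ per year" registration budget on slide 19.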
On bitsquatting
• Fantastic talk on the topic at Defcon 19
– https://www.youtube.com/watch?v=lZ8s1JwtNas
– (Or, Artem Dinaburg, blog post at http://dinaburg.org/bitsquatting.html )
• Fantastic followup on the topic at Defcon 23 with more exploitation
– https://www.youtube.com/watch?v=4b5disac9g4
– (Or, look at Luke Young’s site: http://bitfl1p.com )
• Neat technique for big content distribution networks (Facebook, Akamai, etc)

Squatting Motivations
• Phishing
• Advertising revenue
• Offer/install Malware (adware/spyware, RATs, etc)
• Sell the domain for $$$ to trademark holder

Manufacturer Survey
• 11 Mfrs in survey

Survey of 11 Industrial Mfrs
Basic Stats
• Focused on just ‘industrial’ domains
• 433 ‘squat’ domains
[Chart: breakdown of the 433 squat domains by type: replacement, insertions, bitsquatting, omission, repetition, transposition, homoglyph]

Survey of 11 Industrial Mfrs
‘MX’ Records
• 195/433 domains have MX records
• Of these, 22 accepted email to arbitrary users at the domain
– Tested by emailing ‘joe.engineer@domain’ and ‘zatoichi@domain’ from custom source address
– This means someone may intercept your email if a client typos an address
• What happens to these emails?
– One case of phishing!
– Not targeted though

Phishing Example: SlEMENS.COM
• Sent emails to the slemens.com domain, received phish to custom source address
– Incredibly unlikely that this was coincidence
– This was the only example out of all domains tested
• This domain’s website previously hosted malware; now it is just a park
– Note: domain owner is private, domain registered via fabulous.com
– Note 2: domain registration has not changed between malware hosting and phishing (same privacy shield in place)

Survey of 11 Mfrs
‘A’ (and ‘AAAA’) Records
• Only tried ‘www.typodomain.com’
• 254 ‘live’ hosts
• 42% (107 hosts) advertising/for sale
• 11% (28 hosts) ‘suspicious redirect’ (changes daily)
• 4% (10 hosts) hosting direct malware downloads
– Malware usually targets user-agent string (Windows, OS X)
– Many sites use redirection network, target changes frequently
– Tracking cookies often used to determine behavior
– New/‘0-day’ discovered for OS X
• 4% (10 hosts) hosting RAT pre-installers (popup window saying, ‘call tech support/you have a virus’)
• 1% (2 hosts) hosting pornography
• 1% (2 hosts) ‘legit redirect’ (redirects to intended host)
• Remainder: ‘Under construction’ or Legit Business with similar name

Siemsns.com redirect (1)

Siemsns.com redirect (2)

Siemsns.com redirect (3)

More on Malware Hosting
• Windows Malware generally found on VirusTotal
– All ‘Adware/Spyware/RAT’
– No apparent ICS target (yet)
• OS X Malware:

(Brief Update on that Malware)

The Future of Squatting
• Prediction: clone websites hosting malware
– Already (sort of) happened to Schneider Electric, but website is gone now (was at schneide-electric.com [note missing ‘r’]).
– Domain /was/ owned by individual in China (Shenzhen)
– Domain now owned by Schneider Electric (good job!)

Limitations
• For A records, can be difficult/impossible to know ‘who’ or ‘why’
– Ex: load one squat domain 5 times, get 5 different redirects/payloads
– Many squats serve up pages based on User-Agent, Referer, possibly more targeted info (country of origin?)
• Could host interesting files for deep links, e.g. support.industry.siemsns.com/path/to/software/update

Challenge
• Legally, it is difficult to ‘clean up’ a squatter
– Have to prove harm/trademark violation
– Legal options take a long time
– Legal options take lawyers, cost €€€
– Buying domain from squatter will probably cost €€€
• Often cheaper to just register all bitsquat/typosquat domains
– Costs only a few k€ per year to do this
– May save a Big Problem in the future

Tools & Tips
• Dnstwist to quickly see who owns domains similar to yours
– https://github.com/elceef/dnstwist
– Usage: ‘dnstwist.py <domainname>’ to display all squats
• Scour vendor sites for domain name typos
– We built a tool based on Scrapy
– Uses dnstwist to build bit-error/typo list, scrapes website for links to bogon domains
– Watch https://github.com/digitalbond/scripts/

Further Research
• Rent redirect time
– 11% of sites have changing redirects
– Majority of malware/helpdesk sites add to this number
– Domain owners sometimes ‘rent time’
– Research idea: rent time and see how many potential victims we could get

One down, one to go!
• DNS squatting and malware
• DNS in deployment

DNS in Deployment
• Two sub-areas to this topic
– Internal network map leaking
– Data exfiltration via DNS
• Let’s dive in

DNS Network Mapping
• DNS Zone Transfer *still* an issue
– Allows internet-users to retrieve hostname list
– 2014, ‘blindly’ coordinated with dow.com to reconfigure their servers
• ~50,000 computer names+IP addresses being leaked
• Interior network layout revealed
– Can differentiate interior servers, cellular-hosted servers, internet-facing servers
– Spend enough time, determine field site naming convention
• 1990s are calling us home

DNS Network Mapping
• Hostnames often reveal purpose
– vpn.yourcompany.com: what could this be?
– *gw.yourcompany.com: gateways and perimeters
– dc*.yourcompany.com: domain controllers?
– Numbering conventions often reveal purpose separation (10.0.0.0/8 vs 192.168.0.0/16 vs 172.16.0.0/20)
– etc
• IPv6 is often misconfigured
– Few firewalls block access
– Having these records exposed may be a problem

DNS Network Mapping
• Example 1: dow.com
– Zone transfer returned 50,785 hosts
– Note: Dow has ~51,000 employees. Hmmmm.
• Breakdown of the 50,785 hosts by address space:
– 192.168.0.0/16 (39790)
– 10.0.0.0/8 (5868)
– 172.16.0.0/20 (2437)
– External IPv4 (1118)
– External IPv6 (1572)
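To see what a zone transfer of your own domain would reveal, you can run the same classification the slide applies to dow.com against your own zone export before an outsider does. The script below is an added example (not Digital Bond's tooling and not from the talk) that parses a BIND-style zone file, buckets A/AAAA records into RFC 1918 ranges (it uses the full 172.16.0.0/12 block rather than the /20 shown on the slide), IPv6 unique-local space, and external addresses, and flags host names whose first label suggests a role. The zone contents are constructed, and the plc/hmi/scada/fw name hints are assumptions added to the vpn/gw/dc examples from the previous slide.

```python
"""Audit a zone export for what a zone transfer would hand an outsider.

Added example for this deck, not Digital Bond's tooling. It parses a
BIND-style zone file, buckets every A/AAAA record by address space and
flags host names whose first label hints at a role. The zone below is
constructed; the plc/hmi/scada/fw name hints extend the vpn/gw/dc
examples from the slides and are assumptions of this example.
"""
import ipaddress
import re
from collections import Counter

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
                  "fc00::/7")]                                      # IPv6 unique local
PURPOSE_HINTS = re.compile(r"(^|-)(vpn|gw|dc|fw|plc|hmi|scada)(\d|-|$)")

# constructed zone; 203.0.113.0/24 and 2001:db8::/32 are documentation ranges
SAMPLE_ZONE = """\
$ORIGIN yourcompany.com.
$TTL 300
@            IN A    203.0.113.10
www          IN A    203.0.113.10
vpn          IN A    203.0.113.20   ; what could this be?
plc-gw01     IN A    10.20.0.1
dc01         IN A    192.168.1.5
hmi-site7    IN A    172.16.4.9
www          IN AAAA 2001:db8::10
"""


def parse_zone(text: str) -> list:
    """Return (fqdn, rtype, address) for A/AAAA records; other types are skipped.
    Every record line is expected to carry its owner name (no blank-owner continuation)."""
    origin, records = "", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        if line.startswith("$"):                      # $TTL and other directives
            continue
        parts = line.split()
        if len(parts) < 3 or parts[-2] not in ("A", "AAAA"):
            continue
        owner = parts[0]
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner.rstrip(".")
        else:
            fqdn = f"{owner}.{origin}"
        records.append((fqdn, parts[-2], parts[-1]))
    return records


def bucket(address: str) -> str:
    """Name the address space a record points into."""
    ip = ipaddress.ip_address(address)
    for net in INTERNAL_NETS:                         # version mismatch is simply False
        if ip in net:
            return str(net)
    return f"External IPv{ip.version}"


def audit(zone_text: str) -> dict:
    """Per-bucket counts, internal hosts an outsider should never learn, and role hints."""
    recs = parse_zone(zone_text)
    buckets = Counter(bucket(addr) for _, _, addr in recs)
    internal = sorted({name for name, _, addr in recs
                       if not bucket(addr).startswith("External")})
    hints = sorted({name for name, _, _ in recs
                    if PURPOSE_HINTS.search(name.split(".")[0])})
    return {"records": len(recs), "buckets": dict(buckets),
            "internal_hosts": internal, "purpose_hints": hints}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_ZONE).items():
        print(f"{key}: {value}")
```

Run it over a real `named`-style export (or the output of a transfer from your own secondary) and treat every entry in `internal_hosts` as a record that belongs in an internal view only; the `purpose_hints` list is the naming-convention leak the previous slide describes.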
Further Reading
• Rob Fuller (Twitter: @mubix) runs Deep Magic
– Indexes tons of DNS info
– http://www.deepmagic.com
– Great talks on DNS zone transfer and other issues by Rob, look him up

DNS for Data Exfiltration
• For attackers: wonderful way to get data out of an ‘isolated’ network
• For defenders: painful thing to block

DNS is Recursive
• Example: we want to know what computer is ‘mail.google.com’
– First, ask local DNS server
– Assuming it is not cached, local DNS must find the answer

DNS is Recursive
[Diagram: resolving ‘mail.google.com’ in numbered steps 1, 2, 3,4, 5,6, 7 across Client Workstation, Corporate DNS Server, ISP DNS Server, Root DNS Server (‘com’), COM DNS Server (‘google.com’) and Google DNS Server (‘mail’)]

DNS is Recursive
• …so you actually sent a request (via the local DNS server) to a Google server
• You controlled the request data (‘mail’)
• Google controlled the response data (ip address)

Tunneling Data
• Bad guys can run a special DNS server, meant for bidirectional communication
– Ex: we own a domain for this purpose
– Special subdomain runs IP over DNS tunnel
– Queries == encoded data
– Responses == encoded data
– Great for free Internet access (expired prepaid 3G SIM card, in-flight WiFi, or expensive hotel WiFi often vulnerable)

DNS Tunneling

Tunneling
[Diagram: a query for ‘foobarbazbax.evildomain.com’ from a Client Workstation on the ICS LAN passes through the Local DNS Server, Corporate DNS Server and ISP DNS Server; the COM DNS Server refers ‘evildomain.com’ to the Hacker DNS Server, which receives ‘foobarbazbax.evildomain.com’]

Other DNS Exfiltration
• IP over DNS tunnel:
– Iodine, http://code.kryo.se/iodine/
• Generic ‘data over DNS’ tool (like netcat, but uses DNS instead of IP) by Ron Bowes:
– dnscat2, https://github.com/iagox86/dnscat2
• Metasploit even includes DNS tunnels
– See payloads/windows/*/*dns, reverse shells and meterpreter payloads available

Challenge
• Blocking DNS entirely is best security option
• Next best: prevent your control system from ‘looking up’ external domains
– Most DNS servers can be configured to only forward DNS requests for a fixed list of domains
– Example: Control zone DNS forwards requests for corpdomain.com to corporate DNS, and rejects queries for any other domain.
• Opportunity: IDS rules testing…
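Because the query names in a tunnel are attacker-chosen data that the local resolver faithfully forwards, the defender's counterpart to the tunneling slides is to look for that data in the resolver's query log, which is also a cheap way to exercise the IDS rules this slide mentions. The following is an added example, not code from the deck or from iodine, dnscat2 or Metasploit: it models the query side of a tunnel by base32-encoding a constructed payload into 48-character labels under evildomain.com (the deck's example domain), mixes those queries with a few ordinary lookups in a constructed log format (time, client, qname, qtype), and scores each registered domain (approximated as the last two labels, an assumption that ignores public-suffix cases like co.uk) on the number of distinct subdomains, their mean length and their mean character entropy.

```python
"""Score a resolver query log for DNS-tunnel-like traffic.

Added example for this deck; not code from the talk or from iodine,
dnscat2 or Metasploit. Log lines use a constructed format:
"<time> <client-ip> <qname> <qtype>". The registered domain is
approximated as the last two labels (an assumption that ignores
public-suffix cases such as co.uk).
"""
import base64
import math
from collections import defaultdict

NORMAL_LOG = [                                   # constructed, ordinary traffic
    "10:00:01 10.1.2.3 www.corpdomain.com A",
    "10:00:02 10.1.2.3 mail.corpdomain.com A",
    "10:00:03 10.1.2.4 www.corpdomain.com A",
    "10:00:04 10.1.2.4 update.vendor.example A",
]


def make_tunnel_log(payload: bytes, domain: str = "evildomain.com") -> list:
    """Model the query side of a tunnel: base32 the payload and carry it in
    48-character labels, one query per chunk (constructed traffic)."""
    enc = base64.b32encode(payload).decode().lower().rstrip("=")
    chunks = [enc[i:i + 48] for i in range(0, len(enc), 48)]
    return [f"10:00:{10 + i:02d} 10.1.2.9 {i:04x}.{chunk}.{domain} TXT"
            for i, chunk in enumerate(chunks)]


SAMPLE_PAYLOAD = b"constructed sample: pump setpoints and PLC project file" * 4
TUNNEL_LOG = make_tunnel_log(SAMPLE_PAYLOAD)


def entropy(text: str) -> float:
    """Shannon entropy in bits per character; encoded data scores high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """(registered domain, subdomain part) using the last-two-labels approximation."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile(log_lines) -> dict:
    """Per registered domain: distinct subdomains, mean length, mean entropy, score."""
    subs = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue                                   # malformed line
        domain, sub = split_name(parts[2])
        if sub:                                        # apex queries carry no data
            subs[domain].add(sub)
    report = {}
    for domain, names in subs.items():
        mean_len = sum(len(n) for n in names) / len(names)
        mean_ent = sum(entropy(n.replace(".", "")) for n in names) / len(names)
        score = (int(len(names) >= 5)                  # each chunk needs a new name
                 + int(mean_len >= 20)                 # foobarbazbax-style labels
                 + int(mean_ent >= 3.0))               # looks encoded, not like a word
        report[domain] = {"distinct": len(names), "mean_len": round(mean_len, 1),
                          "mean_entropy": round(mean_ent, 2), "score": score}
    return report


def suspicious_domains(log_lines, min_score: int = 2) -> list:
    """Domains meeting at least min_score of the three heuristics."""
    return sorted(d for d, f in profile(log_lines).items() if f["score"] >= min_score)


if __name__ == "__main__":
    for domain, feats in profile(NORMAL_LOG + TUNNEL_LOG).items():
        print(domain, feats)
    print("flagged:", suspicious_domains(NORMAL_LOG + TUNNEL_LOG))
```

The three heuristics are deliberately independent: a tunnel that pads its labels to look like words still needs many distinct names, and one that reuses few names still needs long ones. With an allow-list resolver configured as on this slide, the same per-domain profile doubles as a review of what the control zone is asking for, since any registered domain other than corpdomain.com in the log is already a finding regardless of its score.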
Blocking External Lookups
[Diagram: a Client Workstation on the ICS LAN queries ‘foobarbazbax.evildomain.com’; the control-zone resolver forwards corpdomain.com to the Corporate DNS Server and rejects * (everything else), so the evildomain.com request is never forwarded]

Q&A
Contact:
Email: wightman@digitalbond.com
Twitter: @ReverseICS
