This document summarizes a talk about DNS injection by internet service providers (ISPs) showing ads for typosquatted domains. The speaker demonstrates how a malicious subdomain injected by an ISP could steal cookies, spoof any website, and even inject content into the parent domain via script. Though the immediate risk was fixed, the speaker argues that ISP interception undermines web security by allowing arbitrary content injection and bypass of encryption. Legal restrictions are needed to establish that ISPs cannot alter or inject traffic.
1. copyright IOActive, Inc. 2006, all rights reserved.
h0h0h0h0
Dan Kaminsky
Director of Penetration Testing
IOActive, Inc.
2. H0h0h0h0?
• Well, y’all wanted me to stop titling things Black Ops
– Hikari, you got any idea what I’m here talking about?
• What are we not here to talk about
– DNS Rebinding
• Can rebind to home router
• Have video
• Go change passwords.
• Got questions? Find me later.
• So what are we here to talk about?
– What happens when Jason Larsen and I finally get some time to break some stuff together ;)
3. Typos.
• Typos?
– Typos in DNS.
• Relax. It’s worth it.
– Basic profit model
• Humans don’t type so good
– Fcebook.com
– Microsoft.co
– Torcon.org
• Sometimes miss keys
• When they miss keys, they tell their browser to go somewhere that doesn’t exist
– Could just get a “No Such Server Error”, or…
– Could get ads!
4. Typosquatting
• Static Registration
– Guess what might get clicked, buy that name
– Must pay per guess, might be wrong
• Dynamic Registration
– Sitefinder by Verisign
• Unveiled in 2003
• Unregistered names suddenly start returning an ad server, instead of NXDOMAIN
• Reveiled in 2003, never to return
5. The New Era Of Typosquatting
• Son Of Sitefinder: ISP Injection
– DNS is hierarchical
• Client asks the local name server.
• Local name server asks the root, is sent to .com
• Local name server asks .com, is given NXDOMAIN
– Sitefinder used to inject here…
• Normal: Local name server returns NXDOMAIN to client
– $ nslookup nxdomain--.com 4.2.2.1
*** vnsc-pri.sys.gtei.net can't find nxdomain--.com: Non-existent domain
• Son Of Sitefinder: Local name server returns NOERROR to client, with ads attached
– $ nslookup nxdomain--.com 207.217.126.81
…
Name: nxdomain--.com
Addresses: 209.86.66.92, 209.86.66.93, 209.86.66.94, 209.86.66.95, 209.86.66.90, 209.86.66.91
6. The Problem: They’re Spoofing Subdomains Too.
• DNS is hierarchical
– Client asks the local name server.
– Local name server asks the root, is sent to .com
– Local name server asks .com, is given foo.com
– Local name server asks foo.com, is given NXDOMAIN
– Normal: Local name server returns NXDOMAIN to client
• $ nslookup nonexistent.www.bar.com 4.2.2.1
*** vnsc-pri.sys.gtei.net can't find nonexistent.www.bar.com: Non-existent domain
– Son Of Sitefinder: Local name server returns NOERROR to client, with ads attached
– $ nslookup nonexistent.www.bar.com 207.217.126.81
Name: nonexistent.www.bar.com
Addresses: 209.86.66.94, 209.86.66.95, 209.86.66.90, 209.86.66.91, 209.86.66.92, 209.86.66.93
• NXDOMAIN was supposed to mean “No Such Domain”
– There is such a domain. There’s just not this subdomain in it.
7. Intent
• We don’t think this behavior is intentional
– Just so happens that subdomain NXDOMAINs look exactly like domain NXDOMAINs
• Only difference is the source
• Identical effects in the browser
• Well, it’s not unintentional for everyone…
9. Parent Of Son Of Sitefinder Returns!
• April 8th, becomes clear that Network Solutions injects subdomains into their customers’ domains
– Small print in a 53 page contract
– Stay classy, NetSol
• But heh, at least there’s a contract
10. Times Square Effect: Told Ya
• Times Square Effect
– When you see Times Square in a movie, that’s not Times Square. All ads have been replaced, because there’s no contractual obligation not to replace them
– No contractual obligation between ISP and Web Sites not to replace traffic
11. But What About Trademark Law?
• # dig in.ur.www.facebook.com
;; QUESTION SECTION:
;in.ur.www.facebook.com. IN A
;; ANSWER SECTION:
in.ur.www.facebook.com™. 300 IN A 209.86.66.90 [adserver]
in.ur.www.facebook.com™. 300 IN A 209.86.66.91 [adserver]
in.ur.www.facebook.com™. 300 IN A 209.86.66.92 [adserver]
in.ur.www.facebook.com™. 300 IN A 209.86.66.93 [adserver]
in.ur.www.facebook.com™. 300 IN A 209.86.66.94 [adserver]
in.ur.www.facebook.com™. 300 IN A 209.86.66.95 [adserver]
• Doesn’t that qualify as Trademark Violation, with Use In Commerce?
– I don’t know. I’m not a lawyer. The hordes seem to think so, however.
– I am, however, a hacker…
12. Beautiful Synchrony
• Trademark Policy: Trust the good, as it possesses the protected mark.
• Same Origin Policy: Trust the subdomain, as it possesses the protected domain
– Local Name Server asks bar.com, is sent to www.bar.com.
– Local Name Server asks www.bar.com, is told foo.www.bar.com is at 1.2.3.4
– Foo.www.bar.com was thus “vouched for” by www.bar.com
• Trademark controls human trust, Same Origin controls browser trust. The two policies are actually synchronized.
– Both are under attack.
13. Injection
• Anything goes wrong on a subdomain, it is an element of the parent
– Can access cookies
– Can do…other things
• Normally, a subdomain is trusted by its parent…
– But in this case, the subdomain is some random server run by a bunch of advertisers
– …and if this random server happened to possess a cross site scripting vulnerability…
15. Welcome to Barefruit.
• Popular DNS Ad Injection Company
• Notable customers
– Earthlink/Mindspring -- everywhere
– Comcast
• Outsourced to Earthlink, probably didn’t even know
• No idea how outsourced
– Others
• Cox
– At least partial deployment, probably small. Finder.cox.com resolves to their servers.
• Qwest
– Trial deployment only
• Verizon
– Has multiple ad networks.
– Barefruit appears to be used in ~20 regions
• Time Warner also does DNS injection, but not through Barefruit
16. They’re Not Alone
• For each name server, ask for a nonexistent domain.
– For each nameserver that provides an answer, ask for an existing domain.
– If that answer is correct (so the server is a working resolver, not a broken one that answers everything), it’s an NXDOMAIN injector
• Appears to be ~72 ISPs doing some sort of injection. Lots of big names. This is spreading.
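The three-query check described on this slide, written out as an added example (not code from the talk or from IOActive). It classifies one resolver as clean, an NXDOMAIN injector, or simply unreliable, and adds the slide 6 variant: whether the rewrite also reaches a nonexistent name below a real domain. The lookup interface, the stand-in resolvers, the zone contents and all addresses (RFC 5737 documentation ranges) are constructed for the example; a real check would send the same queries over the network.

```python
"""Resolver-classification check from slide 16 (added example, not from the talk).

A resolver is asked for a name that cannot exist.  NXDOMAIN means it is
honest.  NOERROR means it is either rewriting NXDOMAIN into ad-server
addresses or simply broken, so a second query for a name with a known
answer separates the two.  A third query checks whether the rewrite also
reaches names below a real domain (slide 6).

Real use would send the queries over UDP/53 (e.g. with dnspython); here
``lookup`` is any callable name -> (rcode, [addresses]) so the logic runs
offline against the constructed stand-in resolvers at the bottom.
"""
from typing import Callable, Dict, List, Optional, Sequence, Tuple

NXDOMAIN = "NXDOMAIN"
NOERROR = "NOERROR"
Lookup = Callable[[str], Tuple[str, List[str]]]

# Names used by the talk's own nslookup demonstrations.
NONEXISTENT_APEX = "nxdomain--.com"
NONEXISTENT_SUB = "nonexistent.www.bar.com"

# Reference name with a known-correct answer.  192.0.2.0/24 is a
# documentation range (RFC 5737); the value is constructed, not bar.com's
# real address.  In practice use a name whose address you control.
REFERENCE_NAME = "www.bar.com"
REFERENCE_ADDRS = {"192.0.2.10"}


def classify_resolver(lookup: Lookup) -> Dict[str, object]:
    """Return {'verdict', 'injected_addrs', 'spoofs_subdomains'} for one resolver."""
    rcode, addrs = lookup(NONEXISTENT_APEX)
    if rcode == NXDOMAIN:
        return {"verdict": "clean", "injected_addrs": [], "spoofs_subdomains": False}
    if rcode != NOERROR or not addrs:
        # SERVFAIL, REFUSED, timeouts and empty answers are not injection.
        return {"verdict": "unreliable", "injected_addrs": [], "spoofs_subdomains": False}

    # It answered a name that cannot exist.  Is it otherwise a working
    # resolver?  If the reference answer is wrong the server is just broken
    # (or a captive portal answering everything with one address).
    ref_rcode, ref_addrs = lookup(REFERENCE_NAME)
    if ref_rcode != NOERROR or set(ref_addrs) != REFERENCE_ADDRS:
        return {"verdict": "unreliable", "injected_addrs": sorted(set(addrs)),
                "spoofs_subdomains": False}

    # Working resolver that still invents answers: an NXDOMAIN injector.
    sub_rcode, sub_addrs = lookup(NONEXISTENT_SUB)
    spoofs_sub = sub_rcode == NOERROR and bool(sub_addrs)
    return {"verdict": "nxdomain-injector", "injected_addrs": sorted(set(addrs)),
            "spoofs_subdomains": spoofs_sub}


def make_resolver(zone: Dict[str, Sequence[str]],
                  inject_with: Optional[Sequence[str]] = None,
                  inject_subdomains: bool = True) -> Lookup:
    """Offline stand-in for a recursive resolver (constructed for this example).

    ``zone`` maps existing names to addresses.  With ``inject_with`` set,
    NXDOMAIN answers are rewritten into NOERROR plus those addresses, the
    behaviour slide 5 calls "Son Of Sitefinder".  ``inject_subdomains=False``
    models a resolver that only rewrites names directly under a TLD; the
    label-count test is a toy heuristic, good enough for the sample names.
    """
    def lookup(name: str) -> Tuple[str, List[str]]:
        key = name.lower().rstrip(".")
        if key in zone:
            return NOERROR, list(zone[key])
        below_apex = key.count(".") > 1
        if inject_with is not None and (inject_subdomains or not below_apex):
            return NOERROR, list(inject_with)
        return NXDOMAIN, []
    return lookup


# Constructed sample data.  203.0.113.0/24 is also a documentation range.
ZONE = {"www.bar.com": ["192.0.2.10"]}
AD_SERVER = ["203.0.113.90", "203.0.113.91"]

HONEST = make_resolver(ZONE)
INJECTOR = make_resolver(ZONE, inject_with=AD_SERVER)
APEX_ONLY_INJECTOR = make_resolver(ZONE, inject_with=AD_SERVER, inject_subdomains=False)
ANSWERS_EVERYTHING = make_resolver({}, inject_with=AD_SERVER)   # broken, not injecting

if __name__ == "__main__":
    for label, resolver in [("honest", HONEST), ("injector", INJECTOR),
                            ("apex-only injector", APEX_ONLY_INJECTOR),
                            ("answers everything", ANSWERS_EVERYTHING)]:
        print(f"{label:20s} -> {classify_resolver(resolver)}")
```

When run against real resolvers, use a freshly generated random label for the nonexistent names so a cached answer from an earlier probe cannot skew the result, and treat the injected address set as the indicator to compare across ISPs: the slide 15 list was assembled by noticing that many networks resolved nonexistent names to the same ad-server addresses.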
17. Now, this is only a subdomain…what can you really do with a subdomain?
• Obligatory attack: Grab Cookies
– Credentials to many sites
– PII for some
– Can also get any “supercookies”
• Flash Storage
• DOM Storage
• etc
20. Can Also Fake Subdomains
• There is no legitimate subdomain
– But a page comes back with arbitrary script…
– So you can populate anything, on any domain, anywhere.
• Perfect for phishing
• You get a link to your bank, you see in the address bar, server2.www.yourbank.com, you type credentials
• You see a banner ad to join a beta program at Microsoft, you click through, download what you think is the latest build…
– Actually malware
24. But That’s Just Not Enough
• Cookie Excuses
– But cookies are often tied to Source IP!
– But cookies can use HTTP Only so they aren’t readable from script!
– But cookies might be just secure cookies!
• Fake Site Excuses
– But you’re not actually logged in
– You don’t know the content of the site to spoof
• Can we do anything better?
– We’re a malicious subdomain
– Can’t we just script into our parent?
• Pop-under windows: They’re not just for annoying ads anymore
• Document.domain is our friend…
• DOM element that specifically allows children to inject into parent
25. Choosing The Demo
• Needed to be generic to all sites
• Needed to express the distance between what you expected to happen, and what actually did
• Needed to be…recognizable…without being terrifying.
36. Coming Clean
• This was only a simulation.
– BFF_DNS.PL
• BAREFRUIT FOREVA!
• We got through to Barefruit before this talk
– Crystal Williams got me through to Earthlink
– Earthlink got me through to Barefruit
– Barefruit fixed the bug in ~27 minutes once they understood the bug
– All were awesome, thanks!
• All ISPs were redirecting to Barefruit’s servers, so we’re OK…or are we?
37. So Now What
• Barefruit is still injecting into trademarked subdomains.
• The immediate crisis is over, but the security of the web (at these ISPs) is basically limited by the security of these ad servers
– Don’t attack Facebook, attack the ad server
– Don’t attack MySpace, attack the ad server
– Don’t attack PayPal, attack the ad server
• I am not a lawyer, I am a security engineer
– I cannot secure the web if ISPs will change the bytes I send
– Need legal and PR support to stop PITMAs
• Provider In The Middle Attacks
– Brad Hill pointed out that MITM isn’t exactly theoretical anymore…
– Neither is Ad Injection
– Luckily, the counsel I’ve spoken to does not appear to be amused.
38. Conclusions
• Even small amounts of failed net neutrality can lead to catastrophic side effects on Internet security
– Intent is not required to really break everything
• Security needs the lawyers
– Even if everything was 100% SSL, if the ISP could require code on the box, they could still bypass the crypto, and alter the content
– We need the precedent: You can host nothing. You can host something. But you can’t host something else.