DNS Tunnelling,
  its all in the name!




                    Arron “finux” Finnon

                         finux@finux.co.uk

                  http://www.finux.co.uk
Okay, DNS tunnelling sounds a little complicated. You won't need a hard
hat, a shovel or a drill, but you will need a shell account on a system
which allows you control over port 53.

However, it is very likely to be illegal unless it is in your own test
environment.
So who am I, and why am I here?

I ask the question every morning, I still haven't answered it, but I may
be able to answer it for you.

My name is Arron. I have been involved in ethical hacking for a number of
years. I'm currently at the University of Abertay Dundee as a student. I
have spent some time as a security consultant and independent researcher.
I have a reputation for being a little bit of a media/attention whore.

I agree with that statement, so much so that I have a weekly podcast
talking about geeky things: Finux Tech Weekly.

I have over the years given a number of talks on a range of things related
to hacking and security.
So where can you find me?


     Email – finux@finux.co.uk

 Twitter – www.twitter.com/f1nux &
  www.twitter.com/finuxtechweekly

Facebook – www.facebook.com/finux

  Podcast Site – www.finux.co.uk

          Skype – finux1
Talk Out Line
The History Involved

Technical Overview

Tools Available

Those that “Bob” told me are affected

A short how to on one set-up/configuration option

Other potential uses for DNS Tunnelling

Countermeasures

Links

Q&A
Disclaimer
Without doubt the legal implications of using the discussed techniques
are immense. If you use this to obtain “free Internet”, I would point out
that if you go to JAIL it's not very free, and of course it could quite
possibly cost you a career too.

If you have any doubt about the legality of what you are doing then STOP.

If you do use this to break the law, and you do get caught, you're totally
on your own; this is for educational purposes only. Feel free to let me
know though, it will make a great anecdote and I'm happy to write to you
during your stay.

However, as usual, to defend we must know how to attack.

“The art of war teaches us to rely not on the likelihood of the enemy's not
coming, but on our own readiness to receive him; not on the chance of his
not attacking, but rather on the fact that we have made our position
unassailable.” - Sun Tzu

Not if the hacker comes, but when they come...
Intended Audience
Here's the shock! Hackers! However, I mean the playful advocates of
technology when I use that term. I tend not to buy into the media
definition of it.

What I mean by hacker is: playful advocates of technology. If technical
things excite you, then this is for you.

I love security, I love hacking, I love taking things apart and I believe
it's a prerequisite for our trade.

As a good friend of mine, a long-haired geek that goes by the name of Pete
Wood (now chief of operations for First Base), puts it: if you weren't
electrocuted by the age of 10 this might not be the trade for you. I'm
proud to say I was shocked by 6, and I'll hazard a guess I'm not the only
one in this room.
A Small Intro
In September 2000 a post on the Slashdot website informed its readers of an
interesting use of DNS tunnelling for breaking out of locked-down networks.
It exploits the fact that most networks, regardless of their firewall or
their access control lists, still allow DNS lookups. Researchers found that
with crafted packets they could in fact establish bi-directional IP
traffic, and they delivered a protocol named NSTX.

However, the concept became more widely known when the respected DNS
security researcher Dan Kaminsky released his OzymanDNS tool at Black Hat
in 2005. Kaminsky, who in 2010 became one of ICANN's Trusted Community
Representatives for the DNSSEC root key, has an unparalleled reputation
when it comes to DNS security and its insecurities. Needless to say this
release caught the attention of many security researchers; worryingly,
nearly 11 years after the discovery and 6 years since the OzymanDNS
release, this weakness still lives on in a number of networks.

Although DNS tunnelling could be seen as a way to obtain free Internet on
captive portals, it is also an effective tool for data theft. It is hard to
imagine the limitations once this is mixed with shellcode: DNS tunnelling
could be used to reverse-connect shellcode from target to attacker, and the
tunnel's effectiveness at traversing NAT makes it a worthy deployment.
Some History
In 1987 the Domain Name System as we know it came into being, defined in
RFC 1035. It superseded RFCs 882, 883 and 973.

Around 13 years later a group of hackers started playing around with the
concept of DNS tunnelling, mainly to get free Internet over Microsoft's
PPP dial-in numbers, most of which allowed you to use a name server.

These hackers later developed the "NSTX protocol", meaning "Nameserver
Transfer Protocol", and in doing so finally managed to tunnel their net
connection over one of Microsoft's toll-free numbers in Germany.

Iodine later became popular due to its password authentication; however,
it is still very similar to NSTX.

However, as I have said, I think it fair to say that the concept grabbed
more attention when the respected breaker of DNS Dan Kaminsky released a
set of scripts at Black Hat 2005 which were written in Perl and in reality
very easy to deploy. For the purpose of today's talk I will focus on
OzymanDNS.
Technical Overview
Now we could take this from the standpoint of a captive portal, which
normally intercepts all web traffic until some sort of authentication is
achieved.

However, we regularly see that they still let DNS queries out. One way to
check this on a captive portal is to use dig, or nslookup if you're running
Windows, to look up a well-known external name. If you are handed back a
private address (the portal's own web server) then DNS is being intercepted
and you're out of luck; if you receive the real public IP address of the
domain in question then recursive DNS requests are getting out. That is all
a tunnel needs: the portal's resolver will forward any query for your
domain to whichever name server the delegation points at, so the decisive
test is to query a random label under a zone you control and watch your
own server's log for it.

So if we revisit how the Domain Name System is set up, we'll see that the
13 root name servers serve the root zone, which delegates the top-level
domains (TLDs) such as .com and .org to their own servers. The TLD servers
in turn delegate each registered domain, such as example.com, to its
authoritative name servers, and from there sub-domains such as
test.example.com can be delegated to yet another server. Each zone is
configured in a zone file, and each zone file holds a number of records.
Examples are an A record (an address record), a CNAME (an alias for
another name), an MX record for handling mail, an NS record which delegates
a sub-domain to another DNS server, and a TXT record which holds free-form
text. It is the last two record types that interest us.
Technical Overview
A domain name is limited to 255 octets on the wire (253 characters in the
usual dotted form), with each label between the dots limited to 63 octets.
A TXT record is built from character-strings, each of which is limited to
255 bytes, but a single record may carry several of them.

So it lies within these names and TXT records that we have the potential
to carry a payload of data in each direction.

If we encode our outbound data into a domain name of up to 255 bytes and
have it decoded back at our fake name server, and our fake name server
encodes its reply and delivers it in a TXT record, we now see the very
plausible avenue of transmitting data.
Technical Overview
So what we need in this situation is a fake name server listening on port
53, which will respond to requests, and a hostname which is in fact a
delegated NS record pointing to that fake DNS server. An example would be:

inbound.example.com is delegated to server.inbound.example.com

The records in the example.com zone file could look like this (note the
trailing dots; without them BIND appends the zone name to each name):

inbound.example.com.              IN   NS    server.inbound.example.com.
server.inbound.example.com.       IN   A     92.35.18.118

The NS record hands the inbound sub-domain to our fake name server, and the
A record is glue: because the name server's own name lies inside the zone
being delegated, the parent zone has to carry its address or a resolver
could never find it. Our client then makes its requests to names under the
inbound sub-domain.

Of course if you were using DynDNS.org it could be as simple as

inbound.example.com.              IN   NS    finux.dyndns.org.

with no glue needed, since the name server's name is outside the zone.
Technical Overview
Now a free account at DynDNS.org does not allow you to delegate name
servers. However, freedns.afraid.org does. I happen to prefer the update
client(s) on DynDNS, so I personally go for a freedns.afraid.org delegation
and point it at a DynDNS name. Personally I think this makes the set-up
slightly easier, and gives it an edge of portability.

Now all DNS tunnelling set-ups in some way rely on delegated name servers.
I admit I'm a Linux jock and so this configuration is based on my
experience with Linux; there are some links on how to do this with a
Windows set-up at the end. My advice would be to build a virtual machine
running Ubuntu/Debian, which of course will make its deployment in your
test environment pretty easy.
Technical Overview
As I have said, for today's purposes we'll be looking at Kaminsky's
OzymanDNS tool, in fact a revised version of it. OzymanDNS is broken down
into 4 Perl scripts. The server script is named nomde.pl; it listens on a
privileged port and so requires sufficient permissions to do it:

sudo ./nomde.pl -i 0.0.0.0 inbound.example.com

The above command sets the OzymanDNS server to listen on all interfaces
and answer requests for the sub-domain inbound.example.com.
Technical Overview
Now the OzymanDNS client, droute.pl, is written to encode/decode and pass
the data through STDIN/STDOUT, which on its own isn't overly useful;
however, combined with the SSH config option "ProxyCommand" it gives the
ease of use this set of scripts has become renowned for.

ssh -o ProxyCommand="./droute.pl sshdns.inbound.example.com" user@localhost

The user@localhost is from the server's point of view: nomde.pl hands the
tunnelled stream to the SSH daemon on the machine it runs on, so the
session's authentication and encryption come from SSH, not from the tunnel.

The upstream data sent out is encoded using Base32. Each fragment also
carries a sequence number and a session ID, because some DNS requests take
longer than others and UDP has no method of keeping them in order, plus
the keyword up or down indicating whether the traffic is up- or
downstream. Here is what an example request could look like:

ntez375sy2qk7jsg2og3eswo2jujscb3r43as6m6hl2wsxobm7h2olu4tmaq.lyazbf2e2rdynrd3fldvdy2w3tifigy2csrx3cqczxyhnxygor72a7fx47uo.nwqy4oa3v5rx66b4aek5krzkdm5btgz6jbiwd57ubnohnknpcuybg7py.63026-0.id-32227.up.sshdns.inbound.example.com
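As an added example, not code from the slides or from OzymanDNS itself (which is Perl), the following Python shows the upstream encoding that the request above illustrates and that the 255-byte limits two slides back constrain: the bytes are Base32-encoded (lower-case, padding dropped, because query names are case-insensitive), cut into labels of at most 63 characters and packed into names of at most 253 characters, which is the 255-octet wire limit minus the per-label length bytes and the root byte. The control fields `<seq>-<frag>.id-<session>.up.<zone>` follow the layout of the example request; treating the two numbers as a stream sequence number and a fragment index is an assumption, as is the per-query byte budget, which OzymanDNS may compute differently.

```python
import base64
import random
import re

# Limits from RFC 1035: a label is at most 63 octets and a whole name at most 255
# octets on the wire, which is 253 characters in dotted presentation form.
MAX_LABEL = 63
MAX_NAME = 253


def b32_encode(chunk: bytes) -> str:
    # DNS names are case-insensitive, so the upstream direction needs a case-free alphabet.
    return base64.b32encode(chunk).decode().rstrip("=").lower()


def b32_decode(text: str) -> bytes:
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))   # restore the padding


def bytes_per_query(suffix: str) -> int:
    # Largest number of raw bytes whose Base32 form, cut into 63-char labels,
    # still fits in front of "." + suffix within MAX_NAME characters.
    available = MAX_NAME - len(suffix) - 1
    best = 0
    while True:
        chars = -(-8 * (best + 1) // 5)            # Base32 chars for best+1 bytes
        labels = -(-chars // MAX_LABEL)
        if chars + labels - 1 > available:         # chars plus the dots between labels
            return best
        best += 1


def encode_upstream(data: bytes, zone: str, seq: int, session: int) -> list:
    # Assumed layout, inferred from the request in the slides:
    #   <data labels>.<seq>-<frag>.id-<session>.up.<zone>
    names, frag, pos = [], 0, 0
    while pos < len(data):
        suffix = f"{seq}-{frag}.id-{session}.up.{zone}"
        size = bytes_per_query(suffix)
        text = b32_encode(data[pos:pos + size])
        labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
        names.append(".".join(labels) + "." + suffix)
        pos += size
        frag += 1
    return names


def decode_upstream(name: str, zone: str) -> dict:
    # Server side: split the control fields off and recover the raw bytes.
    pattern = (r"^(?P<data>.+)\.(?P<seq>\d+)-(?P<frag>\d+)\.id-(?P<session>\d+)"
               r"\.(?P<dir>up|down)\." + re.escape(zone) + "$")
    m = re.match(pattern, name)
    if not m:
        raise ValueError(f"not a tunnel query: {name}")
    return {
        "data": b32_decode(m["data"].replace(".", "")),
        "seq": int(m["seq"]), "frag": int(m["frag"]),
        "session": int(m["session"]), "dir": m["dir"],
    }


def reassemble(names: list, zone: str) -> bytes:
    # Queries may arrive in any order over UDP; the fragment index restores the stream.
    parts = sorted((decode_upstream(n, zone) for n in names), key=lambda p: p["frag"])
    return b"".join(p["data"] for p in parts)


if __name__ == "__main__":
    zone = "inbound.example.com"
    payload = bytes(range(256)) * 3                 # constructed sample input
    queries = encode_upstream(payload, zone, seq=63026, session=32227)
    random.shuffle(queries)                         # simulate out-of-order arrival
    assert reassemble(queries, zone) == payload
    print(len(queries), "queries, longest name", max(map(len, queries)), "chars")
```

With that suffix the budget works out at 131 raw bytes per query, which is why a DNS tunnel's upstream direction is so much slower than its downstream: every 131 bytes costs a full round trip through the victim's resolver.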
Technical Overview
The response comes back as a DNS TXT record. Unlike a query name, which is
case-insensitive (hence Base32 upstream), a TXT record holds arbitrary
data, upper-case and lower-case letters as well as digits, so responses
come encoded with the denser Base64. Such a response might look like this;
the two quoted strings are two character-strings within one record, each
under the 255-byte limit, and the TTL of 0 stops resolvers caching it:

695-8859.id-39201.down.sshdns.inbound.example.com. 0 IN TXT
"AAAAlAgfAAAAgQDKrd3sFmf8aLX6FdU8ThUy3SRWGhotR6EsAavqHgBzH2khqsQHQjEf355jS7cTG+4a8kAmFVQ4mpEEJeBE6IyDWbAQ9a0rgOKcsaWwJ7GdngGm9jpvReXX7S/2oqAIUFCn0M8="
"MHw9tR0kkDVZB7RCfCOpjfHrir7yuiCbt7FpyX8AAAABBQAAAAAAAAAA"
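The downstream side, as an added Python example rather than the page's own code: it builds the RFC 1035 wire-format answer a fake name server would send for a TXT query, splits the Base64 payload into as many 255-byte character-strings as needed, and parses such a message back, which is what makes the "255 bytes per string, several strings per record" point concrete. Base64-encoding the whole chunk once and then splitting the text is this example's own choice; the slide's sample strings each end in their own padding, so OzymanDNS may encode them separately. The name is the one from the example above, the transaction id is made up, and the TTL of 0 is deliberate so that no resolver caches a reply.

```python
import base64
import struct

MAX_STRING = 255   # RFC 1035: a <character-string> is one length byte plus up to 255 bytes
TYPE_TXT, CLASS_IN = 16, 1


def encode_name(name: str) -> bytes:
    # Dotted name -> sequence of length-prefixed labels ending in the root (zero) byte.
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode()
        if len(raw) > 63:
            raise ValueError("label too long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def skip_name(msg: bytes, pos: int) -> int:
    # Return the offset just past a (possibly compressed) name starting at pos.
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + length


def build_txt_answer(txid: int, qname: str, payload: bytes) -> bytes:
    # Downstream data is Base64 (TXT is case-preserving, so the denser alphabet is fine),
    # cut into as many 255-byte character-strings as needed: the limit is per string.
    text = base64.b64encode(payload)
    strings = [text[i:i + MAX_STRING] for i in range(0, len(text), MAX_STRING)]
    rdata = b"".join(bytes([len(s)]) + s for s in strings)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA, NOERROR
    question = encode_name(qname) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    # Answer name is a pointer to offset 12 (the question name); TTL 0 defeats caching.
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 0, len(rdata)) + rdata
    return header + question + answer


def parse_txt_answer(msg: bytes) -> tuple:
    # Client side: walk the question and answer sections, collect every TXT string.
    txid, _flags, qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(msg, pos) + 4            # skip QTYPE and QCLASS
    strings = []
    for _ in range(ancount):
        pos = skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        end = pos + rdlen
        if rtype == TYPE_TXT:
            while pos < end:
                n = msg[pos]
                strings.append(msg[pos + 1:pos + 1 + n])
                pos += 1 + n
        pos = end
    return txid, strings


def decode_downstream(strings: list) -> bytes:
    return base64.b64decode(b"".join(strings))


if __name__ == "__main__":
    chunk = bytes(range(256)) + b"A" * 44          # constructed 300-byte downstream chunk
    msg = build_txt_answer(0x1234, "695-8859.id-39201.down.sshdns.inbound.example.com.", chunk)
    txid, strings = parse_txt_answer(msg)
    assert decode_downstream(strings) == chunk
    print(len(msg), "byte message,", [len(s) for s in strings], "byte strings")
```

The 300-byte chunk becomes a 481-byte message, just inside the 512-byte ceiling a plain UDP answer has without EDNS0; that ceiling, not the 255-byte string limit, is what really caps the downstream rate per query, which is why tunnels either negotiate EDNS0 or keep replies small.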
Technical Overview
So a quick recap of what is needed on our Debian-like system.

We need to install some Perl packages:

sudo apt-get install screen libnet-dns-perl libmime-base32-perl

In addition you may want to install ddclient as well and configure your
dynamic sub-domain to point at the server.

You'll also need to set up SSH.

You will want to download the OzymanDNS scripts; I have made the latest
version available on my site:

wget http://finux.co.uk/demos/software/OzymanDNS-Splitbrain-Version.tar.gz

As I have said, this version of OzymanDNS is revised, with the code cleaned
up by Andreas Gohr of the Splitbrain.org website:

http://www.splitbrain.org/blog/2008-11/02-dns_tunneling_made_simple
Technical Overview
Our client configuration is as follows:

sudo apt-get install libnet-dns-perl libmime-base32-perl

And then a simple command:

ssh -o ProxyCommand="./droute.pl sshdns.inbound.example.com" user@localhost
Tools Available
Iodine is based on NSTX, as I have mentioned. It works by creating a
virtual network interface (TUN/TAP) on both the server and the client, and
those two virtual interfaces communicate with each other over DNS; it runs
on Linux, the BSDs, Mac OS X and Windows.

Netcross is a little modular tool that might be useful in restricted
network connections.

DNSCat is basically netcat for DNS.
Those that “Bob” told me are affected
The Cloud network, such as the ones that cover Wetherspoons pubs and
McDonald's

BT Openzone

A certain university in north-east Scotland, which will soon be fixed

Interestingly, over 3G it has been reported that T-Mobile allow unfettered
DNS queries. This could in fact be false; however, if it's true then it's
really quite scary.

Eastern Trains

Remember it's easily tested: an nslookup or a dig should tell you within
seconds. Even if ping is blocked there is a good chance you can use a
lookup to determine whether the network is vulnerable, as it will still
return an IP address.
Other potential uses of DNS Tunnelling
As discussed, covert communications over an otherwise restricted channel.

Data theft: even where you do not allow any SSH, FTP, SFTP and so on,
scp works over the OzymanDNS set-up.

By far the craziest I have seen is delivering shellcode via DNS tunnels.

The interesting thing about tunnelling shellcode over DNS is that, for
starters, it makes any potential NAT issues null and void: the victim only
ever sends outbound queries through its own resolver, so nothing has to
connect in.

There are already a fair few PoCs that highlight this concept. I have been
reading recently about how we could use some of the Metasploit payloads
combined with DNSCat.

I have not had time to play anywhere near as much with this as I would
have liked to. But needless to say I'm sure I'll get my chance.
Countermeasures
The best way of detecting DNS tunnelling is by performing statistical
anomaly detection on the network.

Some characteristics of a DNS tunnel include:

High volume of DNS requests from internal clients where few usually take
place

Significant difference in the format of these lookups compared to regular
ones, e.g. long, high-entropy Base32 and Base64 labels, and a stream of
never-repeated names under one domain

The total amount of data transferred over port 53 is much higher than
usual

DNS tunnelling could actually be one of the best covert channels ever
designed. In general it proves quite challenging to stop this traffic, as
there is no single packet-level indicator that says "IP over DNS". There
are however a number of ways to mitigate the threat to a certain degree.
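To make those characteristics concrete, here is an added Python example (not from the slides) that profiles a constructed query log per client and flags the ones that look like a tunnel: long, high-entropy first labels, a stream of never-repeated names under one zone, and a high share of TXT lookups. The thresholds, the log format (timestamp, client, query type, name) and the sample lines are all assumptions chosen for illustration. The "chatty but normal" client is there to show the point made later in the talk about lookups to Google: raw volume on its own is not a signal, which is why the example requires at least two indicators before it reports anything.

```python
import math
import random
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    # Bits per character; random Base32/Base64 blobs sit near 4.5-5, real hostnames well below 3.
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def parse_line(line: str) -> tuple:
    # Assumed log format: "<timestamp> <client-ip> <qtype> <qname>"
    _ts, client, qtype, qname = line.split()
    return client, qtype, qname.rstrip(".").lower()


def zone_key(qname: str, depth: int = 2) -> str:
    # Crude "registered domain": the last two labels (ignores public-suffix cases such as .co.uk).
    return ".".join(qname.split(".")[-depth:])


def profile_clients(lines) -> dict:
    stats = defaultdict(lambda: {"queries": 0, "txt": 0, "len_sum": 0,
                                 "ent_sum": 0.0, "names": defaultdict(set)})
    for line in lines:
        client, qtype, qname = parse_line(line)
        s = stats[client]
        s["queries"] += 1
        s["txt"] += qtype == "TXT"
        s["len_sum"] += len(qname)
        s["ent_sum"] += shannon_entropy(qname.split(".")[0])
        s["names"][zone_key(qname)].add(qname)
    return stats


def suspicious_clients(lines, min_queries=20, max_avg_len=52,
                       max_entropy=3.5, max_unique_ratio=0.5) -> list:
    # A client is reported only when at least two independent indicators fire.
    findings = []
    for client, s in profile_clients(lines).items():
        if s["queries"] < min_queries:
            continue
        avg_len = s["len_sum"] / s["queries"]
        avg_ent = s["ent_sum"] / s["queries"]
        busiest_zone, names = max(s["names"].items(), key=lambda kv: len(kv[1]))
        unique_ratio = len(names) / s["queries"]
        reasons = []
        if avg_len > max_avg_len:
            reasons.append(f"average name length {avg_len:.0f}")
        if avg_ent > max_entropy:
            reasons.append(f"first-label entropy {avg_ent:.2f} bits")
        if unique_ratio > max_unique_ratio:
            reasons.append(f"{len(names)} distinct names under {busiest_zone}")
        if s["txt"] / s["queries"] > 0.5:
            reasons.append("mostly TXT lookups")
        if len(reasons) >= 2:
            findings.append((client, reasons))
    return findings


def sample_log() -> list:
    # Constructed sample input, deterministic so the result is reproducible.
    rng = random.Random(7)
    lines = []
    # 10.0.0.5: a chatty but normal client, many repeated lookups of the same few names.
    for i in range(60):
        name = rng.choice(["www.google.com", "mail.google.com", "ssl.gstatic.com"])
        lines.append(f"2011-05-01T10:00:{i % 60:02d} 10.0.0.5 A {name}")
    # 10.0.0.9: tunnel client, every query a fresh Base32 blob under one delegated zone.
    alphabet = "abcdefghijklmnopqrstuvwxyz234567"
    for i in range(40):
        blob = "".join(rng.choice(alphabet) for _ in range(60))
        lines.append(f"2011-05-01T10:01:{i % 60:02d} 10.0.0.9 TXT "
                     f"{blob}.{i}-0.id-32227.up.sshdns.inbound.example.com")
    return lines


if __name__ == "__main__":
    for client, reasons in suspicious_clients(sample_log()):
        print(client, "->", "; ".join(reasons))
```

The distinct-names ratio is the indicator that survives the Google objection: a busy client repeats the same handful of names all day, whereas a tunnel never asks the same question twice, because the name is the data. The numbers and sample data are of course illustrative; real thresholds come from a baseline of your own resolver logs, and a slow tunnel that spreads its queries out will need the window widened.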
Countermeasures
If you are running a for-a-fee access point, consider having your DNS
server answer all queries with a local IP address until payment has been
completed. Only afterwards should a client be able to perform DNS lookups
that your server resolves out to the Internet.

Many organisations currently do this by having HTTP requests rewritten to
a local web server on which payment is due. This however still allows the
client to resolve external domains, and as such does not close the covert
channel.

A potential solution is to set up a BIND server which has a local zone for
every TLD (IANA publishes the current list at
http://data.iana.org/TLD/tlds-alpha-by-domain.txt).

Set up a wildcard entry in each of these zones that points to your local
web server that processes payments.

Requests for any other domains or zones should not be handled recursively.
Remember also to force all port 53 traffic through that server at the
firewall, otherwise a client simply points itself at an external resolver.
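As an added example, not configuration from the slides, here is a BIND named.conf sketch of that walled garden. Unpaid clients are served by a view that is authoritative for every TLD (one zone statement per TLD from the IANA list, two shown) and has recursion switched off, so every name resolves to the payment server and nothing is ever forwarded to an attacker's name server; paid clients fall into a view with normal recursion. The "paid" ACL, the 10.0.0.1 payment server and the portal.local names are placeholders, and the mechanism for rewriting the ACL after payment (regenerating the file and running rndc reload) is assumed.

```bind
// /etc/bind/named.conf (added example; names and addresses are placeholders)
acl "paid" { 10.1.2.3; 10.1.2.4; };     // rewritten by the payment system, then "rndc reload"

view "unpaid" {
    match-clients { !paid; any; };
    recursion no;                       // nothing is ever looked up on the Internet
    // one zone statement per TLD from the IANA list; two shown
    zone "com" { type master; file "/etc/bind/db.walled"; };
    zone "org" { type master; file "/etc/bind/db.walled"; };
};

view "paid" {
    match-clients { paid; };
    recursion yes;                      // a normal resolver once payment has cleared
};

// ---- /etc/bind/db.walled (zone-file syntax; ';' starts a comment) ----
// $TTL 60
// @   IN SOA  ns.portal.local. hostmaster.portal.local. ( 1 3600 600 86400 60 )
//     IN NS   ns.portal.local.
// *   IN A    10.0.0.1            ; the local web server where payment is due
```

The short TTL matters: once a client pays, the wildcard answers it cached expire within a minute and real resolution takes over. Note that the wildcard only defines an A record, so a TXT or NS query for a tunnel's zone gets an empty NOERROR answer from the same local server; either way the query never leaves the network.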
Countermeasures
One solution which is sometimes considered is to deny all queries for TXT
records.

The impact of this would in most cases be limited, although certain
functionality (such as SPF) may break.

In general only your incoming mail server will need to perform these
lookups; given a split-DNS service on multiple servers, it should be
feasible to work around this issue.

There are precious few reasons why the average internal client should be
able to perform lookups for TXT records.

This approach is however fairly naive, as tunnelling will still be possible
through other record types (NULL, CNAME, MX and even A records can all
carry downstream data, if less of it per answer).

You will not be able to disable those others, such as CNAME, due to the
heavy production impact.

Remember that blocking a domain name after X lookups within a period seems
a good idea, until you think about the lookups your organisation makes to
Google in an hour.
Conclusions
In conclusion, I haven't really scratched the surface of what can be done
here.

The reality of it is, if you're not looking at your DNS traffic then
someone else may well be.

It still has the potential to be one of the best covert channels going and
can be technically very difficult to detect.

The uses for this are really limited by your imagination.

If you can use this with 3G technology then it could make somewhat of a
lethal weapon.

However, some forethought about what you could and should expect on your
network goes a long way.

You may think this connection would be slow, but within my links is a paper
showing speeds of up to 110 kilobytes a second.
Links
Slashdot article on NSTX
http://slashdot.org/articles/00/09/10/2230242.shtml

Kaminsky's Wikipedia page
http://en.wikipedia.org/wiki/Dan_Kaminsky

Kaminsky's release of the tools he developed
http://dankaminsky.com/2004/07/29/51/

Kaminsky's Black Hat paper
http://www.doxpara.com/slides/BH_EU_05-Kaminsky.pdf

Splitbrain's write-up of the revised OzymanDNS scripts used in this talk
http://www.splitbrain.org/blog/2008-11/02-dns_tunneling_made_simple

Very good guide on setting up DNS tunnels
http://dnstunnel.de/

IVC wiki article on DNS tunnelling
http://beta.ivc.no/wiki/index.php/DNS_Tunneling

Another guide to tunnelling over DNS
http://www.h-i-r.net/2010/03/dns-tunneling-part-1-intro-and.html

Black Hat paper on reverse DNS tunnelling shellcode (Ty Miller)
http://www.blackhat.com/presentations/bh-usa-08/Miller/BH_US_08_Ty_Miller_Reverse_DNS_Tunneling_Shellcode.pdf

Heyoka paper
http://shakacon.org/talks/Revelli-Leidecker_Heyoka.pdf

Further guides to configuring OzymanDNS, for Windows-type systems
http://cyberphob1a.wordpress.com/2008/02/10/dns-tunneling-part-i/
http://cyberphob1a.wordpress.com/2008/02/11/speeding-up-dns-tunneling/
http://cyberphob1a.wordpress.com/2008/03/08/dns-tunneling-updated-source/

DNS RFC
ftp://ftp.rfc-editor.org/in-notes/rfc1035.txt

Another TCP-over-DNS tool, this one in Java instead of Perl
http://analogbit.com/tcp-over-dns_howto

Presentation side note: speeding up Firefox for low-bandwidth carriers
http://www.ghacks.net/2008/07/13/optimize-firefox-for-low-traffic-volumes/

DNScat as a payload with Metasploit
http://www.skullsecurity.org/blog/2010/weaponizing-dnscat-with-shellcode-and-metasploit

Reverse DNS Tunneling Shellcode (v0.3) technical details
http://projectshellcode.com/?q=node/2

Tutorial on dns2tcp, written by two engineers at HSC, a French security
company
http://blog.rootshell.be/2007/03/22/dns2tcp-how-to-bypass-firewalls-or-captive-portals/
http://www.hsc.fr/ressources/outils/dns2tcp/download/

Traffic analysis approach to detecting DNS tunnels
http://blog.vorant.com/2006/05/traffic-analysis-approach-to-detecting.html

Tunneling shit over DNS (forum thread)
http://www.modacity.net/forums/showthread.php?19755-Tunneling-shit-over-DNS
Questions & Answers




  ?
Thank You For Your Time

        I hope it has been of interest

Please feel free to come grab me later for a
                     chat

      Don't forget to listen to the show
              www.finux.co.uk

On a side note, I have never been on a night
               out in London.

    So I'll apologise for tonight tomorrow
                    morning

 
Dns and irc
Dns and ircDns and irc
Dns and irc
ZekriaMuzafar
 

Similar to Dns tunnelling its all in the name (20)

Domain Name System
Domain Name SystemDomain Name System
Domain Name System
 
Domain Key Infrastructure (From Black Hat USA)
Domain Key Infrastructure (From Black Hat USA)Domain Key Infrastructure (From Black Hat USA)
Domain Key Infrastructure (From Black Hat USA)
 
Phreebird Suite 1.0: Introducing the Domain Key Infrastructure
Phreebird Suite 1.0:  Introducing the Domain Key InfrastructurePhreebird Suite 1.0:  Introducing the Domain Key Infrastructure
Phreebird Suite 1.0: Introducing the Domain Key Infrastructure
 
DDoS mitigation in the real world
DDoS mitigation in the real worldDDoS mitigation in the real world
DDoS mitigation in the real world
 
Black Ops of Fundamental Defense:
Black Ops of Fundamental Defense:Black Ops of Fundamental Defense:
Black Ops of Fundamental Defense:
 
Dmk Bo2 K7 Web
Dmk Bo2 K7 WebDmk Bo2 K7 Web
Dmk Bo2 K7 Web
 
Design Reviewing The Web
Design Reviewing The WebDesign Reviewing The Web
Design Reviewing The Web
 
Lecture17
Lecture17Lecture17
Lecture17
 
DNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallDNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael Casadevall
 
Is DNS a Part of Your Cyber Security Strategy?
Is DNS a Part of Your Cyber Security Strategy? Is DNS a Part of Your Cyber Security Strategy?
Is DNS a Part of Your Cyber Security Strategy?
 
Understanding DNS Security
Understanding DNS SecurityUnderstanding DNS Security
Understanding DNS Security
 
DNSSEC and VoIP: Who are you really calling?
DNSSEC and VoIP: Who are you really calling?DNSSEC and VoIP: Who are you really calling?
DNSSEC and VoIP: Who are you really calling?
 
(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon
(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon
(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon
 
Bo2004
Bo2004Bo2004
Bo2004
 
Network Security R U Secure???
Network Security R U Secure???Network Security R U Secure???
Network Security R U Secure???
 
Detecting dns-tunneling-34152
Detecting dns-tunneling-34152Detecting dns-tunneling-34152
Detecting dns-tunneling-34152
 
DNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorDNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense Vector
 
5.Dns Rpc Nfs 2
5.Dns Rpc Nfs 25.Dns Rpc Nfs 2
5.Dns Rpc Nfs 2
 
5.Dns Rpc Nfs
5.Dns Rpc Nfs5.Dns Rpc Nfs
5.Dns Rpc Nfs
 
Dns and irc
Dns and ircDns and irc
Dns and irc
 

More from Security BSides London

Dns tunnelling its all in the name

  • 1. DNS Tunnelling, its all in the name! Arron “finux” Finnon finux@finux.co.uk http://www.finux.co.uk
  • 2. Okay, DNS Tunnelling sounds a little complicated. You won't need a hard hat, a shovel or a drill, but you will need a shell account on a system which allows you control over port 53
  • 3. However, it is very likely that it is illegal unless it is in your own test environment
  • 4. So who am I, and why am I here?
     I ask the question every morning, I still haven't answered it, but I may be able to answer it for you.
     My name is Arron, I have been involved in ethical hacking for a number of years. I'm currently at The University of Abertay Dundee as a student. I have spent some time as a security consultant, and independent researcher. I have a reputation as being a little bit of a media/attention whore.
     I agree with that statement, so much so that I have a weekly podcast talking about geeky things: Finux Tech Weekly.
     I have over the years given a number of talks on a range of things related to hacking and security.
  • 5. So where can you find me? Email – finux@finux.co.uk Twitter – www.twitter.com/f1nux & www.twitter.com/finuxtechweekly Facebook – www.facebook.com/finux Podcast Site – www.finux.co.uk Skype – finux1
  • 6. Talk Outline
     The History Involved
     Technical Overview
     Tools Available
     Those that “Bob” told me are affected
     A short how-to on one set-up/configuration option
     Other potential uses for DNS Tunnelling
     Countermeasures
     Links
     Q&A
  • 7. Disclaimer
     Without doubt the legal implications of using the discussed techniques are immense. If you use this to obtain “Free Internet”, I would point out that if you go to JAIL it's not very free, and of course it could quite possibly cost you a career too.
     If you have any doubt about the legalities of what you are doing then STOP it.
     If you do use this to break the law, and you do get caught, you're totally on your own; this is for educational purposes only. Feel free to let me know though, it will make a great anecdote and I'm happy to write to you during your stay.
     However, as usual, to defend we must know how to attack.
     “The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.” - Sun Tzu
     Not if the hacker comes, but when they come......
  • 8. Intended Audience
     Here's the shock! Hackers! However, I mean the playful advocates of technology when I use that term; I tend not to buy into the media definition of it. What I mean by hacker is: playful advocates of technology. If technical things excite you, then this is for you.
     I love security, I love hacking, I love taking things apart and I believe it's a prerequisite for our trade. As a good friend of mine, who is now the chief of operations for First Base, a long-haired geek that goes by the name of Pete Wood, puts it: if you weren't electrocuted by the age of 10 this might not be the trade for you. I'm proud to say I was shocked by 6, and I'll hazard a guess I'm not the only one in this room.
  • 9. A Small Intro
     In September 2000 a post on the Slashdot website informed its readers of an interesting use of DNS tunnelling for breaking out of locked-down networks. It relies on the fact that most networks, regardless of their firewall or access control lists, will still allow DNS look-ups. Researchers found that with crafted packets they could in fact establish bi-directional IP traffic, and they delivered a protocol named NSTX.
     However, the concept became more widely established when the respected DNS security researcher Dan Kaminsky released his Ozyman tool at Black Hat in 2005. Kaminsky, who in 2010 became one of ICANN's Trusted Community Representatives for the DNSSEC root zone key, has an unparalleled reputation when it comes to DNS security and its insecurities. Needless to say this release caught the attention of many security researchers; worryingly, nearly 11 years after the discovery and 6 years since Kaminsky's Ozyman tool release, this weakness still lives on in a number of networks.
     Although DNS tunnelling could be seen as a way to obtain free Internet on captive portals, it is also an effective tool for data theft. It is hard to see the limits once it is combined with shellcode: DNS tunnelling could be used to reverse-connect a shellcode from target to attacker, and because every packet of the tunnel is an ordinary outbound DNS query it traverses NAT like any other look-up, which makes it a worthy deployment.
  • 10. Some History
     The domain name protocol basically came to life in 1987, when it was defined in RFC 1034 and RFC 1035, superseding RFCs 882, 883 and 973. Around 13 years later a group of hackers started playing around with the concept of DNS tunnelling, mainly to get free Internet access over Microsoft's PPP dial-in numbers, most of which let the caller use a name server. These hackers went on to develop the "NSTX protocol", meaning "Nameserver Transfer Protocol", and in doing so finally managed to tunnel their net connection over one of Microsoft's toll-free numbers in Germany.
     Iodine later became popular due to its password authentication; however it was still very similar to NSTX.
     As I have said, I think it is fair to say that the concept grabbed more attention when the respected breaker of DNS, Dan Kaminsky, released a set of scripts at Black Hat 2005 which were written in Perl and in reality very easy to deploy. For the purpose of today's talk I will focus on OzymanDNS.
  • 11. Technical Overview
     Now we could take this from the standpoint of a captive portal, which normally intercepts all web traffic until some sort of authentication is achieved. However, we regularly see that they still allow DNS queries. One way to check this on a captive portal is to use dig, or nslookup if you are running Windows, to look up a well-known name. If you are handed a private address, you are out of luck: the portal's resolver is answering every look-up itself. If you receive the real IP address of the domain in question, then DNS requests are allowed out.
     So if we revisit how the Domain Name System is set up: the 13 root name servers serve the root zone, which delegates the top-level domains (TLDs) such as .com and .org to the TLD name servers. Those in turn delegate second-level domains such as example.com to the domain owner's own name servers, which can delegate sub-domains such as test.example.com to yet another server. Each zone is configured in a zone file, and each zone file has a number of records configured within it. An A record (an address record) maps a name to an IP address; a CNAME is an alias for another name; an MX record names the host handling mail for the domain; an NS record delegates a sub-domain to another DNS server; and a TXT record holds free-form text. It is the last two record types that interest us.
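The quick test described on this slide, as an added example that is not part of the original talk: it resolves a name through whichever resolver the network handed out and classifies the answer the way the slide does. The probe name www.example.com is an assumption; any well-known public host will do.

```python
"""Captive-portal DNS probe.

Added example (not part of the original slides): resolve a name through
whichever resolver the network handed out and classify the answer. A
private, loopback or link-local address means the portal is answering every
look-up itself; a public address means the query left the network.
PROBE_NAME is an assumption; any well-known public host will do.
"""
import ipaddress
import socket

PROBE_NAME = "www.example.com"   # assumed probe target, chosen for this example


def classify_answer(addr: str) -> str:
    """'intercepted' for an address a portal would hand out locally,
    'external' for a globally routable one."""
    ip = ipaddress.ip_address(addr)
    # ipaddress also treats documentation ranges (192.0.2.0/24 etc.) as
    # private; that does no harm here, a real answer never lands there.
    if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified:
        return "intercepted"
    return "external"


def probe(name: str = PROBE_NAME) -> dict:
    """Resolve `name` with the system resolver and classify every answer.
    Returns {'answers': [...], 'verdict': 'external'|'intercepted'|'unresolved'}."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return {"answers": [], "verdict": "unresolved"}
    answers = sorted({info[4][0] for info in infos})
    verdicts = {classify_answer(a) for a in answers}
    # One real answer is enough: it proves a query reached the outside world.
    verdict = "external" if "external" in verdicts else "intercepted"
    return {"answers": answers, "verdict": verdict}


if __name__ == "__main__":
    result = probe()
    print(f"{PROBE_NAME}: {result['answers']} -> {result['verdict']}")
```

An "external" verdict only tells you that look-ups are being forwarded. The stronger test, which the set-up on the following slides depends on anyway, is to query a name under a zone you control and watch your own name server's log for the request arriving.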
  • 12. Technical Overview
     A domain name can only be 255 octets long on the wire (253 printable characters once the length bytes are accounted for), and each label between the dots is limited to 63 octets. Each string within a TXT record is likewise limited to 255 bytes, although one TXT record may carry several such strings. So it is within these limits that the potential lies for delivering a payload of data back inside one of these records. If we can encode a formatted domain name request up to the maximum length and have it decoded back at our fake domain name server, and our fake domain name server can encode its response and deliver it via a TXT record, we now see a very plausible avenue for transmitting data.
  • 13. Technical Overview
     So what we need in this situation is a fake domain name server listening on port 53 which will respond to requests, and a host name which is in fact a delegated NS record pointing at that fake DNS server. An example would be: inbound.example.com delegated to server.inbound.example.com. The relevant lines of the example.com zone file could look like this:
        inbound.example.com.         IN NS  server.inbound.example.com.
        server.inbound.example.com.  IN A   92.35.18.118
     The A record (a glue record, needed because the name server's own name lives inside the zone being delegated) points to our fake domain name server, and our client makes its requests under the inbound sub-domain. Of course, if you were using DynDNS.org it could be as simple as:
        inbound.example.com.         IN NS  finux.dyndns.org.
     with no glue needed, since finux.dyndns.org resolves through DynDNS's own servers.
  • 14. Technical Overview
     Now a free account at DynDNS.org does not allow you to delegate name servers. However, freedns.afraid.org does. I happen to prefer the update client(s) on DynDNS, so I personally go for a freedns.afraid.org sub-domain and point its NS record at a DynDNS host name. Personally I think this makes the set-up slightly easier, and gives it an edge of portability. All DNS tunnelling set-ups rely in some way on a delegated name server: the queries have to be routed, by the normal resolution process, to a server you control.
     Now I admit I'm a Linux jock and so this configuration is based on my experience with Linux; there are some links on how to do this with a Windows set-up at the end. My advice to you would be to build a virtual machine running Ubuntu/Debian, which will make deployment in your test environment pretty easy.
  • 15. Technical Overview
     As I have said, for today's purpose we'll be looking at Kaminsky's OzymanDNS tool, in fact a revised version of it. OzymanDNS is broken down into 4 Perl scripts. The server script is named nomde.pl; it listens on port 53, a privileged port, and so needs root (or the equivalent) to bind it:
        sudo ./nomde.pl -i 0.0.0.0 inbound.example.com
     The above command sets the OzymanDNS server to listen on all interfaces and answer requests for the sub-domain inbound.example.com.
  • 16. Technical Overview
     Now the OzymanDNS client is written to encode/decode and send the responses back via STDOUT, which isn't overly useful on its own; combined with the SSH config option "ProxyCommand", however, it gives the ease of use this set of scripts has become renowned for:
        ssh -o ProxyCommand="./droute.pl sshdns.inbound.example.com" user@localhost
     (localhost here is from the point of view of nomde.pl, which hands the tunnelled connection to the SSH daemon on the server it runs on.)
     The upstream data is sent out encoded in Base32. After the data labels come counter and identifier labels (63026-0.id-32227 in the example below): DNS runs over UDP, which gives no ordering or delivery guarantees, and some requests take longer than others, so the server needs these to match up and reorder the pieces. Then comes one of the keywords up or down, indicating whether the traffic is up- or downstream. Here is what an example request could look like:
        ntez375sy2qk7jsg2og3eswo2jujscb3r43as6m6hl2wsxobm7h2olu4tmaq.lyazbf2e2rdynrd3fldvdy2w3tifigy2csrx3cqczxyhnxygor72a7fx47uo.nwqy4oa3v5rx66b4aek5krzkdm5btgz6jbiwd57ubnohnknpcuybg7py.63026-0.id-32227.up.sshdns.inbound.example.com
     Note that each data label stays within the 63-character label limit and the whole name within the 255-octet limit from slide 12.
  • 17. Technical Overview
     The response comes back as a DNS TXT record. A TXT record can hold arbitrary printable data, upper-case letters as well as lower-case letters and digits, so the downstream direction can use the denser Base64 (domain names are case-insensitive, which is why the upstream direction has to make do with Base32). Such a response might look like this:
        695-8859.id-39201.down.sshdns.inbound.example.com. 0 IN TXT "AAAAlAgfAAAAgQDKrd3sFmf8aLX6FdU8ThUy3SRWGhotR6EsAavqHgBzH2khqsQHQjEf355jS7cTG+4a8kAmFVQ4mpEEJeBE6IyDWbAQ9a0rgOKcsaWwJ7GdngGm9jpvReXX7S/2oqAIUFCn0M8=" "MHw9tR0kkDVZB7RCfCOpjfHrir7yuiCbt7FpyX8AAAABBQAAAAAAAAAA"
     Two things to notice: the payload is carried in two quoted strings (a TXT record may hold several, each limited to 255 bytes), and the TTL is 0 so that no resolver along the path caches the answer and serves a stale one to the next request.
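To make the 255-octet and 63-octet limits from slide 12 and the two encodings concrete, here is a toy implementation of the framing that the query on slide 16 and the TXT answer above illustrate. It is an added example and not OzymanDNS's own code: the label layout data.seq.id-session.up.domain is simplified from the example query, the session and sequence values are made up, and the real droute.pl/nomde.pl wire format is not reproduced.

```python
"""Toy DNS-tunnel framing, modelled on the query and TXT response on the
slides. Added example, not OzymanDNS's own code: the layout
<data labels>.<seq>.id-<session>.up.<domain> is a simplification of the
example query, and the real droute.pl/nomde.pl format is not reproduced.
"""
import base64
import os

MAX_LABEL = 63          # RFC 1035: one label is at most 63 octets
MAX_NAME = 253          # 255 octets on the wire = 253 printable characters
MAX_TXT_STRING = 255    # one <character-string> inside a TXT RDATA


def upstream_capacity(domain: str, seq: int, session: int) -> int:
    """Raw bytes that fit in one query name under `domain`."""
    suffix = f".{seq}.id-{session}.up.{domain}"
    room = MAX_NAME - len(suffix)          # characters left for data labels
    if room <= 0:
        return 0
    chars = room
    # n data characters need (n-1)//63 dots between their labels
    while chars + (chars - 1) // MAX_LABEL > room:
        chars -= 1
    return (chars // 8) * 5                # whole 5-byte Base32 groups


def encode_upstream(payload: bytes, domain: str, seq: int, session: int) -> str:
    """Client side: Base32 (names are case-insensitive, so Base64 is unsafe
    here) split into <=63-char labels with the control labels appended."""
    if len(payload) > upstream_capacity(domain, seq, session):
        raise ValueError("payload does not fit in one query name")
    b32 = base64.b32encode(payload).decode().rstrip("=").lower()
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    name = ".".join(labels + [str(seq), f"id-{session}", "up", domain])
    assert len(name) <= MAX_NAME
    return name


def decode_upstream(qname: str, domain: str) -> tuple[int, int, bytes]:
    """Server side: strip the zone suffix, read the control labels, re-join
    the data labels and undo the Base32. Returns (seq, session, payload)."""
    if not qname.lower().endswith("." + domain.lower()):
        raise ValueError("query is not under our delegated zone")
    labels = qname[: -len(domain) - 1].split(".")
    *data, seq, session, direction = labels
    if direction != "up" or not session.startswith("id-"):
        raise ValueError("unexpected control labels")
    b32 = "".join(data).upper()
    b32 += "=" * (-len(b32) % 8)           # restore the stripped padding
    return int(seq), int(session[3:]), base64.b32decode(b32)


def encode_downstream(payload: bytes) -> list[str]:
    """Server side: Base64 into the TXT RDATA as <=255-byte strings, like
    the quoted strings in the slide's dig output."""
    b64 = base64.b64encode(payload).decode()
    return [b64[i:i + MAX_TXT_STRING] for i in range(0, len(b64), MAX_TXT_STRING)]


def decode_downstream(strings: list[str]) -> bytes:
    """Client side: concatenate the TXT strings and undo the Base64."""
    return base64.b64decode("".join(strings))


if __name__ == "__main__":
    domain, session = "sshdns.inbound.example.com", 32227   # made-up values
    cap = upstream_capacity(domain, 0, session)
    chunk = os.urandom(cap)                                  # constructed payload
    qname = encode_upstream(chunk, domain, 0, session)
    print(f"{cap} bytes per query, name length {len(qname)}:\n{qname}")
    assert decode_upstream(qname, domain) == (0, session, chunk)
    txt = encode_downstream(b"S" * 400)
    print("TXT string lengths:", [len(s) for s in txt])
    assert decode_downstream(txt) == b"S" * 400
```

Two details worth noticing: domain names are case-insensitive (and some resolvers randomise the case of queries), so the upstream direction is stuck with Base32 at 5 bits per character while the TXT answer can carry Base64 at 6; and with a 26-character zone name only 130 bytes fit in a query, which is why the tunnel is so chatty and why the query counts on the countermeasures slide are such a good indicator.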
  • 18. Technical Overview
     So a quick recap of what is needed on our Debian-like system. We need to install some Perl packages:
        sudo apt-get install screen libnet-dns-perl libmime-base32-perl
     In addition you may want to install ddclient as well and configure your dynamic sub-domain to point to the server. You'll also need to set up SSH.
     You will want to download the OzymanDNS scripts; I have made the latest version available on my site:
        wget http://finux.co.uk/demos/software/OzymanDNS-Splitbrain-Version.tar.gz
     Now as I have said, this version of OzymanDNS is revised and the code cleaned up by Andreas Gohr of the Splitbrain.org website: http://www.splitbrain.org/blog/2008-11/02-dns_tunneling_made_simple
  • 19. Technical Overview
     Our client configuration is as follows:
        sudo apt-get install libnet-dns-perl libmime-base32-perl
     And then a simple command:
        ssh -o ProxyCommand="./droute.pl sshdns.inbound.example.com" user@localhost
  • 20. Tools Available
     Iodine follows the NSTX approach, as I have mentioned: it works by creating a virtual network interface on both the server and the client, and those two virtual interfaces communicate with each other through the tunnel, so it carries IP rather than a single connection.
     Netcross is a little modular tool that might be useful on restricted network connections.
     DNSCat is basically netcat for DNS.
  • 21. Those that “Bob” told me are affected
     The Cloud Network – such as the ones that cover Wetherspoons pubs and McDonald's
     BT Openzone
     A certain university in North East Scotland – which will soon be fixed
     Interestingly, over 3G it has been reported that T-Mobile allow unfettered DNS queries. This could in fact be false; however, if it's true then it is really quite scary.
     Eastern Trains
     Remember it's easily tested: an nslookup or a dig should tell you within seconds. Even if ping is blocked there is a good chance you could use that to determine if the network is vulnerable to attack, as it will still obtain an IP address.
  • 22. Other potential uses of DNS Tunnelling
     As discussed, covert communications over an otherwise restricted channel.
     Data theft, as in: you do not allow any SSH, FTP, SFTP and so on and so forth, yet scp works over the OzymanDNS set-up because it rides on the SSH session.
     By far the craziest I have seen is to deliver shellcode via DNS tunnels. The interesting thing about tunnelling a shellcode over DNS is, for starters, that it renders null and void any potential NAT issues. There are already a fair few PoCs that highlight this concept. I have been reading recently about how we could use some of the Metasploit payloads combined with DNSCat. I have not had time to play anywhere near as much with this as I would have liked to, but needless to say I'm sure I'll get my chance.
  • 23. Countermeasures
     The best way of detecting DNS tunnelling is by performing statistical anomaly detection on the network. Some characteristics of a DNS tunnel include:
     High volume of DNS requests from internal clients where few usually take place
     Significant difference in the format of these look-ups compared to regular ones, i.e. Base32 and Base64 encoded labels
     The total amount of data transferred over port 53 is much higher than usual
     DNS tunnelling could actually be one of the best covert channels ever designed. In general it proves quite challenging to stop this traffic, as there is no specific indication that it concerns IP over DNS tunnelling. There are however a number of ways to mitigate the threat to a certain degree.
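The three characteristics above turned into a scoring pass over a resolver query log, as an added example that is not from the talk: a small log is constructed inline, its one-line-per-query format is invented for the example, and the thresholds are starting points to tune against your own baseline rather than values the slides give.

```python
"""Statistical spotting of DNS-tunnel traffic in a resolver query log.

Added example, not from the original slides. Each (client, zone) pair is
scored on query volume, the shape of the labels below the zone (length and
character entropy, which is what Base32/Base64 data looks like) and bytes
moved over port 53. The "<client> <qname> <qtype> <bytes>" format and the
sample lines are constructed; adapt parse_line() to your resolver's log.
"""
import math
from collections import defaultdict

# Constructed sample: a normal client (10.0.0.5) and a tunnelling client
# (10.0.0.9) whose names follow the query layout shown on slide 16.
SAMPLE_LOG = """\
10.0.0.5 www.google.com A 58
10.0.0.5 mail.google.com A 60
10.0.0.5 docs.google.com A 60
10.0.0.5 drive.google.com A 61
10.0.0.5 calendar.google.com A 64
10.0.0.5 accounts.google.com A 64
10.0.0.5 apis.google.com A 60
10.0.0.5 _spf.google.com TXT 310
10.0.0.5 www.bbc.co.uk A 56
10.0.0.9 ntez375sy2qk7jsg2og3eswo2jujscb3r43as6m6hl2wsxobm7h2olu4tmaq.63026-0.id-32227.up.sshdns.inbound.example.com TXT 140
10.0.0.9 q7xk2mz4hd6ytwqpb3r5ncfvl7jag2uxo4sme6ydzhtr3kw5qbn2vliz7ef4.63027-0.id-32227.up.sshdns.inbound.example.com TXT 140
10.0.0.9 d5wbl3xqzo7ghmry2tk4ue6nspa3cjfv5yhb7ixwq2domzl4rtkge6pun3sc.63028-0.id-32227.up.sshdns.inbound.example.com TXT 140
10.0.0.9 y3rvqn6kz2phx7bwm4tecg5oj7ual2sdi6xqf3vh4nme7zryk5twb2ocg6pl.63029-0.id-32227.up.sshdns.inbound.example.com TXT 140
10.0.0.9 m6tcx2ogev4wq7hk3rdnf5bsly2zpj6auw3oqi7xtm4khg5cez2nbd6vrsfy.63030-0.id-32227.up.sshdns.inbound.example.com TXT 140
10.0.0.9 695-8859.id-39201.down.sshdns.inbound.example.com TXT 420
"""

# Tiny stand-in for the public suffix list, so that bbc.co.uk is one zone.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk"}


def parse_line(line: str):
    """One log line -> (client, qname, qtype, bytes)."""
    client, qname, qtype, size = line.split()
    return client, qname.rstrip(".").lower(), qtype, int(size)


def zone_of(qname: str) -> str:
    """The registrable zone: the last two labels, or three under co.uk etc."""
    labels = qname.split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def entropy(text: str) -> float:
    """Shannon entropy in bits per character: Base32 data approaches 5,
    Base64 approaches 6, ordinary host names sit around 2 to 3."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def profile(log_lines):
    """Aggregate per (client, zone): query count, bytes, TXT queries and the
    mean length and entropy of the part of the name below the zone."""
    stats = defaultdict(lambda: {"queries": 0, "bytes": 0, "txt": 0,
                                 "sub_len": 0.0, "sub_ent": 0.0})
    for line in log_lines:
        if not line.strip():
            continue
        client, qname, qtype, size = parse_line(line)
        zone = zone_of(qname)
        below = qname[: -len(zone) - 1].replace(".", "") if qname != zone else ""
        s = stats[(client, zone)]
        s["queries"] += 1
        s["bytes"] += size
        s["txt"] += 1 if qtype == "TXT" else 0
        s["sub_len"] += len(below)
        s["sub_ent"] += entropy(below)
    for s in stats.values():
        s["sub_len"] /= s["queries"]
        s["sub_ent"] /= s["queries"]
    return dict(stats)


def suspicious(stats, min_queries=5, min_len=40, min_entropy=3.5):
    """(client, zone) pairs that are busy *and* carry long, high-entropy
    labels. Volume alone is deliberately not enough: a busy zone such as
    google.com must not trip the rule, and entropy alone would catch short
    hashed host names."""
    return sorted(key for key, s in stats.items()
                  if s["queries"] >= min_queries
                  and s["sub_len"] >= min_len
                  and s["sub_ent"] >= min_entropy)


if __name__ == "__main__":
    stats = profile(SAMPLE_LOG.splitlines())
    for client, zone in suspicious(stats):
        s = stats[(client, zone)]
        print(f"{client} -> {zone}: {s['queries']} queries, {s['bytes']} bytes, "
              f"mean label length {s['sub_len']:.0f}, entropy {s['sub_ent']:.2f}")
```

The per-(client, zone) grouping is what keeps the rule from tripping over a busy but legitimate zone: the sample's eight look-ups for google.com fail on label length, while the six under example.com are flagged. In production you would feed it the resolver's real query log, baseline the thresholds on a quiet day, and add the bytes-per-zone figure as a second alert.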
• 24. Countermeasures
If you are running a for-a-fee access point, consider having your DNS server answer all queries with a local IP address until payment has been completed. Only afterwards should a client be able to perform DNS lookups that your server resolves to the internet.
Many organisations do this currently by having HTTP requests rewritten to a local web server on which payment is due. This, however, still allows the client to resolve external domains, and as such does not alleviate the covert channel.
A potential solution is to set up a BIND server which has a local entry for all TLDs (get lists here and here). Set up a wildcard entry for each of these domains that points to your local web server that processes payments. Requests to any other domains or zones should not be handled recursively.
• 25. Countermeasures
One solution which is sometimes considered is to deny all queries for TXT records. The impact of this will in most cases be limited, although certain functionality (such as SPF) may break. In general, only your incoming mail server will need to perform these lookups; given a general split-DNS service on multiple servers, it should be feasible to work around this issue. There are precious few reasons why the average internal client should be able to perform lookups for TXT records.
This approach is, however, fairly naive, as tunnelling will still be possible through other record types. You will not be able to disable these others, such as CNAME, due to the heavy production impact.
Remember, blocking a domain name after X amount of calls within a period seems a good idea, until you think about the lookups your organisation makes to Google in an hour.
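As an added example (not from the slides), here is a small Python script that runs the anomaly indicators from slides 23 and 25 over a constructed resolver log: query volume per client, the share of long Base32/Base64-looking labels, bytes carried in query names, and the share of TXT lookups. The log format, the label regex and the thresholds are assumptions for illustration.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log (timestamp client qtype qname); 10.0.0.9 mimics a tunnel.
SAMPLE_LOG = """\
1 10.0.0.5 A www.example.com
2 10.0.0.5 A mail.example.com
3 10.0.0.5 AAAA www.example.org
4 10.0.0.9 TXT mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.t.example.net
5 10.0.0.9 TXT ge3dgnbvgy3tqojqhe3tenjvgiytcmrrgqytamjsg.t.example.net
6 10.0.0.9 TXT ozvwgzlsobuw4ztfmfzgc2lomvtxg4trmvsgcz3ime.t.example.net
7 10.0.0.9 TXT nfxgs5dsnfrwc5lponrgk2lonrxw2zlnmvxhi3tdmq.t.example.net
8 10.0.0.9 TXT ge4tcmjsgi3dgnbvgy3tqojqhe3tenjvgiytcmrrgq.t.example.net
"""

# First label of 20+ chars drawn only from the Base32 or Base64/url alphabets (assumed heuristic).
ENCODED_LABEL_RE = re.compile(r"^(?:[a-z2-7]{20,}|[A-Za-z0-9+/=_-]{20,})$")

def shannon_entropy(s):
    """Bits per character; hostname labels sit low, encoded data sits high."""
    probs = [s.count(ch) / len(s) for ch in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def parse_log(text):
    """Rows of (timestamp, client, qtype, qname) from whitespace-separated lines."""
    return [(int(t), c, q.upper(), n.lower())
            for t, c, q, n in (line.split() for line in text.splitlines())]

def score_clients(rows, min_queries=4, high_volume=500):
    """Slide-23 indicators (volume, label format, bytes) plus the slide-25 TXT share."""
    stats = defaultdict(lambda: {"queries": 0, "bytes": 0, "txt": 0,
                                 "encoded_labels": 0, "entropy_sum": 0.0})
    for _, client, qtype, qname in rows:
        s = stats[client]
        first = qname.split(".")[0]
        s["queries"] += 1
        s["bytes"] += len(qname)  # data smuggled inside the query name itself
        if qtype == "TXT":
            s["txt"] += 1
        if ENCODED_LABEL_RE.match(first):
            s["encoded_labels"] += 1
        s["entropy_sum"] += shannon_entropy(first)
    for s in stats.values():
        n = s["queries"]
        s["avg_entropy"] = s["entropy_sum"] / n
        s["tunnel_suspect"] = n >= min_queries and (
            n >= high_volume or s["encoded_labels"] / n > 0.5
            or s["txt"] / n > 0.5 or s["avg_entropy"] > 3.5)
    return dict(stats)
```

Run `score_clients(parse_log(SAMPLE_LOG))` and only 10.0.0.9 comes back flagged; tune the thresholds against a baseline of your own resolver logs before alerting on them.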
• 26. Conclusions
In conclusion, I haven't really scratched the surface of what can be done here. The reality of it is, if you're not looking at DNS traffic then someone else may well be doing so. It still has the potential to be one of the best covert channels going and can be very technically difficult to detect.
The uses for this are really limited only by your imagination. If you can use this with 3G technology then this could make somewhat of a lethal weapon. However, some pre-thought of what you could and should expect on your network.
You may think this connection would be slow, but within my links is a paper showing speeds of up to 110 kilobytes a second.
• 27. Links
Slashdot article on NSTX: http://slashdot.org/articles/00/09/10/2230242.shtml
Kaminsky's Wikipedia page: http://en.wikipedia.org/wiki/Dan_Kaminsky
Kaminsky's release of the tools he developed: http://dankaminsky.com/2004/07/29/51/
Kaminsky's Black Hat paper: http://www.doxpara.com/slides/BH_EU_05-Kaminsky.pdf
Dan Kaminsky's 2005 Black Hat talk: http://www.splitbrain.org/blog/2008-11/02-dns_tunneling_made_simple
Very good guide on setting up DNS tunnels: http://dnstunnel.de/
IVC wiki article on DNS tunnelling: http://beta.ivc.no/wiki/index.php/DNS_Tunneling
• 28. Links
Another guide to tunnelling over DNS: http://www.h-i-r.net/2010/03/dns-tunneling-part-1-intro-and.html
PDF paper from Black Hat: http://www.blackhat.com/presentations/bh-usa-08/Miller/BH_US_08_Ty_Miller_Reverse_DNS_Tunneling_Shellcode.pdf
Heyoka paper: http://shakacon.org/talks/Revelli-Leidecker_Heyoka.pdf
Further guide to configuring OzymanDNS, however for Windows-type systems:
http://cyberphob1a.wordpress.com/2008/02/10/dns-tunneling-part-i/
http://cyberphob1a.wordpress.com/2008/02/11/speeding-up-dns-tunneling/
http://cyberphob1a.wordpress.com/2008/03/08/dns-tunneling-updated-source/
DNS RFC: ftp://ftp.rfc-editor.org/in-notes/rfc1035.txt
• 29. Links
Another set of software for TCP over DNS, this one using Java instead of Perl: http://analogbit.com/tcp-over-dns_howto
For presentation side notes – speeding up Firefox for low-bandwidth carriers: http://www.ghacks.net/2008/07/13/optimize-firefox-for-low-traffic-volumes/
DNScat as a payload with Metasploit: http://www.skullsecurity.org/blog/2010/weaponizing-dnscat-with-shellcode-and-metasploit
Reverse DNS Tunneling Shellcode (v0.3) technical details: http://projectshellcode.com/?q=node/2
“In the following tutorial, we will use the tool dns2tcp written by two guys working for HSC, a French security company.”
http://blog.rootshell.be/2007/03/22/dns2tcp-how-to-bypass-firewalls-or-captive-portals/
http://www.hsc.fr/ressources/outils/dns2tcp/download/
Traffic analysis approach to detecting DNS tunnels: http://blog.vorant.com/2006/05/traffic-analysis-approach-to-detecting.html
Tunneling shit over DNS: http://www.modacity.net/forums/showthread.php?19755-Tunneling-shit-over-DNS
• 31. Thank You For Your Time
I hope it has been of interest. Please feel free to come grab me later for a chat. Don't forget to listen to the show: www.finux.co.uk
On a side note, I have never been on a night out in London. So I'll apologise for tonight tomorrow morning.