SlideShare una empresa de Scribd logo

Day 2 Dns Cert 4a Cache Poisoning

V
vngundi

Presentation by ICANN

Tecnología
1 de 18
Descargar para leer sin conexión
DNS Security for CERTs - Attack Scenarios & Demonstrations – Cache Poisoning Chris Evans Delta Risk, LLC 7 March 2010 1
What You Will Need for the Exercise • Your Ubuntu VM – VMWare Web Console Access – SSH with X11 Forwarding (for Advanced Users) • Do a query for www.tld1 and verify its IP address before the attack is launched: – 192.168.101.50 2
Description • A Change in Recursive DNS Server Causes Spoofed or Incorrect Resolutions – Attack Doesn’t Target Registry Architecture DNS Google.com ISP 1 DNS Fake Google ISP 2 Resolves Differently Than 3
Description • Cache poisoning attacks target a specific DNS server, and therefore, only the users which use that DNS server – This doesn’t fit the “get most bang for the buck” of typical hackers out for fame and glory – BUT, the attack can be very insidious, difficult to detect and completely transparent to the victim • These attacks occur infrequently, or, are just not being detected and reported. 4
Case Study – External Poisoning • Unverified report of a Brazilian bank victimized by cache poisoning attack. • Attack targeted local ISP DNS server • ISP reported only “1%” of its users were affected Eweek.com 4/22/09 5
Case Study – External Poisoning • Hackers poisoned local ISP DNS server and redirected users to a login page that looked just like the Bank’s login page • Solicited usernames, passwords, and other information not normally asked for by the Bank at login Actual Bradesco Login Page 6
Case Study – Internal Poisoning • Partido Colorado – political statement made by one organization against another during an election Attacker Modifies Upstream DNS Records www.partidocolorado.org. 3600 IN A 66.249.01.121 7
Case Study – Internal Poisoning • The local ISP (Copaco) modified its own recursive name servers to redirect users looking for partidocolorado.org to a state-run news service 201.217.51.114 Attacker Modified Upstream DNS Records www.partidocolorado.org. 3600 IN A 66.249.01.121 8
Attack Demonstration External Poisoning DNS Cache Web Server DNS Server Hacker Normal Request Poisoned Request Victim Web Server 9
Demonstration – Attacker View _ _ _ | | (_)_ ____ ____| |_ ____ ___ ____ | | ___ _| |_ | / _ ) _)/ _ |/___) _ | |/ _ | | _) | | | ( (/ /| |_( ( | |___ | | | | | |_| | | |__ |_|_|_|____)___)_||_(___/| ||_/|_|___/|_|___) |_| =[ msf v3.2-release + -- --=[ 320 exploits - 217 payloads + -- --=[ 20 encoders - 6 nops =[ 99 aux msf auxiliary(bailiwicked_host) > Name: DNS BailiWicked Host Attack Version: 5794 Provided by: I)ruid <druid@caughq.org> hdm <hdm@metasploit.com> Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- HOSTNAME www.tld1 yes Hostname to hijack NEWADDR 192.168.85.5 yes New address for hostname RECONS 192.168.101.10 yes The nameserver used for recon RHOST 192.168.80.10 yes The target address SRCADDR Real yes The source address to use for SRCPORT 53 yes The target server's source TTL 37620 yes The TTL for the malicious host XIDS 0 yes The number of XIDs to try for 10
Demonstration – Attacker View (cont.) [*] Targeting nameserver 192.168.80.10 for injection of www.tld1. as 192.168.85.5 [*] Querying recon nameserver for tld1.'s nameservers... [*] Got an NS record: tld1. 180 IN NS ns1.tld1. [*] Querying recon nameserver for address of ns1.tld1.... [*] Got an A record: ns1.tld1. 180 IN A 192.168.101.10 [*] Checking Authoritativeness: Querying 192.168.101.10 for tld1.... [*] ns1.tld1. is authoritative for tld1., adding to list of nameservers to spoof as [*] Calculating the number of spoofed replies to send per query... [*] race calc: 100 queries | min/max/avg time: 0.0/0.06/0.0 | min/max/avg replies: 0/6/3 [*] Sending 4 spoofed replies from each nameserver (1) for each query [*] Attempting to inject a poison record for www.tld1. into 192.168.80.10:53... ... ... ... ... [*] Poisoning successful after 61000 queries and 250000 responses: www.tld1 == 192.168.85.5 [*] TTL: 37619 DATA: #<Resolv::DNS::Resource::IN::A:0xb6b28688> [*] Auxiliary module execution completed Attack Successful!!!!! 11
Demonstration – Server View • Wireshark Capture – Note the queries like “031PtyJamG6o.tld1” 12
Demonstration – User View • Please open a browser and connect to the webmail server: http://192.168.101.50/squirrelmail – Login as: studentX – Password: password • Examine the message in your inbox – Looks realistic? ( Use your imagination  ) – The URL certainly does – it matches the web registry system URL. • Click on the link (it won’t hurt you!) – Does this look like the login page of the web registry system? 13
Demonstration – User View 1 3 2 May look legit but is the hacker’s IP and webserver!!!!! 14
Impact • Users are dependent on the answers from the DNS being accurate and legitimate • Cache Poisoning can be used to create very realistic phishing attacks, that are more likely to succeed, because they appear to use real URLs. – Users are more attune to “strange” URLs now than several years ago, but cache poisoning allows an attacker to use a “normal” URL 15
Mitigation & Response Strategies • DNSSEC – will mitigate effect of external poisoning attacks, but will not address content “issues” at the authoritative server • SSL-Based Logins – but subject to user participation! • Server validation techniques like “site keys” – but again, subject to user participation! • Proactive monitoring of recursive servers – not necessarily tractable – but maybe useful for High Value Domains 16
Mitigation & Response Strategies • Know WHO to contact at the ISPs within your span of control • Know the procedures for flushing the DNS cache – you may have to instruct operators how to do this! • Information Sharing – if you’re the victim of an attack – share the details of the attack within the community – you may prevent someone else from becoming a victim 17
Questions? ? 18

Recomendados

Grey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache PoisoningGrey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache Poisoning
Christopher Grayson
 
There's no place like 127.0.0.1 - Achieving "reliable" DNS rebinding in moder...
There's no place like 127.0.0.1 - Achieving "reliable" DNS rebinding in moder...There's no place like 127.0.0.1 - Achieving "reliable" DNS rebinding in moder...
There's no place like 127.0.0.1 - Achieving "reliable" DNS rebinding in moder...
Luke Young
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local Networks
Men and Mice
 
DNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamDNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul Islam
MyNOG
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows Networks
Men and Mice
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Men and Mice
 
Windows 2012 and DNSSEC
Windows 2012 and DNSSECWindows 2012 and DNSSEC
Windows 2012 and DNSSEC
Men and Mice
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
APNIC
 

Recomendados

Grey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache PoisoningGrey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache Poisoning
Christopher Grayson
 
There's no place like 127.0.0.1 - Achieving "reliable" DNS rebinding in moder...
There's no place like 127.0.0.1 - Achieving "reliable" DNS rebinding in moder...There's no place like 127.0.0.1 - Achieving "reliable" DNS rebinding in moder...
There's no place like 127.0.0.1 - Achieving "reliable" DNS rebinding in moder...
Luke Young
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local Networks
Men and Mice
 
DNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamDNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul Islam
MyNOG
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows Networks
Men and Mice
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Men and Mice
 
Windows 2012 and DNSSEC
Windows 2012 and DNSSECWindows 2012 and DNSSEC
Windows 2012 and DNSSEC
Men and Mice
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
APNIC
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
APNIC
 
RHCE FINAL Questions and Answers
RHCE FINAL Questions and AnswersRHCE FINAL Questions and Answers
RHCE FINAL Questions and Answers
Radien software
 
[India Merge World Tour] Meru Networks
[India Merge World Tour] Meru Networks[India Merge World Tour] Meru Networks
[India Merge World Tour] Meru Networks
Perforce
 
HKNOG 5.0 - NSEC caching
HKNOG 5.0 - NSEC cachingHKNOG 5.0 - NSEC caching
HKNOG 5.0 - NSEC caching
APNIC
 
Troubleshooting Tips from a Docker Support Engineer
Troubleshooting Tips from a Docker Support EngineerTroubleshooting Tips from a Docker Support Engineer
Troubleshooting Tips from a Docker Support Engineer
Jeff Anderson
 
Yeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootYeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the root
Men and Mice
 
Cloudstone - Sharpening Your Weapons Through Big Data
Cloudstone - Sharpening Your Weapons Through Big DataCloudstone - Sharpening Your Weapons Through Big Data
Cloudstone - Sharpening Your Weapons Through Big Data
Christopher Grayson
 
2016 JavaOne Deconstructing REST Security
2016 JavaOne Deconstructing REST Security2016 JavaOne Deconstructing REST Security
2016 JavaOne Deconstructing REST Security
David Blevins
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encrypted
Men and Mice
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Shakacon
 
2017 dev nexus_deconstructing_rest_security
2017 dev nexus_deconstructing_rest_security2017 dev nexus_deconstructing_rest_security
2017 dev nexus_deconstructing_rest_security
David Blevins
 
Keeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runitKeeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runit
Men and Mice
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 Webinar
Men and Mice
 
Mens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practiceMens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practice
kuchinskaya
 
Database Hardware Benchmarking
Database Hardware BenchmarkingDatabase Hardware Benchmarking
Database Hardware Benchmarking
Command Prompt., Inc
 
Putting Wings on the Elephant
Putting Wings on the ElephantPutting Wings on the Elephant
Putting Wings on the Elephant
DataWorks Summit
 
Collaborate instant cloning_kyle
Collaborate instant cloning_kyleCollaborate instant cloning_kyle
Collaborate instant cloning_kyle
Kyle Hailey
 
Apache Wizardry - Ohio Linux 2011
Apache Wizardry - Ohio Linux 2011Apache Wizardry - Ohio Linux 2011
Apache Wizardry - Ohio Linux 2011
Rich Bowen
 
End-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyEnd-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware Family
CrowdStrike
 
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
OpenDNS
 
Day 2 Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious UseDay 2 Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious Use
vngundi
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
Felipe Prado
 

Más contenido relacionado

La actualidad más candente

2016 JavaOne Deconstructing REST Security
2016 JavaOne Deconstructing REST Security2016 JavaOne Deconstructing REST Security
2016 JavaOne Deconstructing REST Security
David Blevins
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Shakacon
 
2017 dev nexus_deconstructing_rest_security
2017 dev nexus_deconstructing_rest_security2017 dev nexus_deconstructing_rest_security
2017 dev nexus_deconstructing_rest_security
David Blevins
 
Mens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practiceMens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practice
kuchinskaya
 
Putting Wings on the Elephant
Putting Wings on the ElephantPutting Wings on the Elephant
Putting Wings on the Elephant
DataWorks Summit
 
Collaborate instant cloning_kyle
Collaborate instant cloning_kyleCollaborate instant cloning_kyle
Collaborate instant cloning_kyle
Kyle Hailey
 
Apache Wizardry - Ohio Linux 2011
Apache Wizardry - Ohio Linux 2011Apache Wizardry - Ohio Linux 2011
Apache Wizardry - Ohio Linux 2011
Rich Bowen
 
End-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyEnd-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware Family
CrowdStrike
 
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
OpenDNS
 

La actualidad más candente (20)

Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
 
RHCE FINAL Questions and Answers
RHCE FINAL Questions and AnswersRHCE FINAL Questions and Answers
RHCE FINAL Questions and Answers
 
[India Merge World Tour] Meru Networks
[India Merge World Tour] Meru Networks[India Merge World Tour] Meru Networks
[India Merge World Tour] Meru Networks
 
HKNOG 5.0 - NSEC caching
HKNOG 5.0 - NSEC cachingHKNOG 5.0 - NSEC caching
HKNOG 5.0 - NSEC caching
 
Troubleshooting Tips from a Docker Support Engineer
Troubleshooting Tips from a Docker Support EngineerTroubleshooting Tips from a Docker Support Engineer
Troubleshooting Tips from a Docker Support Engineer
 
Yeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootYeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the root
 
Cloudstone - Sharpening Your Weapons Through Big Data
Cloudstone - Sharpening Your Weapons Through Big DataCloudstone - Sharpening Your Weapons Through Big Data
Cloudstone - Sharpening Your Weapons Through Big Data
 
2016 JavaOne Deconstructing REST Security
2016 JavaOne Deconstructing REST Security2016 JavaOne Deconstructing REST Security
2016 JavaOne Deconstructing REST Security
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encrypted
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
 
2017 dev nexus_deconstructing_rest_security
2017 dev nexus_deconstructing_rest_security2017 dev nexus_deconstructing_rest_security
2017 dev nexus_deconstructing_rest_security
 
Keeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runitKeeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runit
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 Webinar
 
Mens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practiceMens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practice
 
Database Hardware Benchmarking
Database Hardware BenchmarkingDatabase Hardware Benchmarking
Database Hardware Benchmarking
 
Putting Wings on the Elephant
Putting Wings on the ElephantPutting Wings on the Elephant
Putting Wings on the Elephant
 
Collaborate instant cloning_kyle
Collaborate instant cloning_kyleCollaborate instant cloning_kyle
Collaborate instant cloning_kyle
 
Apache Wizardry - Ohio Linux 2011
Apache Wizardry - Ohio Linux 2011Apache Wizardry - Ohio Linux 2011
Apache Wizardry - Ohio Linux 2011
 
End-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyEnd-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware Family
 
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
 

Similar a Day 2 Dns Cert 4a Cache Poisoning

Whalebone-UKNOF44security992_new_impl.pptx
Whalebone-UKNOF44security992_new_impl.pptxWhalebone-UKNOF44security992_new_impl.pptx
Whalebone-UKNOF44security992_new_impl.pptx
Ans Sembiring
 
The latest news in the DNS resolution: DNSSEC
The latest news in the DNS resolution: DNSSECThe latest news in the DNS resolution: DNSSEC
The latest news in the DNS resolution: DNSSEC
Whalebone, s.r.o.
 
DNS_Tutorial 2.pptx
DNS_Tutorial 2.pptxDNS_Tutorial 2.pptx
DNS_Tutorial 2.pptx
viditsir
 

Similar a Day 2 Dns Cert 4a Cache Poisoning (20)

Day 2 Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious UseDay 2 Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious Use
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
 
Day 2 Dns Cert 4b Name Server Redirection
Day 2 Dns Cert 4b Name Server RedirectionDay 2 Dns Cert 4b Name Server Redirection
Day 2 Dns Cert 4b Name Server Redirection
 
3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities
 
No more ARP : Another MiTm Attacks
No more ARP : Another MiTm AttacksNo more ARP : Another MiTm Attacks
No more ARP : Another MiTm Attacks
 
ION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSECION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSEC
 
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache ServersNANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
 
CNIT 40: 3: DNS vulnerabilities
CNIT 40: 3: DNS vulnerabilitiesCNIT 40: 3: DNS vulnerabilities
CNIT 40: 3: DNS vulnerabilities
 
Dns security
Dns securityDns security
Dns security
 
DNS spoofing/poisoning Attack Report (Word Document)
DNS spoofing/poisoning Attack Report (Word Document)DNS spoofing/poisoning Attack Report (Word Document)
DNS spoofing/poisoning Attack Report (Word Document)
 
Whalebone-UKNOF44security992_new_impl.pptx
Whalebone-UKNOF44security992_new_impl.pptxWhalebone-UKNOF44security992_new_impl.pptx
Whalebone-UKNOF44security992_new_impl.pptx
 
The latest news in the DNS resolution: DNSSEC
The latest news in the DNS resolution: DNSSECThe latest news in the DNS resolution: DNSSEC
The latest news in the DNS resolution: DNSSEC
 
DNS Rebinding Attack
DNS Rebinding AttackDNS Rebinding Attack
DNS Rebinding Attack
 
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam ObszyńskiPLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
 
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
 
Drilling Down Into DNS DDoS
Drilling Down Into DNS DDoSDrilling Down Into DNS DDoS
Drilling Down Into DNS DDoS
 
Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time
 
DNS Attacks
DNS AttacksDNS Attacks
DNS Attacks
 
bdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timebdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a time
 
DNS_Tutorial 2.pptx
DNS_Tutorial 2.pptxDNS_Tutorial 2.pptx
DNS_Tutorial 2.pptx
 

Más de vngundi

Anatomy of a CERT - Gordon Love, Symantec
Anatomy of a CERT - Gordon Love, SymantecAnatomy of a CERT - Gordon Love, Symantec
Anatomy of a CERT - Gordon Love, Symantec
vngundi
 

Más de vngundi (9)

Anatomy of a CERT - Gordon Love, Symantec
Anatomy of a CERT - Gordon Love, SymantecAnatomy of a CERT - Gordon Love, Symantec
Anatomy of a CERT - Gordon Love, Symantec
 
Dealing With Security Threats
Dealing With Security ThreatsDealing With Security Threats
Dealing With Security Threats
 
Cyber Security Strategies and Approaches
Cyber Security Strategies and ApproachesCyber Security Strategies and Approaches
Cyber Security Strategies and Approaches
 
Day 2 Dns Cert 4 Scenarios
Day 2 Dns Cert 4 ScenariosDay 2 Dns Cert 4 Scenarios
Day 2 Dns Cert 4 Scenarios
 
Day 2 Dns Cert 3 Dns Organizations
Day 2 Dns Cert 3 Dns OrganizationsDay 2 Dns Cert 3 Dns Organizations
Day 2 Dns Cert 3 Dns Organizations
 
Day 1 Large Scale Attacks
Day 1 Large Scale AttacksDay 1 Large Scale Attacks
Day 1 Large Scale Attacks
 
Day 1 From CERT To NCSC
Day 1 From CERT To NCSCDay 1 From CERT To NCSC
Day 1 From CERT To NCSC
 
Day 1 Enisa Setting Up A Csirt
Day 1 Enisa Setting Up A CsirtDay 1 Enisa Setting Up A Csirt
Day 1 Enisa Setting Up A Csirt
 
Day 1 Coop Banks
Day 1 Coop BanksDay 1 Coop Banks
Day 1 Coop Banks
 

Último

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Último (20)

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 

Day 2 Dns Cert 4a Cache Poisoning

  • 1. DNS Security for CERTs - Attack Scenarios & Demonstrations – Cache Poisoning Chris Evans Delta Risk, LLC 7 March 2010 1
  • 2. What You Will Need for the Exercise • Your Ubuntu VM – VMWare Web Console Access – SSH with X11 Forwarding (for Advanced Users) • Do a query for www.tld1 and verify its IP address before the attack is launched: – 192.168.101.50 2
  • 3. Description • A Change in Recursive DNS Server Causes Spoofed or Incorrect Resolutions – Attack Doesn’t Target Registry Architecture DNS Google.com ISP 1 DNS Fake Google ISP 2 Resolves Differently Than 3
  • 4. Description • Cache poisoning attacks target a specific DNS server, and therefore, only the users which use that DNS server – This doesn’t fit the “get most bang for the buck” of typical hackers out for fame and glory – BUT, the attack can be very insidious, difficult to detect and completely transparent to the victim • These attacks occur infrequently, or, are just not being detected and reported. 4
  • 5. Case Study – External Poisoning • Unverified report of a Brazilian bank victimized by cache poisoning attack. • Attack targeted local ISP DNS server • ISP reported only “1%” of its users were affected Eweek.com 4/22/09 5
  • 6. Case Study – External Poisoning • Hackers poisoned local ISP DNS server and redirected users to a login page that looked just like the Bank’s login page • Solicited usernames, passwords, and other information not normally asked for by the Bank at login Actual Bradesco Login Page 6
  • 7. Case Study – Internal Poisoning • Partido Colorado – political statement made by one organization against another during an election Attacker Modifies Upstream DNS Records www.partidocolorado.org. 3600 IN A 66.249.01.121 7
  • 8. Case Study – Internal Poisoning • The local ISP (Copaco) modified its own recursive name servers to redirect users looking for partidocolorado.org to a state-run news service 201.217.51.114 Attacker Modified Upstream DNS Records www.partidocolorado.org. 3600 IN A 66.249.01.121 8
  • 9. Attack Demonstration External Poisoning DNS Cache Web Server DNS Server Hacker Normal Request Poisoned Request Victim Web Server 9
  • 10. Demonstration – Attacker View _ _ _ | | (_)_ ____ ____| |_ ____ ___ ____ | | ___ _| |_ | / _ ) _)/ _ |/___) _ | |/ _ | | _) | | | ( (/ /| |_( ( | |___ | | | | | |_| | | |__ |_|_|_|____)___)_||_(___/| ||_/|_|___/|_|___) |_| =[ msf v3.2-release + -- --=[ 320 exploits - 217 payloads + -- --=[ 20 encoders - 6 nops =[ 99 aux msf auxiliary(bailiwicked_host) > Name: DNS BailiWicked Host Attack Version: 5794 Provided by: I)ruid <druid@caughq.org> hdm <hdm@metasploit.com> Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- HOSTNAME www.tld1 yes Hostname to hijack NEWADDR 192.168.85.5 yes New address for hostname RECONS 192.168.101.10 yes The nameserver used for recon RHOST 192.168.80.10 yes The target address SRCADDR Real yes The source address to use for SRCPORT 53 yes The target server's source TTL 37620 yes The TTL for the malicious host XIDS 0 yes The number of XIDs to try for 10
  • 11. Demonstration – Attacker View (cont.) [*] Targeting nameserver 192.168.80.10 for injection of www.tld1. as 192.168.85.5 [*] Querying recon nameserver for tld1.'s nameservers... [*] Got an NS record: tld1. 180 IN NS ns1.tld1. [*] Querying recon nameserver for address of ns1.tld1.... [*] Got an A record: ns1.tld1. 180 IN A 192.168.101.10 [*] Checking Authoritativeness: Querying 192.168.101.10 for tld1.... [*] ns1.tld1. is authoritative for tld1., adding to list of nameservers to spoof as [*] Calculating the number of spoofed replies to send per query... [*] race calc: 100 queries | min/max/avg time: 0.0/0.06/0.0 | min/max/avg replies: 0/6/3 [*] Sending 4 spoofed replies from each nameserver (1) for each query [*] Attempting to inject a poison record for www.tld1. into 192.168.80.10:53... ... ... ... ... [*] Poisoning successful after 61000 queries and 250000 responses: www.tld1 == 192.168.85.5 [*] TTL: 37619 DATA: #<Resolv::DNS::Resource::IN::A:0xb6b28688> [*] Auxiliary module execution completed Attack Successful!!!!! 11
  • 12. Demonstration – Server View • Wireshark Capture – Note the queries like “031PtyJamG6o.tld1” 12
  • 13. Demonstration – User View • Please open a browser and connect to the webmail server: http://192.168.101.50/squirrelmail – Login as: studentX – Password: password • Examine the message in your inbox – Looks realistic? ( Use your imagination  ) – The URL certainly does – it matches the web registry system URL. • Click on the link (it won’t hurt you!) – Does this look like the login page of the web registry system? 13
  • 14. Demonstration – User View 1 3 2 May look legit but is the hacker’s IP and webserver!!!!! 14
  • 15. Impact • Users are dependent on the answers from the DNS being accurate and legitimate • Cache Poisoning can be used to create very realistic phishing attacks, that are more likely to succeed, because they appear to use real URLs. – Users are more attune to “strange” URLs now than several years ago, but cache poisoning allows an attacker to use a “normal” URL 15
  • 16. Mitigation & Response Strategies • DNSSEC – will mitigate effect of external poisoning attacks, but will not address content “issues” at the authoritative server • SSL-Based Logins – but subject to user participation! • Server validation techniques like “site keys” – but again, subject to user participation! • Proactive monitoring of recursive servers – not necessarily tractable – but maybe useful for High Value Domains 16
  • 17. Mitigation & Response Strategies • Know WHO to contact at the ISPs within your span of control • Know the procedures for flushing the DNS cache – you may have to instruct operators how to do this! • Information Sharing – if you’re the victim of an attack – share the details of the attack within the community – you may prevent someone else from becoming a victim 17
  • 18. Questions? ? 18