OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014

Effective exploitation of a change to a computer's DNS server setting (via router hacking or another way...)

Slide 1: OFFENSIVE: Exploiting changes on DNS server configuration
Leonardo Nve Egea
lnve@s21sec.com
@leonardonve

Slide 2: About me
• Security researcher since… (a lot of time) in SPAIN.
• Pentester, incident investigator & security researcher.
• On the offensive side (more fun).
• I love the protocol level.

Slide 3: INTRODUCTION

Slide 4: What.

Slide 5: Why.

Slide 6: EXPLOITATION (I) – NORMAL PROCEDURE

Slide 7: How.
• CSRF/XSS.
• Insufficient authorization.
• SNMP/TFTP.
• Default password + external administration.
• Cracking Wi-Fi passwords + default password.
• Command-line DNS change.
• Rogue DSLAM.
• Malware.

Slide 8: What.

Slide 9: Tools.
• Metasploit.
• Dnsmasq.
• BIND server.

Slide 10: Then.
• Invisible proxy.
  – Burp Suite, mitmproxy
• SSLstrip.
• HTML injection.
  – BeEF
  – Exploit kits
• Bouncing to known servers.
  – SSLsplit
• Fake web servers.
  – Defacing.
  – Phishing.
• Sniffing data.

Slide 11: OBSTACLES OF NORMAL EXPLOITATION

Slide 12: Obstacles.
• SSL certificates (Critical).

Slide 13: Obstacles.
• SSL certificate pinning / EMET (Critical).

Slide 14: Obstacles.
• HSTS + preloaded HSTS sites (Non critical).

Slide 15: Obstacles.
• SSH signature failure (Critical).

Slide 16: Obstacles.
• POP3/SMTP banner (Non critical problem).
• FTP banner (This can be critical).
• Limited host interception.
• Limited protocol interception.

Slide 17: Limitations.
• Limited host interception.
• Time needed to study each IP's communication patterns.
• Limited cleartext protocol interception.
• HTTPS.
• Accept losing a lot of information.

Slide 18: EXPLOITATION (II) – IMPROVE THE ATTACK PROCEDURE

Slide 19: Objectives.
• Discretion.
• Improve data acquisition from time 0.

Slide 20: Improve the attack.
• A DNS feature for high availability and load balancing:

Slide 21: Improve the attack.
Sequence diagram (arrows lost in extraction); message labels in order:
• DHCP REQ
• DHCP RESP with fake DNS server
• DNS A request; DNS A request (forwarded)
• DNS response; DNS response = IP attacker server1 + IP attacker server2 + DNS resp, short TTL
• SYN port=xxx
• RST ACK port=xxx
• SYN port=xxx; SYN port=xxx
• SYN ACK port=xxx; SYN ACK port=xxx
• DATA; DATA

Slide 22: Improve the attack.
• On port 80 the attacker can place an invisible proxy.
• The attacker can always reject the SSL ports, because the client will later connect to the real server.
• Data for other connections is forwarded through the evil server from the first moment.
• And there is a tool.

Slide 23: Tool.
• dns2proxy (still in beta).
• Fully in Python (PyDNS).
• Permits spoofing, direct forwarding and adding IPs to the response.
• Interacts directly with iptables to forward connections.
https://github.com/LeonardoNve/dns2proxy
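As an added example, not code from the slides or from dns2proxy: detection logic for the fallback behaviour that the multi-A-record sequence above relies on, run over constructed DNS and TCP events. It flags a name where one A record answered RST and a second A record from the same answer then completed the handshake on the same port, and notes whether the answer carried a short TTL; the log format and the 60-second threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events, not from the slides or from dns2proxy: a DNS
# answer carrying several A records with a short TTL, followed by the client's
# TCP attempts.  IP order mirrors the slide (two extra IPs, then the real one).
SAMPLE_LOG = """\
DNS mail.example.com A 10.0.0.5,10.0.0.6,203.0.113.10 ttl=5
TCP 10.0.0.5:443 RST
TCP 10.0.0.6:443 RST
TCP 203.0.113.10:443 SYNACK
TCP 10.0.0.5:80 SYNACK
DNS www.example.org A 198.51.100.7 ttl=3600
TCP 198.51.100.7:443 SYNACK
""".splitlines()

DNS_RE = re.compile(r"^DNS (?P<name>\S+) A (?P<ips>[\d.,]+) ttl=(?P<ttl>\d+)$")
TCP_RE = re.compile(r"^TCP (?P<ip>[\d.]+):(?P<port>\d+) (?P<result>SYNACK|RST)$")
SHORT_TTL = 60  # seconds; threshold is an assumption, tune for your resolver

def find_fallthrough(lines, short_ttl=SHORT_TTL):
    """Flag names where a connection was RST'd by one A record and then
    completed on another A record from the same answer: the fallback that
    'reject the SSL ports, let the client reach the real server' relies on."""
    answers = {}                 # name -> (list of ips, ttl)
    ip_to_name = {}              # ip -> name it was answered for
    rst_seen = defaultdict(set)  # name -> {(ip, port)} that answered RST
    findings = []
    for line in lines:
        m = DNS_RE.match(line)
        if m:
            ips = m.group("ips").split(",")
            answers[m.group("name")] = (ips, int(m.group("ttl")))
            ip_to_name.update((ip, m.group("name")) for ip in ips)
            continue
        m = TCP_RE.match(line)
        if not m or m.group("ip") not in ip_to_name:
            continue
        name, ip, port = ip_to_name[m.group("ip")], m.group("ip"), int(m.group("port"))
        if m.group("result") == "RST":
            rst_seen[name].add((ip, port))
            continue
        rejected = sorted(r_ip for r_ip, r_port in rst_seen[name]
                          if r_port == port and r_ip != ip)
        if rejected:  # handshake completed only after a sibling IP refused it
            ips, ttl = answers[name]
            findings.append({"name": name, "port": port, "connected_to": ip,
                             "rst_from": rejected, "answer_count": len(ips),
                             "short_ttl": ttl <= short_ttl})
    return findings
```

The port 80 connection in the sample is not flagged, since no earlier RST was seen for that port; the unusual pair is a short-TTL multi-IP answer whose first addresses refuse 443 while accepting 80.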
Slide 24: Improve the attack.

Slide 25: DEMO (or video if demo effect ;)

Slide 26: Previous limitations.
• Limited host interception.
• Time needed to study each IP's communication patterns.
• Limited cleartext protocol interception.
• HTTPS.
• Accept losing a lot of information.

Slide 27: SSLStrip vs HSTS.

Slide 28: Common SSLStrip usage

Slide 29: Obstacles.
• HSTS + preloaded HSTS sites (Non critical).

Slide 30: SSLStrip+ to defeat HSTS.
• Strict Transport Security is based on domain names, predefined (preloaded) or not.
• Change HTTPS to HTTP.
• Also change the domain names to connect to, based on predefined rules.
• The DNS server can resolve based on these same predefined rules.
• HSTS.
https://github.com/LeonardoNve/sslstrip2.git
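As an added check for the "change the domain name" point above, not code from the slides or from sslstrip2: an RFC 6797 superdomain-match evaluation showing which names a cached or preloaded HSTS policy actually covers, and therefore why a policy that only names the www host leaves same-domain siblings unprotected while an apex policy with includeSubDomains does not. The policy cache and the sibling-name construction are assumptions for illustration.

```python
# Added example: RFC 6797-style HSTS coverage check, not code from the slides
# or from sslstrip2.  Policy cache and host names below are constructed.

def hsts_covers(host, policies):
    """Return True if `host` is covered by an HSTS policy.

    policies maps a known HSTS host to its includeSubDomains flag.  A host is
    covered by an exact match, or by any superdomain whose policy set
    includeSubDomains (RFC 6797, sections 8.2 and 8.3)."""
    host = host.lower().rstrip(".")
    if host in policies:
        return True
    labels = host.split(".")
    return any(policies.get(".".join(labels[i:]), False)
               for i in range(1, len(labels)))

# Constructed policy cache: weak.example only pins its www host; strong.example
# pins the apex with includeSubDomains, which is what the preload list requires.
POLICIES = {"www.weak.example": False, "strong.example": True}

def sibling_rewrite_coverage(host, policies=POLICIES):
    """Compare coverage of the typed name with a same-domain sibling
    (constructed here by repeating the first character of the first label),
    the kind of name a rewriting proxy could hand the browser instead."""
    first, rest = host.split(".", 1)
    sibling = f"{first}{first[0]}.{rest}"
    return {"host": host, "sibling": sibling,
            "host_covered": hsts_covers(host, policies),
            "sibling_covered": hsts_covers(sibling, policies)}
```

Run against your own HSTS hosts, the check tells you whether the apex policy (with includeSubDomains, ideally preloaded) closes the sibling-name gap.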
Slide 31: DEMO (or video if demo effect…)

Slide 32: SSL in general
• You must take advantage of other factors/vulnerabilities.

Slide 33: More possibilities.
• Downgrade attacks.
• JavaScript infections.
http://media.blackhat.com/bh-us-12/Briefings/Alonso/BH_US_12_Alonso_Owning_Bad_Guys_Slides.pdf
• For decoding ciphered protocols, go there:

Slide 34: UDP?
• With UDP the application has control over the communication, not the OS.
• If this application resends a lost UDP packet, we have it! If not…
• Dns2proxy is a PoC and only controls TCP, but it is really easy to extend it to UDP too.

Slide 35: Other scenario.

Slide 36: Conclusions.
• Improve DNS server configuration hijacks with two tools.
• Much more information captured than in typical attacks.
• Old protocols – old security.
• New protocols + old protocols – old security+.
• Solutions… DNSSEC.

Slide 37: THANKs.
Miguel Hernandez, the man who first thought "Let's put a default password. Then they can change it."