Evil DNS tricks
Pentesting with DNS
Ron Bowes, SkullSecurity
@iagox86
Source: http://xkcd.com/1361/
Bored? dig -t TXT instructions.skullseclabs.org
dig -t TXT instructions.skullseclabs.org
Just do a TXT lookup for my domain
Can play in a browser / mobile, just TXT lookups
I have a really, really, really dumb prize for the winner!
ron@skullsecurity.net @iagox86
Wow!
Such BSides
Wow!
Much SkullSpace
Many Google
Wow!
Yes, I know doge isn't cool anymore. It was when I made this slide. I'm taking it back!
You know the drill...
...but I have to say it.
The stuff I talk about here does not reflect the views of my employer, nor does my employer necessarily condone anything I've done.
Information is provided without warranty, obligation, or consent. All sales final. See your pentester if symptoms persist for more than 3 days.
How DNS works
...in 10 5 2 minutes, or your money back
DNS requests (recursive)
dig @192.168.0.1 test.skullseclabs.org
[Diagram: the query travels 192.168.0.1 -> 8.8.8.8 -> X.root-servers.net -> skullseclabs.org; at each resolver along the way:]
Is it cached? Yes: respond. No: send to 8.8.8.8
Is it cached? Yes: respond. No: send to X.root-servers.net
Is it cached? Yes: respond. No: send to authoritative server
skullseclabs.org (authoritative): Return anything we want
Notice…
The end user never sent me a packet!
In fact, the endpoint didn't send a single packet that left their network! (the router did)
DNS tunneling
Starring: dnscat2
Photo credit: me!
DNS is awesome...
...because it can bypass most firewalls / security!
[Diagram: Internet <-> Router: most traffic gets blocked, but DNS traffic goes through the router]
Challenges with using DNS
Challenge: DNS is stateless
This may be the most annoying problem
All requests come on the same port, from random upstream servers
It's impossible to know who sent which packet
Solution: session_id field
A field in the dnscat2 header that uniquely identifies a "connection"
Always sent in cleartext at the start of a packet, even encrypted packets (unfortunately, there's no alternative)
Transparent to the user; looks like a separate "connection"
Challenge: DNS is one way
The client can ask the server a question
But the server can't ask the client anything
In fact, the server doesn't know who the client is!
Solution: two-way communication
Solution: The client polls the server occasionally
Client: What's the TXT record of "42494e474f0a.skullseclabs.org"?
Server: It's "57617320686973206e616d652d6f0a"
The client even sends blank messages when it has no data
Client: TXT for "6b6e6f636b206b6e6f636b.skullseclabs.org"?
Server: It's "77686f2773207468657265"
Client: TXT for "656666"?
Server: It's "6566662077686f3f"
Client: TXT for "65666620796f7521"?
Server: It's ""
Client: TXT for ""?
Server: It's "474554204954213f"
Client: TXT for ""?
Server: It's ""
Client: TXT for ""?
Server: It's ""
Simple, right?
In reality, it works a little more like:
TXT for "6b6e6f636b206b6e6f636b.skullseclabs.org"?
It's "6566662077686f3f"
TXT for "6b6e6f636b206b6e6f636b.skullseclabs.org"?
It's "6566662077686f3f"
It's "6566662077686f3f"
Screw it. I'm getting a beer.
TXT for "6b6e6f636b206b6e6f636b.skullseclabs.org"?
TXT for "6b6e6f636b206b6e6f636b.skullseclabs.org"?
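As an added defender-side example (not code from the talk or from dnscat2): the exchanges above show a client issuing steady TXT queries whose labels are hex-encoded bytes, plus the retransmissions that make the same name show up several times. This script groups a constructed resolver log per client and base domain and flags groups that are mostly hex-only labels, never go quiet, and repeat exact names; it assumes the log comes from the internal resolver (per the "Notice" slide, that is where the endpoint's own queries are visible) and that the base domain is the last two labels.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (not captured traffic): "seconds client qtype qname",
# modelled on the hex-label TXT polling and retransmissions shown in the slides.
SAMPLE_LOG = """\
0.0 10.0.0.5 TXT 42494e474f0a.skullseclabs.org
0.5 10.0.0.5 TXT 77686f2773207468657265.skullseclabs.org
1.0 10.0.0.5 TXT 656666.skullseclabs.org
1.5 10.0.0.5 TXT 65666620796f7521.skullseclabs.org
2.0 10.0.0.5 TXT 00.skullseclabs.org
3.0 10.0.0.5 TXT 6b6e6f636b206b6e6f636b.skullseclabs.org
3.2 10.0.0.5 TXT 6b6e6f636b206b6e6f636b.skullseclabs.org
3.4 10.0.0.5 TXT 6b6e6f636b206b6e6f636b.skullseclabs.org
0.3 10.0.0.7 A www.example.com
1.7 10.0.0.7 TXT _dmarc.example.com
"""

HEX_LABEL = re.compile(r"^[0-9a-f]{2,}$")  # a label that is nothing but hex bytes


def split_name(qname):
    """Split a query name into (subdomain labels, base); assumes base = last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])


def find_tunnel_candidates(log, min_queries=5, min_hex_fraction=0.8, max_gap=5.0):
    """Group queries per (client, base) and flag groups that look like a polling tunnel:
    nearly all labels hex-only, no long silences, and exact duplicate names (retransmits)."""
    groups = defaultdict(list)
    for line in log.splitlines():
        ts, client, qtype, qname = line.split()
        sub, base = split_name(qname)
        hexy = bool(sub) and all(HEX_LABEL.match(l) for l in sub)  # one "cafe" label is fine; the group fraction decides
        groups[(client, base)].append((float(ts), qtype, qname, hexy))
    flagged = {}
    for key, q in groups.items():
        if len(q) < min_queries:
            continue
        q.sort()
        hex_frac = sum(h for *_, h in q) / len(q)
        gaps = [b[0] - a[0] for a, b in zip(q, q[1:])]
        if hex_frac >= min_hex_fraction and max(gaps) <= max_gap:
            flagged[key] = {
                "queries": len(q),
                "hex_fraction": hex_frac,
                "txt_fraction": sum(t == "TXT" for _, t, _, _ in q) / len(q),
                "duplicates": len(q) - len({n for _, _, n, _ in q}),
            }
    return flagged
```

Tune the thresholds against your own baseline; legitimate hex-looking labels (CDN hashes, DKIM selectors) exist, which is why a single label never triggers by itself.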
Challenge: DNS is damn unreliable
Retransmissions and drops are common
In fact, many DNS clients / relays will gratuitously retransmit, like it's a motherf***ing game or something!
Solution: A custom protocol
Uses a simple TCP-like protocol, designed with one-way communication in mind
Has SYN/FIN packets to start/end sessions like TCP, and has MSG packets in the middle
Also has an encryption layer by default!
Check out docs/protocol.md if you're curious :)
Encryption!
All sessions are now encrypted - by default!
They can also be authenticated (to prevent man-in-the-middle attacks) with a pre-shared secret
Note: I'm not a cryptographer, but it should be reasonably difficult to attack!
Tunnels
[Diagram: Metasploit, etc -> dnscat2 server (listens on port 1234) ==DNS==> owned client -> vulnerable server (connects on port 445)]
Future plans
More tunneling
Speed improvements: base32 + compression
DNS-based shellcode / exploit payload
Updated UI (ncurses and/or Ember.js)
DEMO!
Questions?
(Sorry for probably going too long!)
Ron Bowes <ron@skullsecurity.net>
https://www.skullsecurity.org/
Twitter: @iagox86
Github: iagox86
tinyurl.com/dnsfiretalk2016