SlideShare uma empresa Scribd logo

Day 2 Dns Cert 4a Cache Poisoning

V
vngundi

Presentation by ICANN

Tecnologia
1 de 18
Baixar para ler offline
DNS Security for CERTs - Attack Scenarios & Demonstrations – Cache Poisoning Chris Evans Delta Risk, LLC 7 March 2010 1
What You Will Need for the Exercise • Your Ubuntu VM – VMWare Web Console Access – SSH with X11 Forwarding (for Advanced Users) • Do a query for www.tld1 and verify its IP address before the attack is launched: – 192.168.101.50 2
Description • A Change in Recursive DNS Server Causes Spoofed or Incorrect Resolutions – Attack Doesn’t Target Registry Architecture DNS Google.com ISP 1 DNS Fake Google ISP 2 Resolves Differently Than 3
Description • Cache poisoning attacks target a specific DNS server, and therefore, only the users which use that DNS server – This doesn’t fit the “get most bang for the buck” of typical hackers out for fame and glory – BUT, the attack can be very insidious, difficult to detect and completely transparent to the victim • These attacks occur infrequently, or, are just not being detected and reported. 4
Case Study – External Poisoning • Unverified report of a Brazilian bank victimized by cache poisoning attack. • Attack targeted local ISP DNS server • ISP reported only “1%” of its users were affected Eweek.com 4/22/09 5
Case Study – External Poisoning • Hackers poisoned local ISP DNS server and redirected users to a login page that looked just like the Bank’s login page • Solicited usernames, passwords, and other information not normally asked for by the Bank at login Actual Bradesco Login Page 6
Case Study – Internal Poisoning • Partido Colorado – political statement made by one organization against another during an election Attacker Modifies Upstream DNS Records www.partidocolorado.org. 3600 IN A 66.249.01.121 7
Case Study – Internal Poisoning • The local ISP (Copaco) modified its own recursive name servers to redirect users looking for partidocolorado.org to a state-run news service 201.217.51.114 Attacker Modified Upstream DNS Records www.partidocolorado.org. 3600 IN A 66.249.01.121 8
Attack Demonstration External Poisoning DNS Cache Web Server DNS Server Hacker Normal Request Poisoned Request Victim Web Server 9
Demonstration – Attacker View _ _ _ | | (_)_ ____ ____| |_ ____ ___ ____ | | ___ _| |_ | / _ ) _)/ _ |/___) _ | |/ _ | | _) | | | ( (/ /| |_( ( | |___ | | | | | |_| | | |__ |_|_|_|____)___)_||_(___/| ||_/|_|___/|_|___) |_| =[ msf v3.2-release + -- --=[ 320 exploits - 217 payloads + -- --=[ 20 encoders - 6 nops =[ 99 aux msf auxiliary(bailiwicked_host) > Name: DNS BailiWicked Host Attack Version: 5794 Provided by: I)ruid <druid@caughq.org> hdm <hdm@metasploit.com> Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- HOSTNAME www.tld1 yes Hostname to hijack NEWADDR 192.168.85.5 yes New address for hostname RECONS 192.168.101.10 yes The nameserver used for recon RHOST 192.168.80.10 yes The target address SRCADDR Real yes The source address to use for SRCPORT 53 yes The target server's source TTL 37620 yes The TTL for the malicious host XIDS 0 yes The number of XIDs to try for 10
Demonstration – Attacker View (cont.) [*] Targeting nameserver 192.168.80.10 for injection of www.tld1. as 192.168.85.5 [*] Querying recon nameserver for tld1.'s nameservers... [*] Got an NS record: tld1. 180 IN NS ns1.tld1. [*] Querying recon nameserver for address of ns1.tld1.... [*] Got an A record: ns1.tld1. 180 IN A 192.168.101.10 [*] Checking Authoritativeness: Querying 192.168.101.10 for tld1.... [*] ns1.tld1. is authoritative for tld1., adding to list of nameservers to spoof as [*] Calculating the number of spoofed replies to send per query... [*] race calc: 100 queries | min/max/avg time: 0.0/0.06/0.0 | min/max/avg replies: 0/6/3 [*] Sending 4 spoofed replies from each nameserver (1) for each query [*] Attempting to inject a poison record for www.tld1. into 192.168.80.10:53... ... ... ... ... [*] Poisoning successful after 61000 queries and 250000 responses: www.tld1 == 192.168.85.5 [*] TTL: 37619 DATA: #<Resolv::DNS::Resource::IN::A:0xb6b28688> [*] Auxiliary module execution completed Attack Successful!!!!! 11
Demonstration – Server View • Wireshark Capture – Note the queries like “031PtyJamG6o.tld1” 12
Demonstration – User View • Please open a browser and connect to the webmail server: http://192.168.101.50/squirrelmail – Login as: studentX – Password: password • Examine the message in your inbox – Looks realistic? ( Use your imagination  ) – The URL certainly does – it matches the web registry system URL. • Click on the link (it won’t hurt you!) – Does this look like the login page of the web registry system? 13
Demonstration – User View 1 3 2 May look legit but is the hacker’s IP and webserver!!!!! 14
Impact • Users are dependent on the answers from the DNS being accurate and legitimate • Cache Poisoning can be used to create very realistic phishing attacks, that are more likely to succeed, because they appear to use real URLs. – Users are more attune to “strange” URLs now than several years ago, but cache poisoning allows an attacker to use a “normal” URL 15
Mitigation & Response Strategies • DNSSEC – will mitigate effect of external poisoning attacks, but will not address content “issues” at the authoritative server • SSL-Based Logins – but subject to user participation! • Server validation techniques like “site keys” – but again, subject to user participation! • Proactive monitoring of recursive servers – not necessarily tractable – but maybe useful for High Value Domains 16
Mitigation & Response Strategies • Know WHO to contact at the ISPs within your span of control • Know the procedures for flushing the DNS cache – you may have to instruct operators how to do this! • Information Sharing – if you’re the victim of an attack – share the details of the attack within the community – you may prevent someone else from becoming a victim 17
Questions? ? 18

Recomendados

Grey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache PoisoningGrey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache PoisoningChristopher Grayson
 
There's no place like 127.0.0.1 - Achieving "reliable" DNS rebinding in moder...
There's no place like 127.0.0.1 - Achieving "reliable" DNS rebinding in moder...There's no place like 127.0.0.1 - Achieving "reliable" DNS rebinding in moder...
There's no place like 127.0.0.1 - Achieving "reliable" DNS rebinding in moder...Luke Young
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local NetworksMen and Mice
 
DNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamDNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamMyNOG
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksMen and Mice
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSMen and Mice
 
Windows 2012 and DNSSEC
Windows 2012 and DNSSECWindows 2012 and DNSSEC
Windows 2012 and DNSSECMen and Mice
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]APNIC
 

Recomendados

Grey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache PoisoningGrey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache PoisoningChristopher Grayson
 
There's no place like 127.0.0.1 - Achieving "reliable" DNS rebinding in moder...
There's no place like 127.0.0.1 - Achieving "reliable" DNS rebinding in moder...There's no place like 127.0.0.1 - Achieving "reliable" DNS rebinding in moder...
There's no place like 127.0.0.1 - Achieving "reliable" DNS rebinding in moder...Luke Young
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local NetworksMen and Mice
 
DNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamDNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamMyNOG
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksMen and Mice
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSMen and Mice
 
Windows 2012 and DNSSEC
Windows 2012 and DNSSECWindows 2012 and DNSSEC
Windows 2012 and DNSSECMen and Mice
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]APNIC
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]APNIC
 
RHCE FINAL Questions and Answers
RHCE FINAL Questions and AnswersRHCE FINAL Questions and Answers
RHCE FINAL Questions and AnswersRadien software
 
[India Merge World Tour] Meru Networks
[India Merge World Tour] Meru Networks[India Merge World Tour] Meru Networks
[India Merge World Tour] Meru NetworksPerforce
 
HKNOG 5.0 - NSEC caching
HKNOG 5.0 - NSEC cachingHKNOG 5.0 - NSEC caching
HKNOG 5.0 - NSEC cachingAPNIC
 
Troubleshooting Tips from a Docker Support Engineer
Troubleshooting Tips from a Docker Support EngineerTroubleshooting Tips from a Docker Support Engineer
Troubleshooting Tips from a Docker Support EngineerJeff Anderson
 
Yeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootYeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootMen and Mice
 
Cloudstone - Sharpening Your Weapons Through Big Data
Cloudstone - Sharpening Your Weapons Through Big DataCloudstone - Sharpening Your Weapons Through Big Data
Cloudstone - Sharpening Your Weapons Through Big DataChristopher Grayson
 
2016 JavaOne Deconstructing REST Security
2016 JavaOne Deconstructing REST Security2016 JavaOne Deconstructing REST Security
2016 JavaOne Deconstructing REST SecurityDavid Blevins
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encryptedMen and Mice
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Shakacon
 
2017 dev nexus_deconstructing_rest_security
2017 dev nexus_deconstructing_rest_security2017 dev nexus_deconstructing_rest_security
2017 dev nexus_deconstructing_rest_securityDavid Blevins
 
Keeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runitKeeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runitMen and Mice
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 WebinarMen and Mice
 
Mens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practiceMens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practicekuchinskaya
 
Database Hardware Benchmarking
Database Hardware BenchmarkingDatabase Hardware Benchmarking
Database Hardware BenchmarkingCommand Prompt., Inc
 
Putting Wings on the Elephant
Putting Wings on the ElephantPutting Wings on the Elephant
Putting Wings on the ElephantDataWorks Summit
 
Collaborate instant cloning_kyle
Collaborate instant cloning_kyleCollaborate instant cloning_kyle
Collaborate instant cloning_kyleKyle Hailey
 
Apache Wizardry - Ohio Linux 2011
Apache Wizardry - Ohio Linux 2011Apache Wizardry - Ohio Linux 2011
Apache Wizardry - Ohio Linux 2011Rich Bowen
 
End-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyEnd-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyCrowdStrike
 
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...OpenDNS
 
Day 2 Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious UseDay 2 Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious Usevngundi
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...Felipe Prado
 

Mais conteúdo relacionado

Mais procurados

Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]APNIC
 
RHCE FINAL Questions and Answers
RHCE FINAL Questions and AnswersRHCE FINAL Questions and Answers
RHCE FINAL Questions and AnswersRadien software
 
[India Merge World Tour] Meru Networks
[India Merge World Tour] Meru Networks[India Merge World Tour] Meru Networks
[India Merge World Tour] Meru NetworksPerforce
 
HKNOG 5.0 - NSEC caching
HKNOG 5.0 - NSEC cachingHKNOG 5.0 - NSEC caching
HKNOG 5.0 - NSEC cachingAPNIC
 
Troubleshooting Tips from a Docker Support Engineer
Troubleshooting Tips from a Docker Support EngineerTroubleshooting Tips from a Docker Support Engineer
Troubleshooting Tips from a Docker Support EngineerJeff Anderson
 
Yeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootYeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootMen and Mice
 
Cloudstone - Sharpening Your Weapons Through Big Data
Cloudstone - Sharpening Your Weapons Through Big DataCloudstone - Sharpening Your Weapons Through Big Data
Cloudstone - Sharpening Your Weapons Through Big DataChristopher Grayson
 
2016 JavaOne Deconstructing REST Security
2016 JavaOne Deconstructing REST Security2016 JavaOne Deconstructing REST Security
2016 JavaOne Deconstructing REST SecurityDavid Blevins
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encryptedMen and Mice
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Shakacon
 
2017 dev nexus_deconstructing_rest_security
2017 dev nexus_deconstructing_rest_security2017 dev nexus_deconstructing_rest_security
2017 dev nexus_deconstructing_rest_securityDavid Blevins
 
Keeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runitKeeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runitMen and Mice
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 WebinarMen and Mice
 
Mens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practiceMens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practicekuchinskaya
 
Putting Wings on the Elephant
Putting Wings on the ElephantPutting Wings on the Elephant
Putting Wings on the ElephantDataWorks Summit
 
Collaborate instant cloning_kyle
Collaborate instant cloning_kyleCollaborate instant cloning_kyle
Collaborate instant cloning_kyleKyle Hailey
 
Apache Wizardry - Ohio Linux 2011
Apache Wizardry - Ohio Linux 2011Apache Wizardry - Ohio Linux 2011
Apache Wizardry - Ohio Linux 2011Rich Bowen
 
End-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyEnd-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyCrowdStrike
 
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...OpenDNS
 

Mais procurados (20)

Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
 
RHCE FINAL Questions and Answers
RHCE FINAL Questions and AnswersRHCE FINAL Questions and Answers
RHCE FINAL Questions and Answers
 
[India Merge World Tour] Meru Networks
[India Merge World Tour] Meru Networks[India Merge World Tour] Meru Networks
[India Merge World Tour] Meru Networks
 
HKNOG 5.0 - NSEC caching
HKNOG 5.0 - NSEC cachingHKNOG 5.0 - NSEC caching
HKNOG 5.0 - NSEC caching
 
Troubleshooting Tips from a Docker Support Engineer
Troubleshooting Tips from a Docker Support EngineerTroubleshooting Tips from a Docker Support Engineer
Troubleshooting Tips from a Docker Support Engineer
 
Yeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootYeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the root
 
Cloudstone - Sharpening Your Weapons Through Big Data
Cloudstone - Sharpening Your Weapons Through Big DataCloudstone - Sharpening Your Weapons Through Big Data
Cloudstone - Sharpening Your Weapons Through Big Data
 
2016 JavaOne Deconstructing REST Security
2016 JavaOne Deconstructing REST Security2016 JavaOne Deconstructing REST Security
2016 JavaOne Deconstructing REST Security
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encrypted
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
 
2017 dev nexus_deconstructing_rest_security
2017 dev nexus_deconstructing_rest_security2017 dev nexus_deconstructing_rest_security
2017 dev nexus_deconstructing_rest_security
 
Keeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runitKeeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runit
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 Webinar
 
Mens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practiceMens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practice
 
Database Hardware Benchmarking
Database Hardware BenchmarkingDatabase Hardware Benchmarking
Database Hardware Benchmarking
 
Putting Wings on the Elephant
Putting Wings on the ElephantPutting Wings on the Elephant
Putting Wings on the Elephant
 
Collaborate instant cloning_kyle
Collaborate instant cloning_kyleCollaborate instant cloning_kyle
Collaborate instant cloning_kyle
 
Apache Wizardry - Ohio Linux 2011
Apache Wizardry - Ohio Linux 2011Apache Wizardry - Ohio Linux 2011
Apache Wizardry - Ohio Linux 2011
 
End-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyEnd-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware Family
 
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
 

Semelhante a Day 2 Dns Cert 4a Cache Poisoning

Day 2 Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious UseDay 2 Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious Usevngundi
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...Felipe Prado
 
Day 2 Dns Cert 4b Name Server Redirection
Day 2 Dns Cert 4b Name Server RedirectionDay 2 Dns Cert 4b Name Server Redirection
Day 2 Dns Cert 4b Name Server Redirectionvngundi
 
3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities Sam Bowne
 
No more ARP : Another MiTm Attacks
No more ARP : Another MiTm AttacksNo more ARP : Another MiTm Attacks
No more ARP : Another MiTm AttacksKhajornchol Puwarang
 
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache ServersNANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache ServersChika Yoshimura
 
CNIT 40: 3: DNS vulnerabilities
CNIT 40: 3: DNS vulnerabilitiesCNIT 40: 3: DNS vulnerabilities
CNIT 40: 3: DNS vulnerabilitiesSam Bowne
 
DNS spoofing/poisoning Attack Report (Word Document)
DNS spoofing/poisoning Attack Report (Word Document)DNS spoofing/poisoning Attack Report (Word Document)
DNS spoofing/poisoning Attack Report (Word Document)Fatima Qayyum
 
Whalebone-UKNOF44security992_new_impl.pptx
Whalebone-UKNOF44security992_new_impl.pptxWhalebone-UKNOF44security992_new_impl.pptx
Whalebone-UKNOF44security992_new_impl.pptxAns Sembiring
 
The latest news in the DNS resolution: DNSSEC
The latest news in the DNS resolution: DNSSECThe latest news in the DNS resolution: DNSSEC
The latest news in the DNS resolution: DNSSECWhalebone, s.r.o.
 
DNS Rebinding Attack
DNS Rebinding AttackDNS Rebinding Attack
DNS Rebinding AttackFelipe Japm
 
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam ObszyńskiPLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam ObszyńskiPROIDEA
 
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksFindWhitePapers
 
Drilling Down Into DNS DDoS
Drilling Down Into DNS DDoSDrilling Down Into DNS DDoS
Drilling Down Into DNS DDoSAPNIC
 
bdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timebdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timeAPNIC
 
DNS_Tutorial 2.pptx
DNS_Tutorial 2.pptxDNS_Tutorial 2.pptx
DNS_Tutorial 2.pptxviditsir
 

Semelhante a Day 2 Dns Cert 4a Cache Poisoning (20)

Day 2 Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious UseDay 2 Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious Use
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
 
Day 2 Dns Cert 4b Name Server Redirection
Day 2 Dns Cert 4b Name Server RedirectionDay 2 Dns Cert 4b Name Server Redirection
Day 2 Dns Cert 4b Name Server Redirection
 
3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities
 
No more ARP : Another MiTm Attacks
No more ARP : Another MiTm AttacksNo more ARP : Another MiTm Attacks
No more ARP : Another MiTm Attacks
 
ION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSECION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSEC
 
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache ServersNANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
 
CNIT 40: 3: DNS vulnerabilities
CNIT 40: 3: DNS vulnerabilitiesCNIT 40: 3: DNS vulnerabilities
CNIT 40: 3: DNS vulnerabilities
 
Dns security
Dns securityDns security
Dns security
 
DNS spoofing/poisoning Attack Report (Word Document)
DNS spoofing/poisoning Attack Report (Word Document)DNS spoofing/poisoning Attack Report (Word Document)
DNS spoofing/poisoning Attack Report (Word Document)
 
Whalebone-UKNOF44security992_new_impl.pptx
Whalebone-UKNOF44security992_new_impl.pptxWhalebone-UKNOF44security992_new_impl.pptx
Whalebone-UKNOF44security992_new_impl.pptx
 
The latest news in the DNS resolution: DNSSEC
The latest news in the DNS resolution: DNSSECThe latest news in the DNS resolution: DNSSEC
The latest news in the DNS resolution: DNSSEC
 
DNS Rebinding Attack
DNS Rebinding AttackDNS Rebinding Attack
DNS Rebinding Attack
 
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam ObszyńskiPLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
 
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
 
Drilling Down Into DNS DDoS
Drilling Down Into DNS DDoSDrilling Down Into DNS DDoS
Drilling Down Into DNS DDoS
 
Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time
 
DNS Attacks
DNS AttacksDNS Attacks
DNS Attacks
 
bdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timebdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a time
 
DNS_Tutorial 2.pptx
DNS_Tutorial 2.pptxDNS_Tutorial 2.pptx
DNS_Tutorial 2.pptx
 

Mais de vngundi

Anatomy of a CERT - Gordon Love, Symantec
Anatomy of a CERT - Gordon Love, SymantecAnatomy of a CERT - Gordon Love, Symantec
Anatomy of a CERT - Gordon Love, Symantecvngundi
 
Dealing With Security Threats
Dealing With Security ThreatsDealing With Security Threats
Dealing With Security Threatsvngundi
 
Cyber Security Strategies and Approaches
Cyber Security Strategies and ApproachesCyber Security Strategies and Approaches
Cyber Security Strategies and Approachesvngundi
 
Day 2 Dns Cert 4 Scenarios
Day 2 Dns Cert 4 ScenariosDay 2 Dns Cert 4 Scenarios
Day 2 Dns Cert 4 Scenariosvngundi
 
Day 2 Dns Cert 3 Dns Organizations
Day 2 Dns Cert 3 Dns OrganizationsDay 2 Dns Cert 3 Dns Organizations
Day 2 Dns Cert 3 Dns Organizationsvngundi
 
Day 1 Large Scale Attacks
Day 1 Large Scale AttacksDay 1 Large Scale Attacks
Day 1 Large Scale Attacksvngundi
 
Day 1 From CERT To NCSC
Day 1 From CERT To NCSCDay 1 From CERT To NCSC
Day 1 From CERT To NCSCvngundi
 
Day 1 Enisa Setting Up A Csirt
Day 1 Enisa Setting Up A CsirtDay 1 Enisa Setting Up A Csirt
Day 1 Enisa Setting Up A Csirtvngundi
 
Day 1 Coop Banks
Day 1 Coop BanksDay 1 Coop Banks
Day 1 Coop Banksvngundi
 

Mais de vngundi (9)

Anatomy of a CERT - Gordon Love, Symantec
Anatomy of a CERT - Gordon Love, SymantecAnatomy of a CERT - Gordon Love, Symantec
Anatomy of a CERT - Gordon Love, Symantec
 
Dealing With Security Threats
Dealing With Security ThreatsDealing With Security Threats
Dealing With Security Threats
 
Cyber Security Strategies and Approaches
Cyber Security Strategies and ApproachesCyber Security Strategies and Approaches
Cyber Security Strategies and Approaches
 
Day 2 Dns Cert 4 Scenarios
Day 2 Dns Cert 4 ScenariosDay 2 Dns Cert 4 Scenarios
Day 2 Dns Cert 4 Scenarios
 
Day 2 Dns Cert 3 Dns Organizations
Day 2 Dns Cert 3 Dns OrganizationsDay 2 Dns Cert 3 Dns Organizations
Day 2 Dns Cert 3 Dns Organizations
 
Day 1 Large Scale Attacks
Day 1 Large Scale AttacksDay 1 Large Scale Attacks
Day 1 Large Scale Attacks
 
Day 1 From CERT To NCSC
Day 1 From CERT To NCSCDay 1 From CERT To NCSC
Day 1 From CERT To NCSC
 
Day 1 Enisa Setting Up A Csirt
Day 1 Enisa Setting Up A CsirtDay 1 Enisa Setting Up A Csirt
Day 1 Enisa Setting Up A Csirt
 
Day 1 Coop Banks
Day 1 Coop BanksDay 1 Coop Banks
Day 1 Coop Banks
 

Último

Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 

Último (20)

Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 

Day 2 Dns Cert 4a Cache Poisoning

  • 1. DNS Security for CERTs - Attack Scenarios & Demonstrations – Cache Poisoning Chris Evans Delta Risk, LLC 7 March 2010 1
  • 2. What You Will Need for the Exercise • Your Ubuntu VM – VMWare Web Console Access – SSH with X11 Forwarding (for Advanced Users) • Do a query for www.tld1 and verify its IP address before the attack is launched: – 192.168.101.50 2
  • 3. Description • A Change in Recursive DNS Server Causes Spoofed or Incorrect Resolutions – Attack Doesn’t Target Registry Architecture DNS Google.com ISP 1 DNS Fake Google ISP 2 Resolves Differently Than 3
  • 4. Description • Cache poisoning attacks target a specific DNS server, and therefore, only the users which use that DNS server – This doesn’t fit the “get most bang for the buck” of typical hackers out for fame and glory – BUT, the attack can be very insidious, difficult to detect and completely transparent to the victim • These attacks occur infrequently, or, are just not being detected and reported. 4
  • 5. Case Study – External Poisoning • Unverified report of a Brazilian bank victimized by cache poisoning attack. • Attack targeted local ISP DNS server • ISP reported only “1%” of its users were affected Eweek.com 4/22/09 5
  • 6. Case Study – External Poisoning • Hackers poisoned local ISP DNS server and redirected users to a login page that looked just like the Bank’s login page • Solicited usernames, passwords, and other information not normally asked for by the Bank at login Actual Bradesco Login Page 6
  • 7. Case Study – Internal Poisoning • Partido Colorado – political statement made by one organization against another during an election Attacker Modifies Upstream DNS Records www.partidocolorado.org. 3600 IN A 66.249.01.121 7
  • 8. Case Study – Internal Poisoning • The local ISP (Copaco) modified its own recursive name servers to redirect users looking for partidocolorado.org to a state-run news service 201.217.51.114 Attacker Modified Upstream DNS Records www.partidocolorado.org. 3600 IN A 66.249.01.121 8
  • 9. Attack Demonstration External Poisoning DNS Cache Web Server DNS Server Hacker Normal Request Poisoned Request Victim Web Server 9
  • 10. Demonstration – Attacker View _ _ _ | | (_)_ ____ ____| |_ ____ ___ ____ | | ___ _| |_ | / _ ) _)/ _ |/___) _ | |/ _ | | _) | | | ( (/ /| |_( ( | |___ | | | | | |_| | | |__ |_|_|_|____)___)_||_(___/| ||_/|_|___/|_|___) |_| =[ msf v3.2-release + -- --=[ 320 exploits - 217 payloads + -- --=[ 20 encoders - 6 nops =[ 99 aux msf auxiliary(bailiwicked_host) > Name: DNS BailiWicked Host Attack Version: 5794 Provided by: I)ruid <druid@caughq.org> hdm <hdm@metasploit.com> Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- HOSTNAME www.tld1 yes Hostname to hijack NEWADDR 192.168.85.5 yes New address for hostname RECONS 192.168.101.10 yes The nameserver used for recon RHOST 192.168.80.10 yes The target address SRCADDR Real yes The source address to use for SRCPORT 53 yes The target server's source TTL 37620 yes The TTL for the malicious host XIDS 0 yes The number of XIDs to try for 10
  • 11. Demonstration – Attacker View (cont.) [*] Targeting nameserver 192.168.80.10 for injection of www.tld1. as 192.168.85.5 [*] Querying recon nameserver for tld1.'s nameservers... [*] Got an NS record: tld1. 180 IN NS ns1.tld1. [*] Querying recon nameserver for address of ns1.tld1.... [*] Got an A record: ns1.tld1. 180 IN A 192.168.101.10 [*] Checking Authoritativeness: Querying 192.168.101.10 for tld1.... [*] ns1.tld1. is authoritative for tld1., adding to list of nameservers to spoof as [*] Calculating the number of spoofed replies to send per query... [*] race calc: 100 queries | min/max/avg time: 0.0/0.06/0.0 | min/max/avg replies: 0/6/3 [*] Sending 4 spoofed replies from each nameserver (1) for each query [*] Attempting to inject a poison record for www.tld1. into 192.168.80.10:53... ... ... ... ... [*] Poisoning successful after 61000 queries and 250000 responses: www.tld1 == 192.168.85.5 [*] TTL: 37619 DATA: #<Resolv::DNS::Resource::IN::A:0xb6b28688> [*] Auxiliary module execution completed Attack Successful!!!!! 11
  • 12. Demonstration – Server View • Wireshark Capture – Note the queries like “031PtyJamG6o.tld1” 12
  • 13. Demonstration – User View • Please open a browser and connect to the webmail server: http://192.168.101.50/squirrelmail – Login as: studentX – Password: password • Examine the message in your inbox – Looks realistic? ( Use your imagination  ) – The URL certainly does – it matches the web registry system URL. • Click on the link (it won’t hurt you!) – Does this look like the login page of the web registry system? 13
  • 14. Demonstration – User View 1 3 2 May look legit but is the hacker’s IP and webserver!!!!! 14
  • 15. Impact • Users are dependent on the answers from the DNS being accurate and legitimate • Cache Poisoning can be used to create very realistic phishing attacks, that are more likely to succeed, because they appear to use real URLs. – Users are more attune to “strange” URLs now than several years ago, but cache poisoning allows an attacker to use a “normal” URL 15
  • 16. Mitigation & Response Strategies • DNSSEC – will mitigate effect of external poisoning attacks, but will not address content “issues” at the authoritative server • SSL-Based Logins – but subject to user participation! • Server validation techniques like “site keys” – but again, subject to user participation! • Proactive monitoring of recursive servers – not necessarily tractable – but maybe useful for High Value Domains 16
  • 17. Mitigation & Response Strategies • Know WHO to contact at the ISPs within your span of control • Know the procedures for flushing the DNS cache – you may have to instruct operators how to do this! • Information Sharing – if you’re the victim of an attack – share the details of the attack within the community – you may prevent someone else from becoming a victim 17
  • 18. Questions? ? 18