These are the slides of a talk by John Bambenek at THOTCON 0x5 in Chicago. Imagine your first day at a client site and you spend your time figuring out what’s going on with the network. You query passive DNS to find tons of apparently VPN over DNS endpoints on your network. What starts as a simple incident investigation process sees the tables turned on those who used the protocol to hide their tracks. This talk will discuss reverse engineering VPN over DNS (vpnoverdns.com) and how weaknesses in using DNS tunneling makes it trivial to retroactively wiretap all communications over the protocol long after the fact.

1. How I Turned VPNoverDNS into a
Retroactive Wiretapping Tool
THOTCON 0x5
John Bambenek / Bambenek Consulting
jcb@bambenekconsulting.com

2. The Setup...
●Hired by a mid-sized business to increase the
security posture
○Yes, it was just that open-ended…
●They had a fairly large web presence and maintain
dozens of sites
○But had no authoritative list of them…
●Commence policy review and massive paper dump.
●Has some PCI, HIPAA, other private (and valuable)
information...

3. The Setup Continued...
●As a way to verify the correctness of information,
do various threat intel queries on a netblock…
●Has there been any breaches? Listing in blacklists?
Known contact with C&Cs?
●Passive DNS will log all queries and responses a
sensor sees so they can be used for later searches.
○For instance, will show all FQDNs resolved for a
given IP address seen by a sensor.
●Scanning the clients /24 yields all the likely used
websites (and unused IPs)

4. pDNS Example
●A historical search on thotcon.org yields:
;; first seen: 2012-09-06 22:17:09 -0000
;; last seen: 2013-11-05 20:41:26 -0000
thotcon.org. IN A 67.195.61.65
--
;; first seen: 2011-06-02 10:57:38 -0000
;; last seen: 2012-09-02 02:05:33 -0000
thotcon.org. IN A 98.136.92.206
--
;; first seen: 2013-10-30 07:04:27 -0000
;; last seen: 2014-04-24 23:15:54 -0000
thotcon.org. IN A 98.136.187.13
--
;; first seen: 2010-07-29 16:00:22 -0000
;; last seen: 2010-09-20 16:58:07 -0000
thotcon.org. IN A 216.39.57.104
--
;; first seen: 2010-08-13 02:05:21 -0000
;; last seen: 2011-06-02 06:20:26 -0000
thotcon.org. IN A 216.39.62.189
……

5. pDNS example...
●A historical search on 98.136.187.13 yields:
ut.ae. IN A 98.136.187.13
oec.ae. IN A 98.136.187.13
meatco.ae. IN A 98.136.187.13
cpssa.com.ar. IN A 98.136.187.13
facimex.com.ar. IN A 98.136.187.13
iltinello.com.ar. IN A 98.136.187.13
tunga-tunga.com.ar. IN A 98.136.187.13
ceramicas-lourdes.com.ar. IN A 98.136.187.13
ictys.org.ar. IN A 98.136.187.13
y-yo.com.au. IN A 98.136.187.13
……

6. A Wild Passive DNS Scan Appears
Rdata results for ANY/197.1.246.0/24
Returned 280 RRs in 0.05 seconds.
tunisia-sat1.no-ip.info. A 197.1.246.1
samibazoug.dyndns.ws. A 197.1.246.3
koooooko.no-ip.biz. A 197.1.246.3
only-security.no-ip.biz. A 197.1.246.3
no-hack.zapto.org. A 197.1.246.3
camfrog-ir.zapto.org. A 197.1.246.3
camfrog-2r9.zapto.org. A 197.1.246.3
gboxbest.dyndns.org. A 197.1.246.3

7. A Wild Passive DNS Scan Appears
mrigel.zapto.org. A 197.1.246.4
hacked007.no-ip.org. A 197.1.246.5
tarajist1919.no-ip.biz. A 197.1.246.8
reflex.sytes.net. A 197.1.246.10
1month-5euro.sytes.net. A 197.1.246.10
gaagle.no-ip.org. A 197.1.246.10
djamelgbox.no-ip.org. A 197.1.246.12
bibitahackertn.no-ip.biz. A 197.1.246.14
kalboussa.no-ip.biz. A 197.1.246.16
njratxmoro.zapto.org. A 197.1.246.16
migalou2012.no-ip.biz. A 197.1.246.18
papu81.no-ip.biz. A 197.1.246.19

8. A Wild Passive DNS Scan Appears
manortn.dyndns.biz. A 197.1.246.19
papu81.no-ip.biz. A 197.1.246.20
ln-048.rd-00000240.id-14932049.v0.tun.
vpnoverdns.com. A 197.1.246.20
revenger.zapto.org. A 197.1.246.21
oscamserver.dyndns.org. A 197.1.246.24
cinefoot.selfip.com. A 197.1.246.28
proxysat.selfip.com. A 197.1.246.28
……
tun.vpnoverdns.com????

9. What is this VPNoverDNS you speak of?
●From vpnoverdns.com:
○ “In a few words, it lets you tunnel data through a DNS
server. Data exfiltration, for those times when everything
else is blocked.”
●At the point I first started seeing this, no one
seemed to know anything about it aside of the
obvious… “it looks like a tunnel endpoint”
●One oddity: to install it on a PC you FIRST have to
install the Android app to create a login…
○As an unapologetic iPhone user, this displeases
me.

10. Data Exfiltration You Say?
ZOMG!!
IT’S AN APT!
MOMMY HELP!
MUCH SCARED!

11. So how prevalent is VPNoverDNS?
●pDNS dump of *.tun.vpnverdns.com yields almost 6
million entries.
●“Endpoints” seen on educational, government,
business and military ASNs.
○And some unassigned IP addresses…
●Looks prevalent but…
○No one knows about it…
○Would it so obviously be sitting on NATO IP
addresses?
○Why would a data exfiltration tool require an
Android device?

12. Seriously, who uses Adobe AIR for this?
●After finding an Android device, downloaded to
that device and then created a VM to install PC
version which uses Adobe AIR.
●Provides a web browser and an email client to
send/receive e-mail.
○This is not looking like data exfiltration…
○Much disappoint… :(
●Time to fire up Wireshark and see what the traffic
looks like...

13. Got Packets?

14. A Closer Look...

15. Got Packets?
●Query a specific FQDN and it returns multiple A
records.
●rd- Byte Offset
●id- Session ID
●A records start at 192. and sequentially get higher.
●This explains why pDNS shows what it does, in
effect, it poisons the data. The only REAL traffic is
DNS to the network resolver (and the resolver to
vpnoverdns.com’s DNS servers).

16. Can we parse this response?
Looking at the hex of the packet...
The last three octets of the A record DNS
responses are the HTTP response… in the clear.

17. Did you know gzip is 1337 crypto?
●So now to rebuild an entire session across all the
queries for a given session ID…
xœ
õï 0§OK
HTTP/1.1 200 OK
Date: Sat, 05 Jan 2013 18:08:05 GMT
Content-Type: text/html;c:Accept-Encoding
Content-Encoding: gzip
---- gzip’d content ----

18. What about HTML requests?
●HTML requests are made by querying FQDN’s
starting with bf-:
●Example:
bf-1b3132313330363734c2a7536f636b657444617461c2a734303436304745.wr-
00000000.id-00912196.v0.tun.vpnoverdns.com. IN A 128.69.0.255
bf-5420687474703a2f2f616e64726f69642e636c69656e74732e676f6f676c.wr-
00000030.id-00912196.v0.tun.vpnoverdns.com. IN A 128.69.0.255
bf-652e636f6d2f70726f78792f677361737567676573742f7365617263683f.wr-
00000060.id-00912196.v0.tun.vpnoverdns.com. IN A 128.69.0.255
●Syntax: wr- byte offset, id- session ID
●Is the bf- content just ASCII text in hex form?
● 12130674§SocketData§40460GET http://android.clients.google.
com/proxy/gsasuggest/search?client=qsb-android&hl=en&gl=us

19. The Incident that Never was...
●Nothing is quite as depressing as finding a cool
incident that really wasn’t.
●Takeaway: Passive DNS operators probably should
ignore this domain as the data isn’t real DNS, it’s
actually HTTP/Mail traffic.

20. The Truth About VPN over DNS
●This is not data exfiltration, it’s a way to surf the
web behind WiFi hotspot paywalls (because DNS
isn’t blocked even if you haven’t authenticated).
○Take that Marriott and your $10/day Internet
fee.
●This will also bypass any web proxies you have.
●In theory you COULD use if for data exfiltration,
but it’s pretty easy to spot
○Any DNS queries for *.tun.vpnoverdns.com? You
are bad and you should feel bad.

21. Then Evil Genius Struck
●I was able to rebuild traffic in Wireshark… what if I
dumped the entire pDNS database for tun.
vpnoverdns.com?
○Remember, pDNS is just a big log of all DNS
queries and responses it sees.
$ python dnsdb_query.py *.tun.vpnoverdns.com |
wc -l
5799244

22. Look Mom, I Built PRISM for Script Kiddies
●Looking at just the timestamps I have data from,
there are records back from May 2013.
●Since the sensor is in between the VPNoverDNS
user and their DNS server, if it captures any traffic
it likely has the ENTIRE session in its logs.
●So what websites do you think VPN over DNS users
like to view?
○Let’s check those bf- records

23. Wait for it...
●Some are not surprising:
Host: m.facebook.com:443
Host: profile.ak.fbcdn.net
Host: i2.cdn.turner.com
Host: googleads.g.doubleclick.net
● This had to be a fun listening experience:
Host: stats.pandora.com

24. And what is the Internet for?
●And of course, there was this...
Host: metaltoys.co.za
Host: www.youngleafs.com
Host: myshortskirt.com
Host: www.bravotube.net
Host: promo.badoink.com
Host: www.coedcherry.com
Host: cdn-z3.perfectgirls.net
Host: cdn-z4.perfectgirls.net

25. Y U NO ENCRYPT?

26. But it gets worse...
Referer: http://127.0.0.1:8888/mail4hotspot/app/navigation?url=https://accounts.google.
com/ServiceLoginAuth^M
User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.5; en-us; N860 Build/GINGERBREAD) AppleWebKit/533.1
(KHTML, like Gecko) Version/4.0 Mobile Safari/533.1^M
Origin: http://127.0.0.1:8888^M
Accept: application/xml,application/vnd.wap.xhtml+xml,application/xhtml+xml;profile='http://www.wapforum.
org/xhtml',text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5^M
Content-Type: application/x-www-form-urlencoded^M
x-wap-proxy-cookie: none^M
Cache-Control: no-transform^M
Content-Length: 197^M
^M
url=https%3A%2F%2Faccounts.google.com%2FServiceLoginAuth&GALX=bAmxoTJR_XY&_utf8=%26%
239731%3B&bgresponse=&Email=XXXXXXXXX%40gmail.com&Passwd=XXXXXXX …….
Yes, kids, this sends HTTPS requests over DNS **IN
THE CLEAR**
(Oh, and this guys username was the same as his
password)

27. The Fail is Strong With This One...

28. DISCLAIMERS
I’ve asked pDNS operators to purge this data.
There should also be a rule to detect clients
using this on your networks in the Emerging
Threats open snort rules soon.

29. No Applause please. Throw money.
jcb@bambenekconsulting.com
Questions?