This is three talks in one, as we look at several issues with DNS that affect control systems.
First we look at DNS squatting, which affects many ICS vendors. Then we look at two DNS issues that we frequently see on deployed control systems.
1. DNS and You
A primer
K. Reid Wightman
Digital Bond Labs
2. Two talks in one
• DNS squatting and malware
• DNS in deployment
3. But first - Terminology
• DNS – Domain Name System
• Resolve hostname, like ‘digitalbond.com’ to IP like 45.33.22.182
• DNS contains many record types
• NS, Name Server
• MX, Mail eXchange
• A, Name records
• PTR, Reverse name records
• There are others, but less interesting to this talk
4. More Terminology
• Typosquatting
– Mistyping a domain name, many types
– Transpositions: Gogole.com instead of google.com
– Omissions: gogle.com
– Insertions/repetitions: gooogle.com
– Replacements: goofle.com
• Homoglyphs: go0gle.com (GO0GLE.COM)
• Bitsquatting
– Bit error in a computer or router without ECC
– Googme.com < ‘l’ and ‘m’ differ by 1 bit: 0b01101100 versus 0b01101101
5. On bitsquatting
• Fantastic talk on the topic at Defcon 19
– https://www.youtube.com/watch?v=lZ8s1JwtNas
– (Or, Artem Dinaburg, blog post at http://dinaburg.org/bitsquatting.html )
• Fantastic followup on the topic at Defcon 23 with more exploitation
– https://www.youtube.com/watch?v=4b5disac9g4
– (Or, look at Luke Young’s site: http://bitfl1p.com )
• Neat technique for big content distribution networks (Facebook, Akamai, etc)
6. Squatting Motivations
• Phishing
• Advertising revenue
• Offer/install Malware (adware/spyware, RATs, etc)
• Sell the domain for $$$ to trademark holder
8. Survey of 11 Industrial Mfrs
Basic Stats
• Focused on just ‘industrial’ domains
• 433 ‘squat’ domains
[Chart: breakdown of the 433 squat domains by type: Replacement, Insertions, Bitsquatting, Omission, Repetition, Transposition, Homoglyph]
9. Survey of 11 Industrial Mfrs
‘MX’ Records
• 195/433 domains have MX records
• Of these, 22 accepted email to arbitrary users at the domain
– Tested by emailing ‘joe.engineer@domain’ and ‘zatoichi@domain’ from custom source address
– This means someone may intercept your email if a client typos an address
• What happens to these emails?
– One case of phishing!
– Not targeted though
10. Phishing Example: SlEMENS.COM
• Sent emails to the slemens.com domain, received phish to custom source address
– Incredibly unlikely that this was coincidence
– This was the only example out of all domains tested
• This domain’s website previously hosted malware; now it is just a park
– Note: domain owner is private, domain registered via fabulous.com
– Note 2: domain registrar has not changed between malware hosting and phishing (same privacy shield in place)
11. Survey of 11 Mfrs
‘A’ (and ‘AAAA’) Records
• Only tried ‘www.typodomain.com’
• 254 ‘live’ hosts
• 42% (107 hosts) advertising/for sale
• 11% (28 hosts) ‘suspicious redirect’ (changes daily)
• 4% (10 hosts) hosting direct malware downloads
– Malware usually targets user-agent string (Windows, OS X)
– Many sites use redirection network, target changes frequently
– Tracking cookies often used to determine behavior
– New/’0-day’ discovered for OS X
• 4% (10 hosts) hosting RAT pre-installers (popup window saying, ‘call tech support/you have a virus’)
• 1% (2 hosts) hosting pornography
• 1% (2 hosts) ‘legit redirect’ (redirects to intended host)
• Remainder: ‘Under construction’ or Legit Business with similar name
17. The Future of Squatting
• Prediction: clone websites hosting malware
– Already (sort of) happened to Schneider Electric, but website is gone now (was at schneide-electric.com [note missing ‘r’]).
– Domain /was/ owned by individual in China (Shenzhen)
– Domain now owned by Schneider Electric (good job!)
18. Limitations
• For A records, can be difficult/impossible to know ‘who’ or ‘why’
– Ex: load one squat domain 5 times, get 5 different redirects/payloads
– Many squats serve up pages based on User-Agent, Referer, possibly more targeted info (country of origin?)
• Could host interesting files for deep links, e.g. support.industry.siemsns.com/path/to/software/update
19. Challenge
• Legally, it is difficult to ‘clean up’ a squatter
– Have to prove harm/trademark violation
– Legal options take a long time
– Legal options take lawyers, cost €€€
– Buying domain from squatter will probably cost €€€
• Often cheaper to just register all bitsquat/typosquat domains
– Costs only a few k€ per year to do this
– May save a Big Problem in the future
20. Tools & Tips
• Dnstwist to quickly see who owns domains similar to yours
– https://github.com/elceef/dnstwist
– Usage: ‘dnstwist.py <domainname>’ to display all squats
• Scour vendor sites for domain name typos
– We built a tool based on Scrapy
– Uses dnstwist to build bit-error/typo list, scrapes website for links to bogon domains
– Watch https://github.com/digitalbond/scripts/
21. Further Research
• Rent redirect time
– 11% of sites have changing redirects
– Majority of malware/helpdesk sites add to this number
– Domain owners sometimes ‘rent time’
– Research idea: rent time and see how many potential victims we could get
22. One down, one to go!
• DNS squatting and malware
• DNS in deployment
23. DNS in Deployment
• Two sub-areas to this topic
– Internal network map leaking
– Data exfiltration via DNS
• Let’s dive in
24. DNS Network Mapping
• DNS Zone Transfer *still* an issue
– Allows internet-users to retrieve hostname list
– 2014, ‘blindly’ coordinated with dow.com to reconfigure their servers
• ~50,000 computer names+IP addresses being leaked
• Interior network layout revealed
– Can differentiate interior servers, cellular-hosted servers, internet-facing servers
– Spend enough time, determine field site naming convention
• 1990s are calling us home
25. DNS Network Mapping
• Hostnames often reveal purpose
– vpn.yourcompany.com: what could this be?
– *gw.yourcompany.com: gateways and perimeters
– dc*.yourcompany.com: domain controllers?
– Numbering conventions often reveal purpose separation (10.0.0.0/8 vs 192.168.0.0/16 vs 172.16.0.0/20)
– etc
• IPv6 is often misconfigured
– Few firewalls block access
– Having these records exposed may be a problem
26. DNS Network Mapping
• Example 1: dow.com
– Zone transfer returned 50,785 hosts
– Note: Dow has ~51,000 employees. Hmmmm.
[Chart: hosts by address range]
– 192.168.0.0/16 (39790)
– 10.0.0.0/8 (5868)
– 172.16.0.0/20 (2437)
– External IPv4 (1118)
– External IPv6 (1572)
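The same breakdown can be produced for your own zone before anyone else does it: pull the records, bucket every address by range, and flag the hostnames whose names give away their role or site. The code below is an added example, not the talk's tooling; the zone text, the role-hint patterns and the `siteNN-` naming convention are all constructed for illustration.

```python
"""Zone-transfer audit (added example, not the talk's code): bucket A/AAAA
records by address range and flag names that advertise their role.  The zone
text, ROLE_HINTS and the site-prefix convention are constructed samples."""
import ipaddress
import re
from collections import Counter

# Constructed sample of what an AXFR dump looks like for a zone.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@                   IN SOA  ns1.example.com. hostmaster.example.com. 2015100701 3600 900 604800 300
vpn                 IN A    203.0.113.10
dc01                IN A    10.1.1.5
dc02                IN A    10.1.1.6
site17-plc01        IN A    192.168.17.11
site17-hmi01        IN A    192.168.17.12
edge-gw             IN A    172.16.3.1
www          300    IN A    198.51.100.20
www                 IN AAAA 2001:db8::20
mail                IN MX   10 mx.example.com.
"""

# RFC 1918 private IPv4 ranges (the slide's chart labels the third one 172.16.0.0/20).
PRIVATE_V4 = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]
ULA_V6 = ipaddress.ip_network("fc00::/7")

# Constructed role hints: pattern on the leftmost label -> what the name suggests.
ROLE_HINTS = [
    (re.compile(r"^vpn"), "vpn concentrator"),
    (re.compile(r"gw$"), "gateway/perimeter"),
    (re.compile(r"^dc\d*$"), "domain controller"),
    (re.compile(r"plc"), "PLC"),
    (re.compile(r"hmi"), "HMI"),
]
SITE_RE = re.compile(r"^(site\d+)-")   # assumed field-site naming convention


def parse_zone(text):
    """Yield (fqdn, rtype, rdata) from zone-file lines; handles $ORIGIN, relative names and optional TTL."""
    origin = ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):
            continue
        tokens = line.split()
        name, rest = tokens[0], tokens[1:]
        if rest and rest[0].isdigit():          # optional per-record TTL
            rest = rest[1:]
        if rest and rest[0] == "IN":
            rest = rest[1:]
        rtype, rdata = rest[0], " ".join(rest[1:])
        if name == "@":
            fqdn = origin
        elif name.endswith("."):
            fqdn = name
        else:
            fqdn = f"{name}.{origin}"
        yield fqdn.rstrip("."), rtype, rdata


def classify_ip(addr):
    """Bucket an address the way the slide's chart does."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        for net in PRIVATE_V4:
            if ip in net:
                return str(net)
        return "External IPv4"
    return "Internal IPv6 (ULA)" if ip in ULA_V6 else "External IPv6"


def role_hint(fqdn):
    label = fqdn.split(".")[0]
    for pattern, role in ROLE_HINTS:
        if pattern.search(label):
            return role
    return None


def audit_zone(text):
    """Return (range buckets, {fqdn: role}, site-prefix counts) for a zone dump."""
    buckets, roles, sites = Counter(), {}, Counter()
    for fqdn, rtype, rdata in parse_zone(text):
        if rtype in ("A", "AAAA"):
            buckets[classify_ip(rdata)] += 1
        role = role_hint(fqdn)
        if role:
            roles[fqdn] = role
        m = SITE_RE.match(fqdn)
        if m:
            sites[m.group(1)] += 1
    return buckets, roles, sites


if __name__ == "__main__":
    buckets, roles, sites = audit_zone(SAMPLE_ZONE)
    for bucket, n in buckets.most_common():
        print(f"{bucket:22s} {n}")
    for host, role in roles.items():
        print(f"{host:28s} {role}")
    print("sites:", dict(sites))
```

Anything in the private buckets or with a role hint is a record that has no business being served to the Internet; the audit is the list of what to move into an internal view or drop from the public zone.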
27. Further Reading
• Rob Fuller (Twitter: @mubix) runs Deep Magic
– Indexes tons of DNS info
– http://www.deepmagic.com
– Great talks on DNS zone transfer and other issues by Rob, look him up
28. DNS for Data Exfiltration
• For attackers: wonderful way to get data out of an ‘isolated’ network
• For defenders: painful thing to block
29. DNS is Recursive
• Example: we want to know what computer is ‘mail.google.com’
– First, ask local DNS server
– Assuming it is not cached, local DNS must find the answer
31. DNS is Recursive
• …so you actually sent a request (via the local DNS server) to a Google server
• You controlled the request data (‘mail’)
• Google controlled the response data (ip address)
32. Tunneling Data
• Bad guys can run a special DNS server, meant for bidirectional communication
– Ex: we own a domain for this purpose
– Special subdomain runs IP over DNS tunnel
– Queries == encoded data
– Responses == encoded data
– Great for free Internet access (expired prepaid 3G SIM card, in-flight WiFi, or expensive hotel WiFi often vulnerable)
35. Other DNS Exfiltration
• IP over DNS tunnel:
– Iodine, http://code.kryo.se/iodine/
• Generic ‘data over DNS’ tool (like netcat, but uses DNS instead of IP) by Ron Bowes:
– dnscat2, https://github.com/iagox86/dnscat2
• Metasploit even includes DNS tunnels
– See payloads/windows/*/*dns, reverse shells and meterpreter payloads available
36. Challenge
• Blocking DNS entirely is best security option
• Next best: prevent your control system from ‘looking up’ external domains
– Most DNS servers can be configured to only forward DNS requests for a fixed list of domains
– Example: Control zone DNS forwards requests for corpdomain.com to corporate DNS, and rejects queries for any other domain.
• Opportunity: IDS rules testing…
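The "fixed list of domains" rule and the tunnel description a few slides earlier both reduce to checks you can run over the control zone's query log, which is where the IDS-rule testing opportunity starts. The following is an added example, not code from the talk: it treats `corpdomain.com` as the only forwardable suffix, reports every query the forwarding rule should have refused, and flags zones whose query pattern (many distinct long, high-entropy leftmost labels) looks like a tunnel. The log format, the thresholds and the log lines themselves are constructed.

```python
"""Control-zone DNS query-log audit (added example, not the talk's code).
Check 1: queries outside ALLOWED_SUFFIXES, i.e. what the forward-only rule
should reject.  Check 2: zones whose query pattern looks like a DNS tunnel.
The log format, thresholds and SAMPLE_LOG lines are constructed."""
import math
from collections import defaultdict

ALLOWED_SUFFIXES = ("corpdomain.com",)   # assumption: the only domain the control zone may forward

# Tunnel heuristics (constructed thresholds; tune against your own baseline).
MIN_UNIQUE_NAMES = 5       # distinct names seen under one zone
MIN_MEAN_LABEL_LEN = 20    # average length of the leftmost label
MIN_MEAN_ENTROPY = 3.0     # average Shannon entropy (bits/char) of the leftmost label

# Constructed log: "<timestamp> <client> <qname> <qtype>".  The example.net
# queries imitate a tunnel client sending base32-encoded chunks in labels.
SAMPLE_LOG = """\
2015-10-07T10:00:01 10.20.1.5 dc01.corpdomain.com A
2015-10-07T10:00:02 10.20.1.5 historian.corpdomain.com A
2015-10-07T10:00:03 10.20.1.7 mail.google.com A
2015-10-07T10:00:04 10.20.1.9 nb2xgzldorpwg5dnfzss4y3pnvrc25lnmfuwyic.t.example.net TXT
2015-10-07T10:00:05 10.20.1.9 mfrggzdfmztwq2lknnwg23tpobyxe43uovwxezls.t.example.net TXT
2015-10-07T10:00:06 10.20.1.9 krugkidrovuwg2zamjzg653oebtg66banfxgyidf.t.example.net TXT
2015-10-07T10:00:07 10.20.1.9 ojsw4zdfoi3gc3lpom2hgzlsmrswyltdn5wq.t.example.net TXT
2015-10-07T10:00:08 10.20.1.9 pbqwyzlsebrw63ttmvrxi2lpnyqgc3tnmfrgc2dj.t.example.net TXT
2015-10-07T10:00:09 10.20.1.9 onswg4tfor2hgzldorxwg3dfmvzc3z5y3enmzsg.t.example.net TXT
2015-10-07T10:00:10 10.20.1.5 dc01.corpdomain.com A
"""


def parse_log(text):
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        yield ts, client, qname.lower().rstrip("."), qtype


def is_allowed(qname, suffixes=ALLOWED_SUFFIXES):
    """True only for the suffix itself or a name under it (not 'evilcorpdomain.com')."""
    return any(qname == s or qname.endswith("." + s) for s in suffixes)


def entropy(s):
    """Shannon entropy in bits per character."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def zone_of(qname):
    """Crude registered-domain guess: last two labels (no public-suffix list offline)."""
    return ".".join(qname.split(".")[-2:])


def audit(text):
    violations = set()
    names_by_zone = defaultdict(set)
    for _, _, qname, _ in parse_log(text):
        if not is_allowed(qname):
            violations.add(qname)
        names_by_zone[zone_of(qname)].add(qname)

    suspects = {}
    for zone, names in names_by_zone.items():
        if len(names) < MIN_UNIQUE_NAMES:
            continue
        first = [n.split(".")[0] for n in names]
        mean_len = sum(map(len, first)) / len(first)
        mean_ent = sum(map(entropy, first)) / len(first)
        if mean_len >= MIN_MEAN_LABEL_LEN or mean_ent >= MIN_MEAN_ENTROPY:
            suspects[zone] = {"unique_names": len(names),
                              "mean_label_len": round(mean_len, 1),
                              "mean_entropy": round(mean_ent, 2)}
    return {"policy_violations": sorted(violations), "tunnel_suspects": suspects}


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    print("should have been refused:", result["policy_violations"])
    print("tunnel-like zones:", result["tunnel_suspects"])
```

On a correctly configured control-zone resolver the `policy_violations` list is empty by construction, so any entry in it is a misconfiguration finding; the tunnel check is the fallback for the case where the forwarding rule is not yet in place.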
Specifically I will *not* be talking about DNSSEC or other ‘DNS spoofing’ methods
I plan to put a graphical representation of a DNS request here.
I will talk about how the names looked up are sometimes encoded in Unicode (foreign character sets), so Wireshark (a software tool for displaying packets) does not display the queries correctly.
This is a graphical representation of the tunnel, shown on the previous slide
This is a graphic showing how to stop DNS tunneling. The hexagon shows to forward the corporate request to the corporate network, but to reject requests for any external servers.