Presented at
DeepSec 2018 „I like to mov &6974,%bx“,
Unknown date/time
(Unknown duration).
The Domain Name Server or DNS is one of the most fundamental parts of the internet. It is crucial for a billion of users daily to help us build presence on the internet using names humans can understand rather than IP addresses. However, DNS comes with security issues organizations should be aware of and take into consideration. Attackers are abusing the DNS to redirect traffic to malicious sites, communicate with command and control (C&C) servers, steal data from organizations and conduct massive attacks that cause harm to organizations. Many organizations are not prepared to mitigate, or even detect, the problems DNS might bring.
Due to the criticality of DNS to maintain an Internet presence, access applications, connect to a network or simply send an email, everyone has the potential to be impacted by DNS vulnerabilities. Since DNS is important for routing traffic, it simply cannot be disabled. Organizations should look for ways to protect their DNS data. We should learn about ways to manage the attack surface DNS offers and also to benefit from the capabilities DNS has to offer.
Security companies and vendors are getting more aware of the fact that DNS is the first line of defense and, since all the traffic is routed through the DNS, it acts as a good resource for analyzing any form of malicious traffic or attacks. Most vendors now provide IP address management (IPAM) data for diagnosing the network traffic regarding network and security problems. DNS plays an important role for malware detection based on its logical place in the network architecture. Incident Response teams look to DNS, DHCP and IPAM data for carrying out thorough investigations and improving threat hunting capabilities.
DNS traffic should result into being one of the main points for network traffic data analysis, which would serve organizations to improve their detection and analyzing capabilities in order to be ready for what may come.
In this talk we examine the following:
• About DNS
A brief introduction to DNS and how it works.
• Types of DNS-based attacks
A brief introduction to the type of attacks on DNS.
DNS Cache Poisoning
Denial of Service
o DNS Flood Attacks
o DNS Reflection Attacks
o DNS Amplification Attacks
• DNS Tunneling
A brief introduction about DNS Tunneling and the negligence of the DNS port 53 in the security posture of organizations due to the large size.
• Data exfiltration using DNS
How attackers and malwares are targeting DNS for exfiltration of data.
• Case Study of DNSMessenger
DNSMessenger is a RAT that uses DNS queries to execute malicious Powershell commands through a two-way communication of command and control server.
• Out of band attacks
A description of "out of band" attacks.
o SQL Injection
How SQL injections can be used to fetch information through DNS queries.
o XML Injection
How XML-Injections can be used to get information from the server.
• Magic of Burp
Showcase of how to use Burp for carrying out DNS based attacks and gain information.
• DNS Exfiltration Restrictions
About limitations of DNS based exfiltration.
• Best practices for using DNS data to enhance investigations
We will give certain guidelines that could be used by organizations to leverage the DNS traffic and provide a better security posture.
• Conclusion
Presenters:
-
Nitesh Shilpkar
- PwC Singapore
Nitesh Shilpkar is a security researcher currently working with PwC Singapore. He has received CVE's for finding bugs in products like Adobe Coldfusion, Adobe Shockwave Player, Apple iCloud and Amazon Kindle. He has been acknowledged by over 40 websites such as Facebook, Google, AT&T etc. He currently holds certifications like OSCE, OSCP, OSWP, CREST-CRT. His interests lie in Exploit Development and Research.
Links:
Similar Presentations: