How I Turned VPN over DNS Into a Retroactive Wiretapping Mechanism

Presented at THOTCON 0x5 (2014), April 25, 2014, 12:30 p.m. (20 minutes)

Imagine your first day at a client site and you spend your time figuring out what’s going on with the network. You query passive DNS to find tons of apparently VPN over DNS endpoints on your network. What starts as a simple incident investigation process sees the tables turned on those who used the protocol to hide their tracks. This talk will discuss reverse engineering VPN over DNS (vpnoverdns.com) and how weaknesses in using DNS tunneling makes it trivial to retroactively wiretap all communications over the protocol long after the fact.

Presenters:

• John Bambenek
  John Bambenek is a handler with the SANS Internet Storm Center and President of Bambenek Consulting. He has contributed to many of the SANS courses and GIAC certification exams and has over 15 years experience as an information security professional. He is the only known hacker who is also a politician.

Similar Presentations:

• DeepSec 2018 „I like to mov &6974,%bx“ / DNS Exfiltration and Out-of-Band Attacks
• NolaCon 2016 / Analyzing DNS Traffic for Malicious Activity Using Open Source Logging Tools
• NolaCon 2019 / DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy