Hackers of India

DNS Exfiltration and Out-of-Band Attacks

By Nitesh Shilpkar on 29 Nov 2018 @ DeepSec


Abstract

The Domain Name System (DNS) is one of the most fundamental parts of the internet. Billions of users rely on it every day to reach services by names humans can understand rather than by IP addresses. However, DNS comes with security issues that organizations should be aware of and take into consideration. Attackers abuse DNS to redirect traffic to malicious sites, communicate with command and control (C&C) servers, steal data from organizations and conduct massive attacks that cause them harm. Many organizations are not prepared to mitigate, or even detect, the problems DNS can bring. Because DNS is critical to maintaining an internet presence, accessing applications, connecting to a network or simply sending an email, everyone can be affected by DNS vulnerabilities. Since DNS is essential for routing traffic, it simply cannot be disabled. Organizations should instead look for ways to protect their DNS data. We should learn how to manage the attack surface DNS offers and also how to benefit from the capabilities DNS provides. Security companies and vendors are increasingly aware that DNS is a first line of defense and, since nearly all network traffic depends on DNS resolution, it is a good vantage point for analyzing any form of malicious traffic or attack. Most vendors now provide IP address management (IPAM) data for diagnosing network and security problems. DNS plays an important role in malware detection because of its logical place in the network architecture. Incident response teams look to DNS, DHCP and IPAM data to carry out thorough investigations and improve their threat hunting capabilities. DNS traffic should become one of the main sources for network traffic analysis, which would help organizations improve their detection and analysis capabilities in order to be ready for what may come.

In this talk we examine the following:

• About DNS: A brief introduction to DNS and how it works.

• Types of DNS-based attacks: A brief introduction to the types of attacks on DNS.
  o DNS Cache Poisoning
  o Denial of Service
    - DNS Flood Attacks
    - DNS Reflection Attacks
    - DNS Amplification Attacks

• DNS Tunneling: A brief introduction to DNS tunneling and to how port 53 is neglected in the security posture of organizations because of the sheer volume of traffic it carries.

• Data exfiltration using DNS: How attackers and malware target DNS for exfiltration of data.

• Case Study of DNSMessenger: DNSMessenger is a RAT that uses DNS queries to execute malicious PowerShell commands over a two-way channel with its command and control server.

• Out of band attacks: A description of "out of band" attacks.
  o SQL Injection: How SQL injections can be used to fetch information through DNS queries.
  o XML Injection: How XML injections can be used to get information from the server.

• Magic of Burp: Showcase of how to use Burp for carrying out DNS-based attacks and gaining information.

• DNS Exfiltration Restrictions: About the limitations of DNS-based exfiltration.

• Best practices for using DNS data to enhance investigations: We will give guidelines that organizations can use to leverage DNS traffic and achieve a better security posture.

• Conclusion

AI Generated Summary (may contain errors)

The speaker discusses the detection and prevention of DNS-based attacks. Here's a summary:

DNS-based attacks: The speaker explains how attackers use DNS queries to exfiltrate data from an organization. This is done by encoding malicious PowerShell scripts within DNS queries, which can then be used to establish command and control channels.

Restrictions in DNS: The speaker highlights the limitations of DNS, including the maximum length of domain names (253 characters) and subdomain names (63 characters), as well as the case-insensitive nature of DNS requests.

Securing DNS in an organization: To improve security posture, the speaker suggests:

  1. Monitoring DNS queries: Analyze DNS traffic to detect suspicious activity.
  2. Top-level domains: Restrict access to certain top-level domains that are not frequently visited by employees.
  3. High byte counts: Identify DNS queries with high byte counts, which may indicate data exfiltration.
  4. Whitelisting domains: Allow only known, trusted domains to be accessed.
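As an added example, not part of the talk or its slides, the following Python scores constructed query-log names against the heuristics listed above (label length near the 63-byte limit, high byte counts per domain) and the entropy signal raised in the Q&A below; the sample names, the hypothetical `exfil-example.net` zone and all thresholds are assumptions to tune locally.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of queried names as a resolver log might record them (not from the talk).
SAMPLE_QUERIES = [
    "www.example.com",
    "images.static.example.org",
    "secure-customer-portal.login.example.com",   # long but legitimate-looking
    "4a6f686e20536d6974682c2041636374203432.3132332d34352d36373839.exfil-example.net",  # hex chunks
    "ZXhhbXBsZSBiYXRjaCBvZiBjdXN0b21lciBkYXRhIGJsb2I.Y2h1bmstMDAy.exfil-example.net",     # base64 chunks
    "5365727665723a2064623031.exfil-example.net",  # short hex chunk, slips past per-query checks
]

MAX_LABEL = 63   # per-label limit cited in the talk
MAX_NAME = 253   # full-name limit cited in the talk

def shannon_entropy(text):
    """Bits per character of the string as logged (case preserved)."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def split_name(qname):
    """Return (subdomain labels, registered domain); assumes a two-label registered domain."""
    labels = qname.rstrip(".").split(".")
    return labels[:-2], ".".join(labels[-2:]).lower()

def score_query(qname, label_ratio=0.5, entropy_threshold=4.0):
    """Reasons one query looks like exfiltration; thresholds are assumptions to tune locally."""
    sub, _ = split_name(qname)
    payload = "".join(sub)
    reasons = []
    if len(qname) > MAX_NAME:
        reasons.append("name_exceeds_253")
    if sub and max(map(len, sub)) > MAX_LABEL * label_ratio:
        reasons.append("long_label")      # chunks packed toward the 63-byte label limit
    # Hex has at most 4 bits/char, so entropy alone misses hex-encoded text; base64 exceeds it.
    if len(payload) >= 20 and shannon_entropy(payload) > entropy_threshold:
        reasons.append("high_entropy")
    return reasons

def bytes_per_domain(queries):
    """Subdomain bytes sent to each registered domain; the per-domain total catches small chunks."""
    totals = defaultdict(int)
    for q in queries:
        sub, dom = split_name(q)
        totals[dom] += len("".join(sub))
    return dict(totals)

def suspicious(queries):
    """Map each flagged query to its reasons."""
    return {q: r for q in queries if (r := score_query(q))}

if __name__ == "__main__":
    for q, reasons in suspicious(SAMPLE_QUERIES).items():
        print(q, reasons)
    print(bytes_per_domain(SAMPLE_QUERIES))
```

The short hex chunk is not flagged on its own, which is why the per-domain byte total matters: the hypothetical zone accumulates far more subdomain bytes than the legitimate domains.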

Challenges and limitations: The speaker acknowledges the difficulties in detecting and preventing DNS-based attacks, particularly when it comes to whitelisting domains and dealing with encoded data.

Audience questions and comments:

  1. A questioner notes that whitelisting domains may not be practical in many environments.
  2. Another attendee suggests setting up internal DNS to not respond to external domains and using proxies to resolve DNS queries.
  3. A third person asks about using entropy calculation of outgoing DNS traffic to detect exfiltration, but the speaker is unsure about its effectiveness.

The discussion highlights the importance of monitoring and analyzing DNS traffic to prevent data exfiltration and improve overall security posture.