Hackers of India

DNS Exfiltration and Out-of-Band Attacks

 Nitesh Shilpkar 

2018/11/29

Abstract

The Domain Name Server or DNS is one of the most fundamental parts of the internet. It is crucial for a billion of users daily to help us build presence on the internet using names humans can understand rather than IP addresses. However, DNS comes with security issues organizations should be aware of and take into consideration. Attackers are abusing the DNS to redirect traffic to malicious sites, communicate with command and control (C&C) servers, steal data from organizations and conduct massive attacks that cause harm to organizations. Many organizations are not prepared to mitigate, or even detect, the problems DNS might bring. Due to the criticality of DNS to maintain an Internet presence, access applications, connect to a network or simply send an email, everyone has the potential to be impacted by DNS vulnerabilities. Since DNS is important for routing traffic, it simply cannot be disabled. Organizations should look for ways to protect their DNS data. We should learn about ways to manage the attack surface DNS offers and also to benefit from the capabilities DNS has to offer. Security companies and vendors are getting more aware of the fact that DNS is the first line of defense and, since all the traffic is routed through the DNS, it acts as a good resource for analyzing any form of malicious traffic or attacks. Most vendors now provide IP address management (IPAM) data for diagnosing the network traffic regarding network and security problems. DNS plays an important role for malware detection based on its logical place in the network architecture. Incident Response teams look to DNS, DHCP and IPAM data for carrying out thorough investigations and improving threat hunting capabilities. DNS traffic should result into being one of the main points for network traffic data analysis, which would serve organizations to improve their detection and analyzing capabilities in order to be ready for what may come.

In this talk we examine the following:

• About DNS A brief introduction to DNS and how it works.

• Types of DNS-based attacks A brief introduction to the type of attacks on DNS.  DNS Cache Poisoning  Denial of Service o DNS Flood Attacks o DNS Reflection Attacks o DNS Amplification Attacks

• DNS Tunneling A brief introduction about DNS Tunneling and the negligence of the DNS port 53 in the security posture of organizations due to the large size.

• Data exfiltration using DNS How attackers and malwares are targeting DNS for exfiltration of data.

• Case Study of DNSMessenger DNSMessenger is a RAT that uses DNS queries to execute malicious Powershell commands through a two-way communication of command and control server.

• Out of band attacks A description of “out of band” attacks. o SQL Injection How SQL injections can be used to fetch information through DNS queries.

o XML Injection How XML-Injections can be used to get information from the server. • Magic of Burp Showcase of how to use Burp for carrying out DNS based attacks and gain information.

• DNS Exfiltration Restrictions About limitations of DNS based exfiltration.

• Best practices for using DNS data to enhance investigations We will give certain guidelines that could be used by organizations to leverage the DNS traffic and provide a better security posture.

• Conclusion