SlideShare ist ein Scribd-Unternehmen logo

OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014

Als PPTX, PDF herunterladen
Leonardo Nve Egea
Leonardo Nve Egea

Efective exploiting the changes of the DNS Server of a computer (via router hacking or other way...)

Internet
1 von 37
OFFENSIVE: Exploiting changes on DNS server configuration Leonardo Nve Egea lnve@s21sec.com @leonardonve
• Security researcher since… (a lot of time) in SPAIN. • Pentester, Incident investigator & security researcher. • At the Offensive side (more funny). • I love protocol level. About me
INTRODUCTION
What.
Why.
EXPLOITATION (I) NORMAL PROCEDURE
• CSRF/XSS. • Insufficient authorization. • SNMP/TFTP. • Default password + external administration. • Cracking wifi passwords + default password. • Command line DNS change. • Rogue DSLAM. • Malware. How.
What.
• Metasploit. • Dnsmasq. • Bind server. Tools.
• Invisible proxy. – Burp suite, mitmproxy • SSLstrip. • HTML injection. – BeEF – Exploit kits • Bouncing to known servers. – SSLsplit • Fake web servers. – defacing. – Phishing • Sniffing data. Then.
OBSTACLES OF NORMAL EXPLOITATION
• SSL certificates (Critical). Obstacles.
• SSL certificate pinning / EMET (Critical). Obstacles.
• HSTS + Preloaded HSTS sites (Non critical). Obstacles.
• SSH signatures failure (Critical). Obstacles.
• POP3/SMTP Banner (Non critical problem). • FTP Banner (This can be critical). • Limited host interception. • Limited protocol interception. Obstacles.
• Limited of hosts interception. • Time to study IP communication manners. • Limited cleartext protocols interception. • HTTPS. • Accept the loose a lot of information. Limitations.
EXPLOITATION (II) IMPROVE THE ATTACK PROCEDURE
• Discretion. • Improve data acquisitions from time 0. Objectives.
• A DNS feature for high availability and Load Balancing: Improve the attack.
Improve the attack. DHCP REQ DHCP RESP with Fake DNS Server DNS A Request DNS A Request DNS Response DNS Response = IP attacker server1 + IP attacker server2 + DNS Resp Short TTL SYN port=xxx RST ACK port =xxx SYN port=xxx SYN port=xxx SYN ACK port=xxx SYN ACK port=xxx DATA DATA
• On port 80 the attacker can put a invisible proxy. • The attacker can reject SSL ports always because the client will later connect to the real server. • Other connections data will be forward through the evil server since the first moment. • And there is a tool. Improve the attack.
• dns2proxy (still in beta). • Full in python (PyDNS). • Permit spoof, direct forwarding and add IPs to the response. • Interact directly with iptables to forward connections. https://github.com/LeonardoNve/dns2proxy Tool.
Improve the attack.
DEMO (or video if demo effect ;)
• Limited of hosts interception. • Time to study IP communication manners. • Limited cleartext protocol interception. • HTTPS. • Accept the loose a lot of information. Previous limitations.
SSLStrip vs HSTS.
Common SSLStrip usage
• HSTS + Preloaded HSTS sites (Non critical). Obstacles.
• Strict Transport Security based in domain names predefined or not. • Change HTTPS to HTTP. • Also change domain names to connect based on predefined rules. • DNS Server can resolve based on these predefined rules. • HSTS. https://github.com/LeonardoNve/sslstrip2.git SSLStrip+ to defeat HSTS.
DEMO (or video if demo effect…)
SSL in general • You must take advantage with other factors/vulnerabilities
• Downgrade attacks. • JavaScript infections. http://media.blackhat.com/bh-us- 12/Briefings/Alonso/BH_US_12_Alonso_Owning_Bad_Guys_Slides.pdf • For decoding ciphered protocols, go there: More posibilities.
• With UDP the application have the control over the communication not the OS. • If this application resend a lost UDP packet, we have it! If not…  • Dns2proxy is a PoC and only control TCP but it is really easy extend it too UDP. UDP?
Other scenario.
• Improve DNS server configurations hijacks with two tools. • Much information capture than typical attacks. • Old protocols – Old security. • New protocols + Old protocols – Old security+ • Solutions… DNSSEC. Conclusions.
THANKs. Miguel Hernandez The man who first thought `Let’s put a default password. Then they can change it `

Empfohlen

Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked LookJason Lang
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypassДмитрий Бумов
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Reverse proxies & Inconsistency
Reverse proxies & InconsistencyReverse proxies & Inconsistency
Reverse proxies & InconsistencyGreenD0g
 
Nmap basics
Nmap basicsNmap basics
Nmap basicsitmind4u
 

Empfohlen

Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked LookJason Lang
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypassДмитрий Бумов
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Reverse proxies & Inconsistency
Reverse proxies & InconsistencyReverse proxies & Inconsistency
Reverse proxies & InconsistencyGreenD0g
 
Nmap basics
Nmap basicsNmap basics
Nmap basicsitmind4u
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadSecurity BSides Ahmedabad
 
Reconnaissance & Scanning
Reconnaissance & ScanningReconnaissance & Scanning
Reconnaissance & Scanningamiable_indian
 
Osint presentation nov 2019
Osint presentation nov 2019Osint presentation nov 2019
Osint presentation nov 2019Priyanka Aash
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 
password cracking using John the ripper, hashcat, Cain&abel
password cracking using John the ripper, hashcat, Cain&abelpassword cracking using John the ripper, hashcat, Cain&abel
password cracking using John the ripper, hashcat, Cain&abelShweta Sharma
 
Thick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfThick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfSouvikRoy114738
 
Different Methodology To Recon Your Targets
Different Methodology To Recon Your TargetsDifferent Methodology To Recon Your Targets
Different Methodology To Recon Your TargetsEslamAkl
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
Red Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATANikhil Mittal
 
ELK introduction
ELK introductionELK introduction
ELK introductionWaldemar Neto
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Andy Robbins
 
Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Florian Roth
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
FreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxFreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxJulian Catrambone
 
Oscp - Journey
Oscp - JourneyOscp - Journey
Oscp - JourneyVandana Verma
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CKArpan Raval
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
Reconnaissance
ReconnaissanceReconnaissance
Reconnaissancen|u - The Open Security Community
 
Netscreen Policy Based Routing
Netscreen Policy Based RoutingNetscreen Policy Based Routing
Netscreen Policy Based RoutingBart Jansens
 
IP Routing Tutorial
IP Routing TutorialIP Routing Tutorial
IP Routing TutorialShortestPathFirst
 

Weitere ähnliche Inhalte

Was ist angesagt?

XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
Reconnaissance & Scanning
Reconnaissance & ScanningReconnaissance & Scanning
Reconnaissance & Scanningamiable_indian
 
Osint presentation nov 2019
Osint presentation nov 2019Osint presentation nov 2019
Osint presentation nov 2019Priyanka Aash
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 
password cracking using John the ripper, hashcat, Cain&abel
password cracking using John the ripper, hashcat, Cain&abelpassword cracking using John the ripper, hashcat, Cain&abel
password cracking using John the ripper, hashcat, Cain&abelShweta Sharma
 
Thick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfThick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfSouvikRoy114738
 
Different Methodology To Recon Your Targets
Different Methodology To Recon Your TargetsDifferent Methodology To Recon Your Targets
Different Methodology To Recon Your TargetsEslamAkl
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
Red Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATANikhil Mittal
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Andy Robbins
 
Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Florian Roth
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
FreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxFreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxJulian Catrambone
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CKArpan Raval
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 

Was ist angesagt? (20)

XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides Ahmedabad
 
Reconnaissance & Scanning
Reconnaissance & ScanningReconnaissance & Scanning
Reconnaissance & Scanning
 
Osint presentation nov 2019
Osint presentation nov 2019Osint presentation nov 2019
Osint presentation nov 2019
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
 
password cracking using John the ripper, hashcat, Cain&abel
password cracking using John the ripper, hashcat, Cain&abelpassword cracking using John the ripper, hashcat, Cain&abel
password cracking using John the ripper, hashcat, Cain&abel
 
Thick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfThick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdf
 
Different Methodology To Recon Your Targets
Different Methodology To Recon Your TargetsDifferent Methodology To Recon Your Targets
Different Methodology To Recon Your Targets
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
 
Red Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATA
 
ELK introduction
ELK introductionELK introduction
ELK introduction
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24
 
Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Maturity Model of Security Disciplines
Maturity Model of Security Disciplines
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
FreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxFreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of Linux
 
Oscp - Journey
Oscp - JourneyOscp - Journey
Oscp - Journey
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CK
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
Reconnaissance
ReconnaissanceReconnaissance
Reconnaissance
 

Andere mochten auch

Netscreen Policy Based Routing
Netscreen Policy Based RoutingNetscreen Policy Based Routing
Netscreen Policy Based RoutingBart Jansens
 
Linux Based Advanced Routing with Firewall and Traffic Control
Linux Based Advanced Routing with Firewall and Traffic ControlLinux Based Advanced Routing with Firewall and Traffic Control
Linux Based Advanced Routing with Firewall and Traffic Controlsandy_vasan
 
DNS rehabilitation Concept
DNS rehabilitation ConceptDNS rehabilitation Concept
DNS rehabilitation ConceptAlenamudr
 
Presentation on Domain Name System
Presentation on Domain Name SystemPresentation on Domain Name System
Presentation on Domain Name SystemChinmay Joshi
 

Andere mochten auch (7)

Netscreen Policy Based Routing
Netscreen Policy Based RoutingNetscreen Policy Based Routing
Netscreen Policy Based Routing
 
IP Routing Tutorial
IP Routing TutorialIP Routing Tutorial
IP Routing Tutorial
 
Linux Based Advanced Routing with Firewall and Traffic Control
Linux Based Advanced Routing with Firewall and Traffic ControlLinux Based Advanced Routing with Firewall and Traffic Control
Linux Based Advanced Routing with Firewall and Traffic Control
 
Tunnel & vpn1
Tunnel & vpn1Tunnel & vpn1
Tunnel & vpn1
 
Mikrotik load balansing
Mikrotik load balansingMikrotik load balansing
Mikrotik load balansing
 
DNS rehabilitation Concept
DNS rehabilitation ConceptDNS rehabilitation Concept
DNS rehabilitation Concept
 
Presentation on Domain Name System
Presentation on Domain Name SystemPresentation on Domain Name System
Presentation on Domain Name System
 

Ähnlich wie OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014

Setting Up .Onion Addresses for your Enterprise, v3.5
Setting Up .Onion Addresses for your Enterprise, v3.5Setting Up .Onion Addresses for your Enterprise, v3.5
Setting Up .Onion Addresses for your Enterprise, v3.5Alec Muffett
 
abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...
abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...
abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...Yankmo
 
Mo and Tao 魔与道
Mo and Tao 魔与道Mo and Tao 魔与道
Mo and Tao 魔与道Austin Chou
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...Felipe Prado
 
Attack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingAttack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingNetSPI
 
Attack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration TestingAttack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration TestingNetSPI
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Scott Sutherland
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Scott Sutherland
 
Uncommon MiTM in uncommon conditions
Uncommon MiTM in uncommon conditionsUncommon MiTM in uncommon conditions
Uncommon MiTM in uncommon conditionsHeadLightSecurity
 
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON
 
Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?APNIC
 
A Technical Dive into Defensive Trickery
A Technical Dive into Defensive TrickeryA Technical Dive into Defensive Trickery
A Technical Dive into Defensive TrickeryDan Kaminsky
 
Day 2 Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious UseDay 2 Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious Usevngundi
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat Security Conference
 

Ähnlich wie OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014 (20)

Setting Up .Onion Addresses for your Enterprise, v3.5
Setting Up .Onion Addresses for your Enterprise, v3.5Setting Up .Onion Addresses for your Enterprise, v3.5
Setting Up .Onion Addresses for your Enterprise, v3.5
 
abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...
abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...
abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...
 
Mo and Tao 魔与道
Mo and Tao 魔与道Mo and Tao 魔与道
Mo and Tao 魔与道
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
 
Attack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingAttack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration Testing
 
Attack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration TestingAttack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration Testing
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!
 
Uncommon MiTM in uncommon conditions
Uncommon MiTM in uncommon conditionsUncommon MiTM in uncommon conditions
Uncommon MiTM in uncommon conditions
 
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
 
Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?
 
A Technical Dive into Defensive Trickery
A Technical Dive into Defensive TrickeryA Technical Dive into Defensive Trickery
A Technical Dive into Defensive Trickery
 
Understanding DNS Security
Understanding DNS SecurityUnderstanding DNS Security
Understanding DNS Security
 
Day 2 Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious UseDay 2 Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious Use
 
Penetration Testing Boot CAMP
Penetration Testing Boot CAMPPenetration Testing Boot CAMP
Penetration Testing Boot CAMP
 
IT infrastructure security 101
IT infrastructure security 101IT infrastructure security 101
IT infrastructure security 101
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
 
Bh eu 05-kaminsky
Bh eu 05-kaminskyBh eu 05-kaminsky
Bh eu 05-kaminsky
 
Bh eu 05-kaminsky
Bh eu 05-kaminskyBh eu 05-kaminsky
Bh eu 05-kaminsky
 
Defcon
DefconDefcon
Defcon
 

Kürzlich hochgeladen

Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...SUHANI PANDEY
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"growthgrids
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC
 
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...SUHANI PANDEY
 
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Bookingdharasingh5698
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrHenryBriggs2
 
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...SUHANI PANDEY
 
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...SUHANI PANDEY
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...kajalverma014
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445ruhi
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...Neha Pandey
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirtrahman018755
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfJOHNBEBONYAP1
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdfMatthew Sinclair
 
➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men 🔝mehsana🔝 Escorts...
➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men 🔝mehsana🔝 Escorts...➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men 🔝mehsana🔝 Escorts...
➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men 🔝mehsana🔝 Escorts...nirzagarg
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdfMatthew Sinclair
 
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...singhpriety023
 

Kürzlich hochgeladen (20)

Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
 
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...
 
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
 
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
 
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 
📱Dehradun Call Girls Service 📱☎️ +91'905,3900,678 ☎️📱 Call Girls In Dehradun 📱
📱Dehradun Call Girls Service 📱☎️ +91'905,3900,678 ☎️📱 Call Girls In Dehradun 📱📱Dehradun Call Girls Service 📱☎️ +91'905,3900,678 ☎️📱 Call Girls In Dehradun 📱
📱Dehradun Call Girls Service 📱☎️ +91'905,3900,678 ☎️📱 Call Girls In Dehradun 📱
 
➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men 🔝mehsana🔝 Escorts...
➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men 🔝mehsana🔝 Escorts...➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men 🔝mehsana🔝 Escorts...
➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men 🔝mehsana🔝 Escorts...
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
 

OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014

  • 1. OFFENSIVE: Exploiting changes on DNS server configuration Leonardo Nve Egea lnve@s21sec.com @leonardonve
  • 2. • Security researcher since… (a lot of time) in SPAIN. • Pentester, Incident investigator & security researcher. • At the Offensive side (more funny). • I love protocol level. About me
  • 7. • CSRF/XSS. • Insufficient authorization. • SNMP/TFTP. • Default password + external administration. • Cracking wifi passwords + default password. • Command line DNS change. • Rogue DSLAM. • Malware. How.
  • 9. • Metasploit. • Dnsmasq. • Bind server. Tools.
  • 10. • Invisible proxy. – Burp suite, mitmproxy • SSLstrip. • HTML injection. – BeEF – Exploit kits • Bouncing to known servers. – SSLsplit • Fake web servers. – defacing. – Phishing • Sniffing data. Then.
  • 12. • SSL certificates (Critical). Obstacles.
  • 13. • SSL certificate pinning / EMET (Critical). Obstacles.
  • 14. • HSTS + Preloaded HSTS sites (Non critical). Obstacles.
  • 15. • SSH signatures failure (Critical). Obstacles.
  • 16. • POP3/SMTP Banner (Non critical problem). • FTP Banner (This can be critical). • Limited host interception. • Limited protocol interception. Obstacles.
  • 17. • Limited of hosts interception. • Time to study IP communication manners. • Limited cleartext protocols interception. • HTTPS. • Accept the loose a lot of information. Limitations.
  • 18. EXPLOITATION (II) IMPROVE THE ATTACK PROCEDURE
  • 19. • Discretion. • Improve data acquisitions from time 0. Objectives.
  • 20. • A DNS feature for high availability and Load Balancing: Improve the attack.
  • 21. Improve the attack. DHCP REQ DHCP RESP with Fake DNS Server DNS A Request DNS A Request DNS Response DNS Response = IP attacker server1 + IP attacker server2 + DNS Resp Short TTL SYN port=xxx RST ACK port =xxx SYN port=xxx SYN port=xxx SYN ACK port=xxx SYN ACK port=xxx DATA DATA
  • 22. • On port 80 the attacker can put a invisible proxy. • The attacker can reject SSL ports always because the client will later connect to the real server. • Other connections data will be forward through the evil server since the first moment. • And there is a tool. Improve the attack.
  • 23. • dns2proxy (still in beta). • Full in python (PyDNS). • Permit spoof, direct forwarding and add IPs to the response. • Interact directly with iptables to forward connections. https://github.com/LeonardoNve/dns2proxy Tool.
  • 25. DEMO (or video if demo effect ;)
  • 26. • Limited of hosts interception. • Time to study IP communication manners. • Limited cleartext protocol interception. • HTTPS. • Accept the loose a lot of information. Previous limitations.
  • 29. • HSTS + Preloaded HSTS sites (Non critical). Obstacles.
  • 30. • Strict Transport Security based in domain names predefined or not. • Change HTTPS to HTTP. • Also change domain names to connect based on predefined rules. • DNS Server can resolve based on these predefined rules. • HSTS. https://github.com/LeonardoNve/sslstrip2.git SSLStrip+ to defeat HSTS.
  • 31. DEMO (or video if demo effect…)
  • 32. SSL in general • You must take advantage with other factors/vulnerabilities
  • 33. • Downgrade attacks. • JavaScript infections. http://media.blackhat.com/bh-us- 12/Briefings/Alonso/BH_US_12_Alonso_Owning_Bad_Guys_Slides.pdf • For decoding ciphered protocols, go there: More posibilities.
  • 34. • With UDP the application have the control over the communication not the OS. • If this application resend a lost UDP packet, we have it! If not…  • Dns2proxy is a PoC and only control TCP but it is really easy extend it too UDP. UDP?
  • 36. • Improve DNS server configurations hijacks with two tools. • Much information capture than typical attacks. • Old protocols – Old security. • New protocols + Old protocols – Old security+ • Solutions… DNSSEC. Conclusions.
  • 37. THANKs. Miguel Hernandez The man who first thought `Let’s put a default password. Then they can change it `