Finding Evil In DNS Traffic

This talk was given at BSides Augusta 2016 by @real_slacker007 of CyberSyndicates.com, the creators of Mercenary-Linux. The slides cover a number of weaknesses in the DNS protocol and DNS infrastructure and the methods used to exploit them, and, alongside the vulnerabilities and attacks, show several indicators of compromise (IOCs) that can be used to signature those attacks.

  1. FINDING EVIL IN DNS TRAFFIC
     ©2016 CyberSyndicates
  2. WHO AM I?
     Keelyn Roberts
     Background: 10 years in cybersecurity and IT security
     Recent projects:
       - Created Mercenary-Linux (Daniel West, PM)
       - Created MHF, the MercenaryHuntFramework (Daniel West, PM)
     How to find me: @real_slacker007, Github.com/slacker007, HuntTools.org, CyberSyndicates.com
  3. AGENDA
     - Motivation
     - Brief DNS overview
     - Types of malware
     - Malware IOCs
     - Detection methods
     - Key takeaways
     - Questions
  4. WHY DNS?
  5. OVERVIEW (how a recursive lookup works; info provided by "DNS Security", 2016 Elsevier Inc.)
     1) The user browses to www.hunttools.org and asks the local recursive server.
     2) The recursive server checks its cache; on a miss it queries a root server.
     3) The root server refers it to the .org TLD servers.
     4) The .org TLD server refers it to the authoritative server for hunttools.org.
     5) The authoritative server returns the IP address for www.hunttools.org, and the recursive server hands the answer back to the user.
  6. DNS VULNERABILITIES
     Infrastructure: buffer overflows, race conditions, misconfigurations
     Protocol: zone transfers, anycasting, recursion, caching
  7. INFRASTRUCTURE ("DNS Security", 2016 Elsevier Inc.)
     - OS (Windows, Unix, BSD, Linux)
     - DNS software (Microsoft DNS, BIND):
         buffer overflows (CVE-2015-6125, CVE-2008-0122)
         race conditions (CVE-2015-8461)
         misconfigured permissions
     - Other services nested on the same host (FTP, SMB/CIFS)
  8. PROTOCOL VULNERABILITIES ("DNS Security", 2016 Elsevier Inc.)
     - DNS cache poisoning: Bolware, Dridex
     - DNS spoofing: Win32.QHOST (modern variants), DNSChanger (old and new)
     - Data exfiltration channel: DNS beacons
     - C2: DNSTrojan, DNS beacons
     - Staging: DNS beacons
     - DDoS attacks: Low Orbit Ion Cannon (LOIC)
  9. CACHE POISONING ("DNS Security", 2016 Elsevier Inc.)
  10. CACHE POISONING ("DNS Security", 2016 Elsevier Inc.)
     Recursive servers: Delay Fast Packets (DFP)
       - bailiwick rule
       - birthday paradox
       - what to watch: SPEED, QUANTITY, ANOMALY
     Local DNS cache: the OS-maintained cache and the web browser cache
       - Bolware (Brazil, 2015)
       - Dridex (United Kingdom)
       - DNS-Changer (US, 2016)
  11. CACHE POISONING ("DNS Security", 2016 Elsevier Inc.)
     Tracking DNS communications: the callouts on the slide mark the IP, the source port and the transaction ID of the response, which are the values a forged answer has to match before a resolver will accept it.
     00:22:50.599361 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 317)
         192.168.1.254.53 > 192.168.1.85.16020: [udp sum ok] 52318 q: A? csi.gstatic.com. 16/0/0
         csi.gstatic.com. [3m26s] A 216.58.217.227, csi.gstatic.com. [3m26s] A 216.58.193.131,
         csi.gstatic.com. [3m26s] A 216.58.212.227, csi.gstatic.com. [3m26s] A 216.58.218.3,
         csi.gstatic.com. [3m26s] A 216.58.201.195, csi.gstatic.com. [3m26s] A 172.217.1.131,
         csi.gstatic.com. [3m26s] A 216.58.209.99, csi.gstatic.com. [3m26s] A 216.58.212.131,
         csi.gstatic.com. [3m26s] A 172.217.17.227, csi.gstatic.com. [3m26s] A 216.58.212.195,
         csi.gstatic.com. [3m26s] A 172.217.18.131, csi.gstatic.com. [3m26s] A 216.58.212.163,
         csi.gstatic.com. [3m26s] A 216.58.209.131, csi.gstatic.com. [3m26s] A 172.217.22.163 (289)
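The slide's point is that a resolver can only be poisoned if the forged response matches the source port and transaction ID of a query that is still outstanding. The following Python is an added example (not code from the talk, from DNSHunter or from the book the slide cites) that tracks outstanding queries by (resolver IP, source port, transaction ID), flags responses that match none of them, counts such guesses per name, and applies a simplified bailiwick check to the answer records. The event list is constructed for the example; the first query/response pair reuses the values from the slide, and the address 203.0.113.9, the port/ID values and the name www.bank.example are made up.

```python
"""Track (resolver IP, source port, transaction ID) for outstanding queries and
flag responses that do not match one. A poisoning attempt has to guess both
the port and the ID, so its guesses show up as unsolicited responses.

Added example for this page, not code from the talk or from DNSHunter.
The event list is constructed; the first pair reuses the values on the slide.
"""
from collections import Counter

# (direction, resolver_ip, resolver_port, txid, qname, answer RRs as (owner, type, rdata))
# "q" = query the resolver sent upstream, "r" = response that came back to it.
SAMPLE_EVENTS = [
    ("q", "192.168.1.254", 16020, 52318, "csi.gstatic.com.", []),
    ("r", "192.168.1.254", 16020, 52318, "csi.gstatic.com.",
     [("csi.gstatic.com.", "A", "216.58.217.227")]),
    ("q", "192.168.1.254", 40001, 11111, "www.hunttools.org.", []),
    # Constructed burst of forged answers guessing the port / ID of the query above.
    ("r", "192.168.1.254", 40001, 11110, "www.hunttools.org.",
     [("www.hunttools.org.", "A", "203.0.113.9")]),
    ("r", "192.168.1.254", 40001, 11112, "www.hunttools.org.",
     [("www.hunttools.org.", "A", "203.0.113.9")]),
    ("r", "192.168.1.254", 40002, 11111, "www.hunttools.org.",
     [("www.hunttools.org.", "A", "203.0.113.9")]),
    # A response that does match, but smuggles in a record for another domain.
    ("r", "192.168.1.254", 40001, 11111, "www.hunttools.org.",
     [("www.hunttools.org.", "A", "203.0.113.9"),
      ("www.bank.example.", "A", "203.0.113.9")]),
]


def zone_of(qname):
    """Simplification (assumption): treat the last two labels as the zone an answer may cover."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) + "."


def in_bailiwick(owner, zone):
    owner = owner.lower()
    return owner == zone or owner.endswith("." + zone)


def analyze(events):
    outstanding = {}  # (ip, port, txid) -> qname
    findings = {"unsolicited": [], "guesses": Counter(), "out_of_bailiwick": []}
    for direction, ip, port, txid, qname, rrs in events:
        key = (ip, port, txid)
        if direction == "q":
            outstanding[key] = qname
            continue
        if outstanding.get(key) != qname:
            # No outstanding query with this port/ID for this name: a guess, a late
            # duplicate or a retransmit. Record it per name; volume tells them apart.
            findings["unsolicited"].append((port, txid, qname))
            findings["guesses"][qname] += 1
            continue
        del outstanding[key]
        zone = zone_of(qname)
        for owner, rtype, rdata in rrs:
            if not in_bailiwick(owner, zone):
                findings["out_of_bailiwick"].append((qname, owner, rdata))
    return findings


def flooded_names(findings, threshold=2):
    """Names that drew at least `threshold` unsolicited responses (threshold is an assumption)."""
    return sorted(name for name, count in findings["guesses"].items() if count >= threshold)


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    print("unsolicited responses:", result["unsolicited"])
    print("names under guess flood:", flooded_names(result))
    print("out-of-bailiwick records:", result["out_of_bailiwick"])
```

A real resolver applies the bailiwick rule against the zone it was delegated from, not against the last two labels, and a single unsolicited response is usually a retransmit; the signal is the volume of mismatched port/ID pairs for one name in a short window, which is the SPEED and QUANTITY the previous slide lists.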
  12. DNS AMPLIFICATION
  13. DNS AMPLIFICATION: INDICATORS
     - spoofed source address
     - open DNS servers
     - TTL
     - ANY (*) queries
     - quantity: number of nodes, volume of queries, queries vs. responses
     Example resolver log entries from the slide (random-label subdomain queries from one source):
       ip=77.92.48.67 ; domain=bryaiqfvenakbsr.www.hunttools.org ; count=1 ; qtype=A ; ttl=234
       ip=77.92.48.67 ; domain=izeuvqnkcooofqx.www.hunttools.org ; count=1 ; qtype=A ; ttl=247
  14. DNS AMPLIFICATION
  15. DNS AMPLIFICATION: QUERY
     05:45:38.621599 IP (tos 0x0, ttl 64, id 56784, offset 0, flags [none], proto UDP (17), length 64)
         10.0.49.16.45522 > 84.200.69.80.53: 27427+ [1au] ANY? ietf.org. ar: . OPT UDPsize=4096 (36)
     0x0000:  0004 0001 0006 000c 2917 04df 300f 0800  ........)...0...
     0x0010:  4500 0040 ddd0 0000 4011 51bd 0a00 3110  E..@....@.Q...1.
     0x0020:  0808 0808 b1d2 0035 002c 4b5d 6b23 0120  .......5.,K]k#..
     0x0030:  0001 0000 0000 0001 0369 7363 036f 7267  .........ietf.org
     0x0040:  0000 ff00 0100 0029 1000 0000 0000 0000  .......)........
     A 36-byte ANY query advertising a 4096-byte EDNS buffer: that combination is what makes the query attractive for reflection. Note that the hex bytes as printed decode to a query for isc.org sent to 8.8.8.8 (matching the dig response on the next slide), while the summary line and the ASCII column read ietf.org and 84.200.69.80.
  16. DNS AMPLIFICATION: RESPONSE
     dig output for an ANY query on isc.org: 3223 bytes come back for a 36-byte query, roughly 89 times the size, and with a spoofed source address all of it lands on the victim.
     global options: +cmd
     ;; Got answer:
     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5147
     ;; flags: qr rd ra; QUERY: 1, ANSWER: 27, AUTHORITY: 4, ADDITIONAL: 5
     ;; QUESTION SECTION:
     ;isc.org. IN ANY
     ;; ANSWER SECTION:
     isc.org. 4084 IN SOA ns-int.isc.org. hostmaster.isc.org. 2012102700 7200 3600 24796800 3600
     isc.org. 4084 IN A 149.20.64.42
     isc.org. 4084 IN MX 10 mx.pao1.isc.org.
     isc.org. 4084 IN MX 10 mx.ams1.isc.org.
     isc.org. 4084 IN TXT "v=spf1 a mx ip4:204.152.184.0/21 ip4:149.20.0.0/16 ip6:2001:04F8::0/32 ip6:2001:500:60::65/128 ~all"
     isc.org. 4084 IN TXT "$Id: isc.org,v 1.1724 2012-10-23 00:36:09 bind Exp $"
     isc.org. 4084 IN AAAA 2001:4f8:0:2::d
     isc.org. 4084 IN NAPTR 20 0 "S" "SIP+D2U" "" _sip._udp.isc.org.
     isc.org. 484 IN NSEC _kerberos.isc.org. A NS SOA MX TXT AAAA NAPTR RRSIG NSEC DNSKEY SPF
     isc.org. 4084 IN DNSKEY 256 3 5 BQEAAAAB2F1v2HWzCCE9vNsKfk0K8vd4EBwizNT9KO6WYXj0oxEL4eOJ aXbax/BzPFx+3qO8B8pu8E/JjkWH0oaYz4guUyTVmT5Eelg44Vb1kssy q8W27oQ+9qNiP8Jv6zdOj0uCB/N0fxfVL3371xbednFqoECfSFDZa6Hw jU1qzveSsW0=
     isc.org. 4084 IN DNSKEY 257 3 5 BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hWLDMvoOMRXjGr hhCeFvAZih7yJHf8ZGfW6hd38hXG/xylYCO6Krpbdojwx8YMXLA5/kA+ u50WIL8ZR1R6KTbsYVMf/Qx5RiNbPClw+vT+U8eXEJmO20jIS1ULgqy3 47cBB1zMnnz/4LJpA0da9CbKj3A254T515sNIMcwsB8/2+2E63/zZrQz Bkj0BrN/9Bexjpiks3jRhZatEsXn3dTy47R09Uix5WcJt+xzqZ7+ysyL KOOedS39Z7SDmsn2eA0FKtQpwA6LXeG2w+jxmw3oA8lVUgEf/rzeC/bB yBNsO70aEFTd
     isc.org. 4084 IN SPF "v=spf1 a mx ip4:204.152.184.0/21 ip4:149.20.0.0/16 ip6:2001:04F8::0/32 ip6:2001:500:60::65/128 ~all"
     isc.org. 484 IN RRSIG NS 5 2 7200 20121125230752 20121026230752 4442 isc.org. oFeNy69Pn+/JnnltGPUZQnYzo1YGglMhS/SZKnlgyMbz+tT2r/2v+X1j AkUl9GRW9JAZU+x0oEj5oNAkRiQqK+D6DC+PGdM2/JHa0X41LnMIE2NX UHDAKMmbqk529fUy3MvA/ZwR9FXurcfYQ5fnpEEaawNS0bKxomw48dcp Aco=
     isc.org. 484 IN RRSIG SOA 5 2 7200 20121125230752 20121026230752 4442 isc.org. S+DLHzE/8WQbnSl70geMYoKvGlIuKARVlxmssce+MX6DO/J1xdK9xGac XCuAhRpTMKElKq2dIhKp8vnS2e+JTZLrGl4q/bnrrmhQ9eBS7IFmrQ6s 0cKEEyuijumOPlKCCN9QX7ds4siiTIrEOGhCaamEgRJqVxqCsg1dBUrR hKk=
     isc.org. 484 IN RRSIG MX 5 2 7200 20121125230752 20121026230752 4442 isc.org. VFqFWRPyulIT8VsIdXKMpMRJTYpdggoGgOjKJzKJs/6ZrxmbJtmAxgEu /rkwD6Q9JwsUCepNC74EYxzXFvDaNnKp/Qdmt2139h/xoZsw0JVA4Z+b zNQ3kNiDjdV6zl6ELtCVDqj3SiWDZhYB/CR9pNno1FAF2joIjYSwiwbS Lcw=
     isc.org. 484 IN RRSIG TXT 5 2 7200 20121125230752 20121026230752 4442 isc.org. Ojj8YCZf3jYL9eO8w4Tl9HjWKP3CKXQRFed8s9xeh5TR3KI3tQTKsSeI JRQaCXkADiRwHt0j7VaJ3xUHa5LCkzetcVgJNPmhovVa1w87Hz4DU6q9 k9bbshvbYtxOF8xny/FCiR5c6NVeLmvvu4xeOqSwIpoo2zvIEfFP9deR UhA=
     isc.org. 484 IN RRSIG AAAA 5 2 7200 20121125230752 20121026230752 4442 isc.org. hutAcro0NBMvKU/m+2lF8sgIYyIVWORTp/utIn8KsF1WOwwM2QMGa5C9 /rH/ZQBQgN46ZMmiEm4LxH6mtaKxMsBGZwgzUEdfsvVtr+fS5NUoA1rF wg92eBbInNdCvT0if8m1Sldx5/hSqKn8EAscKfg5BMQp5YDFsllsTauA 8Y4=
     isc.org. 484 IN RRSIG NAPTR 5 2 7200 20121125230752 20121026230752 4442 isc.org. ZD14qEHR7jVXn5uJUn6XR9Lvt5Pa7YTEW94hNAn9Lm3Tlnkg11AeZiOU 3woQ1pg+esCQepKCiBlplPLcag3LHlQ19OdACrHGUzzM+rnHY50Rn/H4 XQTqUWHBF2Cs0CvfqRxLvAl5AY6P2bb/iUQ6hV8Go0OFvmMEkJOnxPPw 5i4=
     isc.org. 484 IN RRSIG NSEC 5 2 3600 20121125230752 20121026230752 4442 isc.org. rY1hqZAryM045vv3bMY0wgJhxHJQofkXLeRLk20LaU1mVTyu7uair7jb MwDVCVhxF7gfRdgu8x7LPSvJKUl6sn731Y80CnGwszXBp6tVpgw6oOcr Pi0rsnzC6lIarXLwNBFmLZg2Aza6SSirzOPObnmK6PLQCdmaVAPrVJQs FHY=
     isc.org. 484 IN RRSIG DNSKEY 5 2 7200 20121125230126 20121026230126 4442 isc.org. i0S2MFqvHB3wOhv2IPozE/IQABM/eDDCV2D7dJ3AuOwi1A3sbYQ29XUd BK82+mxxsET2U6hv64crpbGTNJP3OsMxNOAFA0QYphoMnt0jg3OYg+AC L2j92kx8ZdEhxKiE6pm+cFVBHLLLmXGKLDaVnffLv1GQIl5YrIyy4jiw h0A=
     isc.org. 484 IN RRSIG DNSKEY 5 2 7200 20121125230126 20121026230126 12892 isc.org. j1kgWw+wFFw01E2z2kXq+biTG1rrnG1XoP17pIOToZHElgpy7F6kEgyj fN6e2C+gvXxOAABQ+qr76o+P+ZUHrLUEI0ewtC3v4HziMEl0Z2/NE0MH qAEdmEemezKn9O1EAOC7gZ4nU5psmuYlqxcCkUDbW0qhLd+u/8+d6L1S nlrD/vEi4R1SLl2bD5VBtaxczOz+2BEQLveUt/UusS1qhYcFjdCYbHqF JGQziTJv9ssbEDHT7COc05gG+A1Av5tNN5ag7QHWa0VE+Ux0nH7JUy0N ch1kVecPbXJVHRF97CEH5wCDEgcFKAyyhaXXh02fqBGfON8R5mIcgO/F DRdXjA==
     isc.org. 484 IN RRSIG SPF 5 2 7200 20121125230752 20121026230752 4442 isc.org. IB/bo9HPjr6aZqPRkzf9bXyK8TpBFj3HNQloqhrguMSBfcMfmJqHxKyD ZoLKZkQk9kPeztau6hj2YnyBoTd0zIVJ5fVSqJPuNqxwm2h9HMs140r3 9HmbnkO7Fe+Lu5AD0s6+E9qayi3wOOwunBgUkkFsC8BjiiGrRKcY8GhC kak=
     isc.org. 484 IN RRSIG A 5 2 7200 20121125230752 20121026230752 4442 isc.org. ViS+qg95DibkkZ5kbL8vCBpRUqI2/M9UwthPVCXl8ciglLftiMC9WUzq Ul3FBbri5CKD/YNXqyvjxyvmZfkQLDUmffjDB+ZGqBxSpG8j1fDwK6n1 hWbKf7QSe4LuJZyEgXFEkP16CmVyZCTITUh2TNDmRgsoxrvrOqOePWhp 8+E=
     isc.org. 4084 IN NS ns.isc.afilias-nst.info.
     isc.org. 4084 IN NS ams.sns-pb.isc.org.
     isc.org. 4084 IN NS ord.sns-pb.isc.org.
     isc.org. 4084 IN NS sfba.sns-pb.isc.org.
     ;; AUTHORITY SECTION:
     isc.org. 4084 IN NS ns.isc.afilias-nst.info.
     isc.org. 4084 IN NS ams.sns-pb.isc.org.
     isc.org. 4084 IN NS ord.sns-pb.isc.org.
     isc.org. 4084 IN NS sfba.sns-pb.isc.org.
     ;; ADDITIONAL SECTION:
     mx.ams1.isc.org. 484 IN A 199.6.1.65
     mx.ams1.isc.org. 484 IN AAAA 2001:500:60::65
     mx.pao1.isc.org. 484 IN A 149.20.64.53
     mx.pao1.isc.org. 484 IN AAAA 2001:4f8:0:2::2b
     _sip._udp.isc.org. 4084 IN SRV 0 1 5060 asterisk.isc.org.
     ;; Query time: 176 msec
     ;; SERVER: x.x.x.x#53(x.x.x.x)
     ;; WHEN: Tue Oct 30 01:14:32 2012
     ;; MSG SIZE rcvd: 3223
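To see why this query is worth reflecting, it helps to decode the bytes from the hex dump on slide 15 rather than trust the summary line. The Python below is an added example (not code from the talk or from DNSHunter): a minimal DNS wire-format parser for the 36-byte query payload, starting at the DNS header at offset 0x2c of the dump, which pulls out the transaction ID, the question and the EDNS UDP payload size, then puts the query length against the 3223-byte MSG SIZE from the dig output to give the amplification factor. The hex rows and the 3223 figure are the slide's own values; the indicator thresholds are assumptions.

```python
"""Decode the ANY query from the slide's hex dump and compute the amplification
factor against the 3223-byte dig response.

Added example for this page, not code from the talk or from DNSHunter. The
bytes are copied from the slide's hex rows starting at the DNS header; the
response size is the MSG SIZE line of the dig output on the same deck.
"""
import struct

QUERY_HEX = (
    "6b23 0120"                                # tail of the 0x0020 row: ID, flags
    "0001 0000 0000 0001 0369 7363 036f 7267"  # 0x0030 row: counts, start of qname
    "0000 ff00 0100 0029 1000 0000 0000 0000"  # 0x0040 row: qname end, type, class, OPT
)
QUERY_BYTES = bytes.fromhex(QUERY_HEX.replace(" ", ""))
RESPONSE_SIZE = 3223  # ";; MSG SIZE rcvd: 3223" from the dig output on the slide

QTYPE_ANY = 255
TYPE_OPT = 41


def read_name(buf, offset):
    """Read an uncompressed name; returns (dotted name, offset after the name)."""
    labels = []
    while True:
        length = buf[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a query")
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) or ".", offset


def parse_query(buf):
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", buf[:12])
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = read_name(buf, offset)
        qtype, qclass = struct.unpack("!HH", buf[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    edns_udp_size = None
    # Additional section: for an OPT pseudo-RR the class field carries the UDP payload size.
    for _ in range(arcount):
        name, offset = read_name(buf, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[offset:offset + 10])
        offset += 10 + rdlen
        if rtype == TYPE_OPT:
            edns_udp_size = rclass
    return {
        "txid": txid,
        "rd": bool(flags & 0x0100),      # recursion desired
        "questions": questions,
        "edns_udp_size": edns_udp_size,
        "wire_len": len(buf),
    }


def amplification_factor(query_len, response_len):
    """Bytes delivered to the spoofed victim per byte the attacker sends."""
    return response_len / query_len


def reflection_indicators(parsed, big_buffer=4096):
    """Properties that make a query useful for reflection (threshold is an assumption)."""
    reasons = []
    if any(qtype == QTYPE_ANY for _, qtype, _ in parsed["questions"]):
        reasons.append("qtype ANY")
    if parsed["edns_udp_size"] and parsed["edns_udp_size"] >= big_buffer:
        reasons.append(f"EDNS UDP size {parsed['edns_udp_size']}")
    return reasons


if __name__ == "__main__":
    q = parse_query(QUERY_BYTES)
    print(q)
    print("amplification: %.1fx" % amplification_factor(q["wire_len"], RESPONSE_SIZE))
    print("indicators:", reflection_indicators(q))
```

Decoded, the packet is ID 27427 (0x6b23), an ANY question for isc.org with an OPT record advertising a 4096-byte buffer, and the ratio against the slide's response is about 89 to 1. Counting ANY queries with large EDNS buffers per source, and comparing bytes out to bytes in, is the practical form of the "queries vs. responses" indicator on slide 13.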
  17. DNS BEACONS
  18. DNS BEACONS
     - DNS Beacon (Cobalt Strike), DNSTrojan, RAT
     - Used for C2 and/or exfiltration
     - Staged vs. inline
     - A last-resort channel: stealthy, throttled, with jitter between check-ins
     IOCs:
       - incremental changes
       - size of packet (UDP vs. TCP)
       - number of packets sent
       - number of queries vs. responses
       - sequentially numbered subdomains
     Key info
  19. DNS BEACONS: KEY ATTRIBUTES
  20. DNS BEACONS: WHERE & WHY
  21. DNS BEACONS: LEGITIMATE
     Lookups that resemble beacons but are benign:
     Security Onion (IDS) hash lookups:
       cfc7b9dff5ce62a12e31457d974e5618.malware.hash.cymru.com.
       cfc7b9dff5ce62a12e31457d974e5618.malware.hash.cymru.com.
     McAfee (Global Threat Intelligence):
       4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com
       4z9p5tjmcbnblehp4557z1d136.avts.mcafee.com
  22. DNS BEACONS: MALICIOUS, staging via DNS TXT
     Sequentially numbered TXT queries sent to 8.8.8.8:
       8.8.8.8  TXT  aaa.stage.4777649.dns.jeffjumpsinthelake.xyz
       8.8.8.8  TXT  aab.stage.4777649.dns.jeffjumpsinthelake.xyz
       8.8.8.8  TXT  aac.stage.4777649.dns.jeffjumpsinthelake.xyz
     255-byte TXT records carrying the encoded stage, seen at client 192.168.1.90:
       192.168.1.90  TXT 255  PPPPPPIJIFJEPNPPPPIJIFKIPNPPPPIJIFMMPNPPPPIJIFNAPNPPPPIJIFPAPNPPPPIJIFMIJAAAAIDINPAPJCEA PNPPPPOJHEAJAAAAAPLOMCIDOICAHEEIIDOIADHEDECLMGHECEEIEIHEBEIDOIADAPIFFGAJAAAAA JLFPAPNPPPPOJELAJAAAAIDINPAPNPPPPAEOJDPAJAAAAIDINPAPNPPPPABOJDDAJAAAAIBINPAPNPPP PIAAAAAAAOJ
       192.168.1.90  TXT 255  PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPDOPPPPPPDPDEDFDGD HDIDJDKDLDMDNPPPPPPPOPPPPPPAAABACADAEAFAGAHAIAJAKALAMANAOAPBABBBCB DBEBFBGBHBIBJPPPPPPPPPPPPBKBLBMBNBOBPCACBCCCDCECFCGCHCICJCKCLCMCNCOC PDADBDCDDPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
  23. DNS BEACONS: MALICIOUS, C2 via DNS TXT
     The same name queried over and over, with the answer changing between check-ins:
       12645.dns.jeffjumpsinthelake.xyz
       12645.dns.jeffjumpsinthelake.xyz
       12645.dns.jeffjumpsinthelake.xyz  0.0.0.0
       12645.dns.jeffjumpsinthelake.xyz  139.59.10.212
  24. DNS BEACONS: MALICIOUS, C2 via DNS A
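Slides 21 to 24 put a benign hash-lookup pattern next to a staging and C2 pattern that look alike at a glance; telling them apart means scoring the IOCs from slide 18 per client and domain rather than eyeballing names. The Python below is an added example (not code from the talk, from DNSHunter or from Cobalt Strike): it groups a query log by (client, base domain, qtype) and scores each flow for unique-subdomain count, sequentially numbered first labels (aaa, aab, aac), TXT transport and regular check-in timing, while allowlisting the hash-lookup services from slide 21. The log lines are constructed from the names on the slides; the log format, timestamps, allowlist and every threshold are assumptions to tune per network.

```python
"""Score DNS query logs per (client, base domain, qtype) for beacon indicators:
many unique subdomains, sequentially numbered first labels, TXT transport and
regular check-in timing, with an allowlist for hash-lookup services that look
the same on the wire.

Added example for this page, not code from the talk or from DNSHunter. Log
lines are constructed from the names on the slides; the format, timestamps,
allowlist and thresholds are assumptions.
"""
import re
import statistics
from collections import defaultdict

# Constructed log: "<epoch seconds> <client> <qtype> <qname>"
SAMPLE_LOG = """\
1470000000 192.168.1.90 TXT aaa.stage.4777649.dns.jeffjumpsinthelake.xyz
1470000001 192.168.1.90 TXT aab.stage.4777649.dns.jeffjumpsinthelake.xyz
1470000002 192.168.1.90 TXT aac.stage.4777649.dns.jeffjumpsinthelake.xyz
1470000003 192.168.1.90 TXT aad.stage.4777649.dns.jeffjumpsinthelake.xyz
1470000060 192.168.1.90 A 12645.dns.jeffjumpsinthelake.xyz
1470000120 192.168.1.90 A 12645.dns.jeffjumpsinthelake.xyz
1470000180 192.168.1.90 A 12645.dns.jeffjumpsinthelake.xyz
1470000005 192.168.1.50 A cfc7b9dff5ce62a12e31457d974e5618.malware.hash.cymru.com
1470000006 192.168.1.50 A 4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com
1470000007 192.168.1.50 A www.hunttools.org
"""

# Services from the LEGITIMATE slide whose hash-shaped subdomains would otherwise score.
ALLOWLIST = ("malware.hash.cymru.com", "avqs.mcafee.com", "avts.mcafee.com")
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)$")


def base_domain(qname, depth=2):
    """Assumption: the last two labels identify the domain the beacon talks to."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-depth:])


def label_value(label):
    """Integer value of a numeric or lowercase a-z label, so sequences can be compared."""
    if label.isdigit():
        return int(label)
    if re.fullmatch(r"[a-z]+", label):
        value = 0
        for ch in label:
            value = value * 26 + (ord(ch) - ord("a"))
        return value
    return None


def is_sequential(labels):
    """True when consecutive first labels step by exactly one (aaa, aab, aac, ...)."""
    values = [label_value(label) for label in labels]
    if len(values) < 3 or any(v is None for v in values):
        return False
    return all(b - a == 1 for a, b in zip(values, values[1:]))


def is_regular(timestamps):
    """Low jitter between consecutive queries; 20% of the mean gap is an assumed cut-off."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return False
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean < 0.2


def score_flows(log_text):
    flows = defaultdict(list)
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        ts, client, qtype, qname = match.groups()
        qname = qname.rstrip(".").lower()
        flows[(client, base_domain(qname), qtype)].append((int(ts), qname))
    results = {}
    for key, events in flows.items():
        events.sort()
        timestamps = [ts for ts, _ in events]
        qnames = [q for _, q in events]
        first_labels = [q.split(".")[0] for q in qnames]
        info = {
            "queries": len(qnames),
            "unique_subdomains": len(set(qnames)),
            "sequential": is_sequential(first_labels),
            "txt": key[2] == "TXT",
            "regular_timing": is_regular(timestamps),
            "allowlisted": all(any(q.endswith("." + a) for a in ALLOWLIST) for q in qnames),
        }
        # One point per indicator; the cut-off for "many unique subdomains" is an assumption.
        info["score"] = sum([info["unique_subdomains"] >= 3, info["sequential"],
                             info["txt"], info["regular_timing"]])
        results[key] = info
    return results


def top_suspects(results, min_score=3):
    """Non-allowlisted flows scoring at least min_score (assumed), highest first."""
    hits = [(k, v["score"]) for k, v in results.items()
            if v["score"] >= min_score and not v["allowlisted"]]
    return [k for k, _ in sorted(hits, key=lambda kv: -kv[1])]


if __name__ == "__main__":
    scored = score_flows(SAMPLE_LOG)
    for key, info in scored.items():
        print(key, info)
    print("suspects:", top_suspects(scored))
```

On the constructed log the TXT staging flow scores on every indicator, the repeated A-record check-in scores only on timing (a beacon with jitter configured scores lower still, which is why the slide lists throttle and jitter as attacker options), and the cymru.com and mcafee.com lookups are set aside by the allowlist even though their first labels look just as random. Packet size and the queries-versus-responses ratio from slide 18 are not in the log format assumed here and would be added as further indicators once the capture carries them.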
  25. DNS BEACONS: DETECTING BEACONS USING DNSHUNTER
  26. DEMOS
  27. DNS A RECORDS WITH DNSHUNTER
  28. VISUALIZING DNS TRAFFIC WITH VDNS
  29. ANALYZING DNS RECORDS WITH DNSHUNTER
  30. MAJOR TAKEAWAYS
     - Understand YOUR DNS traffic
     - Perform ACTIVE monitoring of your DNS traffic
     - Conduct regular penetration testing!
  31. SOURCES
     - https://www.isc.org/community/rfcs/dns/ (lists all DNS RFCs by title)
     - "DNS Security", Allan Liska & Geoffrey Stowe (Elsevier, 2016)
     - http://secdev.org/projects/scapy/doc/usage/html (Scapy examples)
     - http://www.dcwg.org/ (DNS-Changer)
     - http://blog.trendmicro.com/trendlabs-security-intelligence/dns-changer-malware-sets-sights-on-home-routers/ (DNS-Changer)
     - RFC 1034, RFC 1035 (DNS)
     - RFC 3833 (DNS threat analysis)
     - RFC 5358 (preventing use of recursive nameservers in reflector attacks)
     - RFC 6672 (DNAME redirection in the DNS)
