DNS Attacks


The Domain Name System (DNS) resolves requests for named hosts and services to IP addresses.

  • many potential attacks
    • on the public Internet:
      • typosquatting: register look-alike domain names so that victims confuse malicious sites with legitimate ones
      • open resolvers can be abused as reflectors/amplifiers in a DRDoS attack
      • public DNS services can be targeted directly with a DoS attack
      • hijack a public DNS server and insert poisoned records
        • direct victims to rogue websites
    • on a private network:
      • DNS spoofing
        • sending false DNS requests or replies, or running a rogue DNS server
      • DNS poisoning
        • an attack where a threat actor injects false resource records into a client or server cache to redirect a domain name to an IP address of the attacker's choosing
        • i.e. manipulating cache records
      • the two terms are often used interchangeably
      • both compromise the process by which clients query name servers to locate the IP address for a domain name

DNS-Based On-Path Attacks

  • if the threat actor has access to the same local network as the victim:
    • can use ARP poisoning to intercept the victim's DNS queries and answer them with spoofed replies
      • may be combined with a DoS attack on the victim's legitimate DNS server, so the spoofed reply is the first (and only) one the victim receives
    • a rogue DHCP server could configure clients with the address of a DNS resolver controlled by the threat actor

DNS Client Cache Poisoning

  • before DNS was developed in the 1980s, name resolution used a text file named HOSTS
    • each name:IP address mapping was recorded in this file
    • system admins had to download a copy to each client and server manually
  • even with DNS, the HOSTS file is still present and:
    • is consulted before DNS is queried
    • or its contents are loaded into the resolver's cache of known name:IP mappings
    • the client only contacts a DNS server if the name is not cached
  • an attacker can poison the client's DNS cache by placing false name:IP mappings in the HOSTS file
    • can redirect traffic for any name, including well-known sites
  • the HOSTS file requires admin (root) access to modify, so a tampered file is evidence of an existing compromise rather than a way in
  • stored at:
    • UNIX/Linux:
      • /etc/hosts
    • Windows:
      • %SystemRoot%\System32\Drivers\etc\hosts
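A quick way to check a host for the HOSTS-file poisoning described above is to diff its file against what a stock install carries. The following is an added example, not code from the original notes: it parses hosts-file syntax (address, one or more names, `#` comments) and reports every mapping that is neither a known default entry nor a loopback address. SAMPLE_HOSTS and the BASELINE table are constructed for the example; on a real system pass the contents of /etc/hosts or %SystemRoot%\System32\Drivers\etc\hosts instead.

```python
"""Audit hosts-file content for client cache poisoning.

Added example, not from the original notes. SAMPLE_HOSTS and BASELINE are
constructed; on a real system read /etc/hosts or
%SystemRoot%\\System32\\drivers\\etc\\hosts and build the baseline from a
known-good image.
"""
import ipaddress

# Name -> addresses a freshly installed system legitimately carries
# (constructed baseline; an assumption for this example).
BASELINE = {
    "localhost": {"127.0.0.1", "::1"},
    "ip6-localhost": {"::1"},
    "ip6-loopback": {"::1"},
    "ip6-localnet": {"fe00::"},
    "ip6-mcastprefix": {"ff00::"},
    "ip6-allnodes": {"ff02::1"},
    "ip6-allrouters": {"ff02::2"},
}

# Constructed sample: a stock Debian-style file plus two planted lines.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.1.1   workstation01
::1         localhost ip6-localhost ip6-loopback
fe00::0     ip6-localnet
ff02::1     ip6-allnodes
# planted by an attacker who already had root:
10.10.10.197  www.bank.example online.bank.example   # trailing comment
10.10.10.197  login.example.net
"""


def parse_hosts(text):
    """Return a list of (lineno, ip_address, name) for every mapping."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; a full audit would report it too
        for name in parts[1:]:
            entries.append((lineno, ip, name.lower()))
    return entries


def suspicious_entries(text, baseline=BASELINE):
    """Return mappings a default file would not contain.

    A mapping is accepted if it is exactly a baseline entry, or if the
    address is loopback (the '127.0.1.1 <own-hostname>' line some
    distributions add). Anything else, including a baseline name pointed
    at a non-loopback address, is reported.
    """
    flagged = []
    for lineno, ip, name in parse_hosts(text):
        expected = str(ip) in baseline.get(name, set())
        if not expected and not ip.is_loopback:
            flagged.append((lineno, ip, name))
    return flagged


if __name__ == "__main__":
    for lineno, ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip}")
```

Comparing against a baseline rather than a list of "bad" addresses is deliberate: it also catches a default name such as localhost being pointed at an attacker-controlled address.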

DNS Server Cache Poisoning

DNS server cache poisoning aims to corrupt the records held by a recursive DNS server, so that every client using that server is redirected until the false records expire.

  • one attack method:
    • get the victim name server to resolve a recursive query sent from the attacking host
      • compels the DNS server to query the authoritative server for the answer on behalf of the client
    • the attacker's DNS server masquerades as the authoritative name server and responds with the answer to the query
      • the response includes false domain:IP mappings, which the victim server caches and serves to all of its clients
  • finding false records:
    • use nslookup or dig to query the name records and cached records held by a server, and compare them with the answers the authoritative server gives
    • querying with recursion disabled (dig's +norecurse option) returns only what the server already holds in its cache
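Both the spoofing described earlier and the server cache poisoning described here come down to the same thing on the wire: a forged UDP reply that the resolver accepts as the answer to its own question. The following is an added example, not code from the original notes. It builds a DNS query and an A-record response with the standard library, parses them back, and implements the minimal acceptance check a resolver makes (transaction ID, question and port must all match). The encoder covers only a single A question with uncompressed names; real resolvers also handle name compression, EDNS and other record types. The names, the 10.10.10.197 address and the ports are constructed.

```python
"""Build and check DNS messages to show what a spoofed reply must get right.

Added example, not from the original notes. Only a single A question with
uncompressed names is handled; names, IPs and ports are constructed.
"""
import random
import socket
import struct

QTYPE_A, QCLASS_IN = 1, 1
FLAG_QR = 0x8000          # header bit: message is a response


def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(data, offset):
    """Read an uncompressed name; return (name, offset after the name)."""
    labels = []
    while data[offset] != 0:
        length = data[offset]
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), offset + 1


def build_query(txid, name):
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_response(txid, name, ip, ttl=300):
    # Flags 0x8180: QR=1, RD=1, RA=1; the question echoed, one A answer
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    answer = (encode_name(name)
              + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
              + socket.inet_aton(ip))
    return header + question + answer


def parse_message(data):
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    qname, off = decode_name(data, 12)
    qtype, _qclass = struct.unpack("!HH", data[off:off + 4])
    off += 4
    answers = []
    for _ in range(ancount):
        aname, off = decode_name(data, off)
        atype, _aclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if atype == QTYPE_A and rdlen == 4:
            answers.append((aname, socket.inet_ntoa(rdata), ttl))
    return {"txid": txid, "is_response": bool(flags & FLAG_QR),
            "qname": qname, "qtype": qtype, "answers": answers}


def reply_is_acceptable(query, reply, query_src_port, reply_dst_port):
    """The minimal check a resolver makes before caching an answer.

    A forged reply is cached only if the attacker matched all of: the
    16-bit transaction ID, the question name and type, and the UDP port
    the query was sent from. An on-path attacker (ARP poisoning, rogue
    resolver) sees all three in the query; an off-path attacker must guess.
    """
    q, r = parse_message(query), parse_message(reply)
    return (r["is_response"]
            and r["txid"] == q["txid"]
            and r["qname"].lower() == q["qname"].lower()
            and r["qtype"] == q["qtype"]
            and reply_dst_port == query_src_port)


def demo():
    """Compare an on-path forgery with an off-path guess for one query."""
    txid, port = random.getrandbits(16), random.randint(1024, 65535)
    query = build_query(txid, "www.example.com")
    # On-path: copy txid and port straight from the sniffed query.
    on_path = build_response(txid, "www.example.com", "10.10.10.197")
    # Off-path: one guess, made wrong by one here so the result is deterministic.
    off_path = build_response((txid + 1) & 0xFFFF, "www.example.com", "10.10.10.197")
    return (reply_is_acceptable(query, on_path, port, port),
            reply_is_acceptable(query, off_path, port, port))


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The check explains why the local-network attacks above are so effective: an on-path attacker copies the transaction ID and port from the query it just sniffed, whereas an off-path attacker has one chance in 65536 per transaction ID guess, multiplied by the source-port space when the resolver randomizes ports.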

DNS Attack Indicators

  • a DNS server may log an event each time it handles a request
  • DNS logs can hold a variety of information that may supply useful security intelligence and attack indicators:
    • the types of queries a host has made
    • hosts that are in communication with suspicious IP address ranges or domains
    • statistical anomalies such as spikes or consistently large numbers of DNS lookup failures (NXDOMAIN responses)
      • may point to computers that are infected with malware, misconfigured, or running obsolete or faulty applications
  • DNS is a popular choice for implementing C&C of remote access Trojans, because outbound DNS is rarely blocked
    • indicators include unusually long or random-looking subdomain labels and high volumes of TXT queries to one domain
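The indicators above are easy to pull out of a resolver's query log with a short script. The following is an added example, not code from the original notes: it runs over a handful of constructed log lines (timestamp, client IP, query name, type, response code; not captured from a real resolver) and reports NXDOMAIN bursts per client, clients touching a suspicious-domain list, and clients sending long high-entropy labels of the kind DNS tunnelling and C&C beacons produce. The field order, thresholds and the badc2.example feed are assumptions to be mapped onto your own logs.

```python
"""Scan DNS query-log lines for attack indicators.

Added example, not from the original notes. The log lines and their format
are constructed for illustration; adapt parse_line() to your resolver. The
thresholds and the suspicious-domain list are assumptions to be tuned.
"""
import math
from collections import Counter, defaultdict

# Constructed sample (not captured from a real resolver):
#   10.0.0.5  normal browsing
#   10.0.0.7  one lookup in a known-bad domain
#   10.0.0.9  burst of random names that do not exist (malware hunting for C&C)
#   10.0.0.11 long encoded labels under one domain (data tunnelled in DNS)
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.0.5 www.example.com A NOERROR
2024-05-01T09:00:02Z 10.0.0.5 mail.example.com MX NOERROR
2024-05-01T09:00:03Z 10.0.0.5 update.example.com A NOERROR
2024-05-01T09:00:04Z 10.0.0.7 intranet.corp.example A NOERROR
2024-05-01T09:00:05Z 10.0.0.7 login.badc2.example A NOERROR
2024-05-01T09:00:06Z 10.0.0.9 qwvmz8k1t.corp.example A NXDOMAIN
2024-05-01T09:00:07Z 10.0.0.9 x9hp2lrqd.corp.example A NXDOMAIN
2024-05-01T09:00:08Z 10.0.0.9 b7tyw3cvn.corp.example A NXDOMAIN
2024-05-01T09:00:09Z 10.0.0.9 zk4qm9fsd.corp.example A NXDOMAIN
2024-05-01T09:00:10Z 10.0.0.9 p2dnv6hxw.corp.example A NXDOMAIN
2024-05-01T09:00:11Z 10.0.0.9 u8rtk3jmb.corp.example A NXDOMAIN
2024-05-01T09:00:12Z 10.0.0.11 aGVsbG8gd29ybGQgdGhpcyBpcw.t.badtunnel.example TXT NOERROR
2024-05-01T09:00:13Z 10.0.0.11 dGhlIHNlY3JldCBkYXRhIGV4Zmls.t.badtunnel.example TXT NOERROR
2024-05-01T09:00:14Z 10.0.0.11 dHJhdGVkIHZpYSBkbnMgcXVlcmllcw.t.badtunnel.example TXT NOERROR
"""

SUSPICIOUS_DOMAINS = {"badc2.example"}   # assumed threat-intel feed


def parse_line(line):
    """Split one constructed log line into fields; None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, qname, qtype, rcode = parts
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."),
            "qtype": qtype.upper(), "rcode": rcode.upper()}


def shannon_entropy(s):
    """Bits per character; random or encoded labels score high, words low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def in_domain(qname, domain):
    return qname == domain or qname.endswith("." + domain)


def analyze(log_text, suspicious_domains, nxdomain_threshold=5,
            min_label_len=20, entropy_threshold=3.0, tunnel_threshold=3):
    """Return the three indicator sets for the given log text."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    nxdomain = Counter(r["client"] for r in records if r["rcode"] == "NXDOMAIN")
    contacts = defaultdict(set)
    tunnel_like = Counter()
    for r in records:
        for domain in suspicious_domains:
            if in_domain(r["qname"], domain):
                contacts[r["client"]].add(domain)
        first_label = r["qname"].split(".")[0]
        if (len(first_label) >= min_label_len
                and shannon_entropy(first_label) >= entropy_threshold):
            tunnel_like[r["client"]] += 1
    return {
        "nxdomain_spike": {c: n for c, n in nxdomain.items() if n >= nxdomain_threshold},
        "suspicious_contacts": {c: sorted(d) for c, d in contacts.items()},
        "tunneling_suspects": {c: n for c, n in tunnel_like.items() if n >= tunnel_threshold},
    }


def run_sample():
    return analyze(SAMPLE_LOG, SUSPICIOUS_DOMAINS)


if __name__ == "__main__":
    for indicator, hosts in run_sample().items():
        print(f"{indicator}: {hosts}")
```

Note that badtunnel.example is not in the feed and is still caught: the entropy/length heuristic does not depend on knowing the domain in advance, which is the point of looking at statistical anomalies rather than only at blocklists.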

How to Conduct DNS Spoofing/Poisoning Attack

  • What we'll do (lab setup; the attacker machine is 10.10.10.197 in this example):
    • ARP-poison the victim so its DNS traffic passes through our machine
    • spoof the DNS replies
    • point every name at a web page we set up
  • Steps
    • edit the ettercap config file
      • locate etter.conf
      • open in leafpad
        • leafpad /etc/ettercap/etter.conf
      • change the following values to 0 (so ettercap does not drop root privileges after start-up; the iptables redirect needs them):
        • [privs]
          • ec_uid = 65534
          • ec_gid = 65534
      • scroll to the Linux section
        • uncomment the two iptables redir_command_on/redir_command_off lines
      • save
    • edit etter.dns so that names resolve to our machine:
      • locate etter.dns
      • open in leafpad
        • leafpad /etc/ettercap/etter.dns
      • scroll to the lines with the Microsoft addresses and insert above them:
        • * A 10.10.10.197
      • comment out the Microsoft address lines
      • save the file
    • create the index page that victims will see
      • /var/www (or /var/www/html on newer Apache packages)
    • open ettercap (GUI)
      • Sniff > Unified sniffing
        • select the interface
      • stop sniffing while setting up targets
        • Start > Stop sniffing
      • Hosts > Scan for hosts
      • Hosts > Hosts list
      • select the victim machine
      • Add to Target 1
      • Plugins > Manage the plugins
      • activate dns_spoof (double-click it so it is marked active)
      • Mitm > ARP poisoning
        • check Sniff remote connections
      • Start > Start sniffing
    • start the Apache web service
      • service apache2 start
    • test on the victim machine
      • launch a browser and try browsing to any site
      • should show the created index page; an nslookup of any name from the victim should return 10.10.10.197