DNS,DNS, still DNS - PowerPoint PPT Presentation

About This Presentation
Title:

DNS,DNS, still DNS

Description:

Reference and Diagram from - http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html#cache ... Use sub-domain query request to defeat TTL and bailiwick constraints ... – PowerPoint PPT presentation

Slides: 13
Provided by: blogRic

Transcript and Presenter's Notes


1
DNS,DNS, still DNS
  • Rick Zhong
  • Oct 2008

2
  • Dan Kaminsky DNS Attack
  • Vendor Notified in April to May
  • Publicly Announced in early July
  • Public release of details by Kaminsky (Blackhat
    US 2008, 2-7 August)
  • Old vulnerabilities
  • New ways of using the attacks

3
  • DNS Basics
  • Internet's Phonebook
  • Normal DNS Query flow
  • Reference and Diagram from - http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html#cache

4
  • DNS Basics
  • Normal DNS Query flow
  • Reference and Diagram from - http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html#cache

5
  • DNS Basics
  • Normal DNS Query flow
  • Reference and Diagram from - http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html#cache

6
  • Old Vulnerabilities
  • DNS Request Transaction ID Predictability
    (Birthday attack)
  • 16 bit - 1 to 65535
  • DNS Request Spoofing
  • UDP packets

7
  • New Ways of Attacks
  • Use sub-domain query request to defeat TTL and
    bailiwick constraints
  • Insert spoof data in the authority and additional
    records sections.
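The bailiwick constraint the slide refers to, shown as an added example that is not part of the deck: a resolver-side filter over the authority and additional sections of a response. The zone name, hostnames, addresses and records are constructed for illustration. The second response shows why forged glue that stays inside the target domain (the target domain inserted as NS, as slide 9 describes) passes this check unchanged, so the check alone no longer protects the cache and the attacker is left needing to guess the transaction ID (and, where randomised, the source port).

```python
# Added example (not from the slides): a resolver-side bailiwick filter.
# A cache that sent a query inside zone "example.com" should only keep
# authority/additional records whose owner names fall under that zone.
# All names, addresses and records below are constructed for illustration.


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or a subdomain of it.

    Comparison is case-insensitive and ignores a trailing dot."""
    n = name.lower().rstrip(".")
    z = zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)


def filter_response(zone, answer, authority, additional):
    """Apply the bailiwick rule to each section of a response.

    Records are (owner, rrtype, rdata) tuples. Returns the kept records per
    section plus a 'dropped' list of (section, record) pairs."""
    kept = {"answer": [], "authority": [], "additional": [], "dropped": []}
    for section, records in (("answer", answer),
                             ("authority", authority),
                             ("additional", additional)):
        for record in records:
            if in_bailiwick(record[0], zone):
                kept[section].append(record)
            else:
                kept["dropped"].append((section, record))
    return kept


# Pre-Kaminsky style poisoning attempt: the glue for an outside name server is
# out of bailiwick, so a bailiwick-enforcing cache discards it.
CLASSIC_RESPONSE = dict(
    zone="example.com",
    answer=[("www.example.com", "A", "192.0.2.10")],
    authority=[("example.com", "NS", "ns.attacker.test")],
    additional=[("ns.attacker.test", "A", "192.0.2.66")],
)

# Kaminsky-style response (slide 9, step 3): the forged NS points at a name
# inside the target domain and its glue is therefore in bailiwick; the filter
# keeps every record, so the bailiwick rule gives no protection here.
KAMINSKY_RESPONSE = dict(
    zone="example.com",
    answer=[("k7sd9q2.example.com", "A", "192.0.2.10")],
    authority=[("example.com", "NS", "www.example.com")],
    additional=[("www.example.com", "A", "192.0.2.66")],
)


def demo():
    """Number of dropped records for the two constructed responses."""
    classic = filter_response(**CLASSIC_RESPONSE)
    kaminsky = filter_response(**KAMINSKY_RESPONSE)
    return len(classic["dropped"]), len(kaminsky["dropped"])


if __name__ == "__main__":
    print("dropped records (classic, kaminsky):", demo())
```

The point of the side-by-side is that bailiwick checking was the fix for the older out-of-zone glue trick; against in-zone forged glue it is neutral, which is why the remaining defences on this page (slide 10) are about guess entropy, not about which records a cache accepts.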

8
  • New Ways of Attacks
  • Reference and Diagram from - http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html#cache

9
  • New Ways of Attacks
  • Step 1 Information Collection (NS discovery)
  • Step 2 Query for random hostnames (sub-domains)
    at the target domain
  • Step 3 Spoof a response to the target server
    including an answer for the query, an authority
    server record, and an additional record (The
    target domain name will be inserted as NS)
  • Step 4 Flood the target with the spoofed
    response until it hits the jackpot (matching
    Transaction ID)
  • Step 5 Try again from step 2 using a new
    sub-domain
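Step 2 of the flow above leaves a visible trace on the recursive server: one client asking for a stream of never-before-seen hostnames under a single domain. As an added example, not from the deck, here is a small detector that runs over resolver query-log lines. The log format is a simplified BIND-style query log, the threshold is an arbitrary assumption, and every line (clients, timestamps, names) is constructed rather than captured.

```python
import re
from collections import defaultdict

# Added example (not from the slides): spot a client bursting queries for
# random hostnames at one domain (slide 9, step 2) in a resolver query log.
# The line format is a simplified BIND-style query log and every line below is
# constructed, not captured from a real server.

LOG_RE = re.compile(
    r"^(?P<minute>\d\d-\w{3}-\d{4} \d\d:\d\d):\d\d\.\d+ "
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_line(line):
    """Return {'minute', 'client', 'qname', 'qtype'} or None if not a query line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].lower().rstrip(".")
    return rec


def base_domain(qname):
    """Assumption: the target zone is the last two labels (no public-suffix list)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def find_random_subdomain_bursts(lines, threshold=20):
    """Group A queries by (client, base domain, minute) and return the groups
    whose count of *distinct* hostnames reaches `threshold`.

    Repeated lookups of the same name never trip it; a stream of
    never-seen-before labels under one domain does."""
    distinct = defaultdict(set)
    for line in lines:
        rec = parse_query_line(line)
        if rec is None or rec["qtype"] != "A":
            continue
        key = (rec["client"], base_domain(rec["qname"]), rec["minute"])
        distinct[key].add(rec["qname"])
    return {key: len(names) for key, names in distinct.items()
            if len(names) >= threshold}


def constructed_log():
    """Build a sample log: one ordinary client, one noisy client, one non-query line."""
    import random
    rng = random.Random(2008)
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    lines = [
        "16-Oct-2008 10:15:00.101 client 192.168.1.50#5353: query: www.example.com IN A + (192.168.1.13)",
        "16-Oct-2008 10:15:02.202 client 192.168.1.50#5354: query: mail.example.com IN MX + (192.168.1.13)",
        "16-Oct-2008 10:15:05.303 client 192.168.1.50#5355: query: www.example.com IN A + (192.168.1.13)",
        "16-Oct-2008 10:15:06.000 zone example.com/IN: loaded serial 2008101601",
    ]
    for i in range(30):
        # index prefix keeps the labels distinct; the suffix makes them look random
        label = f"q{i:02d}" + "".join(rng.choice(alphabet) for _ in range(6))
        lines.append(
            f"16-Oct-2008 10:15:{i:02d}.{i:03d} client 192.168.1.24#{40000 + i}: "
            f"query: {label}.example.com IN A + (192.168.1.13)"
        )
    return lines


if __name__ == "__main__":
    for (client, domain, minute), count in find_random_subdomain_bursts(constructed_log()).items():
        print(f"{minute} {client} -> {count} distinct names under {domain}")
```

This is a heuristic, not a proof of poisoning: a downstream forwarder or a busy mail gateway can also produce many distinct names under one domain, so the threshold needs tuning per environment and a hit should be correlated with the other side of the attack (a burst of inbound responses whose transaction ID does not match any outstanding query).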

10
  • POC Setup and Testing
  • Test Environment Setup
  • Victim DNS Server (Ubuntu Bind9 - 192.168.1.13)
  • Attacker (BackTrack 3.0 Final VM image
    192.168.1.24)
  • In the same subnet
  • Attacks
  • Metasploit 3.0
  • Module - use auxiliary/spoof/dns/bailiwicked_host
  • Conclusion
  • Recursive
  • Source Port
  • Non cached entry
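The three conclusion items are the conditions the POC needed: a recursive resolver, a fixed (non-randomised) source port, and a name not already in the cache. The source-port item is the one that can be put in numbers. As an added example, not from the deck, the block below works through slide 6's 16-bit transaction ID with and without source-port randomisation, including the birthday variant slide 6 mentions. The port count is an assumption (roughly the 64k-entry ephemeral range); no figure here comes from the presentation.

```python
import math

# Added example (not from the slides): how the attacker's odds change with the
# entropy the resolver puts into each query. Slide 6 gives the 16-bit
# transaction ID; the "Source Port" conclusion on slide 10 is the extra entropy
# a fixed-port resolver lacks. The port count below is an assumption (roughly
# the 64k-entry ephemeral range), not a figure from the deck.

TXID_BITS = 16
RANDOMISED_PORTS = 64512  # assumption: ports 1024-65535 usable


def guess_space(txid_bits=TXID_BITS, ports=1):
    """Number of (TXID, source port) combinations a forged reply must hit."""
    return (2 ** txid_bits) * ports


def p_success_single_query(n_spoofed, txid_bits=TXID_BITS, ports=1):
    """Probability that at least one of n_spoofed forged replies matches one
    outstanding query: 1 - (1 - 1/space)^n."""
    space = guess_space(txid_bits, ports)
    return 1.0 - (1.0 - 1.0 / space) ** n_spoofed


def p_success_birthday(n_queries, n_spoofed, txid_bits=TXID_BITS, ports=1):
    """Birthday variant (slide 6): a resolver that keeps n_queries outstanding
    for the same name, each with its own TXID, is poisoned if any forged reply
    matches any of them. Approximation 1 - exp(-n_queries * n_spoofed / space)."""
    space = guess_space(txid_bits, ports)
    return 1.0 - math.exp(-(n_queries * n_spoofed) / space)


def spoofs_for_even_odds(txid_bits=TXID_BITS, ports=1):
    """Forged replies needed for a 50% chance against a single query."""
    space = guess_space(txid_bits, ports)
    return math.ceil(math.log(0.5) / math.log1p(-1.0 / space))


def comparison():
    """Side-by-side numbers for a fixed-port and a port-randomising resolver."""
    rows = {}
    for name, ports in (("fixed source port", 1),
                        ("randomised source port", RANDOMISED_PORTS)):
        rows[name] = {
            "guess space": guess_space(ports=ports),
            "p(success | 65536 spoofs)": p_success_single_query(65536, ports=ports),
            "p(birthday, 256 queries x 256 spoofs)": p_success_birthday(256, 256, ports=ports),
            "spoofs for 50%": spoofs_for_even_odds(ports=ports),
        }
    return rows


if __name__ == "__main__":
    for name, row in comparison().items():
        print(name)
        for k, v in row.items():
            print(f"  {k}: {v:,}" if isinstance(v, int) else f"  {k}: {v:.3g}")
```

With a fixed source port the whole guess space is the 65,536 transaction IDs, so a few tens of thousands of forged replies give even odds per attempt, and the "try again from step 2" loop on slide 9 removes the old TTL limit on attempts. Randomising the port multiplies the space by the number of usable ports, which is why it was the vendor fix rolled out in July 2008; the non-cached-entry condition remains because a forged reply can only race a query the resolver actually sends.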

11
  • Enterprise Vulnerability Management
  • Notification
  • Channels
  • Vendor
  • Community
  • Others (FS-ISAC)
  • Evaluation
  • Impact Analysis
  • Remediation Analysis
  • Response
  • Internal Research Group
  • Engineering Team
  • Security Operation Centre
  • Senior Management
  • Line of Business

12
  • Discussion
  • - http://blog.rickzhong.com
  • - rick.zhong_at_gmail.com