Semantic Exploration of DNS Samuel Marchal, J er ome Fran cois, - - PowerPoint PPT Presentation

samuel.marchal@uni.lu 23/05/12

Semantic Exploration of DNS

Samuel Marchal, J´ erˆ

• me Fran¸

cois, Cynthia Wagner and Thomas Engel

Motivation Semantic exploration Experiments and Results Conclusion

Outline

1 Motivation 2 Semantic exploration 3 Experiments and Results 4 Conclusion

2 / 18

Motivation Semantic exploration Experiments and Results Conclusion

Outline

1 Motivation 2 Semantic exploration 3 Experiments and Results 4 Conclusion

3 / 18

Motivation Semantic exploration Experiments and Results Conclusion

Why DNS brute forcing ?

DNS scanning:

◮ Test DNS names by sending requests to a DNS

recursive server

◮ Network mapping: discover all machines of a domain

◮ penetration testing ◮ network security assessment (prevention) ◮ recon stage to craft attack (find accessible services) ◮ use by worms to spread themselves

4 / 18

Motivation Semantic exploration Experiments and Results Conclusion

Alternative to IP scanning

◮ Provided services (ftp, www, etc.) = network interfaces ◮ Machines are not probed directly (DNS requests) ◮ Can be enhanced by using multiple open recursive servers ◮ Reduce the search space (particularly in IPv6)

DNS recursive server DNS authoraitative server DNS authoraitative server WWW WWW FTP MAIL MAIL FTP

IP scanning DNS scanning

uni.lu google.com

R R A A

5 / 18

Motivation Semantic exploration Experiments and Results Conclusion

Current Approaches

◮ How names are defined?

◮ by human and easy to remember → pc1, pc2, atlanta,

boston, etc.

◮ to reflect the provided service → www, ftp, ssh, etc.

◮ → same names often used → scan the most popular

names

◮ dictionary based tools

◮ DNSenum: 266 930 names by default ◮ fierce: 1 895 names by default

◮ tool relying on natural language

◮ SDBF: domain name generator (domain names features,

Markov chain model)

6 / 18

Motivation Semantic exploration Experiments and Results Conclusion

Outline

1 Motivation 2 Semantic exploration 3 Experiments and Results 4 Conclusion

7 / 18

Motivation Semantic exploration Experiments and Results Conclusion

Names definition

Domain names are given by human:

◮ Reflect a provided service (ftp, www, etc.) ◮ Follow numerical patterns (ftp1, ftp2) ◮ Share a common semantic field

8 / 18

Motivation Semantic exploration Experiments and Results Conclusion

Names discovery

Given a subdomain ⇒ generate new subdomains:

9 / 18

Motivation Semantic exploration Experiments and Results Conclusion

Tool overview

◮ Generation of semantically close names

◮ name split in words ◮ generate similar words using Disco

◮ Enumeration of numbers www ftp ns1 ns2 marsserver1 paris london pc2room103

uni.lu

SDBF Fierce DNSenum marsserver1 venuspc3.uni.lu jupitermail5.uni.lu mars server 1

venus neptun jupiter pc computer mail 2 3 4

split related names numerical increment merge 10 / 18

Motivation Semantic exploration Experiments and Results Conclusion

Semantic exploration: Disco

Horizontal exploration Vertical exploration surf rugby whitewater help reggae runner skate soccer surfing …... cricket football voleyball …... assistance aid …... hedgehog athlete broadcaster relay tunes ……. football basketball …... announcer piglet ……. concolor badger ……. extensions …... freestyle sprint …….. songs tune ……. 1 2 3 4

disco disco disco disco d i s c

• disco

disco disco disco disco

roadgoing mockingbird ……..

disco

valid not valid

11 / 18

Motivation Semantic exploration Experiments and Results Conclusion

Outline

1 Motivation 2 Semantic exploration 3 Experiments and Results 4 Conclusion

12 / 18

Motivation Semantic exploration Experiments and Results Conclusion

Method and Results

◮ 24 popular domains ◮ 3 tools: DNSenum, Fierce, SDBF ⇒ initial list of

subdomains

%Impi = |Newi| |Initi| , i ∈ {SDBF, DNSenum, Fierce, overall}

13 / 18

Motivation Semantic exploration Experiments and Results Conclusion

Detailed Results

SDBF Fierce DNSenum Overall Domains |Init| |New| %Imp |Init| |New| %Imp |Init| |New| %Imp |Init| |New| %Imp livejasmin.com 24 39 162 20 14 70 18 14 77 37 33 89 ebay.com 123 284 230 115 257 223 185 225 121 284 158 55 google.com 69 125 181 84 87 103 83 108 130 149 77 51 vdl.lu 15 15 100 11 13 118 16 12 75 23 11 47 amazon.com 78 82 105 55 72 130 75 75 100 132 52 39 msn.com 207 281 135 196 246 125 236 223 94 372 140 37 baidu.com 369 243 65 178 280 157 238 253 106 478 157 32 microsoft.com 115 121 105 91 90 98 97 98 101 189 56 29 apple.com 141 128 90 65 116 178 130 106 81 241 70 29 ask.com 88 82 93 78 65 83 79 71 89 135 40 29 all domains 2057 1739 84 1520 1558 102 1788 1565 87 3170 954 30

◮ From 84% to 102% of newly discovered names ◮ Up to 230% of improvement ◮ Complementarity ⇒ 30 % overall improvement

14 / 18

Motivation Semantic exploration Experiments and Results Conclusion

Overhead

◮ Average of 40,000 probes per domain // SDBF &

DNSenum: 260,000 (6 times less)

15 / 18

Motivation Semantic exploration Experiments and Results Conclusion

Outline

1 Motivation 2 Semantic exploration 3 Experiments and Results 4 Conclusion

16 / 18

Motivation Semantic exploration Experiments and Results Conclusion

Conclusion

◮ New methods to brute-force DNS:

◮ semantic relatedness ◮ incremental techniques

◮ Results:

◮ able to generate valid names... ◮ ... mainly not present in well used dictionaries →

complementarity

◮ low overhead

◮ Future works:

◮ use other databases ◮ improve semantic relatedness metric

17 / 18

samuel.marchal@uni.lu 23/05/12

Semantic Exploration of DNS

Samuel Marchal, J´ erˆ

• me Fran¸

cois, Cynthia Wagner and Thomas Engel