User Controls
Someone teach me about DNS fluxxing and DNS cache poisoning.
-
2015-10-01 at 3:46 PM UTCSo apparently there's this thing called DNS fast flux, the basic idea is that you switch out IP addresses at a high rate through a single fully qualified domain name by changing the DNS record. This allows for something that they call distributed command and control. Where it is hard to detect where the actual C&C is because requests are rerouted through a series of proxies. Pic related.
Now that's all well and good but doesn't explain to me how it actually works or how one would go about setting something like this up, hypothetically of course. And while we're on the topic of doing haxxy things with DNS, feel free to give me a walkthrough of DNS cache poisoning. Now i could probably configure nmap to scan the entire internet for DNS servers but then what. I got Responder which is a LLMNR, NBT-NS and MSDNS poisoner with built in rogue server authentication support, but i'd like to get into details on the specific process of poisoning DNS records.
-
2015-10-08 at 12:04 AM UTCfast-flux DNS is (was?) usually used to host spam websites on botnet nodes... as far as I know the technique isn't used for C&C servers.
basically what it does is set up a dns record with a tiny ttl that lists a bot as the SOA - it's transferred between bots intermittently, but the main thing is the DNS record itself is a list of IPs on the botnet which is constantly updated, so when someone tries to access 'faggot.net', the request gets passed on to a compromised machine, which then loads a list of all the bots running http services and directs the requester to one of them. it's referred to as fast-flux because the list is constantly updated, so when bots go down or come back up the dns record is dynamically updated.
dns cache poisoning I'm not familiar with, but a quick search indicates the following:
at it's basest level, it involves updating dns entries to point to malicious sites - virtually the same as editing your hosts file and adding an entry pointing facebook.com to goatse.cx's IP address. practically it's a little different though - to understand fully, I recommend reading a little about DNS to understand the tiers of queries and importance of trust.
anyway, let's use facebook.com as a simplified example.
your average internet user uses their ISP's DNS servers. when they try to access www.facebook.com, their computer sends the request to their ISP asking where www.facebook.com is. your ISP goes to their upstream provider, and then on to whoever owns the facebook domain to get the address to connect to, then passes it on to the end-user. the end-user then connects to the address and posts pictures of his dick.
to reduce load on DNS servers and the network in general, they will cache requests. in the above scenario, what might actually happen is the end user will request the address for facebook.com from their ISP, and because facebook is a popular website that gets requested every few minutes, they'll actually retain a copy of facebook's address in cache instead of having to pass the request up the chain every time. if someone were to poison the cache - change facebook's address to goatse in the ISP's cache - all of the ISP's customers would be greeted with a different gaping asshole when opening facebook.
back to the attack - how does an attacker get their custom entry into the ISP's cache? DNS uses the UDP protocol on port 53 (from memory) to send/receive information. because UDP is not transactional like TCP, it is possible to spoof the sender's IP address, purporting to be the authoritive server for facebook.com sending a record update to the ISP.
there's a little more to it than that but I'll update later maybe -
2015-10-08 at 12:44 AM UTC
fast-flux DNS is (was?) usually used to host spam websites on botnet nodes… as far as I know the technique isn't used for C&C servers.
basically what it does is set up a dns record with a tiny ttl that lists a bot as the SOA - it's transferred between bots intermittently, but the main thing is the DNS record itself is a list of IPs on the botnet which is constantly updated, so when someone tries to access 'faggot.net', the request gets passed on to a compromised machine, which then loads a list of all the bots running http services and directs the requester to one of them. it's referred to as fast-flux because the list is constantly updated, so when bots go down or come back up the dns record is dynamically updated.
Thanks, also, my niggers at over at evilzone were talking about a C&C mechanism, involving fast flux so IDK. That's where i got the idea.dns cache poisoning I'm not familiar with, but a quick search indicates the following:
at it's basest level, it involves updating dns entries to point to malicious sites - virtually the same as editing your hosts file and adding an entry pointing facebook.com to goatse.cx's IP address. practically it's a little different though - to understand fully, I recommend reading a little about DNS to understand the tiers of queries and importance of trust.
anyway, let's use facebook.com as a simplified example.
your average internet user uses their ISP's DNS servers. when they try to access www.facebook.com, their computer sends the request to their ISP asking where www.facebook.com is. your ISP goes to their upstream provider, and then on to whoever owns the facebook domain to get the address to connect to, then passes it on to the end-user. the end-user then connects to the address and posts pictures of his dick.
to reduce load on DNS servers and the network in general, they will cache requests. in the above scenario, what might actually happen is the end user will request the address for facebook.com from their ISP, and because facebook is a popular website that gets requested every few minutes, they'll actually retain a copy of facebook's address in cache instead of having to pass the request up the chain every time. if someone were to poison the cache - change facebook's address to goatse in the ISP's cache - all of the ISP's customers would be greeted with a different gaping asshole when opening facebook.
back to the attack - how does an attacker get their custom entry into the ISP's cache? DNS uses the UDP protocol on port 53 (from memory) to send/receive information. because UDP is not transactional like TCP, it is possible to spoof the sender's IP address, purporting to be the authoritive server for facebook.com sending a record update to the ISP.
there's a little more to it than that but I'll update later maybe
Oh i see, it also seems my program responder is for the local network. Anyway if i were to find out what the authoritative server's IP adress is spoof it and send a record update i could redirect traffic to my malicious site. I'd probably just spoof the entire site i'd be replacing to fish for credentials or something.