1 and DNS Hacking

Overview Hacking - Technology - Attacks - Phishing/Spearphishing/Whaling DNS Hacking - Technology - Attacks - Flux 2

3 A postcard written in pencil, with trusted cargo attached Here is the program you’ve been waiting for. Trusted Colleague

How Works 4 User Mail User Agent Mail Transfer Agent Mail User Agent

Simple Mail Transfer Protocol TCP/25 by default Transfer-agent based Text Protocol Single connection, multiple messages (maybe) Easily forged 5 S: 220 smtp.example.com ESMTP Postfix C: HELO relay.example.org S: 250 Hello relay.example.org, I am glad to meet you C: MAIL FROM: S: 250 Ok C: RCPT TO: S: 250 Ok C: RCPT TO: S: 250 Ok C: DATA S: 354 End data with. C: From: "Bob Example" C: To: Alice Example C: Date: Tue, 15 Jan :02: C: Subject: Test message C: Hello Alice. C: Your friend, Bob C:. S: 250 Ok: queued as C: QUIT S: 221 Bye {The server closes the connection}

How Can Go Wrong 6 User Mail User Agent Mail Transfer Agent Mail User Agent Malicious Software Weak Protocol Intercepted Message Malicious Software Weak Protocol Inserted Message Preview & Download Integration with OS Dropped Message

Attacking 7 User Mail User Agent Mail Transfer Agent Mail User Agent Subvert Attach Hijack Flood Extract Insert Compromise Propagate Fool

Social Engineering Exploit trust relationships between people Exploit service climate Exploit business methods 8

9 Love Letter Virus Check out this joke... Trusted Colleague IRC Exchange VBS JPG MP3 others Replace Corrupt data/script files Steal Passwords Clog

10 Phishing example? Date: Tue, 20 Sep :06: (PDT) From: Countrywide To: Subject: Important Customer Correspondence [Image: "height="] [Image: "Countrywide - Full Speectrum Lending Division"] [Image: " "] [Image: "height="] [Image: "height="] [Image: "height="] [Image: "If you could use some extra cash, Countrywide could make it easy."] [Image: "Click Here to Get Started"] [Image: "height="] [Image: "height="] [Image: "height="] [Image: "height="] Dear Timothy, We can help customers get cash from the available equity they've built up in their homes by refinancing their mortgages ? and with the trend in rising home values, we estimate your home's equity may have increased to as much as $43, (much more…) Phone number appears legit, current mortgage holder Note typographical errors (Speectrum, empty images, etc.) Big payoff offered Closer look: embedded domains doesn’t match from domain (m0.net, r.delivery.net, not countrywide.com, all same ISP (Digital Impact))

Domain Name System More than just hostname → IP Query hierarchy of nameservers –Local nameserver (resolver): answer from cache or preloaded resolutions, may do recursive queries –Authoritative nameserver: answer based on domains it covers, or recurse –Root nameserver: answer top-level, delegate, or generate errors 11

Name Server Protocol UDP/53 or TCP/53 Client queries local (address, ptr, mx, ns, hinfo, any) Local responds from cache or queries to root Root responds with referral to TLD or error Local queries TLD TLD responds with referral to authority or error Local queries authority Authority sends answer Local sends answer 12 Query Response

Where DNS Can Go Wrong Client Side –Cache Poisoning –False Response –False Domains –Compromise –Tunneling Server Side –Flooding –False Response –Compromise 13

Flux Why would a domain change its resolution? Why would a domain change frequently? Why would a domain change transiently? 14

Summary Common and needed protocols Many, many vulnerabilities Many, many attacks Some systematic solutions (encryption) Trust 15