DNS Hijacking – KL Tech Meet-up - May 2015

Presentation on theme: "DNS Hijacking – KL Tech Meet-up - May 2015"— Presentation transcript:

1 DNS Hijacking – KL Tech Meet-up - May 2015
Abhishek Dujari, Technical Project Manager

2 What is DNS Hijacking
Some terms to remember:
• DNS – Domain Name System
• Domain Name Registry – centralized record of domain names and owners
• Designated Registrar or Registrar – where you register the domains
• DNS Hosting Provider
• Authoritative DNS and Recursive DNS
[Diagram: ICANN → Registry → Registrar → Owner]

3 How DNS Works
[Diagram: Master → zone transfer agent (ZTA) → Secondary DNS; Primary DNS; User → Local Name server → Domain registrar / name servers a1-123.akam.net … a6-123.akam.net; arrows labelled "Zone transfer request", "Zone data", "Validation" and "IP or CNAME"]
Secondary DNS: upload zone data from a customer-managed master using zone transfer agents.
Primary DNS: upload zone data through Luna Control Center or the {OPEN} API and register Akamai name servers with the domain registrar.
Speaker notes: Let’s take a look at how Fast DNS works. Fast DNS can be configured as either a primary or a secondary DNS service. Let’s take a look at how it works as a secondary DNS service first. Basically, you maintain zone data on your master name server, and Fast DNS zone transfer agents (ZTA) perform zone transfer requests to get that zone data and push it out to Fast DNS name servers. With a primary DNS, you upload zone data through either the Luna Control Center or Akamai’s {OPEN} API. The zone transfer agent will push out your zone data to the Fast DNS name servers and provide you a list of name servers (typically six) that you can register with your domain registrar. Regardless of whether it’s deployed as a primary or secondary DNS service, when a user performs a DNS lookup request for your site, his/her local name server will query the root name servers, which will redirect the request to the .com name servers, which will redirect the request to Fast DNS, which will resolve the request and return the IP address of your site.

4 DNS Hijacking in the news

5 Get the Tech
• Walkthrough of a planned DNS hijack
• Impact of the DNS hijack
• Uncovering a DNS hijack and recovery
• Prevention

6 How it all happens. Phase 1.
• Hacktivists collaborate over IRC or social media, selecting multiple targets.
• Criminal rings develop plans for ransom.

7 Phase 2: Preparation
• Targeted organization domains are “looked up”; a whois query returns the Admin contact details.
• Phish domain is registered along with an SSL certificate, e.g. StartSSL.
• Malicious domains are hosted on free hosting, free CDN or compromised hosts and proxies.
• Set up a “catch-all” address mailbox for target domains.
• Phishing emails are crafted with a cloaked URL (demo: blacksquirrel.io); emails are sent to targets. Now they wait!

8 Phase 3: Bait and wait. Some emails are opened and malicious URLs clicked. Once the password is received or a Remote Access Tool is active, the hacker is in business. Social engineering at its best!

9 OpSec! Operations security (OPSEC) is a term originating in U.S. military jargon, as a process that identifies critical information to determine if friendly actions can be observed by adversary intelligence systems, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information. Attackers avoid using payment information at all costs as it can be traced. Think free CDN, free SSL and free hosting!

10 Phase 4: OpSec
• Login to victim’s email account.
• Look for any other sign-up emails. Perhaps the domain registrar?
• Try the email/username and password on the registrar, web hosting and CDN accounts.
• If the password does not work, send a password reset to the victim’s account.
• Look for other OpSec opportunities.

11 Phase 5: Exploit!
• Access the Registrar portal.
• Change DNS servers to point to other 3rd party name servers under the hacker’s control.
• Change MX and A records to point to own mail servers. Both SMTP and POP/IMAP can be replaced.
OR
• Access the CDN portal and change the Origin IP to point to the cloaked hosting URL.

12 How compromised DNS Works
[Diagram: same resolution flow as slide 3, but the domain registrar now lists the attacker’s name servers (Ns.Sara-ns.com, Ns.Todd-ns.com) instead of the Akamai name servers, so the local name server is referred to ns.sara-ns.com and the IP or CNAME returned points at the attacker’s website]
(Speaker notes repeat the Fast DNS walkthrough from slide 3.)
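The two diagrams above (slide 3 and slide 12) make one point: a recursive resolver only ever reaches your authoritative server by following the NS referral that the .com zone hands out, and that referral is whatever the registrar published. The toy resolver below, an added example that is not part of the presentation or of Akamai's Fast DNS, models that walk over constructed zone data (RFC 5737 documentation addresses, made-up server names; nothing touches the network). `redelegate` then shows what a registrar-level NS change does to resolution: the answer comes from the new server and the original authoritative server is never queried, which is why its own logs stay silent during a hijack.

```python
"""Toy model of iterative DNS resolution (root -> TLD -> authoritative).

Added example, not from the presentation. All servers, names and addresses
are constructed (RFC 5737 documentation ranges); nothing touches the network.
"""
import copy
from typing import Dict, Iterator, List, Tuple

Record = Tuple[str, str]           # (owner name, record type)
Zone = Dict[Record, List[str]]     # records a server answers with
Servers = Dict[str, Zone]          # server IP -> its records

ROOT_SERVER = "198.51.100.1"

# Constructed data: the root knows only the .com delegation, the .com server
# holds the delegation the registrar published for example.com, and the
# authoritative server (Fast DNS in the slide) holds the real zone content.
SERVERS: Servers = {
    "198.51.100.1": {
        ("com.", "NS"): ["a.gtld.example."],
        ("a.gtld.example.", "A"): ["198.51.100.2"],
    },
    "198.51.100.2": {
        ("example.com.", "NS"): ["a1-123.akam.net."],
        ("a1-123.akam.net.", "A"): ["198.51.100.3"],
    },
    "198.51.100.3": {
        ("www.example.com.", "A"): ["203.0.113.10"],
        ("example.com.", "MX"): ["10 mail.example.com."],
    },
}


def ancestors(name: str) -> Iterator[str]:
    """Yield name, then each parent zone, and finally the root '.'."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."


def resolve(qname: str, qtype: str, servers: Servers = SERVERS,
            root: str = ROOT_SERVER) -> Tuple[List[str], List[str]]:
    """Follow referrals from the root; return (answer, servers asked in order)."""
    server, chain = root, []
    for _ in range(8):                      # hop limit guards against loops
        chain.append(server)
        zone = servers[server]
        if (qname, qtype) in zone:          # this server holds the answer
            return zone[(qname, qtype)], chain
        for cut in ancestors(qname):        # otherwise take the closest referral
            ns_names = zone.get((cut, "NS"))
            if ns_names:
                glue = zone.get((ns_names[0], "A"))
                if not glue:
                    raise LookupError(f"no glue for {ns_names[0]} at {server}")
                server = glue[0]
                break
        else:
            raise LookupError(f"{server} has neither answer nor referral for {qname}")
    raise LookupError("referral chain too long")


def redelegate(servers: Servers, zone_name: str, ns_name: str, ns_ip: str,
               records: Zone) -> Servers:
    """Return a copy of the world after the parent (TLD) delegation for zone_name
    has been repointed at a different name server, which is exactly what a
    change made through the registrar account does."""
    world = copy.deepcopy(servers)
    tld = next(s for s, z in world.items() if (zone_name, "NS") in z)
    world[tld][(zone_name, "NS")] = [ns_name]
    world[tld][(ns_name, "A")] = [ns_ip]
    world[ns_ip] = records
    return world


if __name__ == "__main__":
    print("normal:", resolve("www.example.com.", "A"))
    changed = redelegate(SERVERS, "example.com.", "ns1.other-dns.example.",
                         "198.51.100.9", {("www.example.com.", "A"): ["192.0.2.66"]})
    print("after delegation change:", resolve("www.example.com.", "A", changed))
```

Running it prints the normal chain (root, .com, authoritative) ending in 203.0.113.10, then a chain that ends at 198.51.100.9 instead: the zone content on the real authoritative server is untouched and still correct, yet no resolver asks it. That is the detection lesson of slide 14: check the delegation as published by the registry, not just the zone you host.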

13 Impact
• All emails sent and received are going to the attacker’s mail server. They are reading everything.
• The website is showing a different page, owned by the attackers.
• They are able to collect logged-in users’ web sessions! (how?)
• They can still access your site by spoofing and inserting stolen web sessions to steal customer data.
• They can even access the VPN if there is no client certificate.
• They are still able to send password reset emails to the victim’s account and take over social media accounts.
• OpSec – network pivoting, exfiltration, command and control.
Anything is possible! Sky is the limit.

14 How to spot a DNS Hijack
• DIG for it. Use multiple remote locations.
• See where the compromise has happened. Follow the request process: Registrar! → DNS → CDN → Web Hosting
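A way to turn "DIG for it from multiple remote locations, then follow the request process" into a repeatable check, as an added example that is not part of the presentation. It compares `dig +short`-style answers gathered from several vantage points against the records you expect and, from which record types disagree, names the layer to look at first. The observations below are constructed; in practice each vantage point's text would come from `dig +short <name> <type> @<resolver>` run from remote hosts or public resolvers. The names `resolver-eu`, `resolver-apac` and `other-dns.example` are invented.

```python
"""Compare DNS answers seen from several vantage points with the expected
records and locate which link in the chain (registrar/registry delegation or
DNS hosting zone content) has changed.

Added example, not from the presentation. The dig-style output is constructed.
"""
from typing import Dict, Set

Expected = Dict[str, Set[str]]            # record type -> expected values
Observed = Dict[str, Dict[str, str]]      # vantage -> record type -> raw dig +short text

EXPECTED: Expected = {
    "NS": {"a1-123.akam.net.", "a2-123.akam.net."},
    "A": {"203.0.113.10"},
    "MX": {"10 mail.example.com."},
}

# Constructed observations: one resolver still returns the right records
# (with the case and trailing-dot noise real output has), the other already
# follows a changed delegation.
OBSERVED: Observed = {
    "resolver-eu": {
        "NS": "A1-123.akam.net\na2-123.akam.net.\n",
        "A": "203.0.113.10\n",
        "MX": "10 mail.example.com.\n",
    },
    "resolver-apac": {
        "NS": "ns1.other-dns.example.\nns2.other-dns.example.\n",
        "A": "192.0.2.66\n",
        "MX": "10 mail.other-dns.example.\n",
    },
}


def parse_short(text: str) -> Set[str]:
    """Normalise `dig +short` lines: lower-case, exactly one trailing dot on names."""
    values = set()
    for line in text.splitlines():
        parts = line.strip().lower().split()
        if not parts:
            continue
        host = parts[-1]                       # MX lines are "<pref> <host>"
        is_ipv4 = host.replace(".", "").isdigit()
        if not is_ipv4 and not host.endswith("."):
            parts[-1] = host + "."
        values.add(" ".join(parts))
    return values


def diff_vantage(observed: Dict[str, str], expected: Expected) -> Dict[str, Set[str]]:
    """Return {record type: values actually seen} for every type that differs
    from the expectation at one vantage point; empty dict means clean."""
    findings = {}
    for rtype, want in expected.items():
        got = parse_short(observed.get(rtype, ""))
        if got != want:
            findings[rtype] = got
    return findings


def locate(findings: Dict[str, Set[str]]) -> str:
    """Map a mismatch to the layer that changed, in the slide's order:
    registrar first, then DNS hosting. A CDN origin or web-host change is
    not visible in DNS at all; that layer needs a content comparison."""
    if not findings:
        return "clean"
    if "NS" in findings:
        return "delegation changed: check registrar account and registry NS records first"
    return "zone content changed: check DNS hosting provider account"


def audit(observed: Observed, expected: Expected) -> Dict[str, str]:
    """One verdict per vantage point."""
    return {vantage: locate(diff_vantage(seen, expected))
            for vantage, seen in observed.items()}


if __name__ == "__main__":
    for vantage, verdict in audit(OBSERVED, EXPECTED).items():
        print(f"{vantage}: {verdict}")
        for rtype, seen in diff_vantage(OBSERVED[vantage], EXPECTED).items():
            print(f"  {rtype} seen: {sorted(seen)}")
```

Checking from several resolvers matters because caches expire at different times: the first vantage point to return the changed delegation tells you the registry record has moved even while others still serve the old, correct answer. The NS-versus-A/MX distinction is what sends you to the registrar portal rather than the DNS hosting portal.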

15 Recover from the HiJack – time is running out!
• Contact the 3rd party providers immediately to restore the correct records.
• Shut down your web server. Invalidate all sessions.
• Shut down access/servers. Any other services on the same DNS? Sessions?
• Use a secondary non-public domain name as the recovery address.
• Rotate all passwords including VPN. Sessions?
• Notify the public, staff and vendors clearly on what has happened to avoid further data theft and breaches. Anyone possibly affected should be made aware.
• It can take hours to restore correct DNS records. Use IP addresses to connect to services until restoration is complete.
• Take no risk! Assume all accounts are compromised.

16 Recovery contd…
• Start to OpSec: look for any 3rd party services that are unclassified and could have been compromised. Take necessary action to lock them down.
• Ensure you have full DNS control and it is secure before you start rotating passwords and enabling services. (48 hours)

17 Prevention
[Diagram: Whois Lookup; ICANN → Registry → Registrar → Owner]
Registry-level locks: • serverDeleteProhibited • serverUpdateProhibited • serverTransferProhibited
Registrar-level locks: • clientDeleteProhibited • clientUpdateProhibited • clientTransferProhibited
Whois is public information. Email addresses listed there should not be used for account creation.
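Both points on this slide can be checked mechanically. The following is an added example, not part of the presentation: it parses a Whois record in the ICANN "Domain Status:" format, lists which of the six locks above are missing, and flags any Whois-visible contact address that is also used as a login identity for a registrar, CDN or hosting account. The Whois text and the account list are constructed; a real record would come from a whois client or the registrar's RDAP service, and the account list from your own inventory.

```python
"""Check registrar/registry locks in a Whois record and flag Whois-listed
contact addresses that double as third-party account logins.

Added example, not from the presentation. SAMPLE_WHOIS is constructed.
"""
import re
from typing import Iterable, List, Set

# EPP status codes from the slide. client* codes are set by the registrar;
# server* codes are set by the registry and cannot be cleared from the
# registrar portal alone, which is why the slide asks for a registrar that offers them.
REQUIRED_LOCKS: Set[str] = {
    "clientDeleteProhibited", "clientUpdateProhibited", "clientTransferProhibited",
    "serverDeleteProhibited", "serverUpdateProhibited", "serverTransferProhibited",
}

# Constructed record: only two registrar locks, no registry locks, and the
# same mailbox used for registrant and admin contact.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Registrar Of Record, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Name Server: A1-123.AKAM.NET
Name Server: A2-123.AKAM.NET
Registrant Email: admin@example.com
Admin Email: admin@example.com
Tech Email: dns-ops@example.com
"""

STATUS_RE = re.compile(r"^\s*Domain Status:\s*(\w+)", re.MULTILINE)
EMAIL_RE = re.compile(r"^\s*(?:Registrant|Admin|Tech) Email:\s*(\S+)",
                      re.MULTILINE | re.IGNORECASE)


def locks(whois_text: str) -> Set[str]:
    """EPP status codes present in the record."""
    return set(STATUS_RE.findall(whois_text))


def missing_locks(whois_text: str, required: Iterable[str] = REQUIRED_LOCKS) -> List[str]:
    """Locks the slide recommends that the record does not show, sorted."""
    return sorted(set(required) - locks(whois_text))


def whois_contacts(whois_text: str) -> Set[str]:
    """Contact addresses anyone can read from the public record."""
    return {e.lower() for e in EMAIL_RE.findall(whois_text)}


def exposed_accounts(whois_text: str, account_logins: Iterable[str]) -> Set[str]:
    """Login addresses for registrar/CDN/hosting portals that are public via
    Whois; the slide says such addresses should not be used for account creation."""
    return whois_contacts(whois_text) & {a.lower() for a in account_logins}


if __name__ == "__main__":
    # Constructed inventory of addresses used to log in to third-party portals.
    logins = ["admin@example.com", "registrar-login@corp-internal.example"]
    print("missing locks:", missing_locks(SAMPLE_WHOIS))
    print("exposed logins:", sorted(exposed_accounts(SAMPLE_WHOIS, logins)))
```

For the constructed record the check reports four missing locks (clientUpdateProhibited and all three server* locks) and one exposed login, admin@example.com; the second login lives on the unadvertised domain slide 18 recommends and so is not in Whois at all.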

18 Prevention tips
• Whois Privacy.
• DNS monitoring. SOC is important.
• VPN for access. The VPN must use client certificates that can be revoked.
• Use an unadvertised domain name for creating 3rd party accounts.
• Select a good registrar that allows Server* locks.
• 2FA/MFA, 2FA, 2FA ….. for access, e.g. Akamai Luna portal.
• Practice good OpSec. Audit all 3rd party accounts. Ensure no users exist which are not needed in any system, like Registrar, Luna portal etc.
• Use SSO where possible. Akamai Luna portal supports SSO.

19 Educate and Inform
• Conduct regular security exercises with your end users.
• Educate end users on identifying scam/phishing emails.
Resources
