Domain Name System. Overview. Domain Name System. Domain Name System

Transcription

1 Overview Domain Name System We look first at how the Domain Name System (DNS) is implemented and the role it plays in the Internet We examine some potential DNS vulnerabilities and in particular we consider a selection of the DNS cache-poisoning techniques available to attackers For more information on DNS see Chapter 8 of Tanenbaum s Computer Networks, 4th edition Layers below the application layer support the network applications (e.g. web browsers) with which users are familiar However, applications also rely on support protocols in the application layer and one such support protocol is DNS, the protocol responsible for naming across the Internet A flexible mapping from host names to IP addresses is required for two reasons: 1. IP addresses are difficult to remember 2. Sending to dobrien@[ ] ties a host (here an server) to a particular IP address (which we might wish to subsequently change) In ARPANET the mapping was stored in a single file called hosts.txt which every host would download nightly As the Internet expanded a distributed DNS was developed Copyright c 2016, Darragh O Brien, Dublin City University 1 Copyright c 2016, Darragh O Brien, Dublin City University 2 Domain Name System Domain Name System DNS is a hierarchical naming scheme backed by a distributed database and is used for mapping host names to IP addresses Typically, to use DNS a local resolver is invoked (by gethostbyname) and passes to a local DNS server (over UDP to port 53) the name of the host whose IP address is sought The local DNS server (with the help of other DNS servers) maps the host name to an IP address and returns it to the resolver which hands it to the application A hierarchical approach simplifies managing a large and constantly changing set of mappings Top level domains come in several types: countries (.ie), generics (.com), sponsored (.aero) and infrastructure (.arpa) The number of generics is expanding and is expected to exceed 1300 over the next few years Generic Countries int com edu gov mil org net jp us nl... sun yale acm ieee ac co oce vu eng cs eng jack jill keio nec cs ai linda cs csl flits fluit robot pc24 Copyright c 2016, Darragh O Brien, Dublin City University 3 Copyright c 2016, Darragh O Brien, Dublin City University 4

2 Domain Name System Domains and Zones A domain is a node in the hierarchical DNS namespace tree and is identified by a domain name e.g. dcu.ie A fully qualified domain name is a leaf in the DNS namespace and identifies a particular device on the Internet e.g. Each domain must be registered only with the domain that dominates it (perhaps requiring the payment of an annual fee) A zone is a region of the namespace whose administration has been delegated to a particular authority by its parent administrator (a zone contains one or more domains) The dcu.ie zone s administrator has delegated the administration of the computing.dcu.ie subdomain to technical staff in the School of Computing (who could (but do not) divide that domain into further administrative zones) Generic Countries int com edu gov mil org net jp us nl... sun yale acm ieee ac co oce vu eng cs eng jack jill keio nec cs ai linda cs csl flits fluit robot pc24 Copyright c 2016, Darragh O Brien, Dublin City University 5 Copyright c 2016, Darragh O Brien, Dublin City University 6 Domain Name System Domain Name System From the diagram we see that Yale has a name server that handles the yale.edu and eng.yale.edu domains but not the cs.yale.edu domain which is in a separate zone that has its own name server A zone file contains all of the resource records associated with that zone and it is these records that make up the DNS database It is resource records that are served by name servers to resolvers inquiring about hosts in a zone Most resource records are a simple IP address hostname mapping but other kinds of resource records also exist The different kinds of resource records that may be associated with a particular zone are given below Copyright c 2016, Darragh O Brien, Dublin City University 7 Copyright c 2016, Darragh O Brien, Dublin City University 8

3 Domain Name System Domain Name System An SOA record provides administrative information about the zone e.g. the name of the primary authoritative name server for this zone and the address of the zone s administrator An A record holds the IPv4 address of a host An AAAA record holds the IPv6 address of a host An MX record provides the name of a mail server for the zone (a zone may have several, each with an associated priority) An NS record associates a name server with the zone (a zone may have several, each with an associated priority) A CNAME record allows aliases to be created so one host can go by several names A PTR record is used for reverse lookups A HINFO record associates particular hardware and/or operating system information with a particular host An SRV record identifies the location of services A TXT record allows arbitrary zone information to be recorded Every resource record has an associated timeout (specified in seconds) which determines for how long it should be cached by requesting clients and servers before being discarded Some of the resource records associated with the cs.vul.nl zone are given below Copyright c 2016, Darragh O Brien, Dublin City University 9 Copyright c 2016, Darragh O Brien, Dublin City University 10 Name Servers Normally a zone has a primary name server that is configured by an administrator and one or more secondary servers that get their information from the primary server Secondary servers are synchronised with the primary server by periodically performing a zone transfer i.e. downloading the definitive zone file from the primary server For reliability some name servers may be located outside their zone A zone knows the name servers for the zones immediately below it An authoritative record is one returned from a zone by its name server and is always correct A non-authoritative record is a cached record returned by an intermediary server and not the definitive name server for a zone Whether an answer is authoritative or non-authoritative is indicated in the results returned to a resolver Copyright c 2016, Darragh O Brien, Dublin City University 11 Copyright c 2016, Darragh O Brien, Dublin City University 12

4 Start Of Authority Start Of Authority The SOA record contains the following fields: Serial number: indicates the version of the zone file and is incremented whenever the zone file is modified Refresh interval: determines how often secondary name servers will check for updates to the zone file Retry interval: determines how long secondary name servers should wait before attempting again a failed zone transfer Expiry time: determines how long secondary name servers will continue to use outdated zone files when unable to perform a zone transfer TTL: determines for how long negative results (e.g. domain does not exist) will be cached by this server $ dig +multiline soa ;; ANSWER SECTION: computing.dcu.ie. 600 IN SOA Mailhost.computing.dcu.ie. McGorman.computing.dcu.ie. ( ; serial 1800 ; refresh (30 minutes) 600 ; retry (10 minutes) ; expire (4 weeks 2 days) 3600 ; minimum (1 hour) ) Copyright c 2016, Darragh O Brien, Dublin City University 13 Copyright c 2016, Darragh O Brien, Dublin City University 14 Name Servers Recursive and Iterative Queries A resolver s query can be recursive or iterative Recursive queries travel the DNS hierarchy until resolved when the answer is returned to the resolver With each iterative query only the next name server in the chain is returned The various stages of a recursive query (assuming no cached records along the way) are illustrated here: Originator flits.cs.vu.nl 1 8 VU CS name server 2 Edu name server Yale name server Yale CS name server cs.vu.nl edu-server.net yale.edu cs.yale.edu 7 The various stages of the following iterative query follow $ dig +trace Copyright c 2016, Darragh O Brien, Dublin City University 15 Copyright c 2016, Darragh O Brien, Dublin City University 16

5 Lookup Root (.) Servers Lookup.ie Servers ; <<>> DiG P2 <<>> +trace ;; global options: +cmd IN NS j.root-servers.net IN NS k.root-servers.net IN NS l.root-servers.net IN NS i.root-servers.net IN NS d.root-servers.net IN NS c.root-servers.net IN NS b.root-servers.net IN NS m.root-servers.net IN NS g.root-servers.net IN NS e.root-servers.net IN NS a.root-servers.net IN NS h.root-servers.net IN NS f.root-servers.net. ;; Received 699 bytes from #53 in 33 ms ie IN NS a.iedr.ie. ie IN NS b.iedr.ie. ie IN NS c.iedr.ie. ie IN NS d.iedr.ie. ie IN NS ns3.ns.esat.net. ie IN NS gns1.domainregistry.ie. ie IN NS gns2.domainregistry.ie. ie IN NS ns-ie.nic.fr. ;; Received 611 bytes from l.root-servers.net in 78 ms Copyright c 2016, Darragh O Brien, Dublin City University 17 Copyright c 2016, Darragh O Brien, Dublin City University 18 Lookup rte.ie Servers Lookup IP Address rte.ie IN NS ns-1264.awsdns-30.org. rte.ie IN NS ns-448.awsdns-56.com. rte.ie IN NS ns-872.awsdns-45.net. rte.ie IN NS ns-1539.awsdns-00.co.uk. ;; Received 179 bytes from gns1.domainregistry.ie in 211 ms IN A ;; Received 195 bytes from ns-872.awsdns-45.net in 2 ms Copyright c 2016, Darragh O Brien, Dublin City University 19 Copyright c 2016, Darragh O Brien, Dublin City University 20

6 DNS Cache Poisoning DNS Cache Poisoning DNS cache poisoning is a technique used to trick clients into contacting a malicious rather than the intended system An attacker could attempt to mount a man-in-the-middle attack (without having to sniff the victim s traffic) as follows: 1. Submit a DNS query for to the target DNS server 2. Forge the reply thereby injecting a bogus IP address into the DNS server s cache (both request/response are over UDP and so are easily forged) 3. When the real reply arrives it will be dropped as unsolicited traffic 4. When Alice subsequently uses the poisoned DNS server to resolves she ends up visiting What can be done to mitigate this kind of attack? Alice 1 2 DNS server 1. Give me Bob's IP address (Bob's IP address) 3. GET index.html 4. Bob's home page 3 4 (a) Bob's Web server ( ) Alice 1 2 Cracked DNS server 3 4 Trudy's Web server ( ) 1. Give me Bob's IP address (Trudy's IP address) 3. GET index.html 4. Trudy's fake of Bob's home page (b) Copyright c 2016, Darragh O Brien, Dublin City University 21 Copyright c 2016, Darragh O Brien, Dublin City University 22 DNS Cache Poisoning DNS Cache Poisoning To prevent the latter attack and to associate a reply with a particular DNS request, each DNS request carries a sequence number To trick the target DNS server the attacker must guess the sequence number the DNS server used in its request for One approach to guessing the sequence number is for the attacker to register her own domain and query it through the target DNS server When the query arrives she notes the sequence number it contains and immediately queries the target DNS server for Into her spoofed replies the attacker places sequence numbers in the vicinity of the one just received and one is likely to match Trudy DNS server for com Alice's ISP's cache 1. Look up foobar.trudy-the-intruder.com (to force it into the ISP's cache) 2. Look up (to get the ISP's next sequence number) 3. Request for (Carrying the ISP's next sequence number, n) 4. Quick like a bunny, look up bob.com (to force the ISP to query the com server in step 5) 5. Legitimate query for bob.com with seq = n+1 6. Trudy's forged answer: Bob is , seq = n+1 7. Real answer (rejected, too late) What can be done to mitigate this kind of attack? Copyright c 2016, Darragh O Brien, Dublin City University 23 Copyright c 2016, Darragh O Brien, Dublin City University 24

7 DNS Cache Poisoning DNS Cache Poisoning To prevent the latter attack DNS servers use a randomised sequence number in each DNS query thus making the attacker s task more difficult If the spoofed reply does not arrive in time with a correctly guessed sequence number it will be dropped and the real IP address (when it arrives) of is cached Before attempting the attack again the attacker must wait until the cached entry for expires In July 2008 Dan Kaminsky released details of an alternative (and highly effective) DNS poisoning approach When a name server cannot answer a query the ANSWER section of its DNS reply is blank but the AUTHORITY and ADDITIONAL INFO sections indicate to whom the requester should now direct the query The DNS server is basically saying: I don t know the answer, ask this name server... Kaminsky s approach does not forge the A resource record for but instead forges AUTHORITY and ADDITIONAL INFO records for the bob.com domain Copyright c 2016, Darragh O Brien, Dublin City University 25 Copyright c 2016, Darragh O Brien, Dublin City University 26 DNS Cache Poisoning Summary The attacker continuously queries at the target DNS server for non-existent machines in the bob.com domain and spoofs the reply I don t know that machine s IP address but X does (where X is the IP address of the attacker s DNS server) The crucial difference to earlier poisoning techniques is that there is no time-to-live constraint as each request for a randomly generated machine in the target domain generates a new query from the target DNS machine Soon (it can take as little time as 10 seconds) the spoofed authority and additional info records are accepted by the target DNS server and thereafter every query for a machine in bob.com, including is answered by evil.net We looked at how DNS works We examined some of the DNS cache poisoning techniques available to attackers Secure DNS (DNSsec), which solves the spoofing problem through authenticating DNS servers is gradually gaining more widespread adoption Copyright c 2016, Darragh O Brien, Dublin City University 27 Copyright c 2016, Darragh O Brien, Dublin City University 28

8 Overview Web and Newsgroup Searches The first step in performing a network security assessment is to gather all publicly available relevant information on the target network s organisation and topology Here we look at some of the techniques and tools involved in performing Internet host and network enumeration For more information see Chapter 3 of McNab s Network Security Assessment Simple Google searches may reveal security-relevant information e.g. publicly accessible web server directory listings A directory listing is an automatically-generated web page that lists files and directories on a web server Such listings are a threat to confidentiality and allow the web server s file system to be navigated by simply clicking on file and directory names (effectively turning it into an FTP server) The following Google search finds directory listings by locating pages in the DCU domain that contain the string parent directory and have the string index of in their title: intitle:index.of "parent directory" site:.dcu.ie Copyright c 2016, Darragh O Brien, Dublin City University 29 Copyright c 2016, Darragh O Brien, Dublin City University 30 Web and Newsgroup Searches Domain and IP WHOIS Registrars We can also use Google to search for specific filetypes For example, the following Google search will locate all publicly accessible Excel spreadsheets in the DCU domain: filetype:xls site:.dcu.ie WHOIS registrars can provide useful information on domains: Geographical locations and postal addresses Administrative contact details Assigned network blocks Name server details The whois utility can be used to query WHOIS registrars Alternatively, web-based whois queries can be submitted through web sites such as Copyright c 2016, Darragh O Brien, Dublin City University 31 Copyright c 2016, Darragh O Brien, Dublin City University 32

9 Border Gateway Protocol Autonomous System 1213 The Border Gateway Protocol (BGP) uses Autonomous System (AS) numbers to define collections of IP networks and routers that present a common routing policy to the Internet We can use whois queries to find the AS number associated with a given network We can then use web sites such as to reveal all network blocks associated with that AS number This all helps in building up a picture of the target network whois reveals DCU has been assigned /16 whois reveals /16 is part of AS reveals AS1213 is controlled by Ireland s HEA (Higher Education Authority) AS1213 is composed of eleven network blocks AS1213 comprises 1.7 million IP addresses One network block is reserved for Broadband for Schools Ten network blocks are class B networks assigned to various third level institutions in Ireland Copyright c 2016, Darragh O Brien, Dublin City University 33 Copyright c 2016, Darragh O Brien, Dublin City University 34 DNS Querying DNS Querying Utilities such as nslookup, host and dig are used to issue general DNS queries to DNS servers Other specific tools are available to perform reverse DNS sweeping and forward DNS grinding against DNS servers Poorly configured DNS servers may allow the enumeration of: 1. Host operating system and hardware platform information in the form of Host Information (HINFO) resource records 2. Names and IP addresses of internal or non-public hosts and networks For each new network block uncovered by DNS querying a new round of WHOIS queries and web searches can be instigated The nslookup utility can be used in an interactive fashion to identify the IP address and hostname of a domain s mail server MX record details are useful to attackers because the mail servers they identify often reside along the corporate network boundary between the Internet and the internal network IP addresses listed in DNS records can be fed into whois queries to further enhance an overall picture of the network Copyright c 2016, Darragh O Brien, Dublin City University 35 Copyright c 2016, Darragh O Brien, Dublin City University 36

10 DNS Querying DNS Querying $ nslookup > server ns1.tcd.ie Default server: ns1.tcd.ie Address: #53 > set querytype=ns > dcu.ie Server: ns1.tcd.ie Address: #53 $ nslookup > server ns1-ext.dcu.ie Default server: ns1-ext.dcu.ie Address: #53 > set querytype=mx > computing.dcu.ie Server: ns1-ext.dcu.ie Address: #53 dcu.ie dcu.ie dcu.ie dcu.ie dcu.ie nameserver = ns5.univie.ac.at. nameserver = ns1-ext.dcu.ie. nameserver = ns1.tcd.ie. nameserver = auth-ns1.ucd.ie. nameserver = ns2-ext.dcu.ie. mail exchanger = 100 bodkin.nuigalway.ie. mail exchanger = 10 mailhost.computing.dcu.ie. mail exchanger = 120 mxbackup.esat.net. mail exchanger = 50 scan4.dcu.ie. Copyright c 2016, Darragh O Brien, Dublin City University 37 Copyright c 2016, Darragh O Brien, Dublin City University 38 DNS Zone Transfers DNS Zone Transfers The handiest way of collecting all information about machines within a DNS domain is to request a zone transfer The zone file contains all the information a DNS server knows about a particular domain As mentioned previously, a domain is typically served by a primary and one or more secondary name servers with the secondary servers kept in sync with the primary server by periodically requesting a zone transfer All of host, dig and nslookup can be used to request a zone transfer (i.e. an AXFR record query) from a DNS server: $ host -l ucia.gov relay2.ucia.gov $ ucia.gov axfr... alpamayo.computing.dcu.ie. CNAME mail.computing.dcu.ie. ampato.computing.dcu.ie. A aoraki.computing.dcu.ie. A apollo.computing.dcu.ie. A arizona.computing.dcu.ie. A atcdf.computing.dcu.ie. A babel.computing.dcu.ie. A babylon5.computing.dcu.ie. A berlin.computing.dcu.ie. A zag.computing.dcu.ie. HINFO "PC" "NT"... Copyright c 2016, Darragh O Brien, Dublin City University 39 Copyright c 2016, Darragh O Brien, Dublin City University 40

11 Forward DNS Grinding Reverse DNS Sweeping Where zone transfers are unavailable forward hostname grinding may be useful in enumerating valid DNS address records One tool that automates the process and supports dictionary based hostname grinding is txdns txdns simply guesses likely hostnames and queries the target DNS server for records on those hosts Below txdns is used to successfully query likely mail server hostnames in the bankofengland.co.uk domain: $ txdns -f mail-dict.txt bankofengland.co.uk mail.bankofengland.co.uk mail2.bankofengland.co.uk mailhost.bankofengland.co.uk After uncovering the network blocks assigned to the target organisation a reverse DNS sweep can help enumerate specific network hosts that may not be publicly accessible but still have DNS hostnames associated with them Although very simple (they basically repeatedly call gethostbyaddr) such tools can be surprisingly effective This technique can identify particular departments and machines (machines are often named after their owners), information that may be useful to an attacker Departments may have associated subdomains with name servers that can be queried for zone transfers, etc. Copyright c 2016, Darragh O Brien, Dublin City University 41 Copyright c 2016, Darragh O Brien, Dublin City University 42 Web Server Crawling Enumeration Countermeasures Google and Netcraft can be queried to build a list of accessible web servers in the target organisation Such web servers can then be crawled and mirrored using tools such as Wikto, HTTrack and wget Once web servers contents have been locally mirrored their contents can be more effectively scanned and analysed in the hunt for possibly security-sensitive information Configure web servers to disable indexing of directories that do not contain an index.html file Use generic references in WHOIS database entries (e.g. refer to the IT helpdesk rather than to a named individual) Configure all name servers to allow zone transfers only between authorised primary and secondary DNS servers Remove unnecessary information (e.g. HINFO records) from zone files Copyright c 2016, Darragh O Brien, Dublin City University 43 Copyright c 2016, Darragh O Brien, Dublin City University 44

12 Enumeration Countermeasures Summary Ensure that non-public IP addresses are not mapped to hostnames within the zone files of publicly accessible DNS servers (thus reducing the impact of both reverse DNS sweeping and forward DNS grinding) (The practice of separating internal/external DNS zones is known as split-horizon DNS) Configure SMTP servers to ignore messages to non-existent recipients (or to send responses that reveal neither details of the internal network organisation nor software versions) Here we looked at some of the techniques and tools available when performing Internet host and network enumeration Once we have formed a picture of the target organisation s network we can go on to scan the network for accessible services using tools such as nmap We next attempt to work which software is providing those services (again nmap can help us out) We then consult a vulnerability database to check if any running software contains exploitable vulnerabilities We finally use an exploit framework such as Metasploit to exploit the identified vulnerability in the software and take over the host Copyright c 2016, Darragh O Brien, Dublin City University 45 Copyright c 2016, Darragh O Brien, Dublin City University 46