DNS protocol

John, a professional hacker, decided to use DNS to perform data exfiltration on a target network. In this process, he embedded malicious data into the DNS protocol packets that even DNSSEC cannot detect. Using this technique, John successfully injected malware to bypass a firewall and maintained communication between the victim machine and the C&C server. What is the technique employed by John to bypass the firewall?

Option 1 : DNS tunneling method
Option 2 : DNS cache snooping
Option 3 : DNSSEC zone walking
Option 4 : DNS enumeration

1. DNS tunneling method

DNS tunneling is a method used to send data over the DNS protocol, a protocol that was never intended for data transfer. Because of that, people tend to overlook it, and it has become a popular and effective tool in many attacks.
The most popular use case for DNS tunneling is obtaining free internet by bypassing captive portals at airports, hotels, or, if you are feeling patient, the not-so-cheap in-flight Wi-Fi.
On those shared internet hotspots HTTP traffic is blocked until a username/password is provided, but DNS traffic is usually still allowed in the background: we can encode our HTTP traffic over DNS and voilà, we have internet access.
This sounds fun, but the reality is that browsing anything over DNS tunneling is slow. Like, back-to-1998 slow.
Another, more dangerous use of DNS tunneling is bypassing network security devices (firewalls, DLP appliances…) to set up a direct and unmonitored communications channel on an organisation's network. The possibilities here are endless: data exfiltration, setting up another penetration testing tool… you name it.
To make it even more worrying, there is a large number of easy-to-use DNS tunneling tools out there.
There is even at least one VPN-over-DNS provider (warning: the design of the website is hideous, which makes me doubt its legitimacy).
As a pentester all this is great; as a network admin, not so much.

How does it work:

For those who know nothing about the DNS protocol but still made it here, I feel you deserve a very brief explanation of what DNS does: DNS is like a phonebook for the web. It translates domain names (human-friendly language, the person's name) into IP addresses (machine-friendly language, the phone number). That helps us remember many websites, the same way we remember many people's names.
For those who know what DNS is, I would suggest looking here for a quick refresher on the DNS protocol, but briefly, what you need to know is:
• A record: Maps a domain name to an IP address.
example.com → 12.34.52.67
• NS record (a.k.a. nameserver record): Maps a domain name to a list of DNS servers, in case our domain is served by multiple servers.
example.com → server1.example.com, server2.example.com
Who is involved in DNS tunneling?
• Client. Launches DNS requests, with data embedded in them, for a domain.
• One domain that we control. Its DNS configuration makes DNS servers forward requests for it to a server of our own.
• Server. This is the defined nameserver that will ultimately receive the DNS requests.
The 6 steps in DNS tunneling (simplified):
1. The client encodes data in a DNS request. It does this by prepending a piece of data to the domain in the request, for instance: mypieceofdata.server1.example.com
2. The DNS request goes out to a DNS server.
3. The DNS server finds the A record of your domain, which holds the IP address of your server.
4. The request for mypieceofdata.server1.example.com is forwarded to the server.
5. The server processes whatever mypieceofdata was supposed to do. Let's assume it was an HTTP request.
6. The server replies back over DNS and, woop woop, we've got signal.
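A defender-side view of step 1, as an added example that is not part of the original post: a small Python script (the log format, the tunnel domain and the thresholds are assumptions) that scans a constructed resolver log for the long, high-entropy subdomain labels that label-encoded tunnel data produces.

```python
"""Flag DNS queries that look like tunnel traffic in a resolver log.

Added example, not from the original post. Tunnel clients encode data as
extra labels under a domain they control (step 1 above), so the queried
names get long, high-entropy subdomains under one base domain. The log
format, the tunnel domain and the thresholds are assumptions made here."""
import math
from collections import Counter, defaultdict

# Constructed sample resolver log: "<timestamp> <client> <qtype> <qname>"
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 A www.example.com
2024-01-01T10:00:02 10.0.0.5 A mail.example.com
2024-01-01T10:00:03 10.0.0.7 TXT nb2wizlsorsw4yfqmq4dgzlhmvxa.t.example.net
2024-01-01T10:00:03 10.0.0.7 TXT kruhi2tdmv4fqyldmnzsaltwhjfgi.t.example.net
2024-01-01T10:00:04 10.0.0.7 TXT oruw2m3lmnsxo2lomfzcaylsmvxgi.t.example.net
2024-01-01T10:00:05 10.0.0.9 A cdn.example.com
"""

def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def split_name(qname: str):
    """Return (subdomain labels joined, base domain). Assumes a two-label
    base domain; real tooling would use the public suffix list."""
    labels = qname.lower().rstrip(".").split(".")
    return "".join(labels[:-2]), ".".join(labels[-2:])

def parse_log(text: str):
    """Yield (client, qtype, qname) from the constructed log format."""
    for line in text.splitlines():
        if line.strip():
            _, client, qtype, qname = line.split()
            yield client, qtype, qname

def find_tunnel_domains(text: str, min_sub_len=20, min_entropy=3.5, min_hits=3):
    """Return {base_domain: count} for domains that received at least
    min_hits queries whose subdomain part is both long and high-entropy,
    i.e. looks like label-encoded payload rather than a hostname."""
    hits = defaultdict(int)
    for _client, _qtype, qname in parse_log(text):
        sub, base = split_name(qname)
        if len(sub) >= min_sub_len and shannon_entropy(sub) >= min_entropy:
            hits[base] += 1
    return {d: n for d, n in hits.items() if n >= min_hits}
```

Running `find_tunnel_domains(SAMPLE_LOG)` flags only the constructed `example.net` queries; the thresholds need tuning per environment, since CDNs and some anti-spam services also use long generated labels.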

2. DNS cache snooping

DNS cache snooping is when someone queries a DNS server in order to find out (snoop) whether the DNS server has a specific DNS record cached, and thereby deduce whether the DNS server's owner (or its users) have recently visited a particular site.
This may reveal information about the DNS server's owner, such as which vendor, bank, service provider, etc. they use, especially if this is confirmed (snooped) multiple times over a period.
This method could also be used to gather statistical information, for instance at what time the DNS server's owner typically accesses their online bank, etc. The cached DNS record's remaining TTL value can provide very accurate data for this.
DNS cache snooping is possible even if the DNS server is not configured to resolve recursively for third parties, as long as it serves records from its cache to third parties as well (a.k.a. "lame requests").

3. DNSSEC zone walking

Zone walking (also DNSSEC walking or zone enumeration) is a procedure with which attackers can read out the entire content of DNSSEC-signed DNS zones. This allows confidential data (e.g. customer lists) and security-relevant information (e.g. IP addresses of servers) to be disclosed.

How it works

When signing a zone, DNSSEC automatically chains all labels in a ring in alphabetical (canonical) order using NSEC resource records. Example zone example.de:
example.de. NSEC name1
name1 NSEC name2
name2 NSEC name5
name5 NSEC example.de.
On the left is the label (canonical name) and on the right is a reference to the next lexicographic label.
This can be used to prove the absence of names. For example, if a client asks for the nonexistent name name3, the name server replies with the NSEC entry name2 NSEC name5, indicating that there is no further entry between name2 and name5.
An attacker makes use of this concatenation by starting with the first name of a zone (this is usually the name of the zone itself) and running through the chain with successive queries. With this technically quite simple process, he can read out the whole zone content within a couple of seconds.
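The absence proof described above, worked through in Python as an added example (not from the original article; the chain is the article's example.de zone written with full owner names, which is an assumption): it finds which NSEC record covers a queried name, including the wrap-around record, and lists the names the chain necessarily exposes.

```python
"""Check whether an NSEC record proves that a queried name is absent.

Added example, not from the original article. It models the example.de
chain above (names written as full owner names, an assumption) and shows
why the same chain that lets a validator prove 'name3 does not exist'
also hands out every name in the zone: each NSEC names its successor."""

# Constructed NSEC chain for the article's example zone, as (owner, next) pairs.
EXAMPLE_DE_NSEC = [
    ("example.de.", "name1.example.de."),
    ("name1.example.de.", "name2.example.de."),
    ("name2.example.de.", "name5.example.de."),
    ("name5.example.de.", "example.de."),  # last record wraps to the apex
]

def canonical_key(name: str):
    """Sort key for DNSSEC canonical ordering (RFC 4034 section 6.1): compare
    labels from the rightmost (most significant) one, case-insensitively."""
    labels = name.lower().rstrip(".").split(".")
    return tuple(label.encode() for label in reversed(labels))

def nsec_covers(owner: str, nxt: str, qname: str) -> bool:
    """True if qname falls strictly between owner and next in canonical
    order, handling the last record whose 'next' wraps around to the apex."""
    k, lo, hi = canonical_key(qname), canonical_key(owner), canonical_key(nxt)
    if lo < hi:
        return lo < k < hi
    return k > lo or k < hi  # wrap-around record: everything after owner

def prove_absence(chain, qname: str):
    """Return the (owner, next) NSEC record that proves qname does not exist,
    or None when qname is an owner name in the chain (i.e. it exists)."""
    if canonical_key(qname) in {canonical_key(o) for o, _ in chain}:
        return None
    for owner, nxt in chain:
        if nsec_covers(owner, nxt, qname):
            return (owner, nxt)
    return None  # chain is broken or incomplete

def walkable_names(chain):
    """All owner names the chain discloses, in canonical order: this is the
    zone content an attacker reads out by following successive NSEC records."""
    return sorted((o for o, _ in chain), key=canonical_key)
```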

4. DNS enumeration

DNS enumeration is the process of locating all the DNS servers and their corresponding records for an organisation. DNS enumeration can yield usernames, computer names, and IP addresses of potential target systems. The list of DNS record types gives an overview of the kinds of resource records (database records) stored in the zone files of the Domain Name System (DNS). The DNS implements a distributed, hierarchical, and redundant database for information related to Internet domain names and addresses.
DNS zone transfer is used to replicate DNS data across a number of DNS servers or to back up DNS files. A user or server can send a specific zone transfer request to a name server. If the name server allows zone transfers to anonymous users, all the DNS names and IP addresses hosted by the name server will be returned in human-readable ASCII text.

Tools: nslookup, Maltego, dnsenum, dnsrecon
Countermeasures:
1. Disable zone transfers to untrusted hosts.
2. Make sure that private hostnames are not mapped to IP addresses in the DNS zone files of publicly accessible DNS servers.

This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092

Contact us – www.info-savvy.com