Popping the AU gov & military through ((*DNS*)(N?SEC)) a *walk*through

BSides Sydney · 29:29 · 323 views · Published 2023-09
About this talk
Misconfigured DNS can be the downfall of a client's entire security model. This talk will *walk* you through how DNS can be fun with war stories about spoofing federal government email, DNS zone dumping paypal.com and collecting credentials from the sun. Harrison Mitchell is a Senior Security Consultant at CyberCX within the Adversary Simulation Team.
Transcript (en)

[Music] I've been looking at a whole bunch of DNS RFCs, learned some pretty interesting things, and I wanted to share them with you. Given the name of this talk I'm sure some spooks have snuck in just to make sure that I'm not leaking any military secrets. Good. Alrighty, hi everyone, I'm Harrison, I'm a senior security consultant at CyberCX within the Adversary Simulation team. If you ask people about me they'll say one of three things: firstly, who the hell is that guy; secondly, he doesn't shut up about the DNS stuff; and thirdly, graphic design is his passion.

DNS, the Domain Name System. Don't let its simplicity fool you, because there's a lot that goes into it. As you all know, good talks come in three parts; this one will be coming in four. So we've got the history and current context of DNS in today's world, we're going to spoof federal government email, then we're going to steal some of their data, we're going to have a look at DNSSEC and how it's potentially worse than having nothing at all, and then we're going to look at the future of DNS and what's to come.

So before we do all that we need some context on DNS, starting with its history. DNS was created in 1983 by a guy called Getty Images. It was intended for people to remember internet hosts by a human-memorable name rather than their IP address, so instead of remembering that (that's not a valid IP, by the way) you can just remember the hostname. But DNS is by no means new; older protocols had name resolution baked in, like NBT-NS and LLMNR and so on. Thank you, Microsoft, for your naming conventions as always. But 99% of the time that you'll be using DNS you'll be translating a hostname into an IP address, and this was certainly the author's intention, but it's since been expanded to doing stuff like storing TXT records for proving domain ownership, or MX records for doing email routing, or DNSKEY records for DNSSEC signatures. But there's also a fault-tolerant, globally distributed, web-scale, low-latency database for storing jokes.

Now this is a DNS inside joke. I love inside jokes; I hope to be a part of one one day. I also wanted to see what my personal Windows PC uses DNS for, so I popped open Wireshark, and Microsoft must be doing updates over DNS now because I saw a whole bunch of requests to this thing. Also my computer's been really slow recently, I don't know why. Anywho.

Now DNS uses this whole recursive process for figuring out where to get your record from, but in doing so you're trusting every single hop along the way. But you don't need to; you only need to trust the root zone, the "." zone, and work your way backwards. You can ask it about .com, and then the .com servers will be able to tell you about, say, your server, example.com, etc. You work your way down. But you can only ask the root zone about .com, .net and all those TLDs we've come to know and love, so if you're asking about the .healthcare TLD, for instance, it'll tell you to piss off and ask some servers in the US, which is funny because if they can't be the authoritative provider of healthcare in practice, at least they can be the authoritative provider of healthcare in DNS.

Now enough of the sentimental stuff, this is a security conference after all, so let's talk about the CIA triad. Is it available? Yes, DNS in and of itself is pretty good. Can it be used to affect other systems' availability? Absolutely, you may have heard of DNS amplification attacks, sorry, DDoS DNS amplification attacks, man, that was a struggle. Is it confidential? No, it's unencrypted on the wire, anyone can sniff it. Is it integrity... integral? Is that a word? Sure. No, again, it's plain text on the wire, anyone can tamper with it, which is a concern because DNS is the root for identity on the internet. Every single online account you've ever made has been based on an email or a mobile number. Email, surprise, is routed through DNS. Mobile numbers are a little bit more nuanced: the web server that you're creating the account on is going to be talking to some APIs, to an SMS gateway, which again are rooted in DNS.

Now your enterprise or your web app can have security tools up the wazoo, but your users are only as secure as the bridge they use to travel to your zone. So me as an adversary, I can print a five-cent piece of paper and take users over to my very trustworthy, very secure island. I may not even need to hijack the bridge; I can hijack the island by waiting for your domain to expire and then buying it up, or I can socially engineer your registrar into transferring your DNS zone over to me, which is why locking your domain is so important. Now this is a big problem because people are trusting DNS with their medical records, their payment information. Put it this way: you can be typing your credit card information into ebay.com with a valid URL and a valid certificate and a padlock that's as green as the avocado my Victorian colleagues gluttonously slather on their toast every morning. It doesn't matter, because if I own DNS I own your life, I own your credit card data, I own your online identity and I own your health records.

Now that's great, Harrison, but how often does DNS interception really happen? Well, every time you connect to free Wi-Fi, DNS is hijacked to redirect you to the login page, and I think that's evidence of someone manually setting their DNS recursive resolver, only for their ISP to hijack it. So who knows what the government is doing and making ISPs do in tracking your DNS connections.

You ever seen this thing? Just so that we're all on the same page, that's the sun. I know, in about July of this year I forgot it existed after months and months of torrential rain, thanks Sydney. Do you know rockets, like space rockets? They often have multiple redundant computers, and that's not because they're running Windows and there's going to be an update that you can't stop when it comes time for landing, but because of cosmic radiation from the universe: it can flip bits in binary from a zero to a one or a one to a zero. So here's windows.com in RAM, right. Solar cosmic radiation from the sun hits it and "windows" is now "windows" [with one bit flipped], so kind of just buy all the off-by-one-bit domains and let the sun do its magic so that I can collect Microsoft credentials. Well, of course, there's nothing new under the sun, and a researcher already gave that a go and they got traffic like this, where Windows was doing its time clock update to Microsoft's service. But can we take a couple of seconds to appreciate the magic of this: cosmic radiation from the universe has hit RAM in the precise memory location for a bit to be flipped to hit this adversarial domain, just at the right time that this request is being made. Now this is an NTP request, but imagine it's more of a Windows Microsoft account; you could probably catch credentials using that.

So to recap, the IT security industry has done a really good job of securing user endpoints with EDR, OS hardening, etc. On the other end we've done a really good job of securing enterprises and web applications with web application firewalls and SIEMs and everything, and then we rely on DNS, which is just a rickety bridge connecting the two, which has trolls underneath it listening to traffic and diverting traffic and tampering with it, and on top of all that you've got the hostility of the universe. And I hope that paints a picture as to the criticality of DNS and how vital it is to the internet and its security.

So let's look at that a little bit more with spoofing government emails. Now there's three email security measures that sit in DNS and they work hand in hand to prevent email spoofing. The first is SPF, and no, I'm not talking about sunscreen. SPF dictates what IP addresses for a given domain can send email. So here Cloudflare has dictated that these IP addresses are allowed to send email on its behalf, so if Gmail or Outlook gets an email from Cloudflare it'll look up these records, cross-reference, and if it matches it's likely come from a trusted source and it's sent to the inbox; if it doesn't match it's likely been spoofed and it's sent to spam. The other thing with SPF is you can't just look at the root record, it's actually recursive, so yes, there are those IP addresses, but there are also IP addresses for, say, salesforce.com. So I wrote a tool which recursively unpacks SPF records. So here Cloudflare's, instead of just the root record, looks like all of this. If we have a look at Gmail's SPF record it looks like this, and if we have a look at Hotmail it looks like this. I'm sorry.

DKIM brings public key cryptography to email, so much like on a legal document you'll have someone writing a signature at the bottom to authorise it; DKIM is the same principle, just in a manner that's unforgeable with public key cryptography. Now there's three parts to DKIM: there is the private key that sits on the email server, there is the public key sitting in DNS, and there is the signature in the SMTP headers of the email. So if data is tampered with in the email, the signature is no longer going to match based on the public key and you can tell that it's been tampered with and it's discarded. But if the signature matches it's likely been delivered safely and it's sent to users' inboxes.

The problem with SPF and DKIM so far is that the RFCs were a little bit unclear as to what to do with email that didn't pass, so DMARC was proposed. It's called Domain-based Message Authentication, Reporting and Conformance, which is about the most boring sentence I've ever heard in my life. So DMARC is the go/no-go of email, it's the final decider. So here Cloudflare says that any email that fails SPF or DKIM should be rejected, and also there should be a report sent to these domains. If you look at our authentication primitives, DKIM is something the mail server has, its private signing key, and SPF is something the email server is, its IP address, which would make DMARC the one that ultimately decides whether or not to let you in. Now DMARC has a very complicated decision tree as to whether or not to send an email to the inbox, but it can be boiled down to these five cases. Now you'll notice that you only need a good SPF or a good DKIM to pass DMARC, and if you pass DMARC you're delivered to the user's inbox. We don't care about the first one because we only need one or the other, and we don't care about the last one because we want to spoof the email and actually have it delivered.

So, time for some actual real-world practical attacks based on these three ideas of having a misconfigured SPF, a misconfigured DMARC and a misconfigured DKIM, starting with bad SPF. So that tool I wrote also cross-references every single IP range in the unrolled SPF record with all the IP ranges from public cloud providers, so Oracle, AWS, Azure, GCP, yada yada. It'll cross-reference it, and if there's a match it means I can obtain an IP address from within that range and spoof email for that domain. So I had a client that had this, and I used one of those cloud IP rotator scripts to get an IP address within the trusted range, which allowed me to send an email from it, and because it was from a trusted IP address it was sent to the user's inbox. Which is why system administrators and security consultants need to seriously consider every single trusted IP range in that record, otherwise you've got an impersonation condition on your hands.

Next up is bad DMARC. Now I had a client that was one of the ASX 200 companies that had a DMARC policy that looked like this. Now they're rejecting emails from their main domain, p=reject, but on subdomains they said don't worry about it, sp=none. So I picked an interesting subdomain to send emails from, and I made sure it didn't have an SPF record, which it didn't; it didn't even have an A record. Email doesn't care, you can pick whatever you want. So I sent an email from that subdomain, and because it was from a trusted DMARC location it was sent to the victim's inbox. One wrong character in your DNS records can spell disaster for an organization.

Number three, bad DKIM. This one actually required some brain power, unfortunately, because it really hurt. So the way this worked is that I had a grievance with one of the government departments, so in my own time, not on company time, for the record, I did what any sane person would do and I hacked them. Legally, they had a responsible disclosure program, don't worry about that. Now I had an email from this government department in the past and it looked a bit like this, and I noticed two misconfigurations. Can you spot them? Too late. l=4096 means only sign the first 4096 bytes of the email; I hope you can already see a problem with that. The second misconfiguration was these headers, and they weren't doing this thing called over-signing, but we'll get to that in a little bit. Because only the first 4096 bytes of the email are signed, I can tack on whatever adversarial content I want after that and it'll still be valid. Injecting custom headers is a little bit more nuanced. Here's a bit of theory for you: there's a mismatch between the SMTP RFC and the DKIM RFC. SMTP works from the top down: it'll find the first instance of a header and it will interpret that. DKIM works from the bottom up, and the first header it sees in that direction it will use for signing. So in other words your Gmail, your Outlook, etc. is going to be interpreting that first header, that's what's displayed to the user, but DKIM is going to be signing on the final header. So we've got header injection and we've got content injection, so I was able to spoof email for a federal government department. Thank you, thank you. Except I wasn't, because you'll notice that "Hi Harrison" was in the first 4096 bytes, so I've just drastically reduced the range of people I can make victims of this misconfiguration. Until I went back to the original email, did some more thinking, and I realized, well, I can inject custom headers, can't I? I'll tack on a new Content-Type boundary and have the original content still be skipped over. Now it's still in the email source, the signature is still generated based off that, so DMARC passes and the email is delivered. Here's the final proof of concept: custom headers, custom content, and I was able to send arbitrary subjects, to addresses, from addresses, dates and content from this government department. If we dig into it we can see that SPF fails because, surprise, I didn't have access to a government IP address; we would have bigger problems if I was able to do that. But because of the misconfigurations with the signature policy I passed DKIM, and because you only need one of SPF or DKIM, DMARC passed and it was delivered. Is that organization... the department? Thank you, me. They were so embarrassed that they didn't want me to call them by name, so I've had to redact them throughout the talk.

Now spoofed email is no joke. I've had colleagues try to brush me off because it's just a low or an informational vuln. No. For a corporation, if you can spoof email you can phish internal users, you can phish external users, you can tarnish their reputation by sending out some dodgy stuff and get them banned in IP reputation databases, and you can also spoof accounts payable and receivable to maybe make some money out of it. For the government it's a lot worse: you can phish government employees, you can phish the public, you can threaten deportation and use that to extort someone to do whatever, you can request identity documents, and the last one's pretty major given the current tension around the world: if I can send emails on behalf of the government, I'll let your mind go crazy.

Alrighty, section number three, DNSSEC. A traditional address lookup with regular DNS looks like that: you request it, you get your answers. DNSSEC, in long, long, long story short, is a signature that you can verify to make sure that those records weren't tampered with in transit. But in my opinion DNSSEC is a misnomer. It's currently called Domain Name System Security; if it was renamed today it'd probably be called DNS Auth, or Authentication, or Authenticity. Now we're going towards the end of the day, I can feel everyone's a bit groggy, so we're going to do some audience participation. So far for the talks I've attended people have only been asked to raise their hand or not, but no one has asked you to stand up and do ten star jumps. Now I'm not going to, but what I will do is we're going to say this together on one. You ready? Three, two, one: DNSSEC does not encrypt records! Now that we're all a little bit more awake, there's actually one person left in this room that's still a little bit groggy, I can see him up the back, it's the cameraman, so I hope this could be some extra time. Alright.

But I mean, there's a reason that Google uses DNSSEC, and Facebook and banks and eBay use it, right? Oh. Well, here's some rapid-fire reasons why organizations may choose not to use DNSSEC. Firstly, it uses cryptography from 20 years ago; it's pretty garbage. Only very, very recently did they approve elliptic curve cryptography. DNSSEC is government-controlled PKI. Now the root of DNS is protected by a non-government organization, but guess who owns .com, .net and 99% of the internet? And it's not like the US government has ever been known to seize domains willy-nilly, have they? DNSSEC isn't seen by the end user. We've done a great job with TLS letting the end user know whether or not their connection is secured with TLS, but me as an end user, I have no idea whether the underlying DNS resolution was secured. DNSSEC has poor software support, and that might be because DNSSEC deployment is so minimal; only three percent of .com domains use DNSSEC, which contributes to this chicken-and-egg problem: no one uses DNSSEC because there's no software support for it because no one uses DNSSEC, etc. etc. DNSSEC also means giving across your keys. If you want to delegate part of your zone you can use NS records to give it to a third party, maybe a marketing department, to do stuff willy-nilly, but with DNSSEC that means giving your zone signing keys over to them. Pretty dangerous. DNSSEC can also lead to creating a denial of service condition on yourself if you implement it incorrectly: bad keys and signatures can be cached in DNS for weeks at a time. Pretty nasty. There have been some pretty major sites over the years that have gone down due to DNSSEC deployment failures; there have even been whole TLDs. If Cloudflare, who are in the business of DNS and DNSSEC, with hundreds of engineers, can't get it right, what hope do our small and medium businesses here in Australia have? They can't even get TLS right. DNSSEC is also heavy: all those signatures contribute to massive answers, which can amplify those DDoS conditions we talked about earlier.

Now we're going to take a breather. Those are my arguments so far, and in a little bit, after my drink, we're going to go through the two final ones. The first is that DNSSEC doesn't protect the last mile. Okay, what does that mean? So here's the user asking for the A record of cloudflare.com. It recursively resolves and gets the answer back to them. So let's see what part of this process DNSSEC protects. The whole bit, right? Well, no, just this part, which means I as an adversary, as long as I'm sitting between the recursive resolver and the end user, can still tamper with traffic protected by DNSSEC. So the recursive resolver might be 1.1.1.1 or Google's 8.8.8.8; in most cases for people in Australia it will be their ISP's DNS server, or on an internal network it might be their Active Directory controller, but again there's like five to ten different hops between those two points, and if I'm in the middle of any of them DNSSEC means nothing to me. Even the RFC is like, well, that's not our problem, stuff you. So DNSSEC
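The two DKIM mechanics the bad-DKIM section of the talk turns on (the l= body-length tag, and the bottom-up binding of headers that makes over-signing necessary) can be reproduced offline. The block below is an added example written for this page; it is not the speaker's tool and not code from the original talk. It computes the two hash inputs a DKIM signature covers per RFC 6376 using "simple" canonicalization, and leaves out the RSA signature over the header hash, since the weakness is in what gets hashed rather than in the signature. The addresses, domains (`department.example`, `attacker.example`) and message contents are constructed for the demonstration.

```python
# Added example, not the speaker's tool or code from the original page.
# Computes the DKIM body hash (bh=) and the header hash input for a constructed
# message, then shows what an l= tag and a non-over-signed Subject let an
# attacker change without breaking the signature. RFC 6376 "simple"
# canonicalization is used for both header and body; the RSA step is omitted.
# All addresses, domains and message text below are constructed.
import base64
import hashlib


def canon_body_simple(body):
    """RFC 6376 3.4.3 'simple' body canonicalization: CRLF line endings,
    trailing empty lines removed, exactly one CRLF at the end."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body, length=None):
    """The bh= value. With an l= tag only the first `length` canonical octets
    are hashed, so anything appended after them is outside the signature."""
    canon = canon_body_simple(body)
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()


def parse_headers(raw):
    """Header block -> list of (name, value) in wire order, top to bottom.
    Folded continuation lines are not needed for this demonstration."""
    pairs = []
    for line in raw.replace(b"\r\n", b"\n").split(b"\n"):
        if line:
            name, _, value = line.decode().partition(":")
            pairs.append((name.strip(), value.strip()))
    return pairs


def select_signed_headers(headers, h_tag):
    """RFC 6376 5.4.2: for each name in h=, the verifier binds the LAST
    not-yet-used header of that name (bottom-up). Listing a name more often
    than it occurs ('over-signing') leaves a slot that binds to nothing, so a
    header added later lands in that slot and changes the hash."""
    remaining = list(headers)
    selected = []
    for name in h_tag:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name.lower():
                selected.append(remaining.pop(i))
                break
    return selected


def header_hash(headers, h_tag):
    """Hash over the selected fields in h= order, each passed through as
    'Name: value' CRLF (simple canonicalization). The DKIM-Signature field
    itself is left out; it does not affect the comparisons made here."""
    data = b"".join(f"{n}: {v}\r\n".encode()
                    for n, v in select_signed_headers(headers, h_tag))
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def displayed_subject(headers):
    """What a mail client shows: the first Subject, reading top-down."""
    return next(v for n, v in headers if n.lower() == "subject")


# Constructed sample message (not real traffic).
ORIGINAL_HEADERS = (b"From: noreply@department.example\r\n"
                    b"To: harrison@example.com\r\n"
                    b"Subject: Your enquiry\r\n")
ORIGINAL_BODY = b"Hi Harrison,\r\n\r\nThanks for contacting us.\r\n"
# The signer's l= covers exactly the original body, as a too-small l= does.
L_TAG = len(canon_body_simple(ORIGINAL_BODY))  # 43 octets

# Attacker's edits: append content past the l= boundary, prepend a Subject.
TAMPERED_BODY = ORIGINAL_BODY + b"\r\nConfirm your identity at http://attacker.example/\r\n"
INJECTED_HEADERS = b"Subject: Notice of deportation\r\n" + ORIGINAL_HEADERS


def demo():
    """Compare the signed hashes of the original and tampered messages."""
    orig, inj = parse_headers(ORIGINAL_HEADERS), parse_headers(INJECTED_HEADERS)
    plain = ["from", "to", "subject"]                 # no over-signing
    oversigned = ["from", "to", "subject", "subject"]  # Subject over-signed
    return {
        # l= in use: appended body content does not change bh=
        "bh_same_with_l": body_hash(ORIGINAL_BODY, L_TAG) == body_hash(TAMPERED_BODY, L_TAG),
        # no l=: the whole body is hashed and the tampering is detected
        "bh_same_without_l": body_hash(ORIGINAL_BODY) == body_hash(TAMPERED_BODY),
        # bottom-up binding picks the original Subject; the injected one is unsigned
        "hdr_same_plain": header_hash(orig, plain) == header_hash(inj, plain),
        # over-signing gives the injected Subject a slot, so the hash changes
        "hdr_same_oversigned": header_hash(orig, oversigned) == header_hash(inj, oversigned),
        # and this is what the mail client displays regardless
        "client_shows": displayed_subject(inj),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and the two "same" results for the weak configuration are True while the recipient is shown the injected Subject; dropping l= and listing Subject (and From, To, Date, and so on) one extra time in h= flips both to False, which is the over-signing the talk refers to. The body-hash check is sufficient on its own to see why l= should not be used at all.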