
Good afternoon everybody. Oh, audience participation, we've already nailed that, right? I'm Liam, and throughout the next hour I'm going to be explaining to you one of the most interesting ways I've ever gotten data off of a secure network. There will be some stories. There's a little bit of coding involved in this, but don't worry, I'm not trying to get you to code along with me or any of that nonsense. Full disclosure: this technique only works against some networks, and I was fortunate enough to run into some of those networks, as I'll be explaining.

Now, the obligatory "who's this geezer and why should I listen to him". A couple of my social things are on the screen; all of it's nonsense. The GitHub's got some cool tools on it. In fact, the tool that I'm going to be talking about, that I've written for this, will be released on there when I stop going out to pubs in the evening and actually get round to writing the rest of it. I'm Liam, I'm an application check team leader and senior penetration tester for KPMG. As I said, all the social stuff's on there. If you want to email me any questions after this, that's great, but for every question I need at least one cat picture, and it's got to be unique, so you've got to pay the tax.

Now onto the talk proper. Are we all sitting comfortably? Because it's story time. Excellent, then I can get into it. The background to this: I initially got interested in DNS-based data exfiltration following an engagement I was on in 2021. I was brought on to support the application testing for a large piece of work we were doing for a client, and also to review certain software configurations. However, this portion of the testing was completed way ahead of schedule, and so I was reassigned to the purple teaming arm of the whole thing. I'm sure most of us know what purple teaming is: our red team was sat with their SOC, and basically they were just trying to do some stuff and seeing what caused an alert. If something did cause an alert, you passed; if it didn't cause an alert, we said "you probably want to set up some more alerting around some of this". That was the basic premise of it.

It broke down into internal and external parts, and then ingress and egress testing, data ingress and egress. On the internal and external parts, the team that I was now joining had already got a lot of good results: they'd found some bypasses, they'd implemented new logging. They were running into some problems on the ingress and egress parts. Their network was very well configured, they had a lot of good security controls, their mail filtering was excellent, you couldn't email documents out, they were getting blocked, all the protocols were properly locked down. It was a pretty well-built network. Well, almost well built.

I have a background in application testing and so was familiar with DNS-based external service interaction. Anyone who's ever used Burp Suite Pro knows the Collaborator servers; you can use them to prove various misconfigurations within applications. So I wondered, well, if I'm sat on this network, can I use Collaborator to prove that we can get data out, because I can trigger an outbound DNS request?
I won't bore you with the basics of DNS data exfiltration; there are people who can explain that far better than I can. But effectively, you take some data, you append it as a subdomain of a Collaborator payload or anything you own the authoritative server for, and you can get data off the network. Nice and simple. And lo and behold, we got a hit. Now, the network architect, after very successfully tying down almost everything that could possibly be misconfigured on this network, wasn't very happy with this, but we managed to prove it. They added a load of logging and monitoring around weird domains and their external DNS, so if you did try to look up ai.com, it would be logged, it would be alerted on, and then they can go and isolate it: clearly there's something weird going on, we'll go and fix that, switch the machine off, do all your normal kind of responsible activities around there. So this engagement was successful for all parties. Us as the pen testers, we felt "oh great, we found something really cool, we found the hole", the blue team managed to get it all locked down and sorted, and the report was glowing.

Now we'll fast forward six months, and I was tasked with another similar test, but for a different client this time. Now, during the briefing, the immortal words were uttered: "don't worry, our network is unhackable". I don't know if any of you in the room are pen testers or red teamers or have ever worked with them, but that is the biggest red rag to a bull you could ever possibly start off with. And we accepted it. So we noticed something weird on their network: you could connect to arbitrary IPs from within the network. We tried the obvious things when you see this. Connect to a dodgy website for data exfiltration: flagged instantly, our host got nuked and we had to set it all back up. We tried SSH, FTP, SMB shares, but these also lit the SOC up like a Christmas tree. It was a pretty well-configured network. So we turned our attention once again to DNS. We tried the same thing we tried six months previously, triggering a lookup to an arbitrary domain. Again, it was just a Collaborator server, nothing particularly advanced, and we got a hit. But so did the SOC, and then they muted our box and laughed at us, which we didn't like, especially given the previous comments. So it was time to get back to the drawing board.

Forgive the really bad light bulb photo here, but hey, we'll run with it. Back to the light bulb moment in question: it was the domain we were looking up that they got alerted on, not the triggering of the request to an external service. Which got me thinking: the parameter that time forgot. The third parameter of an nslookup or dig command is that you can specify a DNS server that you want to look your domain name up against. Given the particular set of circumstances we found ourselves in, where we could trigger an arbitrary outbound connection and the DNS alerting was based on the domain, not the destination, we spun up a DNS server to try something.

Our initial test was pretty simple. This is just a demo; this is obviously from the live test. It's easy enough to write a DNS server in Python, you can find an example of one online, it's about 25 lines long, very easy. We deployed it, we ran a little check, and lo and behold, it got out. Now, we'd used a silly domain for this; I think it was "testing, do you know you got hacked, lol" or something like that, we were just kind of writing this when we were quite tired, so it still got flagged. But now we had a theory we could use.

This is where my crippling caffeine addiction comes in handy. I'm sure everybody in here either has one or will develop one, so if you're a student getting into cyber, well done, you've got some coffee there, nice. There wasn't a lot of time left in the engagement, but a combination of two things, one, I have a love of coffee, and two, somebody had said that their network was unhackable, so I again heated up the coffee machine and I got to work. Because we had a theory, and I had all the motivation in the world and a lot of heavy stimulants, which were only caffeine, for legal reasons. And as I said at the start, don't worry, the rest of this is not a play-by-play of me writing this tool.
That would be quite dull; I wouldn't let you all sit through that. But I'm going to take a moment to quickly explain the process behind grabbing the data. This is a little snippet of how we were taking it. This is all written in Python; Python's quite easy to write, so I decided to go for that. Grab the relevant values, and the split at the bottom, which I'll explain a bit later. The code for this isn't particularly sophisticated, which was good, because again it was about 1 a.m. at this point and the engagement ended in a very short time frame, so we were on the clock. So we managed to pull this off. That domain looks a little bit interesting, and I'll explain exactly how it's been formed there. This is version one of the tool that I'll be showing you later: you used two subdomains on a normal domain to allow DNS-based exfiltration. And that was the legitimate reaction of one of the network engineers when we pulled this off and he realised that it could get out. Well, I've asterisked it out there; I won't be repeating it.

But you still needed two subdomains. The reason why you needed two subdomains is that base64 requires capital letters and padding characters, which DNS doesn't traditionally support. So you need a second subdomain to capture this, so you can reformat a lowercase string into uppercase, lowercase and special characters. The way in which the tool does this is on the screen behind me: a one corresponds to an uppercase letter, a zero to a lowercase letter or a number, and this also allows you to capture the padding characters as well, because you can compare the lengths of the two strings and then you know exactly how much padding you need to add. You can use this on certain exams if you need to get cookies outside of a firewall; you can use that in JavaScript to encode the cookie and exfiltrate it, but that's outside the scope of this talk.

Quick aside: why not hex?
I've added this since I did this talk again at BSides Cambridge, for any of you that were there. Somebody at the afterparty pointed out, "why didn't you use hex?" And I thought, that's a great idea, why didn't I? The answer is I was very, very tired at the time, and again on caffeine, so we didn't think of that. We stuck with base64, but that in turn then led us to something else; it enabled us to do something a little bit cooler. Right, aside over, we're back to our engagement.

I now had a legitimate way of getting data off of the network, but the dodgy subdomains were being flagged, and again the clock was running down. This is when brainwave number two hit. The client was using the Office 365 suite, which I'm sure many of us here do. There are about a million different domains across the Microsoft estate, and they're always changing them, they're always adding to them. It makes trying to set up an Azure tenancy and actually bookmark anything completely impossible. Importantly, it has so many different domains that you can pick a domain and assign it to each character of the entire base64 character set. So now you have a unique domain that maps back to one character within the character set allowed by base64, 65 characters. So here, using base64 as opposed to something like hex actually comes in handy, because you're spreading your data out across more domains.

More code, sorry. This little snippet shows the start of how I decided to do the mapping. Effectively, you load up a list of 65 domains; subdomains of microsoft.com came to about 150, so you've got loads to play with. If you are more intimately aware of the architecture your clients are using, or what tools they use, what domains they're more likely to be browsing to, you can customise that as well. There's also a... I will come back to this, which I didn't, and that's still in the tool, so we'll see if I refactor that before I release it. Probably.

So this engagement was pretty much over, but we'd managed to string together a series of key observations. We knew that you could get arbitrary connections out to external services, we knew that they were logging the wrong part of the DNS packet, well, not the wrong part, but the part that we weren't necessarily as interested in, and we knew that using Microsoft and this kind of substitution cipher might actually work. So the encoding is shown above here. Again, as another side note, the letter A changes every time you run the tool; that took me far too long to figure out how to do, but it's still the most important part of the tool. If you pass a list of domains to the processor, the domains that have just been spat out there, it can fire them off to our external server and recompile them, and you've then got base64. I've used a string in the above example, but you could theoretically do this to whatever data you wanted to: encode the file and exfiltrate it.

Now, on the engagement we pulled this attack off, sat back and grinned at the network architect who, famously, several slides ago, said "our network is unhackable", because they didn't catch this at all. To their credit, they took it very, very well, and we set about trying to fix the issue. Other network architects may not have taken it so well; we were grinning quite childishly when we broke the news to them.

So, back to why this works. This attack works because of misconfiguration and how logging is applied to DNS. There are two important parts of a DNS packet: there's the QNAME, which we've shown on some slides earlier, which is what you're looking up, and there's the destination address. Now, because of how DNS works, going back to the keynote earlier where somebody asked how breathing works, DNS is a little bit like breathing to me. I know how the top level works, but once it gets a little bit further past that it gets very confusing. Effectively it's recursive though, and a lot of the logging applied to it therefore ignores the destination address, because it doesn't really matter. Normally a request would go to your server and go out and work its way around until you got an answer, and then come back. So in this instance they weren't logging the destination, they were only logging the QNAME. Now again, if you log the QNAME, that's good: if it's a dodgy domain, if it's ay.com, you can highlight it, go off and do exactly what you need to do with it. But in this instance they had forgotten to log the second parameter, and so that allows us to do searches for non-attacker-controlled domains against our external server, and thus get data out of the network. If you're just logging the QNAME, you're just alerting on that; you won't catch it, because it looks like a legitimate domain that your users would actually try to get to.

And why it doesn't work. As I said at the start, this probably isn't the next great data exfiltration method; there are quite a lot of things
that have to line up before you can use this to get data off of networks. When you pull it off though, it feels really cool, so do try it, and if it does work, well, you might not be able to let me know, but give me a little wink the next time you see me and I'll know what you mean. It is more likely to be possible if you compromise maybe a developer network, a network admin's network, something like that, or smaller, less mature businesses who maybe don't have all the fancy bells and whistles and security tooling out there that can catch some of these. It has been caught when we've tried to use it on other engagements.

My modelling dreams died with that photo. "Why on earth would you invest so much time?" This was the question that the network admin later asked us: why did you invest so much time? Clearly you saw the bags under my eyes after what all the late nights had done putting this together. It's like, why would you invest something into this that you can only pull off on a slight few networks? Again, we've tried this on other networks and it got blocked; there is a chain of things that have to line up, the stars really have to align before you can pull this off. Well, it's a good question, and we answered it the first time by being very honest: we said, "you did tell us the network was unhackable, that is a red rag to a bull". If you are working with pen testers and you want them to do loads of free extra overtime for you, just say that to them, and that's value for money right there. But seriously, I think to me this is kind of what pen testing is all about: you take a unique challenge, you solve it, and then you solve it to a degree where other people can learn from it and hopefully use it for themselves, and you can distribute it back. Again, we're all here at a community event; it's good to give back to that community.

Can we fix it? So we've spoken about how we actually pulled off the attack, how me and the team pulled off the attack. Now, how do you fix it? Well, good news, there are a few options. The first is you can run your own DNS server and block all of the paths out, but in the modern world, with elastic IPs and the like, this becomes increasingly difficult. In fact, the last time I suggested to somebody that they could run their own DNS server, they threw something at me. You can stick a whole heap of monitoring on your network, but make sure you monitor the right thing: not just the QNAME but also the destination. As part of this toolkit that is being released, there is also a sample DNS server that scrubs traffic, so you can configure this to either have a dedicated DNS server, 1.1.1.1, whatever, or I will whitelist set domains, say whitelist login.microsoftonline.com, and it'll let that through after scrubbing the destination server. You can also configure this on some of the products that you may already use. And also, the one that I'm using as an example, that is on GitHub or will be, hasn't been tested in a live environment, so please test it before using it. I don't want any angry letters from anybody who managed to get ransomware because they deployed my shoddy Python code that I wrote after several glasses of wine and nothing else. So again, please test it. Disclaimer: please test it before you use it. Does anybody have any questions? Yes.
Right, for anyone who didn't hear that, it's: were there any problems with timing, data loss or transmission? We did, but the droppers that we wrote waited for the response to come back first, so that's how we dealt with that. It would just try again and again until it got through, until it got a response. And we customised the responses so that the dropper knew it had gotten a response from what it was trying to look for, by injecting TXT records and things, so it knew that it was finding the right thing. But initially, yes, but then we had to... oh sorry, yeah, the transfer rate, that's the important part, right? It's not amazingly quick. Again, you'd struggle to get stuff off very fast if time was of the essence. We managed to get some kind of small files, thousands of kilobytes and things, off networks, but again we were more using this as a proof of concept as opposed to actually trying to run something on someone and use this to get data off their network.

Yes mate. Do you think that the frequency of DNS requests could tip off the SOC? Yes, it can. That's how one of the clients, that was one of the controls they put on the network, was how frequent this request was. We hadn't quite developed this capability yet, but if we had, I presume that it would have caught that. Unfortunately, if you can't catch how they're getting the data out, though, they can just slow down and take a little bit longer. But yes, you certainly could; somebody was being a bit noisy in that respect. Any more? Yes mate. Were there any existing tools on GitHub that inspired this, or any threat groups? Oh, there are some really interesting DNS exfil toolkits out there. The one that kind of gave me the idea for this: there's another tool that you can use to attack non-attacker-controlled domains, but you have to be within the network boundary, you have to be able to intercept, or be upstream a bit, sorry, you have to be able to intercept the DNS request, and then you capture them there and it doesn't really matter. Unfortunately the name of it eludes me; if I remember it I'll dig it out and I'll post it somewhere. But the biggest motivation was somebody said the network was unhackable and I don't like that. Anymore for anymore? Lovely stuff. Awesome, well, thank you very much for coming, and I hope you have a lovely rest of your day.
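For the "monitor the right thing" point in the fix section of the talk, here is a small Python checker, an added example that is not the speaker's tool or anything from his GitHub: it runs over DNS query log lines and alerts on the destination resolver as well as on the QNAME, so a legitimate-looking Microsoft name sent to an unapproved server is still caught. The log line format, the approved resolver list and the sample lines are all constructed for this example.

```python
"""Alert on the DNS destination, not just the QNAME (added, constructed example)."""
import re

# Constructed log format, one query per line:
#   <timestamp> src=<client ip> dst=<resolver ip> qname=<name> qtype=<type>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)$"
)
# Assumed: the only resolvers clients may talk to (internal resolver plus one upstream).
APPROVED_RESOLVERS = {"10.0.0.53", "1.1.1.1"}
# The talk's two-subdomain scheme carries its case mask as a label of only 0s and 1s;
# no normal hostname has a label like that, so it is cheap to spot.
BITMASK_LABEL = re.compile(r"^[01]{8,}$")


def parse_line(line):
    """Return the fields of one log line as a dict, or None if the format does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def check_query(rec, approved=APPROVED_RESOLVERS):
    """Return the reasons a parsed query is suspicious (empty list means clean)."""
    reasons = []
    if rec["dst"] not in approved:
        # A legitimate-looking QNAME sent to an unapproved resolver is exactly
        # the case that QNAME-only alerting misses.
        reasons.append("unapproved-resolver")
    labels = rec["qname"].rstrip(".").split(".")
    if any(BITMASK_LABEL.match(lbl) for lbl in labels):
        reasons.append("bitmask-label")
    return reasons


def scan(lines, approved=APPROVED_RESOLVERS):
    """Run check_query over log lines; return (ts, src, dst, qname, reasons) per hit."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not in the expected format, skip it
        reasons = check_query(rec, approved)
        if reasons:
            findings.append((rec["ts"], rec["src"], rec["dst"], rec["qname"], tuple(reasons)))
    return findings


# Constructed sample log: a normal lookup, the same name sent to an outside "resolver",
# a two-subdomain style name sent to the internal resolver, and a malformed line.
SAMPLE_LOG = [
    "2024-03-01T10:00:01Z src=10.0.4.21 dst=10.0.0.53 qname=login.microsoftonline.com qtype=A",
    "2024-03-01T10:00:02Z src=10.0.4.21 dst=203.0.113.7 qname=login.microsoftonline.com qtype=A",
    "2024-03-01T10:00:03Z src=10.0.4.21 dst=10.0.0.53 qname=agvsbg8.11000000.example.net qtype=A",
    "garbage line that should be skipped",
]

if __name__ == "__main__":
    for ts, src, dst, qname, reasons in scan(SAMPLE_LOG):
        print(f"{ts} {src} -> {dst} {qname}: {', '.join(reasons)}")
```

The second sample line is the talk's scenario: a name any user might resolve, which a QNAME-only rule passes, flagged purely because of where the query went.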