Solved

DNS spoofing

Posted on 2012-03-14
290 Views
Last Modified: 2012-06-16
I had a partner claim that his small business was subject to a DNS attack where his staff's browsing was redirected to bogus sites.  And the attack was done from the OUTSIDE.
I think I understand how such an attack is made... you perform a man-in-the-middle where you intercept the DNS query and then return to the client an IP address to a site that you really want them to go...
But how is that really done if the attack is from the public internet?  How do you actually get the clients to send the query to you instead??  I promise I won't turn you in ;-) and I certainly am not going to do this, but how is this physically done??  Don't you have to have a registered DNS server at your control?? And don't you have to be able to hack into the client machines to change their pointers??
Is this a common occurrence?
Question by:mrkent
14 Comments
 
LVL 30

Assisted Solution

by:IanTh
IanTh earned 143 total points
I have seen that done via viruses and spam, as they do that to get your passwords, credit card numbers, etc. by using their own web site that looks exactly like the real thing.

To fix this, run an antivirus and when there are no viruses do, from cmd:
ipconfig /flushdns
which takes everything in the local resolver cache (local DNS system) out, and when done type
ipconfig /displaydns

It should not have much in it, just a localhost and maybe another for the local router, but nothing else.

Then when you go to a website the local resolver cache gets the answer from DNS and inserts it in the local resolver cache.
0
 
LVL 9

Assisted Solution

by:michaelaknight
michaelaknight earned 286 total points
The concept is quite simple actually. DNS exists on two 'layers' between a computer and the destination. First, the local machine has DNS records on it that tell it where to resolve, say, Google.com. The local machine isn't doing any of the work here (except maybe the cache if it's been visited before). The request shoots out to wherever local DNS tells it to go, and in turn that destination provides the translation, which, however non-authoritative it may be, could be anything.
I'm not insulting your knowledge of DNS, just breaking it down simply.
The hard part isn't creating a malicious DNS server, so I think where you're confused is how the local machine gets pointed to the malicious server.
For windows boxes, very simple:

 [HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces]
  "NameServer"

So use your infection exploit of choice on a Windows machine, change that registry key, protect it a bit, make sure it stays resident and voila, the infected machine is now using your malicious DNS server.


You may have heard recently of the FBI taking over a few malicious servers, then shutting them down after a while after letting infected users (Govt. agencies, Forbes companies, and average Joe users):

http://krebsonsecurity.com/2012/02/half-of-fortune-500s-us-govt-still-infected-with-dnschanger-trojan/


I'm just providing a simple example; there are other methods of cache poisoning that are a lot less hacky.
0
 

Author Comment

by:mrkent
So through the virus or spam, do they get your local machine password and then go in there to change your local resolver's parameters?

Do they get into your local DNS server and change its entries?

How are they doing it?
0
 

Author Comment

by:mrkent
I just hit "send" and didn't see that last comment...
Reading it now... thanks
0
 
LVL 9

Assisted Solution

by:michaelaknight
michaelaknight earned 286 total points
Nah, you don't need a password for the machine. I see garden variety malware do this type of crap all the time. They love popping in and switching your proxy settings, making it so all requests go through their proxy before 'sending you to the correct page'. You've seen it, I'm sure, when Internet Explorer just serves random pages when you click on a link in Google, or how you can never get to an antivirus site when you're infected.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy"=dword:00000001
"ProxyEnable"=dword:00000001
"ProxyHttp1.1"=dword:00000000
"ProxyServer"="http://ProxyServername:80"
"ProxyOverride"="<local>"

Anyway, there are lots of TCP/IP settings that can be changed that will break connections or send them somewhere else.

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{random}
DhcpNameServer=xxx.xxx.xx.xxx,xxx.xxx.xxx.xxx

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{random}
NameServer=xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
DhcpNameServer = xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
NameServer = xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx


Again, even garden variety malware takes advantage of this, and usually just by serving a malicious page that Internet Explorer hasn't patched a vulnerability for.
Which is why I guess I can't wrap my skull around why the FBI had to get involved with the DNSChanger virus; I mean, it was pretty low tech actually, it just took someone with the stupidity to actually try it.
0
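The registry values listed above are the first thing to pull when a Windows host is suspected of having had its resolvers changed. The following is an added example, not code from this thread: it parses the text of a `reg export` of the Tcpip\Parameters tree and reports every resolver address that is not on an allowlist. The export text, the interface GUID, the 203.0.113.x resolvers and the EXPECTED_RESOLVERS allowlist are all constructed for the example.

```python
r"""Audit the Windows TCP/IP resolver settings from a 'reg export' dump.

Added example, not code from this thread.  On a real host you would run
    reg export HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters tcpip.reg
and pass the file's text (it is UTF-16 with a BOM) to audit_export().
Everything below is constructed: the interface GUID, the 203.0.113.x
resolvers, and EXPECTED_RESOLVERS, which stands in for the resolvers your
DHCP server or domain really hands out.
"""
import re
from collections import namedtuple

# Assumption: the only resolvers this network should ever be using.
EXPECTED_RESOLVERS = {"192.168.1.1", "192.168.1.2"}

# Constructed sample: the interface has a static NameServer that overrides
# the DHCP-supplied list, which is the pattern the thread describes.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DhcpNameServer"="192.168.1.1 192.168.1.2"
"NameServer"=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3A1C9F00-0000-4000-8000-000000000001}]
"DhcpNameServer"="192.168.1.1 192.168.1.2"
"NameServer"="203.0.113.53,203.0.113.54"
"""

Finding = namedtuple("Finding", "key value_name address")

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')
RESOLVER_VALUES = {"NameServer", "DhcpNameServer"}


def parse_export(text):
    """Yield (key, value_name, value) for every REG_SZ value in a .reg dump."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if m and key is not None:
            yield key, m.group(1), m.group(2)


def split_resolvers(value):
    """NameServer is comma-separated, DhcpNameServer space-separated; accept both."""
    return [a for a in re.split(r"[ ,]+", value.strip()) if a]


def audit_export(text, expected=EXPECTED_RESOLVERS):
    """Return a Finding for every configured resolver address not in 'expected'.

    Only the Tcpip\\Parameters tree is inspected (the global key and each
    Interfaces\\{GUID} subkey).  A non-empty NameServer wins over
    DhcpNameServer on Windows, so a static value on an interface that should
    be DHCP-configured deserves a look even when the address is allowed.
    """
    findings = []
    for key, name, value in parse_export(text):
        if name not in RESOLVER_VALUES or "Tcpip\\Parameters" not in key:
            continue
        for addr in split_resolvers(value):
            if addr not in expected:
                findings.append(Finding(key, name, addr))
    return findings


if __name__ == "__main__":
    for f in audit_export(SAMPLE_EXPORT):
        print(f"UNEXPECTED resolver {f.address} in {f.value_name} under {f.key}")
```

Run against the sample it reports the two 203.0.113.x addresses under the interface's static NameServer and nothing for the DHCP-supplied list. The allowlist is the part you have to get right for your own network; a DHCP-assigned resolver that is legitimately different per site will otherwise show up as a false positive.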
 
LVL 30

Assisted Solution

by:IanTh
IanTh earned 143 total points
Well, you download a virus, and if you are admin then I can do it through your admin account.

A lot of Windows viruses use API calls, I think, so it's like a system file doing the damage. I have seen many viruses act as system files for doing that kind of thing, and others, in the last few years.
0
 
LVL 30

Expert Comment

by:IanTh
No, they are just updating the local resolver cache.
0
 
LVL 9

Assisted Solution

by:michaelaknight
michaelaknight earned 286 total points
There's a few routes to go, but yes, you're essentially running the code as the authenticated user already (though not necessarily). If the authenticated user has administrative privileges, or just quickly clicks "allow" in order to get on with the install of whatever useless piece of crapware they think they need, then that's all it takes; now that process and everything associated with it, future or otherwise, gets run in that context. Or, like Ian states, if there are holes in the API/WMI/RPC/DCOM (of which there are many) then the code gets run as SYSTEM; see above.
I think we're getting away from the DNS question and more into a generic discussion of how infections happen. I don't think the internet needs any more 'how to' guides in regards to this. Ask 5 programmers how "they'd do it" and you'll get 5 different answers. Suffice to say I've thought about this on occasion (as has any honest programmer) and could conceptually achieve it quite easily; again, it's not that hard.

The 3 mistakes that allow this kind of nonsense to go on are essentially:

1. Running Windows in the first place (not a *nix fanboy here, just logical enough to follow the money).
2. Running Windows as an administrative user all the time. FFS, make a regular user account and drop down into root when you need to install something. Now watch as no malicious code can run under your regular user (mostly).
3. Not keeping your system patched. There's a reason you gotta update every other day: as soon as these holes are found they're patched. *nix is the same way; there are constant updates getting pushed through Synaptic. It's just the way it goes.
0
 
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 71 total points
"I had a partner claim that his small business was subject to a DNS attack where his staff's browsing was redirected to bogus sites"

I highly doubt this to be the case... more than likely his computers had a virus.

Besides, if he knew enough to tell you that it was hacked from the outside, then surely he'd have the skills/knowledge to have protected himself from such an attack.

Ask him how he fixed the problem.
0
 

Author Comment

by:mrkent
I did ask him and he said that his IT adjusted his firewall, he didn't get specific though.
Should I believe him?
0
 

Author Comment

by:mrkent
Just curious if you know of an actual successful DNS attack where users were re-directed to a bogus site, and if so, how was it fixed?
0
 
LVL 9

Accepted Solution

by:michaelaknight
michaelaknight earned 286 total points
How's this one for ya, mrkent?

http://majorgeeks.com/story.php?id=33129

That's old news; it affected/infected half of the Fortune 500 companies and half the major Govt. agencies, something like 400,000 users in the US.
And it's not fixed (albeit through their own procrastination). The FBI is intending on shutting down the responsible DNS servers that they seized months ago, effectively cutting off the infected machines from the internet until they clean their own computers/networks.

Here's the summary: your computer is infected from the 'public internet'; said infection changes the local computer's primary DNS servers (the ones it uses to get to the 'public internet'); you send a request to google.com and your 'new' malicious DNS server accepts your request over the 'public internet' and instead of sending you to 12.34.56.78 it sends you to 98.76.54.32. Without DNS your computer has no idea what google.com is, and your new malicious server is happy to send you anywhere it likes.
I do it all the time developing websites; I have my own DNS server... anyone can, most businesses do. If I'm making yournewwebsite.com and it's hosted on my dev server during development, I still need to reach it by domain name. I use my local DNS server, which is for all intents and purposes a mirror of the real world except I have A records pointing yournewwebsite.com to my local dev server. AND if your machine in anytown USA were using my DNS server you'd see that too; everyone else in the world using legit DNS would get a 404 'cause it's my DNS server and I'm sending you where I want you to go. I infect your machine and all of a sudden google.com pulls up cashforass.com.

Why are you having such a tough time believing your 'partner'? I've explained ad nauseam how the infection could happen, what in DNS allows it to happen and even alluded to methods to make it happen.

If I'm alone and crash my car and say, "Well, a deer jumped out in front of me and I ran off the road", no one can prove anything except that deer are capable of running out in front of cars and have been known to do so. We have no idea if your partner fell prey to that attack, only that it is possible, which was the point of your question.

Methinks you didn't read my previous posts.
0
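The summary above (infected host, resolver setting changed, rogue server hands back whatever A record it likes) comes down to one property of the protocol: a DNS response carries no proof of who produced it. The following is an added example, not code from this thread or from any of the posters: two stub resolvers answer the same google.com query from their own zone data using the real RFC 1035 wire format, and a client parses both. The zone contents and every address (192.0.2.x, 203.0.113.x, 198.51.100.x) are constructed; nothing touches the network.

```python
"""Why a client cannot tell a rogue resolver's answer from a real one.

Added example, not code from this thread.  Two stub resolvers answer the
same A query for google.com from their own zone data; the wire format is
RFC 1035, but the zones and every address (192.0.2.x, 203.0.113.x,
198.51.100.x) are constructed.  Nothing touches the network.
"""
import struct

A_RECORD, CLASS_IN = 1, 1


def encode_name(name):
    """'google.com' -> b'\\x06google\\x03com\\x00' (label-length prefixed)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def decode_name(msg, offset):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            labels.append(decode_name(msg, ptr)[0])
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name, txid):
    """Header (RD=1, one question) + QNAME + QTYPE A + QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", A_RECORD, CLASS_IN)


class Resolver:
    """A resolver that answers straight from a name -> IPv4 dict."""

    def __init__(self, address, zone, ttl=300):
        self.address = address      # the IP the victim's NameServer setting points at
        self.zone = {k.lower(): v for k, v in zone.items()}
        self.ttl = ttl

    def handle(self, query):
        txid = struct.unpack("!H", query[:2])[0]
        qname, off = decode_name(query, 12)
        qtype = struct.unpack("!H", query[off:off + 2])[0]
        question = query[12:off + 4]
        ip = self.zone.get(qname.lower())
        if qtype != A_RECORD or ip is None:
            # QR=1 RD=1 RA=1 RCODE=3 (NXDOMAIN): echo the question, no answers
            return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question
        header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
        rdata = bytes(int(o) for o in ip.split("."))
        # NAME is a pointer to the question name at offset 12 (0xC00C)
        rr = b"\xC0\x0C" + struct.pack("!HHIH", A_RECORD, CLASS_IN, self.ttl, 4) + rdata
        return header + question + rr


def parse_a_records(response, txid):
    """Return the IPv4 strings in the answer section of a response to txid."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):                 # skip the echoed question
        _, off = decode_name(response, off)
        off += 4
    ips = []
    for _ in range(an):
        _, off = decode_name(response, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == A_RECORD and rdlen == 4:
            ips.append(".".join(str(b) for b in response[off:off + 4]))
        off += rdlen
    return ips


def resolve(resolver, name, txid=0x1234):
    """What the stub client does: ask whichever resolver it was configured with."""
    return parse_a_records(resolver.handle(build_query(name, txid)), txid)


# Constructed zones: the rogue one mirrors the honest one except for the
# records it wants to hijack, as the post describes.
HONEST = Resolver("192.0.2.53", {"google.com": "192.0.2.10"})
ROGUE = Resolver("203.0.113.53", {"google.com": "198.51.100.66"})


def cross_check(name, configured, reference):
    """Compare the configured resolver's answer with a known-good one."""
    mine, theirs = set(resolve(configured, name)), set(resolve(reference, name))
    return {"configured": sorted(mine), "reference": sorted(theirs), "match": mine == theirs}


if __name__ == "__main__":
    q = build_query("google.com", 0x1234)
    for r in (HONEST, ROGUE):
        print(r.address, "->", resolve(r, "google.com"))
    # Identical bytes except the last four: the packet carries no proof of
    # who answered, so changing one resolver setting on the victim is enough.
    print(HONEST.handle(q)[:-4] == ROGUE.handle(q)[:-4])
```

The two responses differ only in the four RDATA bytes; the transaction ID, flags and echoed question are the same, which is why the client's only defence at this layer is the correctness of the resolver address it was told to use. The cross_check helper is a triage aid, not a verdict: CDNs and split-horizon DNS legitimately return different addresses from different resolvers, so a mismatch is a prompt to inspect the host's resolver configuration, which is the fix the thread arrives at.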
 

Author Comment

by:mrkent
Nope, I just have a terrible memory.

Thank you!
0
 

Author Closing Comment

by:mrkent
Thanks!!
0
