Andrey Skuratov and Sergey Migalin - DNS tunneling in 2018. What is that, and what to do with it?

DC7499
November 10, 2018


This talk covers the currently existing solutions for tunneling TCP traffic through DNS. A utility of our own development is also presented. Its advantages are universal scripted clients in PowerShell and Bash, forwarding of selected ports, and SOCKS proxy support. And, of course, it is open source.


Transcript

  1. DNS tunneling in 2k18. What is that, and what to do with it?

    Andrey Skuratov, Sergey Migalin
  2. Who are we?

    We are a subsidiary of FBK Grant Thornton, the largest Russian audit and consulting firm, and we specialize in providing practical information security services. Andrey Skuratov: information security engineer, pen-tester. Sergey Migalin: information security engineer, digital forensics engineer.
  3. What is a DNS tunnel?

  4. Prehistory of research

  5. What do we need for that?

    • A network connection • The ability to resolve DNS names
  6. What does the open-source market offer?

    • dnscat2 • iodine • dns2tcp • Heyoka • OzymanDNS
  7. Let's look closer

    | Name | "IN" speed, Kb/s | "OUT" speed, KB/s | Advantages | Disadvantages |
    |---|---|---|---|---|
    | dnscat2 | 0.7 | 10 | Easy setup, large functionality, multisession | Compiled clients, unstable Windows work |
    | iodine | 9.8 | 9.8 | High speed, auto optimization | Root only, compiled client, special Windows drivers needed |
    | dns2tcp | 5 | 13 | 404 | Compiled clients, only "www to local" mode |
    | Heyoka | NaN | NaN | 404 | Launch troubles |
    | OzymanDNS | NaN | NaN | 404 | Launch troubles |
  8. So what problems do we face?

    • Compiled clients • Unstable Windows work • Low-level additional software needed (sometimes)
  9. Our goal? Try to remove the described flaws!

  10. And here comes... ThunderDNS Alpha version

  11. Our architecture

  12. Protocol: 0 – register action

    <7 random chars> – random ASCII symbols to avoid caching; <client name> – the name given to the client at startup; <your domain> – the domain configured for the tunnel (e.g. xakep.ru).
    Client registration: DNS query 0<7 random chars><client name>.<your domain>, DNS response (TXT). On successful registration the client is assigned an id, which it continues to use.
  13. Protocol: 1 – get data action

    <7 random chars> – random ASCII symbols to avoid caching; <client id> – the id given at registration; <your domain> – the domain configured for the tunnel (e.g. xakep.ru).
    Client main loop: DNS query 1<7 random chars><client id>.<your domain>, DNS response (TXT). If there is new data, the response has the format <client id><target ip>:<target port>:<data in base64>, or <client id>ND if there is none.
  14. Protocol: 2 – upload data action

    <4 random chars> – random ASCII symbols to avoid caching; <client id> – the id given at registration; <block id> – the number of the block in the buffer; <your domain> – the domain configured for the tunnel (e.g. xakep.ru).
    Client upload loop: DNS query 2<4 random chars><client id><block id>.data.<your domain>, DNS response (TXT): the message <client id><block id>:OK if all is well, or an error message if not.
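    Slides 12 to 14 describe exactly what the tunnel looks like on the wire: TXT queries whose leftmost label is an action digit followed by random padding and ids, with a fresh name for every request so nothing is cached. For the "what to do with it" side of the talk, here is an added example (not code from the talk or from the ThunderDNS project) that scores resolver query logs for that behaviour. It flags a source either by the specific query shape from the slides or by the generic signals any DNS tunnel produces: a high share of TXT queries, high-entropy leftmost labels and many distinct names. The log format, the domain tunnel.example, the client and block ids, the minimum label length of 8 and all thresholds are assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample resolver log (not captured traffic). Fields:
# <timestamp> <source ip> <query type> <query name>
# The names under tunnel.example imitate the three query shapes from the
# slides; the domain, the random padding and the client/block ids are
# made-up values.
SAMPLE_LOG = """\
2018-11-10T10:00:01 10.0.0.5 A www.example.com
2018-11-10T10:00:02 10.0.0.5 TXT 0aZ3kQ9pwinhost01.tunnel.example
2018-11-10T10:00:03 10.0.0.5 TXT 1bQ7xLm2a1b2c3.tunnel.example
2018-11-10T10:00:04 10.0.0.5 TXT 2k9Pqa1b2c300001.data.tunnel.example
2018-11-10T10:00:05 10.0.0.5 TXT 1cR1zNv4a1b2c3.tunnel.example
2018-11-10T10:00:06 10.0.0.7 A mail.example.com
2018-11-10T10:00:07 10.0.0.7 A www.example.com
2018-11-10T10:00:08 10.0.0.7 TXT _dmarc.example.com
"""

# Leftmost label of the register (0), get-data (1) and upload (2) queries:
# action digit, then random padding plus ids. The minimum length of 8 is an
# assumption; the slides give no fixed id length.
ACTION_LABEL = re.compile(r"^[012][A-Za-z0-9]{8,}$")


def parse_log(text):
    """Split the constructed log into records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, qtype, qname = parts
        records.append({"ts": ts, "src": src, "qtype": qtype.upper(),
                        "qname": qname.rstrip(".")})
    return records


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def matches_thunderdns_shape(qname):
    """True if the name has the shape of a register/get/upload query from the slides."""
    labels = qname.rstrip(".").split(".")
    if len(labels) < 3 or not ACTION_LABEL.match(labels[0]):
        return False
    if labels[0][0] == "2":
        # Upload queries go under the data.<domain> sub-zone.
        return labels[1] == "data"
    return labels[1] != "data"


def score_sources(records):
    """Aggregate per-source signals: TXT share, name diversity, label entropy, shape hits."""
    per = {}
    for r in records:
        s = per.setdefault(r["src"], {"total": 0, "txt": 0, "names": set(),
                                      "entropy": 0.0, "shape_hits": 0})
        s["total"] += 1
        s["txt"] += r["qtype"] == "TXT"
        s["names"].add(r["qname"])
        s["entropy"] += label_entropy(r["qname"].split(".")[0])
        s["shape_hits"] += matches_thunderdns_shape(r["qname"])
    return {ip: {"total": s["total"],
                 "txt_ratio": s["txt"] / s["total"],
                 "distinct_names": len(s["names"]),
                 "mean_entropy": s["entropy"] / s["total"],
                 "shape_hits": s["shape_hits"]}
            for ip, s in per.items()}


def flag_sources(records, min_txt_ratio=0.5, min_entropy=2.5, min_shape_hits=2):
    """Return sorted source IPs that look like tunnel clients (thresholds are assumptions)."""
    flagged = []
    for ip, s in score_sources(records).items():
        generic = s["txt_ratio"] >= min_txt_ratio and s["mean_entropy"] >= min_entropy
        if generic or s["shape_hits"] >= min_shape_hits:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, s in score_sources(recs).items():
        print(ip, s)
    print("flagged:", flag_sources(recs))
```

    In practice the records come from the resolver's query log rather than an embedded string, and the generic path needs an allowlist for legitimate high-entropy TXT users (DKIM selectors, DMARC, CDN and antivirus lookups) before it is turned into an alert; the shape check is cheap to run as a first pass and only matches the protocol as the slides describe it.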
  15. Protocol: pentester proxy

    \x00GETCLIENTS\n – get clients list
    \x02RESET:client_id\n – initialize connection
    \x01<client_id>:<ip>:<port>:\n – set up target
    \x03<data> – data transfer to server
    <data> – data transfer to application
  16. Our architecture, one more time

  17. Server: Python3 + dnslib

    We make our own custom resolver; its resolve method processes the requests.
  18. Server: Python3 + dnslib

    Your code here. Ordinary requests are forwarded to Google DNS; the requested name is in the variable request.q.qname.
  19. Server: Python3 + dnslib

    Send the reply. We must divide the reply into 255-character strings (a single TXT character-string is limited to 255 bytes).
  20. Server: our code

    To put the data from the pentester into the buffer, we wrote a small "receiver", which is launched in a separate thread. It catches connections from the pentester and performs routing. Transport buffer structure.
  21. Our architecture, one more time

  22. PowerShell client

    The client for Windows is based on the standard nslookup command and the .NET Net.Sockets.TcpClient object. Each iteration of the loop is a call to nslookup using the protocol described earlier. It works simply. The code was tested and unified for Windows versions 7 to 10 and the standard PowerShell versions shipped with them. Less than 400 lines of code: a minimum of code.
  23. Bash client

    The client for Linux works on the standard dig command and Bash shortcuts. Connections to local hosts are created with the help of /dev/tcp/ip/port, a standard Bash shortcut. The work was tested on popular Linux distributions; all Linux systems with Bash are supported. Less than 300 lines of code: also a minimum of code.
  24. Our architecture, one more time

  25. Pentester proxy

    Written in Python3 with the socketserver library. Simple TCP forwarding: the pentester specifies a local ip, port and client id, and all traffic goes there. SOCKS5 proxy: the proxy can work as a SOCKS5 server, and the pentester only needs to specify the client id. Universal: the work does not depend on the application; you can use both Metasploit and nmap.
  26. Stop talking, let's look! Example 1: forwarding ssh through a meterpreter session
  27. Stop talking, let's look! Example 1: description

    Step 1: run the DNS server
    Step 2: set up the msf reverse TCP handler and load the ps1 client code into meterpreter
    Step 3: run the ps1 client from meterpreter (we are in some local network)
    Step 4: get the list of available clients and set up the proxy
    Step 5: run ssh to the proxy
    Step 6: b|b|b|b|b|
  28. Stop talking, let's look! Example 2: SOCKS5 usage

  29. Stop talking, let's look! Example 2: description

    Step 1: run the DNS server
    Step 2: run the bash client on the local machine
    Step 3: run the proxy in SOCKS5 mode
    Step 4: make a curl request to a service in the other local network, using proxychains
    Step 5: b|b|b|b|b|
  30. Summary

    1. 4.9 Kb/s with compression 2. Interpreted clients 3. No root needed 4. SOCKS5 available
  31. What problems could there be?

    1. Unstable work in an unstable network (thanks, Cap.) 2. Sometimes the session isn't set up on the first try; a proxy restart helps 3. Some magic if your local DNS server is a wizard :)
  32. Stay in touch

    fbkcs.ru – official site; blog.fbkcs.ru – tech blog; @fbk_cs – Twitter; @skuratov_andrey – Twitter; @h3llraiser – Telegram; @smigalin – Twitter; @migalin – Telegram
  33. Thanks!