
Email and DNS Hacking


magee


Presentation Transcript


  1. Email and DNS Hacking

  2. Overview

     Email Hacking
     - Technology
     - Attacks
     - Phishing/Spearphishing/Whaling

     DNS Hacking
     - Technology
     - Attacks
     - Flux

  3. Email

     [Diagram: a message from VIP@XXX.COM ("Trusted Colleague") reading "Here is the program you’ve been waiting for.", with an attachment]

     A postcard written in pencil, with trusted cargo attached

  4. How Email Works

     [Diagram: User <-> Mail User Agent <-> Mail Transfer Agent <-> Mail Transfer Agent <-> ... <-> Mail Transfer Agent <-> Mail Transfer Agent <-> Mail User Agent <-> User]

  5. Simple Mail Transfer Protocol

     S: 220 smtp.example.com ESMTP Postfix
     C: HELO relay.example.org
     S: 250 Hello relay.example.org, I am glad to meet you
     C: MAIL FROM:<bob@example.org>
     S: 250 Ok
     C: RCPT TO:<alice@example.com>
     S: 250 Ok
     C: RCPT TO:<theboss@example.com>
     S: 250 Ok
     C: DATA
     S: 354 End data with <CR><LF>.<CR><LF>
     C: From: "Bob Example" <bob@example.org>
     C: To: Alice Example <alice@example.com>
     C: Date: Tue, 15 Jan 2008 16:02:43 -0500
     C: Subject: Test message
     C:
     C: Hello Alice.
     C: Your friend, Bob
     C: .
     S: 250 Ok: queued as 12345
     C: QUIT
     S: 221 Bye
     {The server closes the connection}

     • TCP/25 by default
     • Transfer-agent based
     • Text protocol
     • Single connection, multiple messages (maybe)
     • Easily forged

  6. How Email Can Go Wrong

     [Diagram: the slide-4 mail path annotated with points of failure. At the users and Mail User Agents: integration with OS, preview & download, malicious software. Between the Mail Transfer Agents: weak protocol, inserted message, intercepted message, dropped message, malicious software]

  7. Attacking Email

     [Diagram: the mail path annotated with attacks. At the user: Fool. At the Mail User Agent: Propagate, Subvert, Attach. At the Mail Transfer Agents: Compromise, Insert, Subvert, Extract, Flood, Hijack]

  8. Social Engineering

     • Exploit trust relationships between people
     • Exploit service climate
     • Exploit business methods

  9. Love Letter Virus

     [Diagram: a message from VIP@XXX.GOV ("TrustedColleague") reading "Check out this joke..." spreads via Exchange and IRC. Effects: corrupt data/script files, steal passwords, clog email. Replace: VBS, JPG, MP3, others]

  10. Phishing example?

     Date: Tue, 20 Sep 2005 03:06:03 -0700 (PDT)
     From: Countrywide countrywide@email.countrywide.com
     To: tjs@cert.org
     Subject: Important Customer Correspondence

     [Image: "height="] [Image: "Countrywide - Full Speectrum Lending Division"] [Image: "1-866-227-4118"] [Image: "height="] [Image: "height="] [Image: "height="] [Image: "If you could use some extra cash, Countrywide could make it easy."] [Image: "Click Here to Get Started"] [Image: "height="] [Image: "height="] [Image: "height="] [Image: "height="]

     Dear Timothy,
     We can help customers get cash from the available equity they've built up in their homes by refinancing their mortgages - and with the trend in rising home values, we estimate your home's equity may have increased to as much as $43,867.00.
     (much more…)

     • Phone number appears legit, current mortgage holder
     • Note typographical errors (Speectrum, empty images, etc.)
     • Big payoff offered
     • Closer look: embedded domains don’t match the From domain (m0.net, r.delivery.net, not countrywide.com; all the same ISP (Digital Impact))
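Slides 5 and 10 together make the defender's point: SMTP is a plain-text protocol, so the envelope sender, the header From and the domains inside the body can all disagree, and that disagreement is exactly what a triage check looks for. The script below is an added example, not part of the slides. It runs over a constructed message modelled on slide 10 (header From at countrywide.com, Return-Path and links at the mail-service domains the slide names) and reports whether the envelope sender matches the header From and which link hosts fall outside the From domain. The two-label "registrable domain" helper is a deliberate simplification (no public-suffix list).

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the slide-10 message. The header From
# claims countrywide.com, but the Return-Path (envelope sender) and the
# embedded links point at the mail-service domains named on the slide.
SAMPLE = """\
Return-Path: <bounce-12345@m0.net>
From: Countrywide <countrywide@email.countrywide.com>
To: tjs@cert.org
Subject: Important Customer Correspondence
Content-Type: text/html; charset=us-ascii

<html><body>
<img src="http://r.delivery.net/img/header.gif" alt="Countrywide - Full Speectrum Lending Division">
<a href="http://m0.net/click?u=tjs">Click Here to Get Started</a>
<a href="http://www.countrywide.com/privacy">Privacy</a>
</body></html>
"""


def registrable(host):
    """Collapse a hostname to its last two labels. Simplification for the
    example: without a public-suffix list, 'shop.example.co.uk' -> 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def address_domain(header_value):
    """Domain part of the first address in a header value, '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def link_hosts(html):
    """Hostnames referenced by href= and src= attributes in an HTML body."""
    hosts = set()
    for url in re.findall(r'(?:href|src)\s*=\s*["\']([^"\']+)["\']', html, re.I):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def triage(raw):
    """Compare the header From domain against the envelope sender and against
    every host the body links to; anything outside the From domain is flagged."""
    msg = message_from_string(raw)
    header_domain = address_domain(msg["From"])
    envelope_domain = address_domain(msg["Return-Path"])
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "us-ascii")
    foreign = sorted(
        h for h in link_hosts(body) if registrable(h) != registrable(header_domain)
    )
    return {
        "header_domain": header_domain,
        "envelope_domain": envelope_domain,
        "envelope_mismatch": registrable(envelope_domain) != registrable(header_domain),
        "foreign_link_hosts": foreign,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the constructed sample the envelope mismatch is reported and both m0.net and r.delivery.net are listed as foreign, while www.countrywide.com is not; a legitimate bulk mailer can produce the same pattern, which is why the slide frames it as a "closer look" rather than proof.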

  11. Domain Name System

     • More than just hostname → IP
     • Query hierarchy of nameservers
     • Local nameserver (resolver): answers from cache or preloaded resolutions, may do recursive queries
     • Authoritative nameserver: answers based on domains it covers, or recurses
     • Root nameserver: answers top-level, delegates, or generates errors

  12. Name Server Protocol

     [Diagram: query and response flow between client, local nameserver, root, TLD and authoritative servers]

     • UDP/53 or TCP/53
     • Client queries local (address, ptr, mx, ns, hinfo, any)
     • Local responds from cache or queries to root
     • Root responds with referral to TLD or error
     • Local queries TLD
     • TLD responds with referral to authority or error
     • Local queries authority
     • Authority sends answer
     • Local sends answer
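The referral chain on slide 12 (root -> TLD -> authority, with the local server caching the final answer) is easier to see as a trace. Below is an added example, not part of the slides: a constructed three-server hierarchy and a minimal local resolver that walks it exactly as the bullets describe, records every hop, serves repeat queries from cache, and stops on an error or a broken delegation. Server names, zones and addresses are all made up for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Server:
    """One nameserver in the constructed hierarchy: the records it is
    authoritative for and the child zones it can refer a querier to."""
    name: str
    records: dict = field(default_factory=dict)      # (qname, qtype) -> rdata
    delegations: dict = field(default_factory=dict)  # zone suffix -> server name

    def query(self, qname, qtype):
        """Answer, refer, or error, in the order a real server would."""
        if (qname, qtype) in self.records:
            return ("answer", self.records[(qname, qtype)])
        # Longest matching delegation wins ('example.com.' before 'com.').
        for zone in sorted(self.delegations, key=len, reverse=True):
            if qname == zone or qname.endswith("." + zone):
                return ("referral", self.delegations[zone])
        return ("error", "NXDOMAIN")


# Constructed hierarchy: a root that knows only the com. delegation, a com.
# TLD server that delegates example.com., and one authoritative server.
SERVERS = {
    "root": Server("root", delegations={"com.": "tld-com"}),
    "tld-com": Server("tld-com", delegations={"example.com.": "ns.example.com"}),
    "ns.example.com": Server("ns.example.com", records={
        ("www.example.com.", "A"): "192.0.2.10",
        ("example.com.", "MX"): "10 mail.example.com.",
    }),
}


class LocalResolver:
    """The 'local nameserver' of slide 11: cache first, otherwise iterate
    from the root following referrals until an answer or error."""

    MAX_HOPS = 8  # guard against delegation loops in the constructed data

    def __init__(self, servers, root="root"):
        self.servers = servers
        self.root = root
        self.cache = {}

    def resolve(self, qname, qtype):
        """Return (rdata or None, trace); trace lists each hop taken."""
        key = (qname, qtype)
        if key in self.cache:
            return self.cache[key], ["cache"]
        trace = []
        current = self.root
        for _ in range(self.MAX_HOPS):
            kind, payload = self.servers[current].query(qname, qtype)
            trace.append(f"{current}: {kind} {payload}")
            if kind == "answer":
                self.cache[key] = payload
                return payload, trace
            if kind == "error":
                return None, trace
            if payload not in self.servers or payload == current:
                trace.append("broken delegation")
                return None, trace
            current = payload  # follow the referral one level down
        trace.append("hop limit reached")
        return None, trace


if __name__ == "__main__":
    resolver = LocalResolver(SERVERS)
    for q in [("www.example.com.", "A"), ("www.example.com.", "A"),
              ("example.com.", "MX"), ("www.example.org.", "A")]:
        result, trace = resolver.resolve(*q)
        print(q, "->", result, "via", " | ".join(trace))
```

The first lookup of www.example.com. takes three hops (root referral, TLD referral, authoritative answer); the repeat is served from cache with no network hops at all, which is also why a poisoned cache entry (slide 13) keeps paying off until it expires.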

  13. Where DNS Can Go Wrong

     • Client Side
       - Cache Poisoning
       - False Response
       - False Domains
       - Compromise
       - Tunneling
     • Server Side
       - Flooding
       - False Response
       - Compromise

  14. Flux

     • Why would a domain change its resolution?
     • Why would a domain change frequently?
     • Why would a domain change transiently?
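Slide 14 asks why a domain's resolution would change frequently and transiently; from the monitoring side the question becomes what such a domain looks like in resolver data. The following is an added example, not part of the slides: it summarises a constructed log of observed answers per domain (distinct addresses, distinct /16 networks, lowest TTL, how often consecutive answers differed) and applies a simple flux heuristic. The thresholds are assumptions chosen for the example, not values from the presentation, and the constructed addresses are documentation ranges.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed observations: (seconds since start, domain, TTL, answered IPs).
# 'steady.example.' resolves to one address with a long TTL; 'flux.example.'
# hands out a different small set of addresses every few minutes.
OBSERVATIONS = [
    (0,    "steady.example.", 3600, ["198.51.100.5"]),
    (600,  "steady.example.", 3000, ["198.51.100.5"]),
    (1200, "steady.example.", 2400, ["198.51.100.5"]),
    (0,    "flux.example.",   180,  ["203.0.113.7", "192.0.2.44"]),
    (300,  "flux.example.",   180,  ["198.51.100.91", "203.0.113.130"]),
    (600,  "flux.example.",   120,  ["192.0.2.200", "198.51.100.17"]),
    (900,  "flux.example.",   180,  ["203.0.113.7", "192.0.2.99"]),
]


def profile(observations):
    """Per-domain summary of how its resolution behaved over time."""
    by_domain = defaultdict(list)
    for _, name, ttl, ips in sorted(observations):  # time order first
        by_domain[name].append((ttl, frozenset(ips)))
    summary = {}
    for name, answers in by_domain.items():
        all_ips = set().union(*(ips for _, ips in answers))
        # IPv4 assumed for the constructed data; /16 stands in for "network".
        nets = {str(ip_network(f"{ip}/16", strict=False)) for ip in all_ips}
        changes = sum(1 for (_, a), (_, b) in zip(answers, answers[1:]) if a != b)
        summary[name] = {
            "distinct_ips": len(all_ips),
            "distinct_nets": len(nets),
            "min_ttl": min(ttl for ttl, _ in answers),
            "changes": changes,
        }
    return summary


def is_fast_flux(stats, max_ttl=300, min_ips=5, min_nets=3):
    """Heuristic (thresholds assumed for this example): short TTL, many
    addresses, and those addresses spread across several networks."""
    return (stats["min_ttl"] <= max_ttl
            and stats["distinct_ips"] >= min_ips
            and stats["distinct_nets"] >= min_nets)


def flag_domains(observations):
    """Return the sorted list of domains the heuristic flags."""
    return sorted(name for name, stats in profile(observations).items()
                  if is_fast_flux(stats))


if __name__ == "__main__":
    for name, stats in profile(OBSERVATIONS).items():
        print(name, stats, "FLUX" if is_fast_flux(stats) else "ok")
```

Content delivery networks and large mail providers also rotate answers with short TTLs, so the network-diversity test matters more than TTL alone; a hosting provider's addresses cluster in a few networks, while a flux set built from compromised home machines does not.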

  15. Summary

     • Common and needed protocols
     • Many, many vulnerabilities
     • Many, many attacks
     • Some systematic solutions (encryption)
     • Trust
