DNS DC/DNS - ERPScan

DNS for EVIL Alexey Sintsov

I am…

Playing with SAP

Do research

Write articles

BUT my JOB is PENETRATION TESTER

Common work

Task: Test employees' awareness of IT policies and common security risks

Tools: Metasploit/SET

Action: Spam e-mail messages with attached PDF or link

Idea: Tempt employees to open a malicious e-mail attachment or visit a malicious web site

VS.

- Antivirus: block known exploits with PDF
- Firewall: block traffic to attacker
- Awareness: make employees smarter )


Tunnel

ICMP: ICMP traffic must be allowed (Rarely)

HTTP: Web proxy with black-list or without, OR HTTP traffic must be allowed (Often / Sometimes)

Most realistic scenario

DNS: DNS service must forward client's requests (Always / Often)

Do not forget about mail, ftp, ntp …
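
The DNS tunnel depends on the internal DNS service forwarding client requests, so that resolver's query log is where a defender can see it. The following is an added example, not part of the original slides: it groups queries by client and parent domain and flags groups with many long, random-looking leftmost labels. The log format, the thresholds and the two-label parent domain are assumptions, and the sample lines are constructed.

```python
import math
from collections import defaultdict

# Constructed resolver query log, "<client> <qtype> <qname>" (format is an assumption).
SAMPLE_LOG = """\
10.0.0.21 A www.example.com
10.0.0.21 A mail.example.com
10.0.0.21 AAAA www.example.com
10.0.0.37 TXT mzxw6ytboi2gk3lqnrsxg5a.t.tunnel-test.example
10.0.0.37 TXT nbswy3dpeb3w64tmmqqhg2lo.t.tunnel-test.example
10.0.0.37 TXT orugs4zanfzsayjaonuxe2lo.t.tunnel-test.example
10.0.0.37 TXT m5xxezlsmvzsa43fmn2gs33o.t.tunnel-test.example
10.0.0.37 TXT obzgc3djmrqxgzjamfzgk3tu.t.tunnel-test.example
10.0.0.37 A www.example.com
"""

def entropy(label):
    """Shannon entropy of a label, in bits per character."""
    n = len(label)
    return -sum(label.count(c) / n * math.log2(label.count(c) / n) for c in set(label))

def find_tunnel_candidates(log, min_unique=5, min_entropy=3.0, min_len=20):
    """Flag (client, parent domain) groups whose leftmost labels are numerous,
    long and random-looking. All three thresholds are assumptions to tune."""
    groups = defaultdict(set)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, _qtype, qname = parts
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # no subdomain part that could carry data
        # Assumption: parent domain = last two labels (no public-suffix list here).
        groups[(client, ".".join(labels[-2:]))].add(labels[0])
    findings = []
    for (client, parent), firsts in sorted(groups.items()):
        avg_h = sum(entropy(l) for l in firsts) / len(firsts)
        longest = max(len(l) for l in firsts)
        if len(firsts) >= min_unique and avg_h >= min_entropy and longest >= min_len:
            findings.append({"client": client, "parent": parent,
                             "unique_labels": len(firsts),
                             "avg_entropy": round(avg_h, 2),
                             "longest_label": longest})
    return findings

if __name__ == "__main__":
    for finding in find_tunnel_candidates(SAMPLE_LOG):
        print(finding)
```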

Target

[Network diagram. Labels: Attacker, Victim, DMZ, LAN, Firewall / Router (twice), DNS 2 / MAIL, MAIL 2, DC / DNS 1]

Firewall rules shown on successive versions of the slide:

- Deny all
- Allow 25, Allow 110, Deny all (E-mail tunnel possible)
- Allow 53, Deny all

Step one – send mail

Step two – SE/infect

Step 3. DNS Tunnel

[Network diagram repeated on each step slide. Labels: Attacker, Victim, DMZ, LAN, Firewall / Router (twice), DNS 2 / MAIL, MAIL 2, DC / DNS 1; the Step 3 slide adds DNS X]

Fight!

Exploit: CVE-2010-1240

- Good for testing 'awareness program'
- Good for testing patch management procedures

SE scenario 1: vacancy

- Vacancy in west company …

SE scenario 2: mail from colleague

- Spoof "From:" field
- Phone call gives +1 to success (if it is a pretty big company)

CVE-2010-1240

Obfuscation pdf