[Title-slide network diagram: Attacker; Firewall / Router; DMZ (DNS 2 / MAIL); LAN (DC / DNS 1, MAIL 2); Victim; firewall policy: Deny all]
DNS are everywhere
DNS for EVIL Alexey Sintsov
I am…
Playing with SAP
Do research
Write articles
BUT my JOB is PENETRATION TESTER
Common work
Task: Test employees' awareness of IT policies and common security risks
Tools: Metasploit/SET
Action: Spam e-mail messages with an attached PDF or a link
Idea: Tempt employees to open a malicious email attachment or visit a malicious web-site
VS.
- Antivirus: block known exploits with PDF
- Firewall: block traffic to attacker
- Awareness: make employees smarter )
Tunnel
- ICMP: ICMP traffic must be allowed (Rarely)
- HTTP: Web proxy with black-list (Often) or without (Sometimes), OR HTTP traffic must be allowed
- DNS: DNS service must forward client's requests (Always / Often)
Do not forget about mail, ftp, ntp …
Most realistic scenario: DNS
Target
[Network diagram: Attacker -> Firewall / Router -> DMZ (DNS 2 / MAIL) -> Firewall / Router -> LAN (DC / DNS 1, MAIL 2) -> Victim]
[Same diagram, firewall policy: Deny all]
E-mail tunnel possible
[Same diagram, firewall policy: Allow 25, Allow 110, Deny all]
[Same diagram, firewall policy: Allow 53, Deny all]
Step one – send mail
[Network diagram: Attacker -> Firewall / Router -> DMZ (DNS 2 / MAIL) -> Firewall / Router -> LAN (DC / DNS 1, MAIL 2) -> Victim]
Step two – SE/infect
[Same diagram]
Step 3. DNS Tunnel
[Same diagram with an additional node "DNS X"]
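Step 3 is also where a defender can catch the channel: the tunnel works only because the internal DNS service forwards the client's requests, so every payload chunk passes through the resolver's logs. Here is an added example (not the author's code) that scores such query logs for the traces a DNS tunnel leaves: long or high-entropy leftmost labels, a fresh name on almost every query, and TXT/NULL record types. The log format, the domains and the thresholds are constructed assumptions.

```python
import math
from collections import Counter, defaultdict
# Constructed sample log, one query per line: "<client ip> <qtype> <qname>" (made-up domains).
SAMPLE_LOG = """
10.0.1.15 A www.example.com
10.0.1.15 A www.example.com
10.0.1.15 A mail.example.com
10.0.1.15 MX example.com
10.0.1.22 TXT 7a9f3b1e0c4d5a6b7c8d9e0f1a2b3c4d.t.tunnel-example.net
10.0.1.22 TXT 5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b.t.tunnel-example.net
10.0.1.22 TXT 0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f.t.tunnel-example.net
10.0.1.22 TXT 9b8a7f6e5d4c3b2a1f0e9d8c7b6a5f4e.t.tunnel-example.net
""".strip().splitlines()

def shannon_entropy(s: str) -> float:
    """Bits per character; base32/base64 payload chunks score well above plain words."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values()) if s else 0.0

def parent_domain(qname: str) -> str:
    """Crude two-label parent (a real deployment would use the public suffix list)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def analyze(lines, min_queries=4, max_label=30, min_entropy=3.5, ratio=0.5):
    """Return {parent_domain: [reasons]} for domains whose queries look like a tunnel."""
    stats = defaultdict(lambda: {"total": 0, "odd": 0, "bulk": 0, "names": set()})
    for line in lines:
        _client, qtype, qname = line.split()
        s = stats[parent_domain(qname)]
        s["total"] += 1
        s["names"].add(qname.lower())
        if qtype in ("TXT", "NULL"):          # record types that carry bulk data downstream
            s["bulk"] += 1
        leftmost = qname.split(".")[0]        # upstream data rides in the first label
        if len(leftmost) > max_label or shannon_entropy(leftmost) > min_entropy:
            s["odd"] += 1
    findings = {}
    for domain, s in stats.items():
        if s["total"] < min_queries:          # too little traffic to judge
            continue
        reasons = []
        if s["odd"] / s["total"] >= ratio:
            reasons.append("long or high-entropy leftmost labels")
        if len(s["names"]) / s["total"] >= 0.9:
            reasons.append("nearly every query is a unique name (cache never helps)")
        if s["bulk"] / s["total"] >= ratio:
            reasons.append("mostly TXT/NULL queries")
        if len(reasons) >= 2:                 # require two independent signals
            findings[domain] = reasons
    return findings
```

Tune `min_queries` and `ratio` against a baseline of your own resolver's traffic; CDNs and some anti-spam services also produce long machine-generated labels, which is why two independent signals are required before a domain is reported.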
Fight!
Exploit: CVE-2010-1240
- Good for testing the "awareness program"
- Good for testing patch management procedures
SE scenario 1: vacancy. Vacancy in west company …
SE scenario 2: mail from colleague. Spoof the "From:" field. A phone call gives +1 to success (if it is a pretty big company).