I am a bit new in this area. I have a few questions:
1. How is the call initiated? Is it said to be by email?
1.1. Then we click a link and it starts communicating using the DNS server.
1.2. Then, in the reply of the DNS server, they send TXT as the type of query. (We need a tutorial for DNS queries.)
1.3. So, was the DNS server the hacker's, or was it sending scripts?
1.4. Is the clicked site sending scripts?
2. We need one more example to show, after the packets were assembled into a full string (script), who (the browser?) will run the script. So far as I know, we run server-side code to run any applications or a process on the client laptop.
3. Or will the script be run by the browser as JavaScript and do the intended hack?
4. To what extent can such scripts do harm? For example, is it possible for the script to bring an .exe file and paste it on the client PC?
@DavidBombal ; Thanks for this video - I knew that DNS did more than IP/Hostname resolutions, but wasn't aware of this specific text field within DNS, nor that that field could be configured to be malicious, so thanks for this!! I recently got subscribed to the Udemy classes you put out, including the CCNA, SSL, & WireShark. I'm currently going thru the SSL course, & am VERY excited to start the WireShark courses - I'm HOPING that I'm going to come out the other side knowing more than I already do, thanks to @ChrisGreer ! I can't wait!! Thanks again! 🙏❤️👌
Glad you learned something Mike. Nice detailed explanation here if you are interested: unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
In the old days we used to call this executing data. It was a big no-no. In these days of publicly accessible networks I’m shocked it’s not only allowed, but permitted even in high level code! If I were a hacker this would be so easy and obvious.
How does it keep asking for the next TXT records? Certainly the first DNS call which may be from a phishing link couldn't execute any code from the TXT record?
How does Chris have so many IPs up and being shown? I never see any IPs. A certain filter? Great videos David. You have been such a great tool for a newbie like me. You're dope bro! And the videos with your daughter are adorable and put a smile on my face after a long day of construction.
I have heard of this method, but I had never seen it demonstrated. I still wonder why the host system would actually run the initial script contained within the initial TXT query... I understand how the script could run its loop and pull down the entire 17 packets and assemble itself - but why would an initial query actually start the subsequent process?
In the late 90's I hacked a RTL driver to send/receive encoded messages in ping requests, it was a little slow but you don't need a lot of code to get something running.
Yeah I don't really get the point here. If the client machine is already compromised and the malware is able to execute code on the machine and send out multiple DNS requests, why would it matter if the code comes from a DNS TXT record? When they could simply get it from an HTTP request as well? This does not seem like a vulnerability in DNS
I developed a DNS server in C++, then used the certificate and private key generated by openssl, then installed the certificate in my browser, and it worked. Encrypted data can only be decrypted with a matching private key, making it difficult to brute force with SSL encryption.
Hello DAVID, this is not concerning this video but a recent video you did with PHILLIP WYLIE on Pentester Roadmap. I want to acknowledge you for hosting nerds like that, I really like everything he said from start to finish. They were very informative and I like the fact that at a point you mentioned you are an introvert. That is another part I am interested in. Can you please make videos on introverts who want to get into or are already into IT and Cybersecurity. I believe that would really be helpful for people who are very introverted but passionate in such careers. Thank you beforehand. If you can also make a video giving an overview of your studio and everything you use for streaming your contents that would also be good. Thanks once again
Glad you learned something Benjamin. Nice detailed explanation here if you are interested: unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
Who ever heard of text in a DNS reply? We were fine with RFC 1035, which had a limit of 512 "octets"; then came RFC 2671, replaced by RFC 6891, which extends the payload to over 1k. Anything over 512 bytes should be suspect.
It should be stopped at source, ie the DNS provider. Just put some validation and checking in place to prevent this method of injection and close it down.
Extremely new to me, but outstanding how things in systems and networks are still weak. With where we are today, should we not be above and over the criminals on the net?
Try to spend some time every day learning something and you'll be amazed at how much you can learn. I really like the book Atomic Habits - small increases = big rewards.
Packet capture always fascinates me, thanks for sharing this mate. My question for Chris: is there any good place or training for those who want to learn packet capturing? I also wonder what certification we could do which includes packet analysis with Wireshark.
Nope. Didn't know that one. I came up with a data exfiltration method against hardened internal corporate networks using DNS about 15 years ago. I've not seen it ever mentioned, so it may still be novel.
Extract from: unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
"Organizations can defend themselves against DNS tunneling in many different ways, whether using Palo Alto Networks' Security Operating Platform, or Open Source technology. Defense can take many different forms such as, but not limited to, the following:
- Blocking domain-names (or IPs or geolocation regions) based on known reputation or perceived danger;
- Rules around "strange looking" DNS query strings;
- Rules around the length, type, or size of both outbound or inbound DNS queries;
- General hardening of the client operating systems and understanding the name resolution capabilities as well as their specific search order;
- User and/or system behavior analytics that automatically spot anomalies, such as new domains being accessed especially when the method of access and frequency are abnormal.
- Palo Alto Networks recently introduced a new DNS security service focused on blocking access to malicious domain names."
Hey everyone, I just have a simple question: is it ok to continue using the Google DNS? I'm not a network-savvy user, nor is English my mother tongue, so it is not helping me to understand very well.
This doesn't make a lot of sense. The client doing the requests has to already be running malware. There's no reason to get an unencrypted script after you already have a payload running on the victim. And no, usual phishing doesn't directly do RCE, and when it does, the initial script is already being run by the victim. I don't see a common attack vector that would use this aside from very specific 0-days.
Really cool, but the delivery doesn’t actually execute it right? I think it required a word attachment and clicking a pop up? In other words, receiving the TXT field doesn’t run the program, so it’s a method of delivery but not of execution…
Extract from: unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
"Guess what looks like text? Base64-encoded non-text data! Figure 4 below shows the identical query being sent to the malicious site as in Figure 2, however, the type is now TXT on both the request and response, and the response data contains the first 300 or so characters of an encoded binary executable file that could be executed by the client malware. Again, using the logs, the adversary would be able to know which client asked for the payload, and that the payload was sent (who knows if it actually arrived…)."
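The two Unit42 extracts above (the defence list and the "Base64-encoded non-text data" observation), plus the earlier point that anything over 512 bytes in a DNS answer is suspect, translate directly into log-based detection rules. The following is an added example written for this thread; it is not code from the video, from Chris Greer, or from the Unit42 article. The log format, the domain names (`example.com`, `c2-example.invalid`) and the TXT payloads are all constructed for the example, and the thresholds are starting points rather than tested production values.

```python
"""Heuristic DNS TXT tunneling detector over resolver query logs (added example,
not code from the video or the Unit42 article; log format, domains and payloads
are constructed). Rules: TXT query, long/high-entropy label, answer > 512 bytes,
pure-Base64 TXT answer (worse if it decodes to non-text), TXT query bursts."""
import base64
import binascii
import math
import re
from collections import Counter

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")  # whole payload is Base64
EXPECTED_TXT_PREFIXES = ("v=spf1", "v=DKIM1", "v=DMARC1")  # constructed allowlist

def b64(data):
    return base64.b64encode(data).decode()

# Constructed payloads: three text chunks and one binary-looking blob.
CHUNKS = [b"chunk one of constructed sample text",
          b"chunk two of constructed sample text",
          b"chunk three of constructed sample text"]
BINARY_BLOB = b"MZ\x90\x00\x03" + bytes(range(0, 60, 2))
# Constructed log format: "<qname> <qtype> <answer_bytes> <txt_payload or ->"
SAMPLE_LOG = f"""\
www.example.com A 60 -
example.com TXT 120 v=spf1 include:_spf.example.com ~all
_dmarc.example.com TXT 90 v=DMARC1; p=reject
1.c2-example.invalid TXT 300 {b64(CHUNKS[0])}
2.c2-example.invalid TXT 300 {b64(CHUNKS[1])}
3.c2-example.invalid TXT 300 {b64(CHUNKS[2])}
8k3j2h1g9f8d7s6a5p4o3i2u1y.c2-example.invalid TXT 700 {b64(BINARY_BLOB)}
"""

def parse_log(text):
    """Parse the constructed format; the TXT payload may contain spaces."""
    records = []
    for line in text.splitlines():
        if line.strip():
            qname, qtype, answer_bytes, payload = line.split(" ", 3)
            records.append({"qname": qname.lower(), "qtype": qtype.upper(),
                            "answer_bytes": int(answer_bytes), "payload": payload})
    return records

def shannon_entropy(s):
    """Bits per character; encoded data in a label scores high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def decode_base64(payload):
    """Decoded bytes if the whole payload is valid Base64, else None."""
    if not BASE64_RE.match(payload) or len(payload) % 4:
        return None
    try:
        return base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        return None

def looks_like_text(data):
    """True when at least 95% of the bytes are printable ASCII or whitespace."""
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return not data or printable / len(data) >= 0.95

def base_domain(qname):
    return ".".join(qname.split(".")[-2:])

def score_record(rec):
    """Reasons for one query; thresholds are starting points to tune per site."""
    reasons = []
    longest = max(rec["qname"].split("."), key=len)
    if rec["qtype"] == "TXT":
        reasons.append("TXT query")
    if len(longest) > 20 or len(rec["qname"]) > 50:
        reasons.append("long label")
    if shannon_entropy(longest) > 3.5:
        reasons.append("high-entropy label")
    if rec["answer_bytes"] > 512:
        reasons.append("answer exceeds 512 bytes")
    payload = rec["payload"]
    if rec["qtype"] == "TXT" and payload != "-" and not payload.startswith(EXPECTED_TXT_PREFIXES):
        decoded = decode_base64(payload)
        if decoded is not None:
            reasons.append("base64 TXT decodes to " + ("text" if looks_like_text(decoded) else "binary"))
    return reasons

def analyze(text, burst_threshold=3, alert_threshold=3):
    """[(qname, reasons)] for queries reaching alert_threshold; a run of TXT
    queries to one domain (chunked payload fetch) counts as one more reason."""
    records = parse_log(text)
    txt_counts = Counter(base_domain(r["qname"]) for r in records if r["qtype"] == "TXT")
    alerts = []
    for rec in records:
        reasons, dom = score_record(rec), base_domain(rec["qname"])
        if txt_counts[dom] >= burst_threshold:
            reasons.append(f"burst of TXT queries to {dom}")
        if len(reasons) >= alert_threshold:
            alerts.append((rec["qname"], reasons))
    return alerts

if __name__ == "__main__":
    for qname, reasons in analyze(SAMPLE_LOG):
        print(qname, "->", "; ".join(reasons))
```

Run against the constructed log, the SPF and DMARC lookups score one reason each (they are TXT queries) and stay below the alert threshold, while the three numbered chunk lookups are caught by the combination of a pure-Base64 answer and the burst of TXT queries to one domain, which is exactly the "pull down all the chunks and assemble" pattern discussed in the thread. The final query trips every rule at once. Real resolver or `tshark` output has to be mapped into the simple four-field format first, and the allowlist needs the verification tokens your own providers put in TXT, as several commenters point out those are the legitimate users of the record type.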
Chris Greer is back to show us Malware that Hackers could use to attack you (in this case using DNS). Chris is the man I talk to about Wireshark! Did you learn something new in this video?
Big thanks to Brilliant for sponsoring this video! Get started with a free 30 day trial and 20% discount: brilliant.org/DavidBombal
// Chris SOCIAL //
TH-cam: th-cam.com/users/ChrisGreer
Wireshark course: davidbombal.wiki/chriswireshark
Nmap course: davidbombal.wiki/chrisnmap
LinkedIn: www.linkedin.com/in/cgreer/
Twitter: twitter.com/packetpioneer
// David SOCIAL //
Discord: discord.com/invite/usKSyzb
Twitter: twitter.com/davidbombal
Instagram: instagram.com/davidbombal
LinkedIn: www.linkedin.com/in/davidbombal
Facebook: facebook.com/davidbombal.co
TikTok: tiktok.com/@davidbombal
TH-cam: th-cam.com/users/davidbombal
Chris Greer Playlist: th-cam.com/play/PLhfrWIlLOoKO8522T1OAhR5Bb2mD6Qy_l.html
// MENU //
00:00 Coming Up
00:27 Thanks Brilliant!
01:58 Did you know this?
02:41 DNS Misconceptions
03:16 DNS Example
04:38 Cloudflare / What Is DNS?
05:38 Virustotal
07:01 DNS String
08:52 Base-64 Decode
10:24 T Shark
12:25 Cyberchef
14:30 How Does The Hack Start?
14:54 Phishing Attacks
15:59 How DNS Attacks Started
16:57 Packets
17:53 Outro
Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel!
Disclaimer: This video is for educational purposes only.
#malware #hack #wireshark
DNS = Did Not Search properly.
@@tailsorange2872 😂
So here is a question:
Do certs from, say, Hack The Box, to name one, have any value for us in Europe?
Or are there better certs to get for real-world employment?
Thanks for having me back David!
Thanks so much for sharing your knowledge and experience with us Chris!
When David and Chris bring out new videos out it's just a Christmas for me. Love both your channels and learning a lot in past years thanks to you two.
Keep up the fantastic job guys!
Absolutely brilliant, presentation is top notch as per usual without getting too heavy. As someone who is relatively competent but unqualified in IT, currently doing A+ with a view to Net+ then Sec+ this is fantastic, thank you both. Hopefully having additional knowledge of tools like this and knowing when to use it will be advantageous in getting a job in IT/cybersecurity.
Best lesson about DNS tunneling, thank you David Bombal and Chris Greer. I hope that in future you will show us how that connection can be established and real malicious commands sent.
Thank you
it's always great to see collabs with Chris and see how he explains things
thanks for this David
Thank you!
Agreed. Chris is amazing!
I almost fell from my chair laughing. "ostrykebs" from this Polish URL literally translates as "spicy kebab". I'm dying laughing, oh my god.
same XD. I initially didn't notice it due to how he pronounced it but then it hit me.
Thanks for translating! That's funny!
Yeah, this means spicy kebabs.
It's malware because a good one burns twice. SRAM always makes my old ass giggle 👀
DNS TXT records have been used for a long time for all sorts of things; we used to use them for digital scavenger hunts way back when, and they are still often used today for Command and Control of botnets. However, this is the first time I've seen them used to propagate a potential malware script. Pretty slick! Thanks for the info!
Glad you enjoyed the video Dave! Nice detailed explanation here: unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
Excellent interview and especially the technical information, which helps us learn about vulnerabilities
This was such an informative video David. Thanks for making all of us more aware of it. Now I'll be looking out for suspicious DNS queries. That was totally new learning for me; I really like the full breakdown of info where it starts making sense for us cybersecurity enthusiasts. Thanks for covering this David and Chris ❤❤
You're welcome! If you want to read more, some cool information here: unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
This is utterly terrifying. Thank you for pointing out what can happen if you carelessly switch to a well-known DNS, expecting nothing bad, and then kaboom....
Well it might be worth pointing out, your operating system alone will not take harm from Powershell code being present on some DNS entries. There already has to be malicious code on your box that just uses the DNS entries as an online repository for even more malicious code to be downloaded and executed after that. So the infection vectors are the same as always.
@@nonlinearsound-001 Thanks for pointing this out. If I may ask, what would you consider the most likely exploit that would "benefit" the most from this kind of attack?
@@etliberarahastenichgesehen That varies a lot. It strongly depends on the code that is being read from the DNS entries. As PowerShell is a scripting environment with a lot of connections deep into the operating system, the attacker can come up with all sorts of different attacks. Most likely, though, it will be a network and file system discovery phase to see how the attacker or the program can move laterally, a C2 contact attempt to establish a reverse shell environment, or to send back information about the attacked box. With more information, a possible exploit can be chosen to set up persistence on the box or to brute force passwords and such. In corporate environments it's always a good target to become a privileged user on the domain to gain more information or rights to move further laterally.
It was a great enlightenment, and sir this sort of content is what we look forward to, if we could get more recent attack patterns and techniques and how they work, how to mitigate them, it would be great
The channel is amazing, your knowledge, experience and humility towards teaching is commendable
❤❤
Great work
Thank you!
This video is amazing!
I really like how everything has been explained, easy and clear.
Wireshark is not easy to use, at least for me; I absolutely need to document myself before any operation, otherwise it's really hard to find the information I'm looking for.
Plus, this attack shouldn't be undervalued, as DNS is something that is not so secure as we may think.
Recently I've got my whole home network hacked: all devices were compromised, including the main router and smartphones.
Well, the point of failure in my case wasn't discovered, but there's a high chance that DNS had been compromised while disconnecting from a VPN service, or at least while using it.
I've saved some pcap files on some devices in this network, but after watching this video, I think that I wouldn't find this script injection, if it happened, then it happened before the pcap recording :-/
Be careful with VPN services: your traffic will be camouflaged, but remember that you are not aware of where each node is located, and who has access to it.
Cheers
That technique I already knew, but thank you for sharing it. Well explained - I like your videos.
Another gift from my two best teachers; I learn so much from you guys, keep giving.
Sharing knowledge is caring! Thank you for your support Majid
DNS: the root of all evil. This is proof. Thanks for posting, David & Chris.
It's always DNS! :(
Edit: Some people didn't get that this is a meme / joke, so leaving that here.
LOL. Good one. Root of all evil.
DNS is not the problem. The hacker could easily use a webpage, FTP or many other possibilities for the malicious program. The hacker chose DNS because it's a simple data file that is really easy to use and doesn't check the data for validity. A PTR record should have a domain name, but it could be the malicious program. TXT records can be anything the record owner wants and are very rarely used.
Just because code is returned in a TXT string does not mean the receiving machine will decode it and execute it. You still have to have a way to trigger the decode and execute the TXT once it is received.
This is super cool man thank you for dropping this !
I've heard about them before, but didn't know this.
I've done some custom email setup. That's where I met DNS TXT records for the first time.
Gosh, jolly, this was clarifying.
LOVE EVERY VID you folks make.
I'm still a bit confused on how the attack starts. Is it just by clicking a link? Or does the victim have to have run a script to interpret the TXT record?
Best WireShark instructional videos I’ve seen for length/ learning time. The quality and quantity of videos you produce is incredible. Thanks!
Thank you! Chris is amazing!
Great video. Picked up a few new gems about DNS. Thank you.
Great! Glad you learned something new :)
Loved it , love all your videos with Chris , full house of information
Nice demonstration. Thank you David, thank you Chris
Thank you both for helping all of us learn about everything with Wireshark !
Great content, short but concise deep dive of DNS malware
I had not seen this attack method before, and I just finished 2 associates degrees (Cyberdefense & Digital Forensics, and Network Technologies Administration) and just passed my Security+, so, very cool stuff, here. I thought the DNS text record was what a RA would have an admin modify to prove ownership/control of a domain to satisfy a CA. Guess I was off.
David, any time you have Chris or Ed Harmoush (of PracNet) on, it's an absolute treat!
Thank you Scott! Agreed, Chris and Ed are amazing 😀
I had no idea David :D
But thanks for teaching us again
My Friend, you don't need to make these faces on thumbnails to get youtube clicks, you are way beyond that, awesome content, loving it!!!
Glad to see you are still out here David. I have been out of the game for a while. I am working on getting into pentesting
Never give up on your dreams!
@@davidbombal Thank you. 🙂
A question I am asking myself: is there any actual legitimate use for the DNS TXT request type left? If not, then there would be no good reason to keep it at all, honestly.
Thank you, Dave and Chris, for this great informative video.
thank you! you read my mind David, I was gonna ask to do a video on DNS
Chris is the wireshark king, I've learnt so much from him! Thanks for a great and interesting video
Agreed! Chris is amazing! Glad you enjoyed the video
Did not know, thanks for the heads up. They should just close off this DNS text field; no one knew it was there anyway, so no one will miss it.
Except it's used for various reasons, main one I come across is verifying you own the domain when connecting it to a service
I was aware of the existence of DNS TXT records from my dealing with setting up domain names for myself and others. I knew they could contain potentially malicious information, but I didn't know they could be used to piece together a set of commands to run a powershell command to further compromise a machine.
Nice detailed explanation here: unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
Nice video David! It's always DNS ha! I can say with confidence that I did know this :D. I've used a similar method on a test to escape firewall restrictions. There is a neat tool called Iodine which you can use to set up a tunnel between boxes, and all communication is done through DNS. You can then SSH to the box over DNS... pretty remarkable. It's a common technique used by malware to call back to C2s. There is a video on my channel about the setup process if you want to see it in action. It takes you through setting up the DNS records to deploying the server and then initiating the connection.
I have a simple question: how does the code run on the target machine even though it is a text record?
@@ahmed_goodgame995 I could be wrong, but afaik there would need to be a client of some kind on the victim machine that processes the code within the DNS responses. I believe it's more of an obfuscation technique. I would be surprised if there was a direct way to perform RCE on a box from DNS responses. That would cause chaos.
That means that there is no way to get full access using a link?
@@ahmed_goodgame995 I think you would need a trigger first. For example, a hacker could send a link to the victim. The victim clicks the link, which then downloads some malware. The malware then performs DNS requests to the malicious domain, extracts the data in the TXT record and executes it. It can be useful as it can make the malware more dynamic and less detectable, as it doesn't contain the payload itself. Plus most organizations have DNS open, so it's likely to get through the firewall. Other than that, I honestly don't see how it would work unless there is some huge vulnerability in DNS that I'm not aware of. Can you imagine the carnage it would cause if you could easily perform code execution through standard DNS requests/responses?
@@ahmed_goodgame995 But never say never, if someone found a bug in a popular Operating System and the way it handles DNS then maybe it could be used to execute code. Something like a traditional overflow or sequence of characters contained within a TXT record that when processed by the client service causes unexpected behaviour. That’s speculation though and I’m sure these things are tested regularly. The thought of that is actually terrifying.
Very cool. Would like definitely to see more videos like this.
Didn't know DNS could do that. Really amazing and educational video
Stok did a great video on a bug bounty where he used DNS to interact with a server and extract information like etc/passwd all through DNS and using burp collab
You got a link to his video?
@davidbombal I'd love to see a collab with the both of you
What I would like to know is who thought it would be a good idea to enable a library/framework to execute code stored in a text record like that in the first place.
If it was originally intended to simply store human-readable comments, then why is it even a thing for something else to execute code stored in a text record?
What library/framework(s) allow executing code from a text record? Why hasn't this been disabled?
Another great informative video by David and Chris. Thanks guys👍🏻
You're welcome Hazy!
This was an awesome video, I can always watch Chris and his packet talk lol.
So just to reiterate, the victim executes a script which then makes DNS requests, assembles the txt resource records, executes that assembled text file which makes a callback to a C2/attacker....?
Nice detailed explanation here: unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
A question: we passed the strings to a txt file, but what made the client machine run the initial txt instructions?
7:09 or so, the first command
@paulus9660 Yeah if the client machine is already compromised, you can't really say DNS is the culprit here. They might as well get the code payload from a normal http request.
@Paulus thank you!
I am a bit new in this area. I have a few questions:
1. How is the call initiated? It is said that it's by email?
1.1. Then we click a link, and it starts communicating using a DNS server.
1.2. Then, in the reply of the DNS server, they send TXT as the type of query. (We need a tutorial for DNS queries.)
1.3. So, was the DNS server the hacker's, or was it sending the scripts?
1.4. The clicked site, is it sending the scripts?
2. We need one more example to show, after the packets were made up into a full string (script), who (the browser?) will run the script. So far as I know, we run server-side code to run any applications or a process on a client laptop.
3. Or will the script be run by the browser as JavaScript and do the intended hack?
4. To what extent can such scripts do harm? For example, is it possible to get an .exe file brought in by the script and placed on the client PC?
@DavidBombal
Thanks for this video - I knew that DNS did more than IP/Hostname resolutions, but wasn't aware of this specific text field within DNS, nor that that field could be configured to be malicious, so thanks for this!!
I recently subscribed to the Udemy classes you put out, including the CCNA, SSL, & Wireshark.
I'm currently going through the SSL course, & am VERY excited to start the Wireshark courses - I'm HOPING that I'm going to come out the other side knowing more than I already do, thanks to @ChrisGreer! I can't wait!!
Thanks again! 🙏❤️👌
Glad you learned something Mike. Nice detailed explanation here if you are interested: unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
@davidbombal awesome info, David - thanks!
Excellent video as always. Seems like more of a reason to use Quad9 on top of other protections.
Nice detailed explanation of this attack: unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
In the old days we used to call this executing data. It was a big no-no. In these days of publicly accessible networks I’m shocked it’s not only allowed, but permitted even in high level code! If I were a hacker this would be so easy and obvious.
Thanks. Great session. 👍
Thanks, David great info
How does it keep asking for the next TXT records? Certainly the first DNS call which may be from a phishing link couldn't execute any code from the TXT record?
Thank you for the information!
How does Chris have so MANY IPs up and being shown???? I never see any IPs. A certain filter??? Great videos David. You have been such a great tool for a newbie like me. You're dope bro! And the videos with your daughter are adorable and put a smile on my face after a long day of construction
I have heard of this method, but I had never seen it demonstrated. I still wonder why the host system would actually run the initial script contained within the initial TXT query... I understand how the script could run its loop and pull down the entire 17 packets and assemble itself - but why would an initial query actually start the subsequent process?
Great lessons. Please, David, engage Chris in future to explain how to capture packets.
Every day is a school day when you work in security. Thanks guys for a brilliant video ☺️
In the late 90's I hacked a RTL driver to send/receive encoded messages in ping requests, it was a little slow but you don't need a lot of code to get something running.
What does RTL stand for?
Yeah I don't really get the point here. If the client machine is already compromised and the malware is able to execute code on the machine and send out multiple DNS requests, why would it matter if the code comes from a DNS TXT record? When they could simply get it from an HTTP request as well? This does not seem like a vulnerability in DNS
Nice detailed explanation here: unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
I developed the DNS server in C++, then used the certificate and private key generated by openssl, then I installed the certificate in my browser, and it worked. Encrypted data can only be decrypted with a matching private key, making it difficult to brute force with SSL encryption.
Hello DAVID, this is not concerning this video but a recent video you did with PHILLIP WYLIE on Pentester Roadmap. I want to acknowledge you for hosting nerds like that, I really like everything he said from start to finish. They were very informative and I like the fact that at a point you mentioned you are an introvert. That is another part I am interested in. Can you please make videos on introverts who want to get into or are already into IT and Cybersecurity. I believe that would really be helpful for people who are very introverted but passionate in such careers. Thank you beforehand.
If you can also make a video giving an overview of your studio and everything you use for streaming your contents that would also be good. Thanks once again
Thank you. Phillip is an amazing and wonderful person! Great suggestions :)
Another excellent one, thanks David :D
You're welcome!
Using DNS to attack is one of the few things I do know.
It's great, thanks so much teacher David
From layer 1 to 7, it means deep work; magnificent, especially hardware building
Yes, but that process of data extraction from a captured stream is awesome 🙂
I really appreciate this Sir.👍🏻
Thanks David for sharing.
@davidbombal where is the link to Chris's threat hunting course?
I've seen DNS used to smuggle data out of secure(ish) systems that stopped outgoing requests to unknown addresses but not via DNS.
Glad you learned something Benjamin. Nice detailed explanation here if you are interested: unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
Enlightening as always David ji
Are there valid uses of the TXT DNS record type that are still in use today?
Whoever heard of text in a DNS reply? We were fine with RFC 1035, which had a limit of 512 "octets"; then came RFC 2671, replaced by RFC 6891, which extends the payload to over 1k. Anything over 512 bytes should be suspect.
The non-sexy side of IT is always the most important. Thanks for the video, David.
Very interesting, no I did not know this existed.
Now to see if I can mitigate with my pfSense
If I understand correctly, it can be done with ICMP too.
That was a great analysis, but what about DoH/DoT?
It should be stopped at source, i.e. the DNS provider. Just put some validation and checking in place to prevent this method of injection and close it down.
Extremely new to me, but outstanding how things in systems and networks are still weak. With where we are today, should we not be above and over the criminals on the net?
Very creative. Love this ! Newbie here, but am slight edging all the way.
Try to spend some time every day learning something and you'll be amazed at how much you can learn. I really like the book Atomic Habits - small increases = big rewards.
Helpful video sir ❤
I did not know this could be done. Kudos!
@DavidBombal - I never knew this type of attack was possible 🤯
It's basically fetching payloads using DNS to bypass anti-virus
Packet capture always fascinates me, thanks for sharing this mate. My question for Chris: is there any good place or training for those who want to learn packet capturing? I also wonder what certification we could do that includes packet analysis with Wireshark.
Good stuff guys !😎
Nope. Didn't know that one. I came up with a data exfiltration method against hardened internal corporate networks using DNS about 15 years ago. I've not seen it ever mentioned, so it may still be novel.
Glad you learned something new!
Where could we download the pcap file? Thanks in advance.
Very interesting, I'll keep this in mind
I got some weird file while downloading a txt file from Messenger.
It was in a zip. And I red-flagged it. What it was I'm still wondering
Great video, thank you so much. What can we do to protect ourselves from this kind of attack? Are there any recommendations for firewall setup?
Extract from: unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
"Organizations can defend themselves against DNS tunneling in many different ways, whether using Palo Alto Networks’ Security Operating Platform, or Open Source technology. Defense can take many different forms such as, but not limited to, the following:
- Blocking domain-names (or IPs or geolocation regions) based on known reputation or perceived danger;
- Rules around “strange looking” DNS query strings;
- Rules around the length, type, or size of both outbound or inbound DNS queries;
- General hardening of the client operating systems and understanding the name resolution capabilities as well as their specific search order;
- User and/or system behavior analytics that automatically spot anomalies, such as new domains being accessed especially when the method of access and frequency are abnormal.
- Palo Alto Networks recently introduced a new DNS security service focused on blocking access to malicious domain names."
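As a concrete illustration of the defences listed in that extract (rules around strange-looking query strings, query/response length, and TXT answers carrying base64 data), and of the 512-octet threshold raised earlier in the thread, here is an added example that is not from the video or the Unit42 article. The log format and all sample lines are constructed assumptions; it is a heuristic detector, not a complete tunnelling signature.

```python
"""Heuristic DNS-tunnelling detector run over constructed DNS log lines.

Assumed log format (one query per line):
    <client_ip> <qname> <qtype> <answer_len> [answer_text]
"""
import base64
import math
import re
from collections import Counter

# Constructed, clearly non-functional stand-in for an encoded chunk.
CHUNK = base64.b64encode(b"constructed sample chunk, not a real payload " * 10).decode()

SAMPLE_LOG = "\n".join([
    "10.0.0.5 www.example.com A 4",
    "10.0.0.5 _dmarc.example.com TXT 58 v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    f"10.0.0.7 kx7f3q9zl2mw8n1vbp4e.payload.example.net TXT {len(CHUNK)} {CHUNK}",
    "10.0.0.7 a1b2c3d4e5f6a7b8c9d0.payload.example.net TXT 0",
])

# 32+ base64 symbols with optional padding; legitimate TXT (SPF, DMARC) won't match.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score well above English words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def score_query(qname: str, qtype: str, answer_len: int, answer_text: str) -> list:
    """Return the list of heuristics a single query/response pair trips."""
    reasons = []
    leftmost = qname.split(".")[0]
    if len(leftmost) >= 16 and shannon_entropy(leftmost) > 3.5:
        reasons.append("high-entropy label")        # "strange looking" query string
    if answer_len > 512:
        reasons.append("answer exceeds 512 bytes")  # beyond the classic RFC 1035 limit
    if qtype == "TXT" and BASE64_RE.match(answer_text):
        reasons.append("TXT answer looks base64-encoded")
    return reasons

def analyse(log_text: str) -> list:
    """Yield (client, qname, reasons) for every line that trips at least one rule."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) < 4:
            continue
        client, qname, qtype, alen = parts[:4]
        reasons = score_query(qname, qtype, int(alen), parts[4] if len(parts) == 5 else "")
        if reasons:
            alerts.append((client, qname, reasons))
    return alerts
```

Thresholds (16-character labels, entropy 3.5, 512 bytes) are starting points to tune against your own resolver logs, since CDN and cloud hostnames also produce long random labels.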
Hey everyone, I just have a simple question: is it ok to continue using the Google DNS? I'm not a network-savvy user, and English isn't my mother tongue either, so that's not helping me understand very well
How is it that the packets of code in the TXT records actually get run? It didn't seem like he explained that.
In Iran, the first level of web filtering is applied by the IRGC government with DNS hijacking. Please talk more about filtering.
This doesn't make a lot of sense.
The client doing the requests has to already be running malware. There's no reason to get an unencrypted script after you already have a payload running on the victim
And no, usual phishing doesn't directly do RCE, and when it does, the initial script is already being run by the victim
I don't see a common attack vector that would use this, aside from very specific 0-days
I love this kind of stuff
I had no idea but it makes sense how it could happen
Really cool, but the delivery doesn’t actually execute it right? I think it required a word attachment and clicking a pop up?
In other words, receiving the TXT field doesn’t run the program, so it’s a method of delivery but not of execution…
Extract from: unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
"Guess what looks like text? Base64-encoded non-text data! Figure 4 below shows the identical query being sent to the malicious site as in Figure 2, however, the type is now TXT on both the request and response, and the response data contains the first 300 or so characters of an encoded binary executable file that could be executed by the client malware. Again, using the logs, the adversary would be able to know which client asked for the payload, and that the payload was sent (who knows if it actually arrived…)."
@davidbombal I get that, I was trying to highlight the difference between execution and delivery
So how does the file run once it's downloaded through DNS? Further social engineering?
Is this a David Bombal YT short? 😉
How can I get the pcap used in the presentation?