DNS Brute-Forcing - Jérôme François


DNS Brute-Forcing

Jérôme François

20/01/12

Outline

1 Team
2 Motivation
3 Current Approaches
4 Our Method
5 Results
6 Conclusion


Team: 5 people

▷ Professors: Prof. Thomas Engel, Prof. Radu State
▷ Post-doc: Dr. Jérôme François
▷ Ph.D. students: Cynthia Wagner, Samuel Marchal


Why DNS brute-force?

▷ DNS:
  ▻ critical Internet service
  ▻ threats: cache poisoning, typosquatting, fast/double-flux
  ▻ network security assessment (prevention)
▷ attack → recon stage → scan for finding accessible services...
  ▻ ... but IP scanning = noisy + long, in particular with IPv6
▷ DNS brute-force = test DNS names by sending requests to a recursive server
  ▻ names are generally assigned by humans → not random (the search space can be limited)
  ▻ scanned machines are not actively probed
  ▻ enhanced by using multiple open recursive servers


Penetration testing tools

▷ How are names defined?
  ▻ by humans and easy to remember → pc1, pc2, atlanta, boston, etc.
  ▻ to reflect the provided service → www, ftp, ssh, etc.
▷ scan the most popular names → main dictionary + extensions:

Tool      Dictionary size   Extension
dnsenum   266 930           search for other names in Google results (query "allinurl: -www site:domain")
fierce    1 895             IP scanning to extend the results, get SOA (Start of Authority) records, zone transfer (normally not available)


Natural language model

▷ Human-based names → relying on natural language
▷ Key idea: generate names similar to those defined by a human
▷ Extract features from passively collected names:
  (1) Number of words: name length (#words separated by a dot)
  (2) Word length (#characters)
  (2') Word definition: user-defined (e.g. "uni", "lu") or random
  (3) First character: distribution of the first character for each word
  (4) Next characters: n-gram model → Markov chain (transition probability between characters)

[Figure: construction of snt.uni.lu. The name has 3 words; "uni" and "lu" are user-defined, the third word is random: its first character is "s", and the next characters "n", "t" are drawn from the Markov chain, giving "snt" and thus snt.uni.lu.]
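The four features above, fitted from a constructed list of passively collected names and then used to score how closely a hostname follows the naming habits visible in that list; this is an added example written for this page, not SDBF's own code, and the zone example.test and the sample names are constructed placeholders.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of passively collected names for the placeholder zone
# example.test (not real data).
SAMPLE = ["www.example.test", "mail.example.test", "ftp.example.test",
          "snt.example.test", "dev.example.test", "web1.example.test"]

def fit(names, suffix):
    """Extract the slide's four features from the labels below `suffix`:
    (1) number of words, (2) word lengths, (3) first character of each
    word, (4) character transitions (first-order Markov chain)."""
    nwords, wlens, first = Counter(), Counter(), Counter()
    trans = defaultdict(Counter)
    for name in names:
        if not name.endswith("." + suffix):
            continue
        words = name[: -len(suffix) - 1].split(".")
        nwords[len(words)] += 1
        for w in words:
            wlens[len(w)] += 1
            first[w[0]] += 1
            for a, b in zip(w, w[1:]):
                trans[a][b] += 1
    return {"nwords": nwords, "wlens": wlens, "first": first, "trans": trans}

def prob(counter, key):
    """Maximum-likelihood probability of `key`; 0.0 if never observed."""
    total = sum(counter.values())
    return counter[key] / total if total else 0.0

def score(model, sub):
    """Log-probability of the subdomain part `sub` (e.g. 'snt' or 'a.b')
    under the model; -inf means it uses a feature value never observed."""
    words = sub.split(".")
    p = prob(model["nwords"], len(words))
    for w in words:
        p *= prob(model["wlens"], len(w)) * prob(model["first"], w[0])
        for a, b in zip(w, w[1:]):
            p *= prob(model["trans"][a], b)
    return math.log(p) if p > 0 else float("-inf")

def rank(model, candidates):
    """Candidates ordered from most to least model-like."""
    return sorted(candidates, key=lambda s: score(model, s), reverse=True)

MODEL = fit(SAMPLE, "example.test")
if __name__ == "__main__":
    for sub in rank(MODEL, ["www", "web", "wwx", "a.b"]):
        print(f"{sub:6s} {score(MODEL, sub):8.3f}")
```

A defender can run `fit` over their own zone's names and use `score` to see which hostnames sit in the high-probability region of the model and are therefore the easiest to guess from public naming habits.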


Semantic extension

▷ Systematic naming schemes:
  ▻ choice of one or several semantic fields (cities, planets, etc.)
  ▻ enumerative name assignment (ftp1, ftp2, etc.)
  → 2 extensions
▷ enumeration of numbers
▷ generation of semantically close names
  ▻ name split in words
  ▻ generate similar words using http://www.linguatools.de/disco


Without semantic extension

▷ Tests based on 15 popular domains
▷ Our tool: SDBF (Smart DNS Brute-Forcer)
▷ Metric per tool: $\%D_{tool} = \frac{\#D_{tool}}{\max(\#D_{sdbf}, \#D_{fierce}, \#D_{dnsenum})}$
▷ Results shown for two sets of domains: Luxembourg and worldwide

[Figure: two charts of $\%D_{tool}$ per tool, one for the Luxembourg domains and one for the worldwide domains; values not recoverable from the extracted text.]


With semantic extensions

▷ Initial list of discovered domains: $Init_i$, with $i \in \{SDBF, DNSenum, Fierce, overall\}$ and $Init_{overall} = Init_{SDBF} \cup Init_{DNSenum} \cup Init_{Fierce}$
▷ Assess the ability to discover new names: $\%Imp_i = \frac{|New_i|}{|Init_i|}$
▷ 24 popular domains probed
▷ from 84% to 102% of newly discovered names


Conclusion

▷ New methods to brute-force DNS:
  ▻ natural language model
  ▻ semantic extensions
▷ Results:
  ▻ able to generate valid names...
  ▻ ... mainly not present in well-used dictionaries (complementarity)
▷ SDBF is highly configurable → search for a specific service, scan a subdomain, ... (*.*.uni.lu, www.*.com, etc.)
