DNS Brute-Forcing
Jérôme François
20/01/12
Outline
1 Team
2 Motivation
3 Current Approaches
4 Our Method
5 Results
6 Conclusion

Team: 5 people
- Professors: Prof. Thomas Engel, Prof. Radu State
- Post-doc: Dr. Jérôme François
- Ph.D. students: Cynthia Wagner, Samuel Marchal

Why DNS brute-force?
- DNS:
  - critical Internet service
  - threats: cache poisoning, typosquatting, fast/double-flux
- Network security assessment (prevention):
  - attack → recon stage → scan for finding accessible services...
  - ... but IP scanning = noisy + long, in particular with IPv6
- DNS brute-force = test DNS names by sending requests to a recursive server
  - names generally assigned by humans → not random (the search space can be limited)
  - scanned machines not actively probed
  - enhanced by using multiple open recursive servers

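The detection side of the "test DNS names by sending requests to a recursive server" point above, as an added example that is not part of the original slides: a check over recursive resolver query logs that flags a client asking for many distinct names under one zone and receiving NXDOMAIN for most of them. The log format (timestamp, client, qname, rcode), the sample lines and the thresholds are constructed for the example.

```python
"""Flag DNS brute-force activity in recursive resolver query logs.

Added example, not part of the original slides. The log format
(timestamp client qname rcode) and the sample lines are constructed;
real resolver logs (BIND querylog, Unbound, dnstap) need their own parser.
"""
from collections import defaultdict

# Constructed sample: 10.0.0.5 walks dictionary-style names under
# example.org; 10.0.0.9 is ordinary traffic.
SAMPLE_LOG = """\
12:00:01 10.0.0.5 www.example.org NOERROR
12:00:01 10.0.0.5 mail.example.org NOERROR
12:00:01 10.0.0.5 pc1.example.org NXDOMAIN
12:00:02 10.0.0.5 pc2.example.org NXDOMAIN
12:00:02 10.0.0.5 atlanta.example.org NXDOMAIN
12:00:02 10.0.0.5 boston.example.org NXDOMAIN
12:00:03 10.0.0.5 ftp.example.org NOERROR
12:00:03 10.0.0.5 ssh.example.org NXDOMAIN
12:00:03 10.0.0.5 snt.example.org NXDOMAIN
12:00:04 10.0.0.5 dev.example.org NXDOMAIN
12:00:04 10.0.0.9 www.example.org NOERROR
12:00:05 10.0.0.9 www.example.com NOERROR
12:00:06 10.0.0.9 typo.example.com NXDOMAIN
"""


def registrable_zone(qname: str, depth: int = 2) -> str:
    """Approximate the zone being enumerated by keeping the last `depth`
    labels (host.example.org -> example.org). Assumption: a public-suffix
    list would be needed for names such as host.example.co.uk."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-depth:])


def parse_log(text: str):
    """Yield (client, qname, zone, rcode) from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the scan
        _ts, client, qname, rcode = parts
        yield client, qname.lower(), registrable_zone(qname), rcode


def detect_bruteforce(text: str, min_names: int = 8, min_nx_ratio: float = 0.6):
    """Return {(client, zone): (distinct_names, nxdomain_ratio)} for every
    client/zone pair that asked for at least `min_names` distinct names and
    got NXDOMAIN for at least `min_nx_ratio` of them: many guessed names,
    most of them non-existent, is the footprint of dictionary- or
    model-generated brute-forcing."""
    seen = defaultdict(set)  # (client, zone) -> distinct names queried
    nx = defaultdict(set)    # (client, zone) -> distinct names answered NXDOMAIN
    for client, qname, zone, rcode in parse_log(text):
        seen[(client, zone)].add(qname)
        if rcode == "NXDOMAIN":
            nx[(client, zone)].add(qname)
    flagged = {}
    for key, names in seen.items():
        ratio = len(nx[key]) / len(names)
        if len(names) >= min_names and ratio >= min_nx_ratio:
            flagged[key] = (len(names), round(ratio, 2))
    return flagged


if __name__ == "__main__":
    for (client, zone), (n, ratio) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{client} -> {zone}: {n} distinct names, NXDOMAIN ratio {ratio}")
```

Running the block flags only 10.0.0.5 against example.org (10 distinct names, NXDOMAIN ratio 0.7). The slide's remark that brute-forcing can be spread over multiple open recursive servers is the caveat for this check: each resolver then sees only a fraction of the names, so the per-resolver counts need to be correlated across resolvers, or the same ratio computed on the authoritative server's logs, where every guess arrives regardless of which resolver forwarded it.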
Penetration testing tools
- How are names defined?
  - by humans and easy to remember → pc1, pc2, atlanta, boston, etc.
  - to reflect the provided service → www, ftp, ssh, etc.
- scan the most popular names → main dictionary + extensions:

Tool    | Dictionary size
dnsenum | 266 930
fierce  | 1 895

Extensions used by these tools beyond their dictionary: search for other names in Google results (query "allinurl: -www site:domain"); IP scanning to extend the results; get SOA (Start of Authority) records; zone transfer (normally not available).

Natural language model
- Human-based names → relying on natural language
- Key idea: generate names similar to those defined by a human
- Extract features from passively collected names:
  - name length (#words separated by a dot)
  - word lengths (#characters)
  - distribution of the first character for each word
  - n-gram model → Markov chain (transition probability between characters)

[Figure: feature extraction illustrated on the name snt.uni.lu: (1) number of words, (2) word length, (2') word definition (user-defined vs. random), (3) first character, (4) next characters drawn from the Markov chain (s → n → t).]

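The four statistics listed above, fitted on a constructed set of passively observed names, as an added example that is not the SDBF code: the model is used here to score how "human-like" a name is (log-likelihood under the fitted statistics) rather than to generate names, which is the same model viewed from the defender's side, where a resolver or authoritative log can be checked for labels the model rates as unlike anything seen before. The training names, the alphabet and the add-one smoothing are assumptions of the example.

```python
"""Fit the per-name statistics the slide lists (number of words, word
lengths, first-character distribution, character Markov chain) on a
constructed set of names, then score a candidate under that model.

Added example, not the SDBF code: the model is fitted and used for
scoring; the training names below are constructed."""
import math
from collections import Counter, defaultdict

# Constructed sample, standing in for passively collected DNS names.
OBSERVED = [
    "www.uni.lu", "snt.uni.lu", "mail.uni.lu", "ftp.uni.lu", "intranet.uni.lu",
    "www.example.org", "pc1.example.org", "pc2.example.org", "atlanta.example.org",
    "boston.example.org", "ssh.example.org", "webmail.example.org",
]

END = "$"  # sentinel marking the end of a word in the Markov chain
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-" + END  # assumed label alphabet


def _words(name: str):
    """Split a name into its dot-separated words, dropping empty labels."""
    return [w for w in name.lower().split(".") if w]


def fit(names):
    """Return the model as plain counters; smoothing is applied at score time."""
    n_words = Counter()            # (1) number of words per name
    word_len = Counter()           # (2) length of each word
    first_char = Counter()         # (3) first character of each word
    trans = defaultdict(Counter)   # (4) char -> next-char counts (Markov chain)
    for name in names:
        words = _words(name)
        n_words[len(words)] += 1
        for w in words:
            word_len[len(w)] += 1
            first_char[w[0]] += 1
            padded = w + END
            for a, b in zip(padded, padded[1:]):
                trans[a][b] += 1
    return {"n_words": n_words, "word_len": word_len,
            "first_char": first_char, "trans": trans}


def _logp(counter, key, support):
    """Add-one smoothed log-probability of `key` over `support` categories."""
    total = sum(counter.values()) + support
    return math.log((counter[key] + 1) / total)


def score(model, name: str) -> float:
    """Log-likelihood of `name` under the fitted model (higher = more like
    the training names). Each word contributes its length, its first
    character and the chain of transitions over its remaining characters."""
    words = _words(name)
    lp = _logp(model["n_words"], len(words), 10)
    for w in words:
        lp += _logp(model["word_len"], len(w), 64)
        lp += _logp(model["first_char"], w[0], len(ALPHABET))
        prev = w[0]
        for c in w[1:] + END:
            lp += _logp(model["trans"][prev], c, len(ALPHABET))
            prev = c
    return lp


def more_humanlike(model, a: str, b: str) -> bool:
    """True when `a` scores higher than `b` under the model."""
    return score(model, a) > score(model, b)


if __name__ == "__main__":
    m = fit(OBSERVED)
    for cand in ("webmail.uni.lu", "boston.uni.lu", "x7qz9k.uni.lu"):
        print(f"{cand:20s} {score(m, cand):8.2f}")
```

With these twelve training names, boston.uni.lu scores far above x7qz9k.uni.lu even though neither appears in the training set and both have the same word lengths: the first-character counts and the transitions b→o, o→s, s→t, t→o, o→n, n→end have all been seen, while none of the transitions in the random label have. That is what lets the model extend a dictionary to plausible names, and, read the other way, what makes a run of low-scoring labels in a query log worth a look.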
Semantic extension
- Systematic naming schemes:
  - choice of one or several semantic fields (cities, planets, etc.)
  - enumerative name assignment (ftp1, ftp2, etc.)
- → 2 extensions:
  - enumeration of numbers
  - generation of semantically close names:
    - name split in words
    - generate similar words using http://www.linguatools.de/disco

Without semantic extension
- Tests based on 15 popular domains
- Our tool: SDBF (Smart DNS Brute-Forcer)
- Metric: $\%D_{tool} = \frac{\#D_{tool}}{\max(\#D_{SDBF}, \#D_{fierce}, \#D_{dnsenum})}$
- Two domain sets: Luxembourg and Worldwide

[Figure: $\%D_{tool}$ per tool for the Luxembourg and Worldwide domain sets (values not recoverable from the extracted text).]

With semantic extensions
- Initial list of discovered domains: $Init_i$, $i \in \{SDBF, DNSenum, Fierce, overall\}$, with $Init_{overall} = Init_{SDBF} \cup Init_{DNSenum} \cup Init_{Fierce}$
- Assess the ability to discover new names: $\%Imp_i = \frac{|New_i|}{|Init_i|}$
- 24 popular domains probed
- from 84% to 102% of newly discovered names

Conclusion
- New methods to brute-force DNS:
  - natural language model
  - semantic extensions
- Results:
  - able to generate valid names...
  - ... mainly not present in well-used dictionaries (complementarity)
- SDBF is highly configurable → search for a specific service, scan subdomains, ... (*.*.uni.lu, www.*.com, etc.)