Impact of domain name drop-catching on business security - Research carried out by: Kirils Solovjovs Mārtiņš Rozenbergs Toms Liepājnieks

Page created by Julia Chan

Society

English

Like
Share
Embed
Fullscreen
Slides
Download HTML
Download PDF
Abuse

←

→

Page content transcription

If your browser does not render page correctly, please read the page content below

Impact of domain name drop-catching on business security - Research carried out by: Kirils Solovjovs Mārtiņš Rozenbergs Toms Liepājnieks

impact of domain name drop-catching on business security

                                     Research carried out by:
                                      ●
                                        Kirils Solovjovs
                                      ●
                                        Mārtiņš Rozenbergs
                                      ●
                                        Toms Liepājnieks

relevance

●
    When was the last time your non-IT friend
    typed something
    –   like this 172.217.18.78?
    –   or this 2a00:1450:4016:809::200e?
●
    Yep, 100%-ε of non-malicious connections start
    with a DNS request

#BalCCon2k18              http://kirils.org   @KirilsSolovjovs

domain expiration

 ●
     Most domains aren’t free
 ●
     Negligence:                      ●
                                          Abandonment:
     –   forgot to renew                   –   project is over
         domain                            –   company merger
     –   credit card expired               –   court order

#BalCCon2k18               http://kirils.org               @KirilsSolovjovs

research scope

●
    What attack vectors can be observed in real life?
●
    mid-2018                       ●
                                       quantitative and
●
    .lv ccTLD                          qualitative methods
    –   including IDN              ●
                                       ftp, ssh, telnet, smtp,
●
    no phishing                        dns, http, pop3, imap,
●
    no active attacks                  https, rdp, vnc

#BalCCon2k18            http://kirils.org                @KirilsSolovjovs

literature review

●
    C. Healey. Domain tasting is taking over the internet as
    a result of ICANN’s “Add Grace Period”, 2007
●
    S. Hao, M. Thomas, V. Paxson, N. Feamster, C.
    Kreibich, C. Grier, S. Hollenbeck. Understanding the
    domain registration behavior of spammers, 2013
●
    G. Szathmari. Hacking law firms with abandoned
    domain names, 2018

#BalCCon2k18              http://kirils.org        @KirilsSolovjovs

terminology

●
    Drop-catching
        re-registering a freshly expired domain name
●
    Domain back-orders
    –   many registrar offer a service to catch the domain
    –   some registries (.ru, .pl, ...) cooperate on that service
●
    Domain tasting
    –   registering a domain name for the add-grace period

#BalCCon2k18                    http://kirils.org           @KirilsSolovjovs

gTLD life-cycle

#BalCCon2k18   http://kirils.org      @KirilsSolovjovs

.lv ccTLD life-cycle

#BalCCon2k18   http://kirils.org          @KirilsSolovjovs

enough theory;
                 let’s dig in!

#BalCCon2k18       http://kirils.org   @KirilsSolovjovs

challanges

 ●
     180 domains on 1 IP
 ●
     Lots of scanners and other bad guys
 ●
     Bots vs humans

#BalCCon2k18           http://kirils.org   @KirilsSolovjovs

tools

●
    custom DNS server               ●
                                        netfilter
    based on twisted                ●
                                        apache
●
    a bunch of honeypots:                –   custom PHP honeypot
    –   mailoney, netwatch,         ●
                                        acme.sh
        imap-honey, malbait,                 + custom dns api
        RDPY, vnclowpot             ●
                                        custom .sh & .py

#BalCCon2k18             http://kirils.org               @KirilsSolovjovs

methodology/setup

 ●
     Register recently expired domains that:
     –   have search engine presence
     –   relate to an existing company/person
     –   are typos of popular domains
 ●
     Request SSL certificate for those domains ASAP

#BalCCon2k18             http://kirils.org         @KirilsSolovjovs

methodology/analysis

●
    Link DNS request logs with other request logs
    –   heuristics: timing + AS
●
    Detect bots (web)
●
    Detect network scanners and bruteforcers
●
    Look at the remaining data in detail
    –   qualitative analysis on e-mails and web requests
    –   quantitative analysis on other protocols

#BalCCon2k18                  http://kirils.org            @KirilsSolovjovs

yeah, yeah, yeah,
               but have you got any data?

#BalCCon2k18             http://kirils.org   @KirilsSolovjovs

domains registered

#BalCCon2k18   http://kirils.org          @KirilsSolovjovs

dns/requests (weighted)

#BalCCon2k18   http://kirils.org              @KirilsSolovjovs

dns/record_types

#BalCCon2k18   http://kirils.org        @KirilsSolovjovs

dns/subdomains

#BalCCon2k18   http://kirils.org       @KirilsSolovjovs

dns/subdomains/record_types

#BalCCon2k18   http://kirils.org               @KirilsSolovjovs

dns/avg_req_by_length (weighted)

#BalCCon2k18   http://kirils.org              @KirilsSolovjovs

dns/countries

#BalCCon2k18   http://kirils.org     @KirilsSolovjovs

ftp/top10

Username:                   Password:
 1) ** lol :p **             1) 1q2w3e4r
 2) changeme                 2) test
 3) webmaster                3) admin
 4) admin                    4) 123456
 5) root                     5) 1q2w3e
 6) test                     6) 12345
 7) clearvision              7) test123
 8) ubuntu                   8) qwerty
 9) nagios                   9) q1w2e3
 10) ftpuser                 10) 1234

#BalCCon2k18       http://kirils.org       @KirilsSolovjovs

ssh/top10

Username:               Password:
 1) root                 1) 123456
 2) admin                2) password
 3) test                 3) 12345
 4) user                 4) 1234
 5) support              5) 123
 6) ubnt                 6) admin
 7) oracle               7) test
 8) ubuntu               8) wubao
 9) postgres             9) 1
 10) adm                 10) root

#BalCCon2k18   http://kirils.org       @KirilsSolovjovs

telnet/top10

Username:                    Password:
 1) root                      1) 1234
 2) admin                     2) admin
 3) guest                     3) 12345
 4) supervisor                4) password
 5) default                   5) 123456
 6) support                   6) 7ujMko0admin
 7) user                      7) 5up
 8) ubnt                      8) 888888
 9) Administrator             9) aquario
 10) 888888                   10) 54321

#BalCCon2k18        http://kirils.org           @KirilsSolovjovs

mail/open_relay_attempts

#BalCCon2k18   http://kirils.org                @KirilsSolovjovs

web/requests

#BalCCon2k18   http://kirils.org    @KirilsSolovjovs

enough of looking at bad guys;
        from now on — only legit data

#BalCCon2k18        http://kirils.org   @KirilsSolovjovs

web/protocols

#BalCCon2k18   http://kirils.org     @KirilsSolovjovs

web/methods

#BalCCon2k18   http://kirils.org    @KirilsSolovjovs

web/referrers

#BalCCon2k18   http://kirils.org    @KirilsSolovjovs

web/cookies

               lrn2cookie plz

#BalCCon2k18               http://kirils.org   @KirilsSolovjovs

web/subdomains

#BalCCon2k18   http://kirils.org       @KirilsSolovjovs

web/countries

#BalCCon2k18   http://kirils.org     @KirilsSolovjovs

mail/sender_domains/attachments

#BalCCon2k18   http://kirils.org           @KirilsSolovjovs

mail/attachment_types

#BalCCon2k18   http://kirils.org             @KirilsSolovjovs

mail/sender_domains/attachment_types

#BalCCon2k18   http://kirils.org        @KirilsSolovjovs

I think it’s about enough of this;
     let’s look at some qualitative data

#BalCCon2k18       http://kirils.org   @KirilsSolovjovs

a torrent tracker

#BalCCon2k18   http://kirils.org       @KirilsSolovjovs

cron requests from abandoned wordpress instances

#BalCCon2k18             http://kirils.org          @KirilsSolovjovs

embedded HTML elements from .gov.lv

#BalCCon2k18   http://kirils.org         @KirilsSolovjovs

inter-connector of e-government systems

#BalCCon2k18    http://kirils.org          @KirilsSolovjovs

notifications from a social network

#BalCCon2k18   http://kirils.org               @KirilsSolovjovs

notification from a latvian social network

#BalCCon2k18    http://kirils.org            @KirilsSolovjovs

notification from a belgian social network

#BalCCon2k18    http://kirils.org            @KirilsSolovjovs

group reservation for a hotel

#BalCCon2k18   http://kirils.org                    @KirilsSolovjovs

e-mail from a lawyer

#BalCCon2k18   http://kirils.org            @KirilsSolovjovs

message from state revenue service

#BalCCon2k18   http://kirils.org             @KirilsSolovjovs

flight reservation

#BalCCon2k18   http://kirils.org        @KirilsSolovjovs

bill with a lot of private data

#BalCCon2k18   http://kirils.org                     @KirilsSolovjovs

telecommunications bill

#BalCCon2k18   http://kirils.org               @KirilsSolovjovs

electronically signed letter from the government

#BalCCon2k18           http://kirils.org           @KirilsSolovjovs

officially binding electronically signed government decision

#BalCCon2k18                      http://kirils.org            @KirilsSolovjovs

GPS tracking alert on a car

#BalCCon2k18   http://kirils.org                  @KirilsSolovjovs

full bank statement

#BalCCon2k18   http://kirils.org          @KirilsSolovjovs

sensitive health documents (encrypted)

#BalCCon2k18   http://kirils.org          @KirilsSolovjovs

occupational health check-up sheet

#BalCCon2k18   http://kirils.org            @KirilsSolovjovs

damn, that was intense!
               let’s wrap up & chill out

#BalCCon2k18            http://kirils.org   @KirilsSolovjovs

abandoner risks

●
    Previous owner endangers:
    –   their clients and business partners
    –   employees who’ve used e-mails for personal
        accounts
        ●
            via password reset
    –   banking, insurance and sensitive health information

#BalCCon2k18                 http://kirils.org       @KirilsSolovjovs

attacker benefits

●
    Attackers may gain control over:
    –   commercial secrets
    –   old installations of your website
    –   government systems
    –   information about passwords of the users
        ●
            via breach notification sites
    –   SSL certificates for the future website

#BalCCon2k18                    http://kirils.org        @KirilsSolovjovs

what can you do

●
    Use 2FA
●
    Pay for your damn domains
●
    If not, then:
    –   notify everybody — partners, employees, and third parties
        using your API
    –   remove old e-mail addresses from online accounts
●
    Check for suspicious behavior of mail servers; blacklist them

#BalCCon2k18                  http://kirils.org        @KirilsSolovjovs

further work

●
    Gather a larger, more representative data set
●
    Practically verify the following attack scenarios:
    –   Use AGP to request SSL certificates valid for as long as possible
        ●
            mitm connection to the domain after it’s been re-registered
        ●
            write an advisory, if needed
    –   Locate and access the old server by looking at cron-like
        requests
    –   Register breach notification alerts for a domain and wait

#BalCCon2k18                      http://kirils.org            @KirilsSolovjovs

impact of domain name drop-catching on business security

      visit for more
         goodies

#BalCCon2k18                     http://kirils.org          @KirilsSolovjovs

You can also read