Impact of domain name drop-catching on business security - Research carried out by: Kirils Solovjovs Mārtiņš Rozenbergs Toms Liepājnieks

impact of domain name drop-catching on business security

Research carried out by:
● Kirils Solovjovs
● Mārtiņš Rozenbergs
● Toms Liepājnieks
relevance

● When was the last time your non-IT friend typed something
  – like this 172.217.18.78?
  – or this 2a00:1450:4016:809::200e?
● Yep, 100%-ε of non-malicious connections start with a DNS request

#BalCCon2k18              http://kirils.org   @KirilsSolovjovs
domain expiration

● Most domains aren’t free
● Negligence:
  – forgot to renew domain
  – credit card expired
● Abandonment:
  – project is over
  – company merger
  – court order

research scope

● What attack vectors can be observed in real life?
● mid-2018
● .lv ccTLD
  – including IDN
● no phishing
● no active attacks
● quantitative and qualitative methods
● ftp, ssh, telnet, smtp, dns, http, pop3, imap, https, rdp, vnc

literature review

● C. Healey. Domain tasting is taking over the internet as a result of ICANN’s “Add Grace Period”, 2007
● S. Hao, M. Thomas, V. Paxson, N. Feamster, C. Kreibich, C. Grier, S. Hollenbeck. Understanding the domain registration behavior of spammers, 2013
● G. Szathmari. Hacking law firms with abandoned domain names, 2018

terminology

● Drop-catching
  – re-registering a freshly expired domain name
● Domain back-orders
  – many registrars offer a service to catch the domain
  – some registries (.ru, .pl, ...) cooperate on that service
● Domain tasting
  – registering a domain name for the add-grace period

gTLD life-cycle

.lv ccTLD life-cycle

enough theory; let’s dig in!

challenges

● 180 domains on 1 IP
● Lots of scanners and other bad guys
● Bots vs humans

tools

● custom DNS server based on twisted
● a bunch of honeypots:
  – mailoney, netwatch, imap-honey, malbait, RDPY, vnclowpot
● netfilter
● apache
  – custom PHP honeypot
● acme.sh
  – + custom dns api
● custom .sh & .py

methodology/setup

● Register recently expired domains that:
  – have search engine presence
  – relate to an existing company/person
  – are typos of popular domains
● Request SSL certificate for those domains ASAP

methodology/analysis

● Link DNS request logs with other request logs
  – heuristics: timing + AS
● Detect bots (web)
● Detect network scanners and brute-forcers
● Look at the remaining data in detail
  – qualitative analysis on e-mails and web requests
  – quantitative analysis on other protocols
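One way to implement the "timing + AS" linking heuristic from this slide, as an added example that is not the authors' tooling: each HTTP request is attributed to the most recent DNS query for the same name from the same client IP or, failing that, the same AS within a short window. The log formats, the prefix-to-ASN table, the 30-second window and the sample lines are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample logs standing in for the honeypot's DNS and HTTP logs.
# DNS line: time, client IP, queried name, record type.
DNS_LOG = """\
2018-06-01T10:00:00 198.51.100.7 www.expired-example.lv A
2018-06-01T10:00:01 203.0.113.9 mail.expired-example.lv MX
2018-06-01T10:05:00 192.0.2.44 www.expired-example.lv A
"""
# HTTP line: time, client IP, Host header, path.
HTTP_LOG = """\
2018-06-01T10:00:02 198.51.100.8 www.expired-example.lv /index.php
2018-06-01T10:05:10 192.0.2.44 www.expired-example.lv /wp-cron.php
2018-06-01T11:00:00 203.0.113.200 www.expired-example.lv /
"""
# Constructed prefix -> ASN table; a real setup would use an IP-to-ASN database.
AS_TABLE = {"198.51.100.": "AS64500", "203.0.113.": "AS64501", "192.0.2.": "AS64502"}
WINDOW = timedelta(seconds=30)  # assumed: how soon after a lookup the request must follow


def asn(ip):
    """Return the constructed ASN for an IPv4 address, or None if unknown."""
    return next((a for p, a in AS_TABLE.items() if ip.startswith(p)), None)


def parse(log, nfields):
    """Split log lines into (datetime, field1, ...) tuples with nfields columns."""
    return [(datetime.fromisoformat(f[0]), *f[1:nfields])
            for f in (line.split() for line in log.splitlines())]


def link_requests(dns_log, http_log, window=WINDOW):
    """Attribute each HTTP request to the newest DNS query for the same name that
    arrived within `window` before it from the same client or the same AS.
    Recursive resolvers hide the real client, so same-AS is the fallback."""
    dns = parse(dns_log, 3)  # (time, client, name)
    out = []
    for t_http, client, host, path in parse(http_log, 4):
        c_as = asn(client)
        cands = [d for d in dns
                 if d[2] == host and timedelta(0) <= t_http - d[0] <= window
                 and (d[1] == client or (c_as is not None and asn(d[1]) == c_as))]
        best = max(cands, key=lambda d: d[0], default=None)
        out.append({"host": host, "path": path, "http_client": client,
                    "dns_client": best[1] if best else None,
                    "dns_time": best[0].isoformat() if best else None})
    return out


if __name__ == "__main__":
    for row in link_requests(DNS_LOG, HTTP_LOG):
        print(row)
```

A request with no linked lookup (the third line above) is the kind of hit that went straight to the IP, which is how the scanner traffic on a shared honeypot address separates from resolver-driven visitors.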

yeah, yeah, yeah, but have you got any data?

domains registered

dns/requests (weighted)

dns/record_types

dns/subdomains

dns/subdomains/record_types

dns/avg_req_by_length (weighted)

dns/countries

ftp/top10

Username:                   Password:
 1) ** lol :p **             1) 1q2w3e4r
 2) changeme                 2) test
 3) webmaster                3) admin
 4) admin                    4) 123456
 5) root                     5) 1q2w3e
 6) test                     6) 12345
 7) clearvision              7) test123
 8) ubuntu                   8) qwerty
 9) nagios                   9) q1w2e3
 10) ftpuser                 10) 1234

ssh/top10

Username:               Password:
 1) root                 1) 123456
 2) admin                2) password
 3) test                 3) 12345
 4) user                 4) 1234
 5) support              5) 123
 6) ubnt                 6) admin
 7) oracle               7) test
 8) ubuntu               8) wubao
 9) postgres             9) 1
 10) adm                 10) root

telnet/top10

Username:                    Password:
 1) root                      1) 1234
 2) admin                     2) admin
 3) guest                     3) 12345
 4) supervisor                4) password
 5) default                   5) 123456
 6) support                   6) 7ujMko0admin
 7) user                      7) 5up
 8) ubnt                      8) 888888
 9) Administrator             9) aquario
 10) 888888                   10) 54321

mail/open_relay_attempts

web/requests

enough of looking at bad guys; from now on — only legit data

web/protocols

web/methods

web/referrers

web/cookies

               lrn2cookie plz

web/subdomains

web/countries

mail/sender_domains/attachments

mail/attachment_types

mail/sender_domains/attachment_types

I think it’s about enough of this; let’s look at some qualitative data

a torrent tracker

cron requests from abandoned wordpress instances

embedded HTML elements from .gov.lv

inter-connector of e-government systems

notifications from a social network

notification from a Latvian social network

notification from a Belgian social network

group reservation for a hotel

e-mail from a lawyer

message from state revenue service

flight reservation

bill with a lot of private data

telecommunications bill

electronically signed letter from the government

officially binding electronically signed government decision

GPS tracking alert on a car

full bank statement

sensitive health documents (encrypted)

occupational health check-up sheet

damn, that was intense! let’s wrap up & chill out

abandoner risks

● Previous owner endangers:
  – their clients and business partners
  – employees who’ve used e-mails for personal accounts
    ● via password reset
  – banking, insurance and sensitive health information

attacker benefits

● Attackers may gain control over:
  – commercial secrets
  – old installations of your website
  – government systems
  – information about passwords of the users
    ● via breach notification sites
  – SSL certificates for the future website

what can you do

● Use 2FA
● Pay for your damn domains
● If not, then:
  – notify everybody — partners, employees, and third parties using your API
  – remove old e-mail addresses from online accounts
● Check for suspicious behavior of mail servers; blacklist them

further work

● Gather a larger, more representative data set
● Practically verify the following attack scenarios:
  – Use AGP to request SSL certificates valid for as long as possible
    ● mitm connection to the domain after it’s been re-registered
    ● write an advisory, if needed
  – Locate and access the old server by looking at cron-like requests
  – Register breach notification alerts for a domain and wait

impact of domain name drop-catching on business security

visit http://kirils.org for more goodies