"Political freedom is a society's safety valve, allowing the passionately critical a nonviolent way to express their dissatisfaction with the status quo." --David Cole
Introduction
Let's say a company has an intranet page with certain data you want to get your hands on. The problem is, it's secured behind a firewall that blocks all traffic that isn't coming from inside their network. So you can't access it. Or can you?
Basically, Anti-DNS Pinning (these days usually called DNS rebinding) is an attack where you get your victim to visit your website. Your page then tells the browser to reconnect to it a little later. In between, you change the DNS record for your hostname so that it points at the victim's intranet server instead of your machine. The reconnect therefore lands on the intranet page (which the victim is allowed to reach, because the request comes from inside their network), while the browser still believes it is talking to your site. Your JavaScript, already running in the page, can then read that response. The code could either steal the data and send it back to you, or use the victim's browser to run CSRF attacks against other hosts on the internal network.
What is DNS?
DNS stands for Domain Name System. When you visit a website you type a piece of text, a URL, which looks something like http://www.example.com. A server has no idea what that is; what a server understands is a numerical address, the Internet Protocol (IP) address. That's what DNS does: it converts the hostname part of a URL (www.example.com) into an IP address.
DNS Pinning
Let's say you visit http://www.hackthissite.org, which we'll say has the IP address 111.111.111.111 for this example. Your browser sends the following request:
CODE :
GET / HTTP/1.0
Host: www.hackthissite.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.7
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Cookie: MyPHPSessionID
If the server uses virtual hosts to store multiple websites on the same IP, the Host: header tells it which website we want to view. Now, the browser stores the hostname-to-IP pair it just resolved and keeps using it for as long as it runs, ignoring whatever Time To Live (TTL) the DNS record was set to. This is called DNS pinning. It exists precisely so that a hostname can't be silently re-pointed at a different server while a page from it is still open.
Now, let's say that I run http://www.hacker.com with the IP address 222.222.222.222. I set the DNS Time To Live to 1 second, so by the time the victim's page has loaded, the record has already expired. On my page, I have some JavaScript that tells the browser to reconnect to my page after 2 seconds. In theory, the DNS record is gone, so the browser has to do another lookup. But remember, pinning means the browser doesn't actually throw away the hostname-to-IP pair (until the browser is closed).
Suppose for a moment that pinning didn't exist. The user's browser would go back to the DNS server to find out where my site (www.hacker.com) is now, the DNS would respond with 111.111.111.111 (the IP of the victim's server, www.hackthissite.org), and the browser would connect to it and send the following request:
CODE :
GET / HTTP/1.0
Host: www.hacker.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.7
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
You should notice two things:
1) The Host: has changed to that of my server.
2) The cookie hasn't been sent, because as far as the browser is concerned this is a request to www.hacker.com, not to www.hackthissite.org.
The problem (for the attacker) is that the browser won't perform the second DNS lookup. Pinning is a security feature, so this naive attack won't work. So what can we do about it? Getting around it is what's called 'Anti-DNS Pinning'.
Anti-DNS Pinning
Martin Johns found that if the pinned server becomes unreachable, the browser drops the pin and performs a second DNS lookup so it can still find a page to load. That's sensible for legitimate reasons (servers do move). But from a security point of view, it's a big no-no.
So, instead of switching off our machine at the exact moment the user views our page, just before the JavaScript forces the reconnect, we run some code that tells our firewall to block the user based on their IP address. To the browser, that looks exactly like the server being down.
So this is what we do (like before):
The user visits my website. The DNS replies with 222.222.222.222 (www.hacker.com) with a TTL of 1 second. The JavaScript on the page tells the browser to reconnect after 2 seconds. In that window, my firewall is told to block all traffic from the victim's IP. When the browser tries to reconnect, the connection to 222.222.222.222 fails, so the browser drops the pin and has to find out where www.hacker.com is again (the cached record expired after 1 second anyway). This time my DNS responds with 111.111.111.111, the IP address of www.hackthissite.org.
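To make the two outcomes concrete (pin survives a TTL expiry, pin dropped after a failed connection), here is a small JavaScript model of the behaviour described in the DNS Pinning and Anti-DNS Pinning sections. It is an added example, not code from the original article or from any browser; it simulates a pinning browser, an attacker-controlled DNS server and a firewall in memory, using the article's example hostnames and addresses. No real network or DNS traffic is involved.

```javascript
// Added example (not from the original article): an in-memory model of a
// DNS-pinning browser, the attacker's DNS server and the attacker's firewall.
// Hostnames and addresses are the article's illustrative values.

// Attacker's authoritative DNS for www.hacker.com: the first answer points at
// the attacker's own box, every later answer points at the intranet server.
// The TTL of 1 second is returned but, as the article explains, ignored.
function makeAttackerDns() {
  let queries = 0;
  return {
    resolve(hostname) {
      queries += 1;
      const ip = queries === 1 ? '222.222.222.222' : '111.111.111.111';
      return { hostname, ip, ttl: 1 };
    },
    get queries() { return queries; },
  };
}

// Network model: every address answers unless it is in `blocked`
// (the attacker's firewall dropping the victim's traffic).
function makeNetwork() {
  const blocked = new Set();
  return {
    blocked,
    connect(ip) { return !blocked.has(ip); },
  };
}

// A pinning browser: remembers the first hostname -> IP pair for the whole
// session, ignores the TTL, and only re-resolves when a connection to the
// pinned address fails (the behaviour Martin Johns pointed out).
class PinningBrowser {
  constructor(dns, network) {
    this.dns = dns;
    this.network = network;
    this.pins = new Map();   // hostname -> ip, never expires on its own
  }

  // Returns the IP the request actually reached, or null if it failed.
  request(hostname) {
    let ip = this.pins.get(hostname);
    if (ip === undefined) {
      ip = this.dns.resolve(hostname).ip;
      this.pins.set(hostname, ip);
    }
    if (this.network.connect(ip)) return ip;
    // Pinned address unreachable: drop the pin, look the name up again and
    // retry once with the fresh answer.
    this.pins.delete(hostname);
    ip = this.dns.resolve(hostname).ip;
    if (this.network.connect(ip)) {
      this.pins.set(hostname, ip);
      return ip;
    }
    return null;
  }
}

// Scenario 1: TTL expiry alone. The pin survives, the reload still reaches
// 222.222.222.222 and only one DNS query is ever made. The attack fails.
function ttlOnlyScenario() {
  const dns = makeAttackerDns();
  const browser = new PinningBrowser(dns, makeNetwork());
  const first = browser.request('www.hacker.com');
  // ...TTL of 1 second passes; the page's JavaScript reloads after 2 seconds...
  const second = browser.request('www.hacker.com');
  return { first, second, dnsQueries: dns.queries };
}

// Scenario 2: Anti-DNS Pinning. Between the two requests the attacker
// firewalls the victim off from 222.222.222.222. The reload fails, the pin
// is dropped, and the re-resolution sends the browser to 111.111.111.111.
function antiPinningScenario() {
  const dns = makeAttackerDns();
  const network = makeNetwork();
  const browser = new PinningBrowser(dns, network);
  const first = browser.request('www.hacker.com');
  network.blocked.add('222.222.222.222');   // attacker's firewall rule
  const second = browser.request('www.hacker.com');
  return { first, second, dnsQueries: dns.queries };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('TTL only:        ', ttlOnlyScenario());
  console.log('Anti-DNS pinning:', antiPinningScenario());
}
```

The model deliberately leaves out what happens next: in scenario 2 the second request carries Host: www.hacker.com to the intranet server, which is exactly the detail the rest of the article turns on.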
Now the browser will send the following header:
CODE :
GET / HTTP/1.0
Host: www.hacker.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.7
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Now the browser loads that page (the private data behind their firewall) from the intranet server, and my JavaScript, which the browser believes belongs to www.hacker.com (the same origin, as far as it can tell), reads the response and sends it back to me at www2.hacker.com. It has to go to a different hostname because the victim is still being blocked from www.hacker.com at my end.
The problem with this is that it's been beaten. As you can see, the Host: header is different: it's my hostname, not theirs. A server that checks the Host: header (anything using name-based virtual hosts does) sees a name it doesn't serve and refuses the request, so the hack fails. That check is called Anti-Anti-DNS Pinning. I'm not going to create a bold title for it, because I just explained what it is in this short paragraph. Instead, I'll create a bold title for Anti-Anti-Anti-DNS Pinning ;)
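The Host: check is the one line of defence a server operator actually controls, so here is what it looks like in practice. This is an added example in Node.js, not code from the original article or from any server the article mentions: it parses the raw request text the article shows, normalises the Host: value (lower-case, port stripped) and refuses anything that is missing, malformed, an IP literal, or not one of the names the server is meant to answer for. The served hostnames are the article's examples; the choice of status codes (400 for a bad header, 421 for a name we don't serve) is mine.

```javascript
// Added example (not from the original article): the server-side Host:
// header check that defeats a rebound request. A rebound browser still sends
// the attacker's hostname in Host:, so a server that only answers for the
// names it serves refuses it. Hostnames below are the article's examples.

const SERVED_HOSTS = new Set(['www.hackthissite.org', 'hackthissite.org']);

// Pull the Host: header out of a raw HTTP/1.x request (the kind of text the
// article shows). Returns null when it is absent or appears more than once.
function hostFromRawRequest(raw) {
  const hosts = raw
    .split(/\r?\n/)
    .slice(1)                              // skip the request line
    .filter((line) => /^host\s*:/i.test(line))
    .map((line) => line.replace(/^host\s*:\s*/i, '').trim());
  return hosts.length === 1 ? hosts[0] : null;
}

// "WWW.HackThisSite.org:8080" -> "www.hackthissite.org". Returns null for
// anything that is not a plain DNS name, including IPv4 literals: a request
// addressed to the bare IP is never one a legitimate browser sent for a
// named virtual host, so it is refused too.
function normaliseHost(host) {
  if (host === null) return null;
  const m = /^([a-z0-9.-]+?)(?::(\d{1,5}))?$/i.exec(host.trim());
  if (!m) return null;
  const name = m[1].toLowerCase();
  if (/^\d+\.\d+\.\d+\.\d+$/.test(name)) return null;
  return name;
}

// Decide how the intranet server should answer a raw request.
function checkHost(raw, served = SERVED_HOSTS) {
  const name = normaliseHost(hostFromRawRequest(raw));
  if (name === null) return { status: 400, reason: 'missing or malformed Host header' };
  if (!served.has(name)) return { status: 421, reason: `not serving ${name}` };
  return { status: 200, reason: 'ok' };
}

// Constructed sample requests modelled on the three in the article.
const LEGIT_REQUEST = [
  'GET / HTTP/1.0',
  'Host: www.hackthissite.org',
  'Cookie: MyPHPSessionID',
  '',
].join('\r\n');

const REBOUND_REQUEST = [
  'GET / HTTP/1.0',
  'Host: www.hacker.com',
  '',
].join('\r\n');

const IP_LITERAL_REQUEST = 'GET / HTTP/1.0\r\nHost: 111.111.111.111\r\n\r\n';

// The same check wired into a Node http handler (server not started here).
// Node has already parsed the headers, so only normalisation is needed.
function handler(req, res) {
  const name = normaliseHost(req.headers.host ?? null);
  if (name === null || !SERVED_HOSTS.has(name)) {
    res.writeHead(name === null ? 400 : 421, { 'Content-Type': 'text/plain' });
    res.end('Host header not accepted\n');
    return;
  }
  res.writeHead(200, { 'Content-Type': 'text/plain' });
  res.end('intranet page\n');
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('legit:     ', checkHost(LEGIT_REQUEST));
  console.log('rebound:   ', checkHost(REBOUND_REQUEST));
  console.log('ip literal:', checkHost(IP_LITERAL_REQUEST));
}
```

The check is only as good as the browser's inability to lie about Host:, which is exactly what the next section is about.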
Anti-Anti-Anti-DNS Pinning
Amit Klein sent an email to bugtraq with a proof of concept showing that, by using Flash (and XMLHttpRequest), you can forge the Host: header. With the Host: set to the name the intranet server expects, the Host: check passes, which beats Anti-Anti-DNS Pinning and lets us keep using this method of attack.
Conclusion
I found this on sla.ckers. Kanatoko created a small demonstration of this attack on his website: http://www.jumperz.net/index.php?i=2&a=1&b=7
He describes the code here:
http://sla.ckers.org/forum/read.php?6,4511#msg-4539
Also, I'd like to thank kuza55 for helping me get my head around this. After figuring this out, I thought I'd share my newly acquired knowledge with you :P
HackThisSite is the collective work of the HackThisSite staff, licensed under a CC BY-NC license.
We ask that you inform us upon sharing or distributing.