These are the slides of a talk by John Bambenek at THOTCON 0x5 in Chicago. Imagine your first day at a client site and you spend your time figuring out what’s going on with the network. You query passive DNS to find tons of apparently VPN over DNS endpoints on your network. What starts as a simple incident investigation process sees the tables turned on those who used the protocol to hide their tracks. This talk will discuss reverse engineering VPN over DNS (vpnoverdns.com) and how weaknesses in using DNS tunneling makes it trivial to retroactively wiretap all communications over the protocol long after the fact.
Text of Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
How I Turned VPNoverDNS into a Retroactive Wiretapping Tool THOTCON 0x5 John Bambenek / Bambenek Consulting email@example.com
The Setup... Hired by a mid-sized business to increase the security posture Yes, it was just that open-ended They had a fairly large web presence and maintain dozens of sites But had no authoritative list of them Commence policy review and massive paper dump. Has some PCI, HIPAA, other private (and valuable) information...
The Setup Continued... As a way to verify the correctness of information, do various threat intel queries on a netblock Has there been any breaches? Listing in blacklists? Known contact with C&Cs? Passive DNS will log all queries and responses a sensor sees so they can be used for later searches. For instance, will show all FQDNs resolved for a given IP address seen by a sensor. Scanning the clients /24 yields all the likely used websites (and unused IPs)
pDNS Example A historical search on thotcon.org yields: ;; first seen: 2012-09-06 22:17:09 -0000 ;; last seen: 2013-11-05 20:41:26 -0000 thotcon.org. IN A 220.127.116.11 -- ;; first seen: 2011-06-02 10:57:38 -0000 ;; last seen: 2012-09-02 02:05:33 -0000 thotcon.org. IN A 18.104.22.168 -- ;; first seen: 2013-10-30 07:04:27 -0000 ;; last seen: 2014-04-24 23:15:54 -0000 thotcon.org. IN A 22.214.171.124 -- ;; first seen: 2010-07-29 16:00:22 -0000 ;; last seen: 2010-09-20 16:58:07 -0000 thotcon.org. IN A 126.96.36.199 -- ;; first seen: 2010-08-13 02:05:21 -0000 ;; last seen: 2011-06-02 06:20:26 -0000 thotcon.org. IN A 188.8.131.52
pDNS example... A historical search on 184.108.40.206 yields: ut.ae. IN A 220.127.116.11 oec.ae. IN A 18.104.22.168 meatco.ae. IN A 22.214.171.124 cpssa.com.ar. IN A 126.96.36.199 facimex.com.ar. IN A 188.8.131.52 iltinello.com.ar. IN A 184.108.40.206 tunga-tunga.com.ar. IN A 220.127.116.11 ceramicas-lourdes.com.ar. IN A 18.104.22.168 ictys.org.ar. IN A 22.214.171.124 y-yo.com.au. IN A 126.96.36.199
A Wild Passive DNS Scan Appears Rdata results for ANY/188.8.131.52/24 Returned 280 RRs in 0.05 seconds. tunisia-sat1.no-ip.info. A 184.108.40.206 samibazoug.dyndns.ws. A 220.127.116.11 koooooko.no-ip.biz. A 18.104.22.168 only-security.no-ip.biz. A 22.214.171.124 no-hack.zapto.org. A 126.96.36.199 camfrog-ir.zapto.org. A 188.8.131.52 camfrog-2r9.zapto.org. A 184.108.40.206 gboxbest.dyndns.org. A 220.127.116.11
A Wild Passive DNS Scan Appears mrigel.zapto.org. A 18.104.22.168 hacked007.no-ip.org. A 22.214.171.124 tarajist1919.no-ip.biz. A 126.96.36.199 reflex.sytes.net. A 188.8.131.52 1month-5euro.sytes.net. A 184.108.40.206 gaagle.no-ip.org. A 220.127.116.11 djamelgbox.no-ip.org. A 18.104.22.168 bibitahackertn.no-ip.biz. A 22.214.171.124 kalboussa.no-ip.biz. A 126.96.36.199 njratxmoro.zapto.org. A 188.8.131.52 migalou2012.no-ip.biz. A 184.108.40.206 papu81.no-ip.biz. A 220.127.116.11
A Wild Passive DNS Scan Appears manortn.dyndns.biz. A 18.104.22.168 papu81.no-ip.biz. A 22.214.171.124 ln-048.rd-00000240.id-14932049.v0.tun. vpnoverdns.com. A 126.96.36.199 revenger.zapto.org. A 188.8.131.52 oscamserver.dyndns.org. A 184.108.40.206 cinefoot.selfip.com. A 220.127.116.11 proxysat.selfip.com. A 18.104.22.168 tun.vpnoverdns.com????
What is this VPNoverDNS you speak of? From vpnoverdns.com: In a few words, it lets you tunnel data through a DNS server. Data exfiltration, for those times when everything else is blocked. At the point I first started seeing this, no one seemed to know anything about it aside of the obvious it looks like a tunnel endpoint One oddity: to install it on a PC you FIRST have to install the Android app to create a login As an unapologetic iPhone user, this displeases me.
Data Exfiltration You Say? ZOMG!! ITS AN APT! MOMMY HELP! MUCH SCARED!
So how prevalent is VPNoverDNS? pDNS dump of *.tun.vpnverdns.com yields almost 6 million entries. Endpoints seen on educational, government, business and military ASNs. And some unassigned IP addresses Looks prevalent but No one knows about it Would it so obviously be sitting on NATO IP addresses? Why would a data exfiltration tool require an Android device?
Seriously, who uses Adobe AIR for this? After finding an Android device, downloaded to that device and then created a VM to install PC version which uses Adobe AIR. Provides a web browser and an email client to send/receive e-mail. This is not looking like data exfiltration Much disappoint :( Time to fire up Wireshark and see what the traffic looks like...
A Closer Look...
Got Packets? Query a specific FQDN and it returns multiple A records. rd- Byte Offset id- Session ID A records start at 192. and sequentially get higher. This explains why pDNS shows what it does, in effect, it poisons the data. The only REAL traffic is DNS to the network resolver (and the resolver to vpnoverdns.coms DNS servers).
Can we parse this response? Looking at the hex of the packet... The last three octets of the A record DNS responses are the HTTP response in the clear.
Did you know gzip is 1337 crypto? So now to rebuild an entire session across all the queries for a given session ID x 0OK HTTP/1.1 200 OK Date: Sat, 05 Jan 2013 18:08:05 GMT Content-Type: text/html;c:Accept-Encoding Content-Encoding: gzip ---- gzipd content ----
What about HTML requests? HTML requests are made by querying FQDNs starting with bf-: Example: bf-1b3132313330363734c2a7536f636b657444617461c2a734303436304745.wr- 00000000.id-00912196.v0.tun.vpnoverdns.com. IN A 22.214.171.124 bf-5420687474703a2f2f616e64726f69642e636c69656e74732e676f6f676c.wr- 00000030.id-00912196.v0.tun.vpnoverdns.com. IN A 126.96.36.199 bf-652e636f6d2f70726f78792f677361737567676573742f7365617263683f.wr- 00000060.id-00912196.v0.tun.vpnoverdns.com. IN A 188.8.131.52 Syntax: wr- byte offset, id- session ID Is the bf- content just ASCII text in hex form? 12130674SocketData40460GET http://android.clients.google. com/proxy/gsasuggest/search?client=qsb-android&hl=en&gl=us
The Incident that Never was... Nothing is quite as depressing as finding a cool incident that really wasnt. Takeaway: Passive DNS operators probably should ignore this domain as the data isnt real DNS, its actually HTTP/Mail traffic.
The Truth About VPN over DNS This is not data exfiltration, its a way to surf the web behind WiFi hotspot paywalls (because DNS isnt blocked even if you havent authenticated). Take that Marriott and your $10/day Internet fee. This will also bypass any web proxies you have. In theory you COULD use if for data exfiltration, but its pretty easy to spot Any DNS queries for *.tun.vpnoverdns.com? You are bad and you should feel bad.
Then Evil Genius Struck I was able to rebuild traffic in Wireshark what if I dumped the entire pDNS database for tun. vpnoverdns.com? Remember, pDNS is just a big log of all DNS queries and responses it sees. $ python dnsdb_query.py *.tun.vpnoverdns.com | wc -l 5799244
Look Mom, I Built PRISM for Script Kiddies Looking at just the timestamps I have data from, there are records back from May 2013. Since the sensor is in between the VPNoverDNS user and their DNS server, if it captures any traffic it likely has the ENTIRE session in its logs. So what websites do you think VPN over DNS users like to view? Lets check those bf- records
Wait for it... Some are not surprising: Host: m.facebook.com:443 Host: profile.ak.fbcdn.net Host: i2.cdn.turner.com Host: googleads.g.doubleclick.net This had to be a fun listening experience: Host: stats.pandora.com
And what is the Internet for? And of course, there was this... Host: metaltoys.co.za Host: www.youngleafs.com Host: myshortskirt.com Host: www.bravotube.net Host: promo.badoink.com Host: www.coedcherry.com Host: cdn-z3.perfectgirls.net Host: cdn-z4.perfectgirls.net
Y U NO ENCRYPT?
But it gets worse... Referer: http://127.0.0.1:8888/mail4hotspot/app/navigation?url=https://accounts.google. com/ServiceLoginAuth^M User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.5; en-us; N860 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1^M Origin: http://127.0.0.1:8888^M Accept: application/xml,application/vnd.wap.xhtml+xml,application/xhtml+xml;profile='http://www.wapforum. org/xhtml',text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5^M Content-Type: application/x-www-form-urlencoded^M x-wap-proxy-