impact of domain name drop-catching on business security Research carried out by: ● Kirils Solovjovs ● Mārtiņš Rozenbergs ● Toms Liepājnieks
relevance ● When was the last time your non-IT friend typed something – like this 172.217.18.78 ? – or this 2a00:1450:4016:809::200e ? ● Yep, 100% − ε of non-malicious connections start with a DNS request #BalCCon2k18 http://kirils.org @KirilsSolovjovs
domain expiration ● Most domains aren’t free ● Negligence: – forgot to renew domain – credit card expired ● Abandonment: – project is over – company merger – court order
research scope ● What attack vectors can be observed in real life? ● mid-2018 ● .lv ccTLD – including IDN ● ftp, ssh, telnet, smtp, dns, http, pop3, imap, https, rdp, vnc ● quantitative and qualitative methods ● no phishing ● no active attacks
literature review ● C. Healey. Domain tasting is taking over the internet as a result of ICANN’s “Add Grace Period”, 2007 ● S. Hao, M. Thomas, V. Paxson, N. Feamster, C. Kreibich, C. Grier, S. Hollenbeck. Understanding the domain registration behavior of spammers, 2013 ● G. Szathmari. Hacking law firms with abandoned domain names, 2018
terminology ● Drop-catching – re-registering a freshly expired domain name ● Domain back-orders – many registrars offer a service to catch the domain – some registries (.ru, .pl, ...) cooperate on that service ● Domain tasting – registering a domain name for the add-grace period
gTLD life-cycle
.lv ccTLD life-cycle
enough theory; let’s dig in!
challenges ● 180 domains on 1 IP ● Lots of scanners and other bad guys ● Bots vs humans
tools ● custom DNS server based on twisted ● a bunch of honeypots: – custom PHP honeypot – mailoney, netwatch, imap-honey, malbait, RDPY, vnclowpot ● netfilter ● apache ● acme.sh + custom dns api ● custom .sh & .py
methodology/setup ● Register recently expired domains that: – have search engine presence – relate to an existing company/person – are typos of popular domains ● Request SSL certificate for those domains ASAP
methodology/analysis ● Link DNS request logs with other request logs – heuristics: timing + AS ● Detect bots (web) ● Detect network scanners and bruteforcers ● Look at the remaining data in detail – qualitative analysis on e-mails and web requests – quantitative analysis on other protocols
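The analysis pipeline on these two slides, as an added example that is not the authors' tooling: it links HTTP requests to the preceding A/AAAA lookup of the same name from the same AS inside a short time window (the resolver IP rarely equals the client IP, hence AS + timing rather than IP equality), then labels requests as scanner, bot or other so that the "other" bucket can go to qualitative review. The log formats, the prefix-to-AS table, the probe-path list and the sample lines are all constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed prefix -> AS table standing in for a real BGP/whois lookup.
AS_MAP = {
    "203.0.113.0/24": 64500,   # hypothetical home ISP AS (its resolver and its customers)
    "198.51.100.0/24": 64501,  # hypothetical hosting provider AS
}

# Constructed DNS log: timestamp, source IP, query type, queried name.
DNS_LOG = """\
2018-06-01T10:00:00Z 203.0.113.53 A www.expired-example.lv
2018-06-01T10:00:01Z 198.51.100.10 MX expired-example.lv
2018-06-01T10:30:00Z 203.0.113.53 A old-shop-example.lv
"""

# Constructed HTTP log: timestamp, source IP, Host header, method, path, User-Agent.
HTTP_LOG = """\
2018-06-01T10:00:03Z 203.0.113.77 www.expired-example.lv GET / "Mozilla/5.0 (Windows NT 10.0) Firefox/60.0"
2018-06-01T10:00:04Z 198.51.100.20 expired-example.lv GET /robots.txt "Googlebot/2.1 (+http://www.google.com/bot.html)"
2018-06-01T10:20:00Z 198.51.100.99 old-shop-example.lv GET /phpmyadmin/ "python-requests/2.18"
2018-06-01T10:20:01Z 198.51.100.99 old-shop-example.lv GET /wp-login.php "python-requests/2.18"
2018-06-01T10:20:02Z 198.51.100.99 old-shop-example.lv GET /.env "python-requests/2.18"
2018-06-01T10:30:02Z 203.0.113.80 old-shop-example.lv GET /wp-cron.php "WordPress/4.9; http://old-shop-example.lv"
"""

BOT_UA = re.compile(r"bot|crawl|spider|python-requests|curl|wget", re.IGNORECASE)
# Paths that only automated probing asks for on a freshly re-registered domain (constructed list).
PROBE_PATHS = {"/phpmyadmin/", "/wp-login.php", "/.env", "/.git/config", "/xmlrpc.php"}
HTTP_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def asn_of(ip):
    """Map a source IP to its AS via the constructed prefix table (None if unknown)."""
    addr = ipaddress.ip_address(ip)
    for prefix, asn in AS_MAP.items():
        if addr in ipaddress.ip_network(prefix):
            return asn
    return None


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_dns(text):
    out = []
    for line in text.splitlines():
        ts, ip, qtype, name = line.split()
        out.append({"ts": parse_ts(ts), "ip": ip, "asn": asn_of(ip), "qtype": qtype, "name": name.lower()})
    return out


def parse_http(text):
    out = []
    for line in text.splitlines():
        ts, ip, host, method, path, ua = HTTP_RE.match(line).groups()
        out.append({"ts": parse_ts(ts), "ip": ip, "asn": asn_of(ip), "host": host.lower(),
                    "method": method, "path": path, "ua": ua})
    return out


def link_dns_to_http(dns, http, window=timedelta(seconds=10)):
    """Return {http_index: dns_index} for requests preceded (within `window`) by an
    A/AAAA lookup of the same name from the same AS; the closest lookup wins."""
    links = {}
    for i, req in enumerate(http):
        best = None
        for j, q in enumerate(dns):
            if q["qtype"] not in ("A", "AAAA") or q["name"] != req["host"] or q["asn"] != req["asn"]:
                continue
            delta = req["ts"] - q["ts"]
            if timedelta(0) <= delta <= window and (best is None or delta < best[0]):
                best = (delta, j)
        if best is not None:
            links[i] = best[1]
    return links


def classify(http, probe_threshold=3):
    """Label each request: 'scanner' if its source IP walked several probe paths,
    'bot' if the User-Agent looks like a crawler or HTTP library, else 'other'.
    'other' still mixes humans with legitimate automation (e.g. WP cron hits),
    which is what the qualitative review then looks at."""
    probes = defaultdict(set)
    for req in http:
        if req["path"] in PROBE_PATHS:
            probes[req["ip"]].add(req["path"])
    labels = []
    for req in http:
        if len(probes[req["ip"]]) >= probe_threshold:
            labels.append("scanner")
        elif BOT_UA.search(req["ua"]):
            labels.append("bot")
        else:
            labels.append("other")
    return labels


def summarize(dns_text, http_text):
    dns, http = parse_dns(dns_text), parse_http(http_text)
    links = link_dns_to_http(dns, http)
    labels = classify(http)
    summary = {"linked": len(links), "unlinked": len(http) - len(links)}
    for label in ("bot", "scanner", "other"):
        summary[label] = labels.count(label)
    return summary


if __name__ == "__main__":
    print(summarize(DNS_LOG, HTTP_LOG))
```

On the constructed input the scanner never triggers a matching lookup (it walks the old shop's paths without resolving through an AS we see), while the browser visit and the abandoned WordPress cron request both link to a lookup from their own AS a few seconds earlier.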
yeah, yeah, yeah, but have you got any data?
domains registered
dns/requests (weighted)
dns/record_types
dns/subdomains
dns/subdomains/record_types
dns/avg_req_by_length (weighted)
dns/countries
ftp/top10
      Username:      Password:
1)    ** lol :p **   1q2w3e4r
2)    changeme       test
3)    webmaster      admin
4)    admin          123456
5)    root           1q2w3e
6)    test           12345
7)    clearvision    test123
8)    ubuntu         qwerty
9)    nagios         q1w2e3
10)   ftpuser        1234

ssh/top10
      Username:      Password:
1)    root           123456
2)    admin          password
3)    test           12345
4)    user           1234
5)    support        123
6)    ubnt           admin
7)    oracle         test
8)    ubuntu         wubao
9)    postgres       1
10)   adm            root

telnet/top10
      Username:      Password:
1)    root           1234
2)    admin          admin
3)    guest          12345
4)    supervisor     password
5)    default        123456
6)    support        7ujMko0admin
7)    user           5up
8)    ubnt           888888
9)    Administrator  aquario
10)   888888         54321
mail/open_relay_attempts
web/requests
enough of looking at bad guys; from now on — only legit data
web/protocols
web/methods
web/referrers
web/cookies lrn2cookie plz
web/subdomains
web/countries
mail/sender_domains/attachments
mail/attachment_types
mail/sender_domains/attachment_types
I think it’s about enough of this; let’s look at some qualitative data
a torrent tracker
cron requests from abandoned wordpress instances
embedded HTML elements from .gov.lv
inter-connector of e-government systems
notifications from a social network
notification from a latvian social network
notification from a belgian social network
group reservation for a hotel
e-mail from a lawyer
message from state revenue service
flight reservation
bill with a lot of private data
telecommunications bill
electronically signed letter from the government
officially binding electronically signed government decision
GPS tracking alert on a car
full bank statement
sensitive health documents (encrypted)
occupational health check-up sheet
damn, that was intense! let’s wrap up & chill out
abandoner risks ● Previous owner endangers: – their clients and business partners – employees who’ve used e-mails for personal accounts ● via password reset – banking, insurance and sensitive health information
attacker benefits ● Attackers may gain control over: – commercial secrets – old installations of your website – government systems – information about passwords of the users ● via breach notification sites – SSL certificates for the future website
what can you do ● Use 2FA ● Pay for your damn domains ● If not, then: – notify everybody — partners, employees, and third parties using your API – remove old e-mail addresses from online accounts ● Check for suspicious behavior of mail servers; blacklist them
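A small audit that turns the advice on this slide, together with the "embedded HTML elements from .gov.lv" finding, into a check a defender can run: it lists resources a page still loads from domains you do not own, owned domains whose registration runs out within a horizon, and account contact addresses under domains you no longer control. This is an added example, not the authors' code; the owned-domain table with expiry dates, the fixed "today", the sample page and the e-mail list are all constructed, and `registrable()` deliberately takes the last two labels instead of consulting the Public Suffix List.

```python
from datetime import date, timedelta
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed inputs. OWNED maps the domains the company pays for to their
# registry expiry date; in practice this comes from the registrar account or
# WHOIS/RDAP. TODAY is pinned so the example is reproducible.
OWNED = {
    "example.lv": date(2018, 9, 15),
    "example-legacy.lv": date(2018, 7, 20),
}
TODAY = date(2018, 7, 1)

PAGE_HTML = """
<html><head>
<script src="https://cdn.example-legacy.lv/app.js"></script>
<link rel="stylesheet" href="//static.old-partner.lv/site.css">
</head><body>
<img src="https://static.old-partner.lv/logo.png">
<iframe src="https://widget.example.lv/chat"></iframe>
<a href="/local/page">internal link</a>
</body></html>
"""

# Contact addresses registered on online accounts (constructed list).
ACCOUNT_EMAILS = ["admin@example.lv", "it@old-company.lv", "ops@example-legacy.lv"]


class ResourceHosts(HTMLParser):
    """Collect the hosts a page loads scripts, styles, images, frames or form targets from."""
    TAGS = {"script": "src", "img": "src", "iframe": "src", "link": "href", "form": "action"}

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        wanted = self.TAGS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                host = urlsplit(value).hostname  # None for relative URLs
                if host:
                    self.hosts.add(host.lower())


def registrable(host):
    # Simplification: last two labels. A real tool should use the Public Suffix List.
    return ".".join(host.split(".")[-2:])


def external_hosts(html, owned=OWNED):
    """Hosts the page depends on whose registrable domain is not in the owned set."""
    parser = ResourceHosts()
    parser.feed(html)
    return sorted(h for h in parser.hosts if registrable(h) not in owned)


def expiring(owned=OWNED, today=TODAY, horizon_days=30):
    """Owned domains already expired or expiring within the horizon."""
    return sorted(d for d, exp in owned.items() if exp - today <= timedelta(days=horizon_days))


def foreign_emails(emails, owned=OWNED):
    """Account contact addresses under domains the company does not own."""
    return [e for e in emails if registrable(e.rsplit("@", 1)[1]) not in owned]


def audit(html=PAGE_HTML, emails=ACCOUNT_EMAILS):
    return {
        "external_hosts": external_hosts(html),
        "expiring": expiring(),
        "foreign_emails": foreign_emails(emails),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

Each finding maps to one line of the slide: an external host is a third party to notify (or a dependency to pull in-house), an expiring owned domain is one to renew before the drop, and a foreign e-mail address is one to replace on the account before a password reset can be sent to whoever re-registers it.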
further work ● Gather a larger, more representative data set ● Practically verify the following attack scenarios: – Use AGP to request SSL certificates valid for as long as possible ● mitm connection to the domain after it’s been re-registered ● write an advisory, if needed – Locate and access the old server by looking at cron-like requests – Register breach notification alerts for a domain and wait
impact of domain name drop-catching on business security visit for more goodies #BalCCon2k18 http://kirils.org @KirilsSolovjovs