It's DNS again 😢 Did you know this Malware Hack?
HTML-код
- Опубликовано: 22 май 2024
- Chris Greer is back to show us Malware that Hackers could use to attack you (in this case using DNS). Chris is the man I talk to about Wireshark! Did you learn something new in this video? Big thanks to Brilliant for sponsoring this video! Get started with a free 30 day trial and 20% discount: brilliant.org/DavidBombal
// Chris SOCIAL //
RUclips: / chrisgreer
Wireshark course: davidbombal.wiki/chriswireshark
Nmap course: davidbombal.wiki/chrisnmap
LinkedIn: / cgreer
Twitter: / packetpioneer
// David SOCIAL //
Discord: / discord
Twitter: / davidbombal
Instagram: / davidbombal
LinkedIn: / davidbombal
Facebook: / davidbombal.co
TikTok: / davidbombal
RUclips: / davidbombal
Chris Greer Playlist: • Wireshark with Chris G...
// MENU //
00:00 Coming Up
00:27 Thanks Brilliant!
01:58 Did you know this?
02:41 DNS Misconceptions
03:16 DNS Example
04:38 Cloudflare / What Is DNS?
05:38 Virustotal
07:01 DNS String
08:52 Base-64 Decode
10:24 T Shark
12:25 Cyberchef
14:30 How Does The Hack Start?
14:54 Phishing Attacks
15:59 How DNS Attacks Started
16:57 Packets
17:53 Outro
Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel!
Disclaimer: This video is for educational purposes only.
#malware #hack #wireshark
Chris Greer is back to show us Malware that Hackers could use to attack you (in this case using DNS). Chris is the man I talk to about Wireshark! Did you learn something new in this video?
Big thanks to Brilliant for sponsoring this video! Get started with a free 30 day trial and 20% discount: brilliant.org/DavidBombal
// Chris SOCIAL //
RUclips: ruclips.net/user/ChrisGreer
Wireshark course: davidbombal.wiki/chriswireshark
Nmap course: davidbombal.wiki/chrisnmap
LinkedIn: www.linkedin.com/in/cgreer/
Twitter: twitter.com/packetpioneer
// David SOCIAL //
Discord: discord.com/invite/usKSyzb
Twitter: twitter.com/davidbombal
Instagram: instagram.com/davidbombal
LinkedIn: www.linkedin.com/in/davidbombal
Facebook: facebook.com/davidbombal.co
TikTok: tiktok.com/@davidbombal
RUclips: ruclips.net/user/davidbombal
Chris Greer Playlist: ruclips.net/p/PLhfrWIlLOoKO8522T1OAhR5Bb2mD6Qy_l
// MENU //
00:00 Coming Up
00:27 Thanks Brilliant!
01:58 Did you know this?
02:41 DNS Misconceptions
03:16 DNS Example
04:38 Cloudflare / What Is DNS?
05:38 Virustotal
07:01 DNS String
08:52 Base-64 Decode
10:24 T Shark
12:25 Cyberchef
14:30 How Does The Hack Start?
14:54 Phishing Attacks
15:59 How DNS Attacks Started
16:57 Packets
17:53 Outro
Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel!
Disclaimer: This video is for educational purposes only.
#malware #hack #wireshark
DNS = Did Not Search properly.
@@tailsorange2872 😂
So here is a question:
Do Certs by like Hack The Box to name one, have any value for us in Europe?
Ore are there better Certs to get for real world employment.
Thanks for having me back David!
Thanks so much for sharing your knowledge and experience with us Chris!
I almost fell from my chair laughing. "ostrykebs" from this Polish URL is literally tanslated as "spicy kebab" I'm dying laughing, oh my god.
same XD. I initially didn't notice it due to how he pronounced it but then it hit me.
Thanks for translating! That's funny!
Yeah this mean spicy kebabs
It's malware because a good one burns twice. SRAM always makes my old ass giggle 👀
Absolutely brilliant, presentation is top notch as per usual without getting too heavy. As someone who is relatively competent but unqualified in IT, currently doing A+ with a view to Net+ then Sec+ this is fantastic, thank you both. Hopefully having additional knowledge of tools like this and knowing when to use it will be advantageous in getting a job in IT/cybersecurity.
When David and Chris bring out new videos out it's just a Christmas for me. Love both your channels and learning a lot in past years thanks to you two.
Keep up the fantastic job guys!
Excellent interview and especially the technical information, which helps us learn about vulnerabilities
This was soo much informative video david. Thanks for making all us more aware about it. Now ill be looking out for supecious dns queries. That was totally a new learning for me, i really like the full broken down of info where it starts making sense for us cybersecurity enthusiasts. Thanks for covering this david and chris ❤❤
You're welcome! If you want to read more, some cool information here: unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
Best lesson about DNS tunneling, thank you David Bombal and Chris Greer, I hope that in future you will show us how can be established that connection and sent real malicious commands
Thank you
it's always great to see collabs with Chris and see how he explains things
thanks for this David
Thank you!
Agreed. Chris is amazing!
Nice demonstration. Thank you David, thank you Chris
This is super cool man thank you for dropping this !
That technic I already know but I thanks you for sharing it. Good explained - I like your videos.
It was a great enlightenment, and sir this sort of content is what we look forward to, if we could get more recent attack patterns and techniques and how they work, how to mitigate them, it would be great
The channel is amazing, your knowledge, experience and humility towards teaching is commendable
❤❤
Great work
Thank you!
Loved it , love all your videos with Chris , full house of information
DNS TXT records have been used for a long time for all sorts of things, we used to them for digital scavenger hunts way back when, they are still often used today for Command and Control of botnets. However this is the first time I've seen it used to propagate a potential malware script. Pretty slick! Thanks for the info!
Glad you enjoyed the video Dave! Nice detailed explanation here: unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
Thanks, David great info
Great content, short but concise deep dive of DNS malware
Thank you, Dave and Chris, for this great informative video.
Thank you for the information!
This video is amazing!
I really like how everything has been explained, easy and clear.
Wireshark is not easy to use, at least for me, I absolutely need to document myself before any operstion, otherwise it's really hard to find the information I'm looking for.
Plus, this attack shouldn't be undervalued, as DNS is something that is not so secure as we may think.
Recently I've got my whole home network hacked: all devices were compromised, including the main router and smartphones.
Well, the point of failure in my case wasn't discovered, but there's an high chance that DNS had been compromised while disconnecting from a VPN service, or at least while using it.
I've saved some pcap files on some devices in this network, but after watching this video, I think that I wouldn't find this script injection, if it happened, then it happened before the pcap recording :-/
Be careful with VPNs services, your traffic will be camouflaged, but remember that you are not aware on where each node is located, and who has access to it.
Cheers
Thanks. Great session. 👍
iv heard about them before.. But didnt know this
Done some custom email creation. There i met with dns txt registries for 1st time
gosh jolly this was clarifying.
LOVE EVERY VID u folks make.
Very cool. Would like definitely to see more videos like this.
Excellent video as always. Seems like more of a reason to use quad9 an top of other protections.
Nice detailed explanation of this attack: unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
thank you! you read my mind David, I was gonna ask to do a video on DNS
This was an awesome video,I can always watch Chris and his packet talk lol.
Another gifts my two Best teatcher i learn so much from you guys keep giving
Sharing knowledge is caring! Thank you for your support Majid
I had not seen this attack method before, and I just finished 2 associates degrees (Cyberdefense & Digital Forensics, and Network Technologies Administration) and just passed my Security+, so, very cool stuff, here. I thought the DNS text record was what a RA would have an admin modify to prove ownership/control of a domain to satisfy a CA. Guess I was off.
David, any time you have Chris or Ed Harmoush (of PracNet) on, it's an absolute treat!
Thank you Scott! Agreed, Chris and Ed are amazing 😀
thanks David for sharing.
Another great informative video by David and Chris. Thanks guys👍🏻
You're welcome Hazy!
Great video. Picked up a few new gems about DNS. Thank you.
Great! Glad you learned something new :)
Thank you both for helping all of us learn about everything with Wireshark !
it's great, thanks so much teacher David
Enlightening as always David ji
Didn't know DNS could do that.Really amazing and educational video
I really appreciate this Sir.👍🏻
Chris is the wireshark king, I've learnt so much from him! Thanks for a great and interesting video
Agreed! Chris is amazing! Glad you enjoyed the video
I had no idea David :D
But thanks for learning us again
Packet capture is always fascinate me, thanks for sharing this mate. My question for Chris, is there any good place or training for whose who wants to learn packet capturing? I have also wonder what certification could we do which included packet analysis by wireshark.
I was aware of the existence of DNS TXT records from my dealing with setting up domain names for myself and others. I knew they could contain potentially malicious information, but I didn't know they could be used to piece together a set of commands to run a powershell command to further compromise a machine.
Nice detailed explanation here: unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
I did not know this could be done. Kudos!
Helpful video sir ❤
In the old days we used to call this executing data. It was a big no-no. In these days of publicly accessible networks I’m shocked it’s not only allowed, but permitted even in high level code! If I were a hacker this would be so easy and obvious.
Great lessons please David engage Chris for future explain how to capture Packets
How does chris have so maNY IPs up and being shown???? I never see any IPs. certain filter??? Great videos David. you have been such a great tool for a n newbie like me. You're dope bro! and the videos with your daughter are adorable and put a smile on my face after a long day of construction
Glad to see you are still out here David. I have been out of the game for a while. I am working on getting into pentesting
Never give up on your dreams!
@@davidbombal Thank you. 🙂
Did not know, thanks for the heads up. They should just close off this DNS text field, no knew it was there any way, so no one will miss it.
Except it's used for various reasons, main one I come across is verifying you own the domain when connecting it to a service
From layer 1 to 7 it's mean deep working magnificent, especially hardware building
great video----very usefull
very interesting, I'll keep this in mind
Best WireShark instructional videos I’ve seen for length/ learning time. The quality and quantity of videos you produce is incredible. Thanks!
Thank you! Chris is amazing!
Cool stuff. Thanks.
My Friend, you don't need to make these faces on thumbnails to get youtube clicks, you are way beyond that, awesome content, loving it!!!
Stok did a great video on a bug bounty where he used DNS to interact with a server and extract information like etc/passwd all through DNS and using burp collab
You got a link to his video?
@@davidbombal I'd love to see a collab with the both of you
I had no idea but it makes sense how it could happen
DNS: the root of all all evil. This is proof. Thanks for posting, David, & Chris.
It's always DNS! :(
Edit: Some people didn't get that this is a meme / joke, so leaving that here.
LOL. Good one. Root of all evil.
DNS is not the problem. The hacker could easily use a webpage, FTP or many other possibilities for the the malicious program. The hacker chose DNS because it's a simple data file that is really easy to use and doesn't check the data for validity. A PTR record should have a domain name but it could be the malicious program. TXT records can be anything the record owner wants and is very rarely used.
This is utterly terrifying. Thank you for pointing out what can happen if you carelessly switch to a well known DNS, expecting nothing bad and than kaboom....
Well it might be worth pointing out, your operating system alone will not take harm from Powershell code being present on some DNS entries. There already has to be malicious code on your box that just uses the DNS entries as an online repository for even more malicious code to be downloaded and executed after that. So the infection vectors are the same as always.
@@nonlinearsound-001 Thanks for pointing this out. If I may ask, what would you consider the most likely exploit that would „benefit“ the most of this kind of attack?
@@etliberarahastenichgesehen That varies a lot. It strongly depends on the code that is being read from the DNS entries. As Powershell is a scripting environment with a lot of connections deep into the operating system, the attacker can come up with all sorts of different attacks. Most likely though it will be a network and file system discovery phase to see how the attacker or the program can move laterally, a C2 contact attempt to establish a reverse shell environment or to send back information about the attacked box. With more information, a possible exploit can be chosen to setup persistence on the box or to brute force passwords and such. In corporate environments its always a good target to become a priviledged user on the domain to gain more information or rights to move further laterally.
I love this kind of staff
I am a bit new in this area. I have few questions:
1. How is the call initiated? It is said that by email?
1.1. Then, we click a link, it starts communication using dns server.
1.2. Then, the reply of dns server, they send txt as type of query. (We need a tutorial for dns queries).
1.3. So, does the dns, server were the hacker or sending scripts?
1.4. The clicked site, is sending scripts?
2. We need one more example to show after the packets were made up as a full string (script), then who (browser) will run the script?. So, far I know, we run serverside code to run any applications or a process on client laptop.
3. Or the script will run by browser as java script and do intended hack?
4. In what extent such scripts can do harm? For example, is it possible to get an .exe file to bring by script and paste in client pc.
Good stuff guys !😎
If I understand correctly, can be done w ICMP too.
Always intresting stuff
That was a great analysis, but what about DoH/DoT?
Great video, thank you so much. What can we do to protect ourselves from this kind of attacks? Are there any recommendations for firewall setup?
Extract from: unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
"Organizations can defend themselves against DNS tunneling in many different ways, whether using Palo Alto Networks’ Security Operating Platform, or Open Source technology. Defense can take many different forms such as, but not limited to, the following:
- Blocking domain-names (or IPs or geolocation regions) based on known reputation or perceived danger;
- Rules around “strange looking” DNS query strings;
- Rules around the length, type, or size of both outbound or inbound DNS queries;
- General hardening of the client operating systems and understanding the name resolution capabilities as well as their specific search order;
- User and/or system behavior analytics that automatically spot anomalies, such as new domains being accessed especially when the method of access and frequency are abnormal.
- Palo Alto Networks recently introduced a new DNS security service focused on blocking access to malicious domain names."
Yes, but that proces of data extraction from captured stream is awesome 🙂
@DavidBombal ;
Thanks for this video - I knew that DNS did more than IP/Hostname resolutions, but wasn't aware of this specific text field within DNS, nor that that field could be configured to be malicious, so thanks for this!!
I recently got subscribed to the Udemy classes you put out, including the CCNA, SSL, & WireShark.
I'm currently going thru the SSL course, & am VERY excited to start the WireShark courses - I'm HOPING that I'm going to come out the other side knowing more than I already do, thanks to @ChrisGreer ! I can't wait!!
Thanks again! 🙏❤️👌
Glad you learned something Mike. Nice detailed explanation here if you are interested: unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
@@davidbombal awesome info, David - thanks!
I developed the DNS server with C++ programming, then used the certificate and private key generated by openssl, then I installed the certificate in my browser, and it worked, Encrypted data can only be decrypted with a matching private key, making it difficult to brute force with SSL encryption
What I would like to know is who thought it would be a good idea to enable a library/framework to execute code stored in a text record like that in the first place.
If it was originally intended to simply store human-readable comments, then why is it even a thing for something else to execute code stored in a text record?
What library/framework(s) allow executing code from a text record? Why hasn't this been disabled?
Amazing content!!!
Thank you!
Cheers Mate.
Very interesting no i did not know this existed.
Now to see if i can mitigate with my pfsense
I'm still a bit confused on how the attack starts. Is it just by clicking a link? Or does the victim have to have run a script to interpret the TXT record?
Love these types.
Glad you enjoyed the video!
Everyday is a school day when you work in security. Thanks guys for a brilliant video ☺️
I have heard of this method, but I had never seen it demonstrated. I still wonder why the host system would actually run the initial script contained within the initial TXT query... I understand how the script could run its loop and pull down the entire 17 packets and assemble itself - but why would an initial query actually start the subsequent process?
@davidbombal where is the link of chris's threat hunting course ?
You are a saint,Thank you.
Extremely new to me but outstanding how things in systems and networks are still weak. With where we are today in should we not be above and over with criminals on the net?
Hello DAVID, this is not concerning this video but a recent video you did with PHILLIP WYLIE on Pentester Roadmap. I want to acknowledge you for hosting nerds like that, I really like everything he said from start to finish. They were very informative and I like the fact that at a point you mentioned you are an introvert. That is another part I am interested in. Can you please make videos on introverts who want to get into or are already into IT and Cybersecurity. I believe that would really be helpful for people who are very introverted but passionate in such careers. Thank you beforehand.
If you can also make a video giving an overview of your studio and everything you use for streaming your contents that would also be good. Thanks once again
Thank you. Phillip is a amazing and a wonderful person! Great suggestions :)
Are there valid uses of the TXT DNS record type that are still in use today?
In the late 90's I hacked a RTL driver to send/receive encoded messages in ping requests, it was a little slow but you don't need a lot of code to get something running.
what does RTL stand for?
Very creative. Love this ! Newbie here, but am slight edging all the way.
Try to spend some time every day learning something and you'll be amazed at how much you can learn. I really like the book Atomic Habits - small increases = big rewards.
Using a dns to attack is one of the few things i do know.
It's basically fetching payloads using DNS to bypass anti-virus
I did not know that about adding machine readable txt
How does it keep asking for the next TXT records? Certainly the first DNS call which may be from a phishing link couldn't execute any code from the TXT record?
@5:40 be careful when putting data on virustotal, especially when you are doing an audit (pentest) for a client.
without the enterprise licence this data is public so... yeah.
@Narutoes all your activity - including samples you uploaded (as long as you are on the free account/API) is public [or "considered" public].
Another excellent one, thanks David :D
You're welcome!
I've seen DNS used to smuggle data out of secure(ish) systems that stopped outgoing requests to unknown addresses but not via DNS.
Glad you learned something Benjamin. Nice detailed explanation here if you are interested: unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
What I still don't understand is how the script gets executed... Yes invoke expression but from where if that's par of the script
@DavidBombal - I never knew this type of attack was possible 🤯
Awesome❤
a question - we passed the strings to txt file, but what made the client machine to run the initial txt instructions?
7:09 or so, the first command
@@paulus9660 Yeah if the client machine is already compromised, you can't really say DNS is the culprit here. They might as well get the code payload from a normal http request.
@@paulus9660 thank you!
it looks like a stage, it will connect to the c2 to download and install the payload
Nice video David! It's always DNS ha! I can say with confidence that I did know this :D. I've used a similar method on a test to escape firewall resitrctions. There is a neat tool called Iodine which you can use to set up a tunnel between boxes and all commmunication is done through DNS. You can then SSH to the box over DNS... pretty remarkable. It's a common technique used by malware to call back to C2's. There is a video on my channel about the set up process if you wanted to see it in action. Takes you through setting up the DNS records to deploying the server and then initiating the connection.
i have a simple question how does the code run on the target machine even though it is a text record?
@@ahmed_goodgame995 I could be wrong but afaik there would need to be a client of some kind on the victim machine that processes the code within the DNS responses. I believe It's more of an obfuscation technique. I would be surprised if there was a direct way to perform RCE on a box from DNS responses. That would cause chaos.
that means that there is no way to get full access using link?
@@ahmed_goodgame995 I think you would need a trigger first. For example, a hacker could send a link to victim. The victim clicks link which then downloads some malware. The malware then performs DNS requests to the malicious domain and extracts the data in the TXT record and executes it. It can be useful as it can make the malware more dynamic and less detectable as it doesn’t contain the payload itself. Plus most organizations have DNS open so its likely to get through the firewall. Other than that, I honestly don’t see how it would work unless there is some huge vulnerability in DNS that I’m not aware of. Can you imagine the carnage it would cause if you could easily perform code execution through standard DNS request/responses?
@@ahmed_goodgame995 But never say never, if someone found a bug in a popular Operating System and the way it handles DNS then maybe it could be used to execute code. Something like a traditional overflow or sequence of characters contained within a TXT record that when processed by the client service causes unexpected behaviour. That’s speculation though and I’m sure these things are tested regularly. The thought of that is actually terrifying.
A question i am asking myself is there any actual legitmate use for the dns txt request type left? If no then there would be no good reason to keep it at all honestly
Nope. Didn't know that one. I came up with a data exfiltration method against hardened internal corporate networks using DNS about 15 years ago. I've not seen it ever mentioned, so it may still be novel.
Glad you learned something new!
So just to reiterate, the victim executes a script which then makes DNS requests, assembles the txt resource records, executes that assembled text file which makes a callback to a C2/attacker....?
Nice detailed explanation here: unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
Could you make some videos related to digital forensics ❤
This Is INTERESTING❗😃
ima network security student its very interesting to learn it