Mopp
Oct 29, 2004

Daman posted:

In DNS tunneling you'll usually get data via base32 encoding into subdomain requests. It'll look like random characters. Does that exist here? Would help a lot.

Otherwise I'd try the obvious that I can't via a phone. Use "042" as an XOR OTP, or "jml", or the last byte in one of those requests.

You might also consider the dot in responses as immutable, as a separator between a subdomain and a domain. If you know the domain, you could probably derive the XOR key using the bytes after the dot. Really the most unlikely solution.

No, the client is asking for known sites (for example: google.com) with an appended TXT field containing the data. The server replies with data in the TXT field as well. No trickery being done with subdomain requests.


Rufus Ping
Dec 27, 2006

I'm a Friend of Rodney Nano

Mopp posted:

the client is asking for known sites (for example: google.com) with an appended TXT field containing the data

I'm pretty sure this isn't how DNS works?

How is the additional data being incorporated into the query and what is its (legitimate) purpose? I've never heard of anything like this

RFC2324
Jun 7, 2012

http 418

Rufus Ping posted:

I'm pretty sure this isn't how DNS works?

How is the additional data being incorporated into the query and what is its (legitimate) purpose? I've never heard of anything like this

Pretty sure you can put anything you want in a TXT field.

Rufus Ping
Dec 27, 2006

I'm a Friend of Rodney Nano
He seemed to be suggesting the query had arbitrary data in it, not just the response. His original post appeared to show data going in both directions too.

Trabisnikof
Dec 24, 2005

Rufus Ping posted:

He seemed to be suggesting the query had arbitrary data in it, not just the response. His original post appeared to show data going in both directions too.

Right, that's a common technique in DNS tunneling https://www.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152

Space Gopher
Jul 31, 2006

BLITHERING IDIOT AND HARDCORE DURIAN APOLOGIST. LET ME TELL YOU WHY THIS SHIT DON'T STINK EVEN THOUGH WE ALL KNOW IT DOES BECAUSE I'M SUPER CULTURED.

Rufus Ping posted:

I'm pretty sure this isn't how DNS works?

How is the additional data being incorporated into the query and what is its (legitimate) purpose? I've never heard of anything like this

You query subdomains of a special DNS server that knows KNXGKYLLPFCE4UZB.mydomain.com isn't an actual request for a subdomain but actually a few bits of encoded data. (Preventing issues from caching, etc is left as an exercise for the reader)

Your server returns responses in the TXT field, or as a CNAME with another encoded domain.

The technique is really slow, but most people trust the DNS infrastructure to not do anything nefarious, and it'll happily route traffic for you even if IP-level stuff is blocked.

Rufus Ping
Dec 27, 2006

I'm a Friend of Rodney Nano
Thanks for the replies. I understand how subdomains can be used to smuggle arbitrary data in DNS queries, but Mopp says this is not what he is referring to, and I was wondering what other method there could be because I don't know of any.

Mopp posted:

No, the client is asking for known sites (for example: google.com) with an appended TXT field containing the data. The server replies with data in the TXT field as well. No trickery being done with subdomain requests.

Trabisnikof
Dec 24, 2005

Rufus Ping posted:

Thanks for the replies. I understand how subdomains can be used to smuggle arbitrary data in DNS queries, but Mopp says this is not what he is referring to, and I was wondering what other method there could be because I don't know of any.

It is smuggling the data inside the TXT record itself; you can do it with at least A, AAAA, CNAME, NS, TXT and MX records.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

Trabisnikof posted:

It is smuggling the data inside the TXT record itself; you can do it with at least A, AAAA, CNAME, NS, TXT and MX records.

That's sending data from the server to the client. You don't send a TXT record from the client to the server. How do you send data from the client to the server without that data being an encoded subdomain?

wyoak
Feb 14, 2005

a glass case of emotion

Fallen Rib
Yeah the client isn't going to be sending the server a TXT field, and if the queries are using common domains I don't even understand how the client and server would be talking to each other (unless the client is sending the DNS packets directly to the server, which seems to negate the biggest advantage of DNS tunneling to begin with).

wolrah
May 8, 2006
what?

wyoak posted:

Yeah the client isn't going to be sending the server a TXT field, and if the queries are using common domains I don't even understand how the client and server would be talking to each other (unless the client is sending the DNS packets directly to the server, which seems to negate the biggest advantage of DNS tunneling to begin with).

A lot of half-assed WiFi hotspot systems allow DNS traffic through across the board rather than just to their own servers before authentication. Same with ICMP.

In those cases you can get away with bastardizing the protocol a lot more rather than actually trying to make something work through real DNS resolvers.

maskenfreiheit
Dec 30, 2004
https://twitter.com/caseyjohnellis/status/887732940095889408

Gotta love when a branded exploit drops right before Defcon.

Introducing: Broadpwn

Space Gopher
Jul 31, 2006

BLITHERING IDIOT AND HARDCORE DURIAN APOLOGIST. LET ME TELL YOU WHY THIS SHIT DON'T STINK EVEN THOUGH WE ALL KNOW IT DOES BECAUSE I'M SUPER CULTURED.

wyoak posted:

Yeah the client isn't going to be sending the server a TXT field, and if the queries are using common domains I don't even understand how the client and server would be talking to each other (unless the client is sending the DNS packets directly to the server, which seems to negate the biggest advantage of DNS tunneling to begin with).

All DNS messages have the same format, and there's theoretically nothing to stop a client from appending answer sections with TXT records to its request (except that it doesn't make any sense, of course). Back when dinosaurs roamed the earth, this was actually valid under the RFC as an inverse query, although I'm not sure that anyone ever bothered to implement it and it was officially deprecated something like fifteen years ago.

I guess if you control the local client and its local DNS server, it'd be enough for a covert channel that might look kind of like legitimate traffic to somebody who wasn't inspecting too closely.

Space Gopher fucked around with this message at 03:07 on Jul 22, 2017
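As an added example (not code from the thread or from any tool it names), here is a Python checker for the two tunnelling indicators described in this post and in Space Gopher's earlier one: base32-looking subdomain labels like KNXGKYLLPFCE4UZB.mydomain.com, and a query whose header already claims answer records. The packets are constructed inline, and the length and entropy thresholds are assumptions.

```python
# Added example (not from the thread): flag two DNS-tunnelling indicators, long
# base32-looking subdomain labels such as KNXGKYLLPFCE4UZB.mydomain.com and a
# query (QR=0) that already claims answer records. Packets are constructed here.
import math
import struct
from collections import Counter

BASE32_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")

def parse_name(msg, offset):
    """Read an uncompressed QNAME; returns (labels, offset after the name)."""
    labels = []
    while True:
        length, offset = msg[offset], offset + 1
        if length == 0:
            return labels, offset
        if length & 0xC0:  # compression pointer, not expected in a question name
            raise ValueError("compressed name not supported in this example")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def shannon_entropy(s):
    """Bits per symbol; random base32 text sits near 5, real words well below 3."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def looks_encoded(label, min_len=12, min_entropy=3.0):
    """Heuristic (thresholds are assumptions): long, base32-only, high entropy."""
    up = label.upper()
    return (len(label) >= min_len and set(up) <= BASE32_ALPHABET
            and shannon_entropy(up) >= min_entropy)

def assess(msg):
    """Return the indicator names triggered by one DNS message."""
    # Fixed 12-byte header (RFC 1035 4.1.1); QR is the top bit of flags.
    _ident, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    labels, _ = parse_name(msg, 12)
    findings = []
    if any(looks_encoded(lbl) for lbl in labels[:-2]):  # skip domain + TLD
        findings.append("encoded-subdomain")
    if (flags >> 15) == 0 and ancount > 0:
        findings.append("answer-in-query")
    return findings

def build_query(name, txt_payload=None):
    """Constructed TXT query. If txt_payload is given, a TXT answer RR is
    appended to the query itself, mirroring the answer-section trick above."""
    ancount = 1 if txt_payload is not None else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, ancount, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", 16, 1)  # QTYPE=TXT, QCLASS=IN
    if txt_payload is not None:
        rdata = bytes([len(txt_payload)]) + txt_payload
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 60, len(rdata)) + rdata
    return msg
```

Run `assess(build_query("KNXGKYLLPFCE4UZB.mydomain.com"))` to see the first indicator and `assess(build_query("www.google.com", b"smuggled"))` to see the second; a real resolver log would be fed through the same `assess` after reassembling each message.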

Mopp
Oct 29, 2004

The scenario is tunneling from a corporate network using a compromised DNS server and a client. The challenge is decoding the data. I will try to post wireshark dumps tomorrow.

Absurd Alhazred
Mar 27, 2010

by Athanatos
https://twitter.com/SwiftOnSecurity/status/888941787255107584

andrew smash
Jun 26, 2006

smooth soul
This is the first time I have ever heard of Jake Paul, but what I could stand to watch of that video reinforces my deeply held prejudice that people with two first names should just be shoveled quietly into a ditch and forgotten.

Thanks Ants
May 21, 2004

#essereFerrari


"Meme war"

:jerkbag:

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


andrew smash posted:

This is the first time I have ever heard of Jake Paul, but what I could stand to watch of that video reinforces my deeply held prejudice that people with two first names should just be shoveled quietly into a ditch and forgotten.

"Jake paulers proved as the strongest army out there in this thread"

Mopp
Oct 29, 2004

Rufus Ping posted:

I'm pretty sure this isn't how DNS works?

How is the additional data being incorporated into the query and what is its (legitimate) purpose? I've never heard of anything like this


Space Gopher posted:

All DNS messages have the same format, and there's theoretically nothing to stop a client from appending answer sections with TXT records to its request (except that it doesn't make any sense, of course). Back when dinosaurs roamed the earth, this was actually valid under the RFC as an inverse query, although I'm not sure that anyone ever bothered to implement it and it was officially deprecated something like fifteen years ago.

I guess if you control the local client and its local DNS server, it'd be enough for a covert channel that might look kind of like legitimate traffic to somebody who wasn't inspecting too closely.

Alright, I've tried XORing with obvious OTPs but with no success. All Google examples of DNS tunnel CTFs show only base64 encoding, nothing like this.

I've added a screenshot of Wireshark to show the tunneling in more detail.

Three-Phase
Aug 5, 2006

by zen death robot

maskenfreiheit posted:

https://twitter.com/caseyjohnellis/status/887732940095889408

Gotta love when a branded exploit drops right before Defcon.

Introducing: Broadpwn

I am wondering if BroadPWN will also affect routers that use Broadcom chipsets too.

EDIT: I just checked on the other devices I have - they have different chipsets that are not Broadcom.

EDIT 2 (Electric Boogaloo): The Broadcom chipsets that are vulnerable were mentioned on Forbes as Broadcom BCM4354, 4358 and 4359 chips.

Three-Phase fucked around with this message at 17:08 on Jul 25, 2017

ufarn
May 30, 2009
If I have to hook up a smart tv to the internet, and I don't have a guest network, is the best thing to do to go wired or wireless where you hand it the login without knowing how it's handled?

Double Punctuation
Dec 30, 2009

Ships were made for sinking;
Whiskey made for drinking;
If we were made of cellophane
We'd all get stinking drunk much faster!
Good news, everyone!

(This is officially going to take longer than the death of XP, which is still getting updates through that loving registry hack.)

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

Double Punctuation posted:

Good news, everyone!

(This is officially going to take longer than the death of XP, which is still getting updates through that loving registry hack.)

I'm getting 500 errors from that link.

CLAM DOWN
Feb 13, 2007

I'm so excited and I'm gonna use this as ammo to get rid of flash right now rather than wait. Also lol we're still on the version of vcenter that uses flash.

orange sky
May 7, 2007

wait what I just spent a million on a flash-only storage gently caress this

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

orange sky posted:

wait what I just spent a million on a flash-only storage gently caress this

:downsrim:

Daman
Oct 28, 2011

Mopp posted:

Alright, I've tried XORing with obvious OTPs but with no success. All Google examples of DNS tunnel CTFs show only base64 encoding, nothing like this.

I've added a screenshot of Wireshark to show the tunneling in more detail.


oh cool that one looks way closer to some protocol stuck as hex text in that field

0x11 and 0x05 are probably key to understanding the stupid protocol. 0x11 is probably a length, the 0x05 is something else. if 0x11 is a length, then it could be a USHORT so the zero byte before or after it may be a part of it. my guess is the following zero byte is a part of the value, same with 0x05 if they're both little endian USHORT. I'd treat 0x05 as an xor otp or look for five things occurring.

one of the bytes that's zeroed there is probably the packet type or sequence number. probably the first one.

you're likely going to see initiating messages that look like that one, and then messages that follow will probably look very similar to each other until some entire payload data is transferred. then there will likely be another message similar to the first somewhere.

you probably need to look at the entire big picture like that to understand it and guess at what to use to xor better.

also this is super similar to one of a consulting group's interview questions lol

check if domains reappear and payloads to the same domain look similar

Daman fucked around with this message at 06:30 on Jul 26, 2017

Mopp
Oct 29, 2004

Daman posted:

oh cool that one looks way closer to some protocol stuck as hex text in that field

0x11 and 0x05 are probably key to understanding the stupid protocol. 0x11 is probably a length, the 0x05 is something else. if 0x11 is a length, then it could be a USHORT so the zero byte before or after it may be a part of it. my guess is the following zero byte is a part of the value, same with 0x05 if they're both little endian USHORT. I'd treat 0x05 as an xor otp or look for five things occurring.

one of the bytes that's zeroed there is probably the packet type or sequence number. probably the first one.

you're likely going to see initiating messages that look like that one, and then messages that follow will probably look very similar to each other until some entire payload data is transferred. then there will likely be another message similar to the first somewhere.

you probably need to look at the entire big picture like that to understand it and guess at what to use to xor better.

also this is super similar to one of a consulting group's interview questions lol

check if domains reappear and payloads to the same domain look similar

I'm not sure that XORing is a method used in this CTF if the password is sent in cleartext. If it is encrypted, then it is more likely to be using a weak method that can be attacked rather than extracting a cleartext password. This is speaking from previous ctfs.

I'll look into if any available tunneling tool is used (not iodine, but maybe dnscat2) and will report back.

Furism
Feb 21, 2006

Live long and headbang

orange sky posted:

wait what I just spent a million on a flash-only storage gently caress this

Aren't you afraid they make lovely technological decisions if their GUI is in Flash? And you trust them for storage?

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


Furism posted:

Aren't you afraid they make lovely technological decisions if their GUI is in Flash? And you trust them for storage?

flash storage is solid state desu

Furism
Feb 21, 2006

Live long and headbang

Cup Runneth Over posted:

flash storage is solid state desu

Oh for gently caress sake, that joke went straight over my head, didn't it

:smith:

orange sky
May 7, 2007

Ahahah

BlankSystemDaemon
Mar 13, 2009

In what can only be described as the least shocking turn of events since water was discovered to be wet, AMD/ARM TrustZone turns out to not be much better than Intel ME.

Mopp
Oct 29, 2004

Mopp posted:

I'm not sure that XORing is a method used in this CTF if the password is sent in cleartext. If it is encrypted, then it is more likely to be using a weak method that can be attacked rather than extracting a cleartext password. This is speaking from previous ctfs.

I'll look into if any available tunneling tool is used (not iodine, but maybe dnscat2) and will report back.

OK, I managed to crack the first part and got two flags. It looks like the traffic gets encrypted after this exchange.

code:
S[80]: "4plugin:{
	'seed_key_arg1':1095923727,'
	arch':'x86',
	seed_key:'U\x89\xe5\x83\xec\x bla bla bla',
	'crypt':'U\x89\xe5\x81\x00\x89\x02\x83\xc2\x04\xb8\x00g bla bla bla'}"
C[81]: "plugin{'seed_key_arg2':3459613537, 'seed_key_arg3':2312051101}"
S[82]: 'got it'

Mopp fucked around with this message at 18:19 on Jul 26, 2017

ChubbyThePhat
Dec 22, 2006

Who nico nico needs anyone else

Mopp posted:

OK, I managed to crack the first part and got two flags. It looks like the traffic gets encrypted after this exchange.

code:
S[80]: "4plugin:{
	'seed_key_arg1':1095923727,'
	arch':'x86',
	seed_key:'U\x89\xe5\x83\xec\x bla bla bla',
	'crypt':'U\x89\xe5\x81\x00\x89\x02\x83\xc2\x04\xb8\x00g bla bla bla'}"
C[81]: "plugin{'seed_key_arg2':3459613537, 'seed_key_arg3':2312051101}"
S[82]: 'got it'

drat this actually looks fun.

LochNessMonster
Feb 3, 2005

I need about three fitty


ChubbyThePhat posted:

drat this actually looks fun.

It does. Are there tutorials that teach you these kinds of things? Because I'm reading this with close attention but would have no clue where to begin on stuff like this.

CLAM DOWN
Feb 13, 2007

https://blogs.technet.microsoft.com/msrc/2017/07/26/announcing-the-windows-bounty-program/

MS launched a bug bounty program, $250k USD for a Hyper-V RCE :stare:

Sheep
Jul 24, 2003
How long until Tavis buys a boat with Microsoft bug bounty money?

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

I think p0 members decline (donate?) bounties. Most professional firms do, IME.


rafikki
Mar 8, 2008

I see what you did there. (It's pretty easy, since ducks have a field of vision spanning 340 degrees.)

~SMcD


Shamelessly stolen from elsewhere
