Daman posted: in dns tunneling you'll usually get data via base32 encoding into subdomain requests. it'll look like random characters. does that exist here? would help a lot.

No, the client is asking for known sites (for example: google.com) with an appended TXT field containing the data. The server replies with data in the TXT field as well. No trickery being done with subdomain requests.

Jul 20, 2017 21:16

Mopp posted: the client is asking for known sites (for example: google.com) with an appended TXT field containing the data

I'm pretty sure this isn't how DNS works? How is the additional data being incorporated into the query and what is its (legitimate) purpose? I've never heard of anything like this.

Jul 20, 2017 22:03

Rufus Ping posted: I'm pretty sure this isn't how DNS works?

Pretty sure you can put anything you want in a TXT field.

Jul 21, 2017 03:00

He seemed to be suggesting the query had arbitrary data in it, not just the response. His original post appeared to show data going in both directions too.

Jul 21, 2017 03:21

Rufus Ping posted: He seemed to be suggesting the query had arbitrary data in it, not just the response. His original post appeared to show data going in both directions too.

Right, that's a common technique in DNS tunneling: https://www.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152

Jul 21, 2017 03:29

Rufus Ping posted: I'm pretty sure this isn't how DNS works?

You query subdomains of a special DNS server that knows KNXGKYLLPFCE4UZB.mydomain.com isn't an actual request for a subdomain but actually a few bits of encoded data. (Preventing issues from caching, etc. is left as an exercise for the reader.) Your server returns responses in the TXT field, or as a CNAME with another encoded domain. The technique is really slow, but most people trust the DNS infrastructure to not do anything nefarious, and it'll happily route traffic for you even if IP-level stuff is blocked.

Jul 21, 2017 03:46

Thanks for the replies. I understand how subdomains can be used to smuggle arbitrary data in DNS queries, but Mopp says this is not what he is referring to, and I was wondering what other method there could be because I don't know of any.

Mopp posted: No, the client is asking for known sites (for example: google.com) with an appended TXT field containing the data. The server replies with data in the TXT field as well. No trickery being done with subdomain requests.

Jul 21, 2017 04:56

Rufus Ping posted: Thanks for the replies. I understand how subdomains can be used to smuggle arbitrary data in DNS queries, but Mopp says this is not what he is referring to, and I was wondering what other method there could be because I don't know of any.

It is smuggling the data inside the TXT record itself. You can do it with at least A, AAAA, CNAME, NS, TXT and MX records.

Jul 21, 2017 05:46

Trabisnikof posted: It is smuggling the data inside the TXT record itself. You can do it with at least A, AAAA, CNAME, NS, TXT and MX records.

Jul 21, 2017 07:58

Yeah the client isn't going to be sending the server a TXT field, and if the queries are using common domains I don't even understand how the client and server would be talking to each other (unless the client is sending the DNS packets directly to the server, which seems to negate the biggest advantage of DNS tunneling to begin with).

Jul 21, 2017 16:53

wyoak posted: Yeah the client isn't going to be sending the server a TXT field, and if the queries are using common domains I don't even understand how the client and server would be talking to each other (unless the client is sending the DNS packets directly to the server, which seems to negate the biggest advantage of DNS tunneling to begin with).

A lot of half-assed WiFi hotspot systems allow DNS traffic through across the board rather than just to their own servers before authentication. Same with ICMP. In those cases you can get away with bastardizing the protocol a lot more rather than actually trying to make something work through real DNS resolvers.

Jul 21, 2017 16:56

https://twitter.com/caseyjohnellis/status/887732940095889408

Gotta love when a branded exploit drops right before Defcon. Introducing: Broadpwn

Jul 21, 2017 17:00

wyoak posted: Yeah the client isn't going to be sending the server a TXT field, and if the queries are using common domains I don't even understand how the client and server would be talking to each other (unless the client is sending the DNS packets directly to the server, which seems to negate the biggest advantage of DNS tunneling to begin with).

All DNS messages have the same format, and there's theoretically nothing to stop a client from appending answer sections with TXT records to its request (except that it doesn't make any sense, of course). Back when dinosaurs roamed the earth, this was actually valid under the RFC as an inverse query, although I'm not sure that anyone ever bothered to implement it and it was officially deprecated something like fifteen years ago. I guess if you control the local client and its local DNS server, it'd be enough for a covert channel that might look kind of like legitimate traffic to somebody who wasn't inspecting too closely.

Space Gopher fucked around with this message at 03:07 on Jul 22, 2017

Jul 22, 2017 03:04

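Both channels discussed in the thread leave a tell on the wire: a query message (QR=0) that carries answer records, as Space Gopher describes, and a base32 label such as KNXGKYLLPFCE4UZB in the query name. The following is an added example, not code from anyone in the thread; the sample DNS messages, `build_query` and `inspect_query` are constructed here for illustration rather than taken from any capture posted.

```python
import re
import struct

# Constructed sample queries (not the thread's capture) exercise both checks below.
def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_query(qname, txt_payload=None):
    # Standard TXT query; optionally append a TXT "answer" to the query, QR still 0.
    ancount = 1 if txt_payload is not None else 0
    msg = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, ancount, 0, 0)  # ID, flags RD=1, counts
    msg += encode_name(qname) + struct.pack(">HH", 16, 1)         # QTYPE=TXT, QCLASS=IN
    if txt_payload is not None:
        rdata = bytes([len(txt_payload)]) + txt_payload            # TXT <character-string>
        msg += encode_name(qname) + struct.pack(">HHIH", 16, 1, 60, len(rdata)) + rdata
    return msg

def parse_name(msg, off):
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return labels, off + 1
        if n & 0xC0:  # compression pointer; not expected in a question name
            raise ValueError("compressed name not supported")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n

def looks_base32(label):
    # Unpadded base32 alphabet in whole 8-char quanta (16+ chars), e.g. KNXGKYLLPFCE4UZB.
    return re.fullmatch(r"(?:[A-Z2-7]{8}){2,}", label) is not None

def inspect_query(msg):
    # Findings for one DNS message; responses (QR=1) are skipped.
    findings = []
    _, flags, qd, an, ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x8000:
        return findings
    off = 12
    for _ in range(qd):
        labels, off = parse_name(msg, off)
        off += 4  # skip QTYPE and QCLASS
        if any(looks_base32(l) for l in labels):
            findings.append("base32-like label in " + ".".join(labels))
    if an or ns:  # ARCOUNT alone is not flagged: an EDNS0 OPT record there is normal
        findings.append(f"query carries {an} answer and {ns} authority records")
    return findings
```

Run `inspect_query` over query payloads pulled from a capture; a normal query for google.com produces no findings, while either tell produces one line per message.
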
The scenario is tunneling from a corporate network using a compromised DNS server and a client. The challenge is decoding the data. I will try to post wireshark dumps tomorrow.

Jul 22, 2017 16:22

https://twitter.com/SwiftOnSecurity/status/888941787255107584

Jul 23, 2017 04:22

This is the first time I have ever heard of Jake Paul, but what I could stand to watch of that video reinforces my deeply held prejudice that people with two first names should just be shoveled quietly into a ditch and forgotten.

Jul 23, 2017 05:55

"Meme war"

Jul 23, 2017 11:02

andrew smash posted: This is the first time i have ever heard of jake paul but what i could stand to watch of that video reinforces my deeply held prejudice that people with two first names should just be shoveled quietly into a ditch and forgotten

"Jake paulers proved as the strongest army out there in this thread"

Jul 23, 2017 14:20

Rufus Ping posted: I'm pretty sure this isn't how DNS works?

Space Gopher posted: All DNS messages have the same format, and there's theoretically nothing to stop a client from appending answer sections with TXT records to its request (except that it doesn't make any sense, of course). Back when dinosaurs roamed the earth, this was actually valid under the RFC as an inverse query, although I'm not sure that anyone ever bothered to implement it and it was officially deprecated something like fifteen years ago.

Alright, I've tried XORing with obvious OTPs but with no success. All Google examples of DNS tunnel CTFs show only base64 encoding, nothing like this. I've added a screenshot of Wireshark to show the tunneling in more detail.

Jul 25, 2017 15:48

maskenfreiheit posted: https://twitter.com/caseyjohnellis/status/887732940095889408

I am wondering if BroadPWN will also affect routers that use Broadcom chipsets too.

EDIT: I just checked on the other devices I have - they have different chipsets that are not Broadcom.

EDIT 2 (Electric Boogaloo): The Broadcom chipsets that are vulnerable were mentioned on Forbes as Broadcom BCM4354, 4358 and 4359 chips.

Three-Phase fucked around with this message at 17:08 on Jul 25, 2017

Jul 25, 2017 16:13

If I have to hook up a smart tv to the internet, and I don't have a guest network, is the best thing to do to go wired or wireless where you hand it the login without knowing how it's handled?

Jul 25, 2017 18:30

Good news, everyone! (This is officially going to take longer than the death of XP, which is still getting updates through that loving registry hack.)

Jul 25, 2017 19:03

Double Punctuation posted: Good news, everyone!

Jul 25, 2017 19:09

I'm so excited and I'm gonna use this as ammo to get rid of flash right now rather than wait. Also lol we're still on the version of vcenter that uses flash.

Jul 25, 2017 19:27

Wait, what? I just spent a million on flash-only storage. gently caress this.

Jul 26, 2017 00:14

orange sky posted: Wait, what? I just spent a million on flash-only storage. gently caress this.

Jul 26, 2017 00:20

Mopp posted: Alright, I've tried XORing with obvious OTPs but with no success. All Google examples of DNS tunnel CTFs show only base64 encoding, nothing like this.

Oh cool, that one looks way closer to some protocol stuck as hex text in that field. 0x11 and 0x05 are probably key to understanding the stupid protocol. 0x11 is probably a length, the 0x05 is something else. If 0x11 is a length, then it could be a USHORT, so the zero byte before or after it may be a part of it. My guess is the following zero byte is a part of the value, same with 0x05 if they're both little endian USHORTs. I'd treat 0x05 as an XOR OTP or look for five things occurring.

One of the bytes that's zeroed there is probably the packet type or sequence number, probably the first one. You're likely going to see initiating messages that look like that one, and then messages that follow will probably look very similar to each other until some entire payload data is transferred. Then there will likely be another message similar to the first somewhere. You probably need to look at the entire big picture like that to understand it and guess at what to use to XOR better.

Also, this is super similar to one of a consulting group's interview questions lol. Check if domains reappear and payloads to the same domain look similar.

Daman fucked around with this message at 06:30 on Jul 26, 2017

Jul 26, 2017 06:24

Daman posted: oh cool that one looks way closer to some protocol stuck as hex text in that field

I'm not sure that XORing is a method used in this CTF if the password is sent in cleartext. If it is encrypted, then it is more likely to be using a weak method that can be attacked rather than extracting a cleartext password. This is speaking from previous ctfs. I'll look into if any available tunneling tool is used (not iodine, but maybe dnscat2) and will report back.

Jul 26, 2017 08:27

orange sky posted: Wait, what? I just spent a million on flash-only storage. gently caress this.

Aren't you afraid they make lovely technological decisions if their GUI is in Flash? And you trust them for storage?

Jul 26, 2017 09:06

Furism posted: Aren't you afraid they make lovely technological decisions if their GUI is in Flash? And you trust them for storage?

flash storage is solid state desu

Jul 26, 2017 09:08

Cup Runneth Over posted: flash storage is solid state desu

Oh for gently caress sake, that joke went straight over my head, hasn't it.

Jul 26, 2017 09:43

Ahahah

Jul 26, 2017 10:03

In what can only be described as the least shocking turn of events since water was discovered to be wet, AMD/ARM TrustZone turns out to not be much better than Intel ME.

Jul 26, 2017 10:42

Mopp posted: I'm not sure that XORing is a method used in this CTF if the password is sent in cleartext. If it is encrypted, then it is more likely to be using a weak method that can be attacked rather than extracting a cleartext password. This is speaking from previous ctfs.

OK, I managed to crack the first part and got two flags. It looks like the traffic gets encrypted after this exchange.

code:

Mopp fucked around with this message at 18:19 on Jul 26, 2017

Jul 26, 2017 17:42

Mopp posted: OK, I managed to crack the first part and got two flags. It looks like the traffic gets encrypted after this exchange.

drat, this actually looks fun.

Jul 26, 2017 18:33

ChubbyThePhat posted: drat, this actually looks fun.

It does. Are there tutorials that teach you these kinds of things? Because I'm reading this with close attention but would have no clue where to begin on stuff like this.

Jul 26, 2017 20:05

https://blogs.technet.microsoft.com/msrc/2017/07/26/announcing-the-windows-bounty-program/

MS launched a bug bounty program, $250k USD for a Hyper-V RCE

Jul 27, 2017 07:08

How long until Tavis buys a boat with Microsoft bug bounty money?

Jul 27, 2017 13:33

I think p0 members decline (donate?) bounties. Most professional firms do, IME.

Jul 27, 2017 13:35

Shamelessly stolen from elsewhere

Jul 27, 2017 13:39