- I really wanna thank Brilliant for their fantastic partnership and for sponsoring this video. It doesn't matter if you
wanna learn cybersecurity, ethical hacking, networking, artificial intelligence, programming. You need to learn about numbering systems. In this example, I've captured some network traffic. I'm capturing traffic sent to and from this router. Notice the format of this number, fe80 sending traffic to ff02. What numbering system is this? This is IP version 6, and these are hexadecimal numbers. Hexadecimal is only one numbering system that you need to learn. Another one is binary. Do you understand this joke? There are two types of people in this world, those that understand binary and those that don't. You need to understand binary. You need to understand hexadecimal. You need to understand decimal. It's important that you understand numbering systems. Again, doesn't matter if you wanna be a network engineer, doesn't matter if you want to do programming, artificial intelligence, et cetera. You need to learn this. And there's no better place to learn math and computer science than Brilliant. Brilliant gives you some history of how numbers were used by different cultures, and then moves on to modern applications of decimal, binary, and hexadecimal. Brilliant goes beyond the basics when it comes to teaching you numbering systems in binary, and helps you develop a more well-rounded understanding and intuition surrounding numbering systems. If you want an easy interactive way to learn, then Brilliant is the answer for you. Brilliant now offers a 30-day trial with a 20% discount if you sign up using my link brilliant.org/davidbombal. I really wanna thank Brilliant, again, for the partnership and for sponsoring this video. For everyone who's watching, Chris is gonna show us something really cool with DNS. Please put in the comments below: did you know this? So when you've finished watching this video or part of the video, put in the comments below, did you actually know that this was possible to do with DNS, and that DNS could be used as a way to attack your clients? As they commonly say, it's always DNS' fault. And here's another example of where DNS could be used by a malicious actor to attack your network.
- Yeah, David. And this one gets a little bit scary. And, really, the intent here is that this would, if we don't have a properly configured IDS or IPS system. The idea here is that this could walk right by, that it's buried in plain sight, right? So that's what makes this example so interesting.
- I think a lot of people are under the misconception that DNS is just used to resolve a domain name like Packet Pioneer to an IP address. But actually, you're gonna show us that it can do a lot more than that, right?
- Yes, exactly. So that's exactly what many people just think DNS only does. Here's an IP address, what's a name? Or here's a name, what's an IP address? But DNS can do a whole lot more. And let's take a look. Now, as you mentioned before, this is an example, and this is actually taken from a course that I've been teaching on threat hunting with Wireshark, and we'll talk a bit more about that course later. But this specific example, can you see my screen okay?
- Yeah.
- So if we just take a walk through it, just take a breeze through it real quick, we can see that a lot of it is DNS, okay? So if I just go up to the top, I can see that the one that is sending the DNS requests is this 101.121 device. So we're gonna call that our client, okay? So this client is initially talking to this, allegedly, 8.8.8.8 server. (David chuckles) Now we know from that, a lot of us use that as Google DNS. However, in this case, there's something interesting that happens, and that's why we know that we might not be directly talking out to that server itself. So I wanna show you something. So we send this request for a reverse record for 8.8.8.8. We're just asking who is the name that's associated with this IP. If I come down to the response, here, I can see, if I go down to DNS, here's their answer. And blah, blah, blah. Coming down here to the lower left, you can see dns.google. Okay, if I take a look at the next query. This time, so here, we can see that the client is requesting a TXT record, all right? So, l.ns.ostrykebs.pl. Okay, so what does that mean? Well, let's just take a look at this request a little bit closer. So with DNS, DNS is more than just IP addresses and names. DNS has the ability to do different types of requests. So the query type in this case is a TXT string. Just a note about that, David, real quick, I'm just bringing in my browser here. There's a really nice description on Cloudflare. This is a quick one that I was able to find, but just what is that DNS TXT record? Well, if we take a look at Cloudflare, I thought this was a really good description of what it is. And basically, what it does is it allows us... Originally, it was intended as a place for human-readable notes to be in records. However, now it's possible to put some machine-readable data into TXT records, and that's where things get interesting. So basically, it's a way of putting TXT in a DNS reply. Okay? So a bit more detail in there if you want to go dig in through that. However, I'd rather demo this for you. So, let me come back to my PCAP. Now we're asking for a TXT record, and we're also asking for this interesting-looking site. Something that I like to do and like to teach others to do is when you see a site that you're not quite sure about, one thing that we can do is always use VirusTotal to take a closer look at it. Okay, so what I'm gonna do, I'm just gonna right-click and I'm just gonna do Copy, Value, so I can pull that right out of the packet. And I'm just gonna peek into VirusTotal, this is something that I like to encourage people to do when you see a DNS record or anything, really, that just looks funny, okay? So I just put this into the search and I'm gonna say, "Okay, let's go get it." And what this does is it looks up that DNS name, and it goes to some common vendors and checks to see if it's okay. Well, what do you think, David? Are we dealing with malware or not?
- It looks like it, doesn't it?
- It sure does. Yeah. Doesn't look too happy. Okay, so let's go back into our packet capture. All right, so we go and we ask for a TXT record from this server. So let's see what happens, or rather in this record. Let's see what happens. So this alleged 8.8.8.8 address, which may or may not be true. We come down. Let's take a look at the TXT record that's returned for this lookup. And this is where we get this TXT record. Now, David, we don't have to be super amazing coders and scripters, and all the things. Does this look like a good, nice, happy DNS record to you?
nice, happy DNS record to you? - [David] (chuckles) Yeah,
right. But a code, right? - Yeah, this is code. So let's do this. I'm just gonna take a look. - [David] There's a while
loop or something in there. It's matching something. - Excellent. Exactly. So, right away, we can
see this isn't happy. In fact, this is what I'm gonna do. I'm just gonna take and I'm
just going to copy this as well. Or you know what I could do
real quick? Let me just do this. Let me just right-click and I'm just gonna do Show Packet Bytes. Now this is where I can
see this full string, and that's just basically
typed out for me. And without going too deep into the weeds on the string itself. Basically, what this is doing
is it's giving an instruction to the client to continually come back and ask more questions for
more pieces of this code. And then when it's finished,
it will then execute that code. All right. So, let's
actually see how that works. So this is just the initial request, okay? So this just came in from this server, but now, check this out. So now we're gonna go to a local box, which has absolutely been compromised. And if I come down here, now this is basically in a
demo environment this was run, but let's go ahead and start
to take a look at some more of these DNS records. So now, this client, this client is now
starting to do the bidding of the attacker. It's going to 100.2 DNS, hitting us on 53. And let's take a look at what's happening. So first, here we have this first request, it's going to l.1.ns. Okay, give me your TXT. This server comes back, or alleged server comes back and says, "Oh, great. Thank you. Here's your first instruction, .1" Now, truncated. So this TXT record, it's keeping it small,
basically, so to speak. So what we're trying to
do here is we're trying not to do this massive
script in one DNS packet, because that might trigger
an IDS system, an IPS system, and say, "Whoa, whoa, whoa. Wait a second. You have a huge DNS record
or a very large DNS packet. That can't be good." 'Cause usually DNS requests and responses are smaller packets, you
know, 200 bytes-ish or so. Here's 254 bytes. This
TXT record comes back. Check it out. Does that look
dangerous to you necessarily? - [David] Yeah, it's
encoded in a weird way, but- - Yeah. On it on its own,
it doesn't look too crazy. But if we go back to
that original request, we notice that there was actually Base64 in the previous request. And you come down here,
you can see in Wireshark, I can do a Decode as,
and I'm gonna say Base64. Now when I decode it as Base64, what's our thought here, David? Do you think we're starting
to see some safe things? - [David] Yeah, it looks extreme. More and more dodgy, right? - Yeah, right? This probably isn't something I wanna see just in a TXT value coming back from DNS. Okay, so let's just remember that. Okay, there's that one. And if I close this, I'm
gonna come back to my packets. We do another query, but
this time it's for l.2. So the first one was .1, this is .2. Okay, we do a TXT query. Same thing. Let's kick back. Let's
see what it sends us. Now another 254, gonna come down here, going to right-click, Show Packet Bytes. I'm gonna come up here, and this is where I can decode as Base64. Uh-oh.
- Oh. - This looks like the
next chunk of that script. Okay, so what's happening is
we're requesting, basically, this script and we're
getting sent this chunk, one chunk at a time. 254 bytes at a time. So you can see request. This
is 1, 2, 3, 4, 5, right? So six, all of these different ones. So all these different pieces. Well, what happens when the
client gets all those pieces, extracts that TXT, and
puts it all together? That's what we wanna find out. So the next thing I'm gonna do, David, is I wanna show you something super cool that we can do on the command
line with Terminal Shark. All right, so I just showed you, in Wireshark, we can see
that we have these obfuscated or encoded pieces of a script
that are being sent over DNS. All right, so here I
am on the command line, and one reason why I do this
is because I can take TShark, and I can throw a packet capture at it, and I can extract certain fields from those packets using TShark, and put them all in one place. You can do this with other tools. For me, it's just something
I like to do with TShark. So, Terminal Shark. So this is what I'm gonna do. I'm gonna say tshark, all
right, that calls that utility, which by the way, David, if you install Wireshark by default, TShark will get installed as well. So you already have this in your machine if you've installed Wireshark. All right, so the first thing I need to do is just tell it to read. So, I'm gonna read in. And as I recall, I'm just gonna look... C2 analysis, that was
the name of our file. So, C2Analysis.pcapng. All right, and so now I'm
gonna throw a filter at it. I'm gonna do .y or -y.
That's how I set a filter. And what I wanna do is
I just want to filter for all packets coming back. Basically, these 347s. And I want to... If I click on this string down here, if I go down to the lower left I can see that this is showing
me that this string value, or this location rather,
in DNS, is dns.txt. All right, so if I just
set a filter for this, so let's just do that, dns.txt, enter. What I see is I'm getting
all of the responses from that server, right? Because they actually have
a dns.txt value in them. So that's gonna be a good filter for me. So let's just do this, dns.txt. Great. Now what I wanna do is I
wanna extract that field out. So I'm just gonna do this,
I'm gonna do, it's called -T, and then what I do is I'd say "fields." So that tells me go into
whatever field I specify and print that out to
my command line for me. Now, which field do I want?
-e, I'm gonna do dns.txt. All right, now if I execute this, do we see what we're doing here? TShark, hey, go read this
PCAP, use this filter, and pull out this field. Now I have all of those
strings in one place for me. So, David, I'm going to introduce you to another buddy of mine,
and that is CyberChef. So it allows us to take different strings and whatever's been encoded, decoded, and tinker around with it. So I'm gonna go ahead and
input that string here. So here's all the messy code, but let's go ahead and say From Base64. So, this will decode it. And now, we have the full string,
or the full script rather. So you and I can now begin
to look through this and see, "Hey, if this was sent to a victim machine and it ran this script, what would it do?" Well, here, I'm not the best person in the universe with scripting. Maybe together we can help
sort out some of this. So basically, what we're
doing is we're saying, "Hey, go look for or get a
TXT value from that server, and I want you to pull
out that TXT information, and I want you to loop and do this until you get a full string." Once you get this full script back, if we come down here,
this is the type of stuff that my eye looks for,
what are you gonna do? Well, you're gonna reassemble it. And then this guy, IEX. So, what is that? Well, pop that in Google and just IEX, right there in a PowerShell script. This is Invoke-Expression. Okay. Well, that can't be good. So that means that I'm
sending you pieces of a script and as soon as you get all
the pieces, invoke it, do it. Okay? And we can see sendResult. So, what starts to happen here
is after the victim machine gets all of these pieces of
the script and invokes it, the next aspect of this attack is it's now starts
sending instructions back. Now we actually start to
see a callback conversation. That can be heavily encoded between the attacker
and the victim machine. Using DNS TXT fields is the way that that first instruction gets sent, and it's sent in pieces to try to float below the radar of an IDS or IPS. Once it's actually all
pulled out and executed, now that invoke-expression
makes that machine call back to our server and
we can begin to control it. - Yeah, like how does the
very first step happen? Is it something to do with the DNS, so that machine is compromised somehow to go to the wrong DNS server, or how does the initial thing kickoff to actually request that TXT file? 'Cause you've shown us the DNS and then it's requesting the TXT file, but how does it actually
start that process? - David, that's a great question. So I would imagine a few
ways that this could happen. One, standard good old phishing, sending a user a link,
and then redirecting them to a malicious device that
then further runs a script. Spoofing a DNS server, (chuckles) acting like we're the one, the authority. - I'm the captain now. - And initially, we're going out to an allegedly known address, and we're doing this
lookup for what looks like to be a good DNS record. But then that record gets implanted and the TXT is what
actually starts the script. So initially, this
client is just going out and asking this question. But in order to ask that question, how did that get to them,
how did they begin that? Probably from some type
of phishing attack. - But it's amazing. I mean the fact that,
you, doing a DNS query like what you're showing
on the screen there, and then the answer is he has a TXT file. - Exactly.
(David chuckles) - And the DNS server can
just control that client to pull down some crazy TXT. - Yeah, so it's interesting how this malware could be
implanted using the TXT string of a DNS query. I think this is just crazy. - As they always say,
Chris, it's always DNS. - (chuckles) Right. That is true. And this is also why modern IDS systems are gonna be taking a much closer look at inspecting DNS, right? It used to be that this
kind of thing, probably, would just walk right by. But now, if you have a string like this or if I come back down to
one of the previous records we were looking at, even a Base64 encoded
string isn't as complicated to decode for our detection systems. Because this was so prevalent, and it was about about 2017, '18, was where we started seeing this. Basically, the malware
is called DNSMessenger, and it was really designed to illustrate how this could happen, how we could bury C2 traffic in DNS calls. Thankfully, now, many systems are tuned to be able to detect this
better than at that time. However, it's still something
we wanna be aware of and how we could deliver that using DNS. - Chris, that's amazing. So, thanks so much for
showing us this example. What I really love about what
you do is you always take it down to the wire where you
can actually see stuff. I think you've said it
before, and correct me, 'cause I'm probably gonna say it wrong, something along the lines
that packets don't lie. - Absolutely. Packets don't lie. This is the traffic that's
actually on the Wire, which is another reason why I'm
so passionate about anybody, not just network engineers but
cybersecurity professionals. If you're just getting
started with cybersecurity, studying for your Sec+ or even Net+, or any entry-level certification. That's why packets, to
me, are so important to learn how to capture and understand. It will make you better
at troubleshooting, and it will also help you
with exercises like this, in threat hunting or when
we have been compromised, help to back up and piece
together what happened. - For everyone who's watching, Chris does this stuff day in and day out. And Chris, we can't say names
'cause of NDAs and the like, but I know that you're doing some work with government agencies and banks, and big institutions to try and help them with their capturing
malware and other stuff. Just basically teach people how to use Wireshark like you do. So I really appreciate you sharing all of this knowledge with us. - Oh, no problem, David. I love coming on and
and chatting with you, and we always find some
interesting things. So, until next time. I think I'm gonna go back
and and hit my books. - So for everyone who's watching, please put in the comments
below what you want Chris to talk about, perhaps, in future videos. We've also got a whole bunch of videos which I've linked below where Chris teaches us Wireshark, teaches us a whole bunch of other things. Chris, all the very best. - Thanks, David. (logo chiming)
- I'm David Bombal. I wish you all the very best.