It's DNS again 😢 Did you know this Malware Hack?

Captions
- That's why packets, to me, are so important to learn how to capture and understand. It will make you better at troubleshooting, and it will also help you with exercises like this, in threat hunting or when we have been compromised, help to back up and piece together what happened. The idea here is that this could walk right by, that it's buried in plain sight, right? So that's what makes this example so interesting. What do you think, David? Are we dealing with malware or not?
- It looks like it, doesn't it? (graphics warbling) I really wanna thank Brilliant for their fantastic partnership and for sponsoring this video. It doesn't matter if you wanna learn cybersecurity, ethical hacking, networking, artificial intelligence, programming. You need to learn about numbering systems. In this example, I've captured some network traffic. I'm capturing traffic sent to and from this router. Notice the format of this number, fe80 sending traffic to ff02. What numbering system is this? This is IP version 6, and these are hexadecimal numbers. Hexadecimal has only one numbering system that you need to learn. Another one is binary. Do you understand this joke? There are two types of people in this world, those that understand binary and those that don't. You need to understand binary. You need to understand hexadecimal. You need to understand decimal. It's important that you understand numbering systems. Again, doesn't matter if you wanna be a network engineer, doesn't matter if you want to do programming, artificial intelligence, et cetera. You need to learn this. And there's no better place to learn math and computer science than Brilliant. Brilliant gives you some history of how numbers were used by different cultures, and then moves onto modern applications of decimal, binary, and hexadecimal.
Brilliant goes beyond the basics when it comes to teaching you numbering systems in binary, and helps you develop a more well-rounded understanding and intuition surrounding numbering systems. If you want an easy interactive way to learn, then Brilliant is the answer for you. Brilliant now offers a 30-day trial with a 20% discount if you sign up using my link brilliant.org/davidbombal. I really wanna thank Brilliant, again, for the partnership and for sponsoring this video. For everyone who's watching, Chris is gonna show us something really cool with DNS. Please put in the comments below. Did you know this? So when you've finished watching this video or part of the video, put in the comments below, did you actually know that this was possible to do with DNS, and that DNS could be used as a way to attack your clients. As they commonly say, it's always DNS' fault. And here's another example of where DNS could be used by a malicious actor to attack your network.
- Yeah, David. And this one gets a little bit scary. And, really, the intent here is that this would if we don't have a properly configured IDS, IPS system. The idea here is that this could walk right by, that it's buried in plain sight, right? So that's what makes this example so interesting.
- I think a lot of people are under the misconception that DNS is just used to resolve a domain name like Packet Pioneer to IP address. But actually, you're gonna show us that it can do a lot more than that, right?
- Yes, exactly. So that's exactly what many people just think DNS only does. Here's an IP address, what's a name or here's a name, what's an IP address? But DNS can do a whole lot more. And let's take a look. Now, as you mentioned before, this is an example, and this is actually taken from a course that I've been teaching on threat hunting with Wireshark, and we'll talk a bit more about that course later. But this specific example, can you see my screen okay?
- Yeah.
- So if we just take a walk through it, just take a breeze through it real quick, we can see that a lot of it is DNS, okay? So if I just go up to the top, I can see that the one that is sending the DNS requests is this 101.121 device. So we're gonna call that our client, okay? So this client is initially talking to this, allegedly, 8.8.8.8 server. (David chuckles) Now we know from that, a lot of us use that as Google DNS. However, in this case, there's something interesting that happens, and that's why we know that we might not be directly talking out to that server itself. So I wanna show you something. So we send this request for a reverse record for 8.8.8.8. We're just asking who is the name that's associated with this IP. If I come down to the response, here, I can see, if I go down to DNS, here's their answer. And blah, blah, blah. Coming down here to the lower left, you can see dns.google. Okay, if I take a look at the next query. This time, so here, we can see that the client is requesting a TXT record, all right? So, l.ns.ostrykebs.pl. Okay, so what does that mean? Well, let's just take a look at this request a little bit closer. So with DNS, DNS is more than just IP addresses and names. DNS has the ability to do different types of requests. So the query type in this case is a TXT string. Just a note about that, David, real quick, I'm just bringing in my browser here. There's a really nice description on Cloudflare. This is a quick one that I was able to find, but just what is that DNS TXT record? Well, if we take a look at Cloudflare, I thought this was a really good description of what it is. And basically, what it does is it allows us... Originally, it was intended as a place for human-readable notes to be in records. However, now it's possible to put some machine-readable data into TXT records, and that's where things get interesting. So basically, it's a way of putting TXT in a DNS reply. Okay?
So a bit more detail in there if you want to go dig in through that. However, I'd rather demo this for you. So, let me come back to my PCAP. Now we're asking for a TXT record, and we're also asking for this interesting-looking site. Something that I like to do and like to teach others to do is when you see a site that you're not quite sure about, one thing that we can do is always use VirusTotal to take a closer look at it. Okay, so what I'm gonna do, I'm just gonna right-click and I'm just gonna do Copy, Value, so I can pull that right out of the packet. And I'm just gonna peek into VirusTotal, this is something that I like to encourage people to do when you see a DNS record or anything, really, that just looks funny, okay? So I just put this into the search and I'm gonna say, "Okay, let's go get it." And what this does is it looks up that DNS name, and it goes to some common vendors and checks to see if it's okay. Well, what do you think, David? Are we dealing with malware or not?
- It looks like it, doesn't it?
- It sure does. Yeah. Doesn't look too happy. Okay, so let's go back into our packet capture. All right, so we go and we ask for a TXT record from this server. So let's see what happens, or rather in this record. Let's see what happens. So this alleged 8.8.8.8 address, which may or may not be true. We come down. Let's take a look at the TXT record that's returned for this lookup. And this is where we get this TXT record. Now, David, we don't have to be super amazing coders and scripters, and all the things. Does this look like a good, nice, happy DNS record to you?
- [David] (chuckles) Yeah, right. But a code, right?
- Yeah, this is code. So let's do this. I'm just gonna take a look.
- [David] There's a while loop or something in there. It's matching something.
- Excellent. Exactly. So, right away, we can see this isn't happy. In fact, this is what I'm gonna do. I'm just gonna take and I'm just going to copy this as well.
Or you know what I could do real quick? Let me just do this. Let me just right-click and I'm just gonna do Show Packet Bytes. Now this is where I can see this full string, and that's just basically typed out for me. And without going too deep into the weeds on the string itself. Basically, what this is doing is it's giving an instruction to the client to continually come back and ask more questions for more pieces of this code. And then when it's finished, it will then execute that code. All right. So, let's actually see how that works. So this is just the initial request, okay? So this just came in from this server, but now, check this out. So now we're gonna go to a local box, which has absolutely been compromised. And if I come down here, now this is basically in a demo environment this was run, but let's go ahead and start to take a look at some more of these DNS records. So now, this client, this client is now starting to do the bidding of the attacker. It's going to 100.2 DNS, hitting us on 53. And let's take a look at what's happening. So first, here we have this first request, it's going to l.1.ns. Okay, give me your TXT. This server comes back, or alleged server comes back and says, "Oh, great. Thank you. Here's your first instruction, .1" Now, truncated. So this TXT record, it's keeping it small, basically, so to speak. So what we're trying to do here is we're trying not to do this massive script in one DNS packet, because that might trigger an IDS system, an IPS system, and say, "Whoa, whoa, whoa. Wait a second. You have a huge DNS record or a very large DNS packet. That can't be good." 'Cause usually DNS requests and responses are smaller packets, you know, 200 bytes-ish or so. Here's 254 bytes. This TXT record comes back. Check it out. Does that look dangerous to you necessarily?
- [David] Yeah, it's encoded in a weird way, but-
- Yeah. On its own, it doesn't look too crazy.
But if we go back to that original request, we notice that there was actually Base64 in the previous request. And you come down here, you can see in Wireshark, I can do a Decode as, and I'm gonna say Base64. Now when I decode it as Base64, what's our thought here, David? Do you think we're starting to see some safe things?
- [David] Yeah, it looks extreme. More and more dodgy, right?
- Yeah, right? This probably isn't something I wanna see just in a TXT value coming back from DNS. Okay, so let's just remember that. Okay, there's that one. And if I close this, I'm gonna come back to my packets. We do another query, but this time it's for l.2. So the first one was .1, this is .2. Okay, we do a TXT query. Same thing. Let's kick back. Let's see what it sends us. Now another 254, gonna come down here, going to right-click, Show Packet Bytes. I'm gonna come up here, and this is where I can decode as Base64. Uh-oh.
- Oh.
- This looks like the next chunk of that script. Okay, so what's happening is we're requesting, basically, this script and we're getting sent this chunk, one chunk at a time. 254 bytes at a time. So you can see request. This is 1, 2, 3, 4, 5, right? So six, all of these different ones. So all these different pieces. Well, what happens when the client gets all those pieces, extracts that TXT, and puts it all together? That's what we wanna find out. So the next thing I'm gonna do, David, is I wanna show you something super cool that we can do on the command line with Terminal Shark. All right, so I just showed you, in Wireshark, we can see that we have these obfuscated or encoded pieces of a script that are being sent over DNS. All right, so here I am on the command line, and one reason why I do this is because I can take TShark, and I can throw a packet capture at it, and I can extract certain fields from those packets using TShark, and put them all in one place. You can do this with other tools. For me, it's just something I like to do with TShark.
So, Terminal Shark. So this is what I'm gonna do. I'm gonna say tshark, all right, that calls that utility, which by the way, David, if you install Wireshark by default, TShark will get installed as well. So you already have this in your machine if you've installed Wireshark. All right, so the first thing I need to do is just tell it to read. So, I'm gonna read in. And as I recall, I'm just gonna look... C2 analysis, that was the name of our file. So, C2Analysis.pcapng. All right, and so now I'm gonna throw a filter at it. I'm gonna do .y or -y. That's how I set a filter. And what I wanna do is I just want to filter for all packets coming back. Basically, these 347s. And I want to... If I click on this string down here, if I go down to the lower left I can see that this is showing me that this string value, or this location rather, in DNS, is dns.txt. All right, so if I just set a filter for this, so let's just do that, dns.txt, enter. What I see is I'm getting all of the responses from that server, right? Because they actually have a dns.txt value in them. So that's gonna be a good filter for me. So let's just do this, dns.txt. Great. Now what I wanna do is I wanna extract that field out. So I'm just gonna do this, I'm gonna do, it's called -T, and then what I do is I'd say "fields." So that tells me go into whatever field I specify and print that out to my command line for me. Now, which field do I want? -e, I'm gonna do dns.txt. All right, now if I execute this, do we see what we're doing here? TShark, hey, go read this PCAP, use this filter, and pull out this field. Now I have all of those strings in one place for me. So, David, I'm going to introduce you to another buddy of mine, and that is CyberChef. So it allows us to take different strings and whatever's been encoded, decoded, and tinker around with it. So I'm gonna go ahead and input that string here. So here's all the messy code, but let's go ahead and say From Base64. So, this will decode it. 
And now, we have the full string, or the full script rather. So you and I can now begin to look through this and see, "Hey, if this was sent to a victim machine and it ran this script, what would it do?" Well, here, I'm not the best person in the universe with scripting. Maybe together we can help sort out some of this. So basically, what we're doing is we're saying, "Hey, go look for or get a TXT value from that server, and I want you to pull out that TXT information, and I want you to loop and do this until you get a full string." Once you get this full script back, if we come down here, this is the type of stuff that my eye looks for, what are you gonna do? Well, you're gonna reassemble it. And then this guy, IEX. So, what is that? Well, pop that in Google and just IEX, right there in a PowerShell script. This is Invoke-Expression. Okay. Well, that can't be good. So that means that I'm sending you pieces of a script and as soon as you get all the pieces, invoke it, do it. Okay? And we can see sendResult. So, what starts to happen here is after the victim machine gets all of these pieces of the script and invokes it, the next aspect of this attack is it now starts sending instructions back. Now we actually start to see a callback conversation. That can be heavily encoded between the attacker and the victim machine. Using DNS TXT fields is the way that that first instruction gets sent, and it's sent in pieces to try to float below the radar of an IDS or IPS. Once it's actually all pulled out and executed, now that invoke-expression makes that machine call back to our server and we can begin to control it.
- Yeah, like how does the very first step happen? Is it something to do with the DNS, so that machine is compromised somehow to go to the wrong DNS server, or how does the initial thing kickoff to actually request that TXT file? 'Cause you've shown us the DNS and then it's requesting the TXT file, but how does it actually start that process?
- David, that's a great question. So I would imagine a few ways that this could happen. One, standard good old phishing, sending a user a link, and then redirecting them to a malicious device that then further runs a script. Spoofing a DNS server, (chuckles) acting like we're the one, the authority.
- I'm the captain now.
- And initially, we're going out to an allegedly known address, and we're doing this lookup for what looks like to be a good DNS record. But then that record gets implanted and the TXT is what actually starts the script. So initially, this client is just going out and asking this question. But in order to ask that question, how did that get to them, how did they begin that? Probably from some type of phishing attack.
- But it's amazing. I mean the fact that, you, doing a DNS query like what you're showing on the screen there, and then the answer is he has a TXT file.
- Exactly. (David chuckles)
- And the DNS server can just control that client to pull down some crazy TXT.
- Yeah, so it's interesting how this malware could be implanted using the TXT string of a DNS query. I think this is just crazy.
- As they always say, Chris, it's always DNS.
- (chuckles) Right. That is true. And this is also why modern IDS systems are gonna be taking a much closer look at inspecting DNS, right? It used to be that this kind of thing, probably, would just walk right by. But now, if you have a string like this or if I come back down to one of the previous records we were looking at, even a Base64 encoded string isn't as complicated to decode for our detection systems. Because this was so prevalent, and it was about 2017, '18, was where we started seeing this. Basically, the malware is called DNSMessenger, and it was really designed to illustrate how this could happen, how we could bury C2 traffic in DNS calls. Thankfully, now, many systems are tuned to be able to detect this better than at that time.
However, it's still something we wanna be aware of and how we could deliver that using DNS.
- Chris, that's amazing. So, thanks so much for showing us this example. What I really love about what you do is you always take it down to the wire where you can actually see stuff. I think you've said it before, and correct me, 'cause I'm probably gonna say it wrong, something along the lines that packets don't lie.
- Absolutely. Packets don't lie. This is the traffic that's actually on the Wire, which is another reason why I'm so passionate about anybody, not just network engineers but cybersecurity professionals. If you're just getting started with cybersecurity, studying for your Sec+ or even Net+, or any entry-level certification. That's why packets, to me, are so important to learn how to capture and understand. It will make you better at troubleshooting, and it will also help you with exercises like this, in threat hunting or when we have been compromised, help to back up and piece together what happened.
- For everyone who's watching, Chris does this stuff day in and day out. And Chris, we can't say names 'cause of NDAs and the like, but I know that you're doing some work with government agencies and banks, and big institutions to try and help them with their capturing malware and other stuff. Just basically teach people how to use Wireshark like you do. So I really appreciate you sharing all of this knowledge with us.
- Oh, no problem, David. I love coming on and chatting with you, and we always find some interesting things. So, until next time. I think I'm gonna go back and hit my books.
- So for everyone who's watching, please put in the comments below what you want Chris to talk about, perhaps, in future videos. We've also got a whole bunch of videos which I've linked below where Chris teaches us Wireshark, teaches us a whole bunch of other things. Chris, all the very best.
- Thanks, David. (logo chiming)
- I'm David Bombal. I wish you all the very best.
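The detection side of the walkthrough above, as an added example that is not code from the video or from Packet Pioneer: a small Python checker that takes tshark-style field output (query name and dns.txt per line), regroups the numbered l.N.ns chunks per domain, decodes the joined Base64 and looks for the Invoke-Expression token Chris pointed out. The input records, the placeholder domain c2-placeholder.invalid and the decoded stand-in text are all constructed for this example.

```python
"""Detect chunked, Base64-encoded payloads in DNS TXT answers (added example,
not code from the video or Packet Pioneer). Input mimics the output of
  tshark -r capture.pcapng -Y dns.txt -T fields -e dns.qry.name -e dns.txt
All records below are constructed; the domain and decoded text are placeholders."""
import base64
import re
from collections import defaultdict

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Numbered chunk label as seen in the capture: l.<index>.ns.<domain>
CHUNK_RE = re.compile(r"^l\.(\d+)\.ns\.(.+)$")
SUSPICIOUS_TOKENS = ("Invoke-Expression", "IEX")

def make_sample():
    """Construct field output: one ordinary SPF TXT record plus a split payload."""
    payload = (b"# constructed stand-in script\n" + b"$x = 1\n" * 20
               + b"Invoke-Expression $x\n")
    blob = base64.b64encode(payload).decode()
    chunks = [blob[i:i + 120] for i in range(0, len(blob), 120)]
    lines = ["example.com\tv=spf1 -all"]
    lines += ["l.%d.ns.c2-placeholder.invalid\t%s" % (i + 1, c)
              for i, c in enumerate(chunks)]
    return "\n".join(lines)

def parse_records(text):
    """Group Base64-looking TXT answers with numbered labels by domain."""
    chunks = defaultdict(list)
    for line in text.splitlines():
        name, _, txt = line.partition("\t")
        m = CHUNK_RE.match(name)
        if m and B64_RE.match(txt):
            chunks[m.group(2)].append((int(m.group(1)), txt))
    return chunks

def reassemble(parts):
    """Order the chunks by index, decode the joined Base64, return bytes or None."""
    blob = "".join(txt for _, txt in sorted(parts))
    try:
        return base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError: not valid Base64
        return None

def analyse(text):
    """One finding per domain: chunk count, largest TXT, decoded size, tokens."""
    findings = []
    for domain, parts in parse_records(text).items():
        decoded = reassemble(parts)
        hits = [t for t in SUSPICIOUS_TOKENS if decoded and t.encode() in decoded]
        findings.append({"domain": domain, "chunks": len(parts),
                         "max_txt_len": max(len(txt) for _, txt in parts),
                         "decoded_bytes": len(decoded or b""), "tokens": hits})
    return findings

SAMPLE = make_sample()

if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print(finding)
```

Point real tshark output at analyse() instead of SAMPLE to run the same check over a capture; a single large Base64 chunk with no numbered label will not be grouped, so extend CHUNK_RE to the labelling scheme you actually see.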
Info
Channel: David Bombal
Views: 75,668
Keywords: malware, wireshark, dns, dns hack, dns malware, dns txt, base64, wireshark malware, hack, hacker, hacking, information security, nmap, wifi, cyber, cybersecurity, threat, threat hunting, wifi analysis, scanner, wifi scanner, hackers, ethical hacker, ethical hacking, hacking tutorial, learn hacking, how to hack, wifi cracking, nmap switches, infosec, attack, cyber security, wifi hack, nmap scan, nmap port scan, nmap scripts, nmap vulnerability scan
Id: slNe6z9gFv0
Length: 18min 20sec (1100 seconds)
Published: Fri May 26 2023