Introduction and Preparing for Attacks

Slide 1: Email and DNS Hacking

Slide 2: Overview

Email Hacking
    - Technology
    - Attacks
    - Phishing/Spearphishing/Whaling
DNS Hacking
    - Technology
    - Attacks
    - Flux

Slide 3: Email

[Diagram: a message reading "Here is the program you've been waiting for." sent from VIP@XXX.COM to a Trusted Colleague]

A postcard written in pencil, with trusted cargo attached

Slide 4: How Email Works

[Diagram: User → Mail User Agent → Mail Transfer Agent → Mail Transfer Agent → ••• → Mail Transfer Agent → Mail Transfer Agent → Mail User Agent → User]

Slide 5: Simple Mail Transfer Protocol

• TCP/25 by default
• Transfer-agent based
• Text Protocol
• Single connection, multiple messages (maybe)
• Easily forged

Example session (C = client, S = server):

S: 220 smtp.example.com ESMTP Postfix
C: HELO relay.example.org
S: 250 Hello relay.example.org, I am glad to meet you
C: MAIL FROM:<bob@example.org>
S: 250 Ok
C: RCPT TO:<alice@example.com>
S: 250 Ok
C: RCPT TO:<theboss@example.com>
S: 250 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: "Bob Example" <bob@example.org>
C: To: Alice Example <alice@example.com>
C: Date: Tue, 15 Jan 2008 16:02:43 -0500
C: Subject: Test message
C: Hello Alice.
C: Your friend, Bob
C: .
S: 250 Ok: queued as 12345
C: QUIT
S: 221 Bye {The server closes the connection}

Slide 6: How Email Can Go Wrong

[Diagram: the User / Mail User Agent / Mail Transfer Agent chain from slide 4, annotated with failure points: Malicious Software and Integration with OS (Preview & Download) at the users; Weak Protocol and Inserted Message at the Mail User Agents; Dropped Message, Malicious Software, Intercepted Message and Weak Protocol along the Mail Transfer Agents.]

Slide 7: Attacking Email

[Diagram: the same mail chain annotated with attacker actions: Fool and Propagate at the users; Subvert, Attach and Compromise at the Mail User Agents; Subvert, Hijack, Flood, Extract and Insert along the Mail Transfer Agents.]

Slide 8: Social Engineering

• Exploit trust relationships between people
• Exploit service climate
• Exploit business methods

Slide 9: Love Letter Virus

[Diagram: a message reading "Check out this joke..." sent from VIP@XXX.GOV to a Trusted Colleague, spreading on through Exchange and IRC. It replaces VBS, JPG, MP3 and other files; effects: corrupt data/script files, steal passwords, clog email.]

Slide 10: Phishing example?

Date: Tue, 20 Sep 2005 03:06:03 -0700 (PDT)
From: Countrywide countrywide@email.countrywide.com
To: tjs@cert.org
Subject: Important Customer Correspondence
[Image: "height="] [Image: "Countrywide - Full Speectrum Lending Division"] [Image:
"1-866-227-4118"] [Image: "height="] [Image: "height="] [Image: "height="] [Image:
"If you could use some extra cash, Countrywide could make it easy."] [Image: "Click Here
to Get Started"] [Image: "height="] [Image: "height="] [Image: "height="] [Image:
"height="]
Dear Timothy,
We can help customers get cash from the available equity they've built up in their homes by
refinancing their mortgages, and with the trend in rising home values, we estimate your
home's equity may have increased to as much as $43,867.00. (much more…)

Phone number appears legitimate, and the sender is the current mortgage holder
Note typographical errors (Speectrum, empty images, etc.)
Big payoff offered
Closer look: embedded domains don't match the From domain
(m0.net, r.delivery.net, not countrywide.com; all same ISP (Digital Impact))

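As an added example that is not part of the slides, this Python script turns the "easily forged" point from the SMTP slide and the "embedded domains don't match the From domain" check from the phishing slide into a single sender-alignment check: the SMTP envelope sender (MAIL FROM) and every host linked from the HTML body are compared against the header From domain. The message, envelope address and all hosts are constructed .example names, and the last-two-labels "registered domain" comparison is an assumed simplification (a production check would consult a public-suffix list).

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the slide's phishing mail; every host is a .example name.
SAMPLE_ENVELOPE_FROM = "bounce@track.delivery.example"   # SMTP MAIL FROM (envelope sender)
SAMPLE_MESSAGE = b"""\
From: Lender <offers@email.lender.example>
To: tjs@cert.example
Subject: Important Customer Correspondence
Content-Type: text/html; charset=us-ascii

<html><body><img src="http://images.m0.example/spacer.gif">
<a href="http://r.delivery.example/click?id=1">Click Here to Get Started</a>
<a href="http://www.lender.example/">Lender home page</a></body></html>
"""


def registered_domain(host: str) -> str:
    """Crude organisational domain: the last two labels (no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class LinkHosts(HTMLParser):
    """Collect every hostname referenced by an href= or src= attribute."""
    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            host = urlsplit(value).hostname if name in ("href", "src") and value else None
            if host:
                self.hosts.append(host)


def check_alignment(envelope_from: str, raw_message: bytes) -> dict:
    """Compare the envelope sender and linked hosts with the header From domain."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    from_domain = registered_domain(msg["From"].addresses[0].domain)
    parser = LinkHosts()
    html = msg.get_body(preferencelist=("html",))   # None for a plain-text message
    if html is not None:
        parser.feed(html.get_content())
    foreign = {registered_domain(h) for h in parser.hosts} - {from_domain}
    return {
        "from_domain": from_domain,
        "envelope_aligned": registered_domain(envelope_from.rsplit("@", 1)[1]) == from_domain,
        "foreign_link_domains": sorted(foreign),   # hosts the mail sends the reader to
    }
```

For the sample above the envelope sender is not aligned and two foreign link domains are reported, which is exactly the pattern the slide's "closer look" describes.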
Slide 11: Domain Name System

• More than just hostname → IP
• Query hierarchy of nameservers
   – Local nameserver (resolver): answer from cache or preloaded resolutions, may do recursive queries
   – Authoritative nameserver: answer based on domains it covers, or recurse
   – Root nameserver: answer top-level, delegate, or generate errors

Slide 12: Name Server Protocol

• UDP/53 or TCP/53
• Client queries local (address, ptr, mx, ns, hinfo, any)
• Local responds from cache or queries to root
• Root responds with referral to TLD or error
• Local queries TLD
• TLD responds with referral to authority or error
• Local queries authority
• Authority sends answer
• Local sends answer

Slide 13: Where DNS Can Go Wrong

• Client Side
   – Cache Poisoning
   – False Response
   – False Domains
   – Compromise
   – Tunneling
• Server Side
   – Flooding
   – False Response
   – Compromise

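As an added example that is not part of the slides, this Python model walks the resolution steps of the Name Server Protocol slide (local resolver → root → TLD → authority, then cache) over a constructed toy namespace, and shows the client-side defence against the "Cache Poisoning" and "False Response" items on the next slide: a record is cached only if its owner lies inside the zone the answering server is authoritative for (a bailiwick check). The `Server` class, the `SERVERS` table and all names and addresses are assumptions made for the example; the example.com. authority deliberately includes a record for www.example.org. that it does not own.

```python
from dataclasses import dataclass


@dataclass
class Server:
    """One nameserver in a constructed toy namespace (not real infrastructure)."""
    zone: str        # zone the server is authoritative for ("." for the root)
    referrals: dict  # child zone -> name of the server it is delegated to
    answers: dict    # every A record the server includes in its responses


# The authority for example.com. also slips in a record for a name it does not
# own (www.example.org.); a resolver without a bailiwick check would cache it.
SERVERS = {
    "root": Server(".", {"com.": "a.gtld-servers.net."}, {}),
    "a.gtld-servers.net.": Server("com.", {"example.com.": "ns1.example.com."},
                                  {"ns1.example.com.": "192.0.2.53"}),   # glue record
    "ns1.example.com.": Server("example.com.", {},
                               {"www.example.com.": "192.0.2.80",
                                "www.example.org.": "198.51.100.66"}),  # injected record
}


def in_zone(name: str, zone: str) -> bool:
    """True if the fully qualified name lies at or below zone."""
    return zone == "." or name == zone or name.endswith("." + zone)


def resolve(qname: str, cache: dict, trace: list) -> str:
    """Walk root -> TLD -> authority as on the slide; cache only in-bailiwick records."""
    if qname in cache:
        trace.append(f"cache hit {qname}")
        return cache[qname]
    server = "root"
    while True:
        srv = SERVERS[server]
        trace.append(f"ask {server} for {qname}")
        for owner, addr in srv.answers.items():
            if in_zone(owner, srv.zone):          # server may speak for this name
                cache[owner] = addr
            else:                                 # out of bailiwick: never cache it
                trace.append(f"drop out-of-bailiwick {owner} from {server}")
        if qname in cache:
            return cache[qname]
        # Follow the most specific delegation that covers qname, if any.
        zones = [z for z in srv.referrals if in_zone(qname, z)]
        if not zones:
            raise LookupError(f"{server} has no delegation covering {qname}")
        server = srv.referrals[max(zones, key=len)]
```

Resolving www.example.com. produces three queries (root, TLD, authority), caches the answer and the glue, and drops the injected www.example.org. record; a second lookup is served from the cache.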
Slide 14: Flux

• Why would a domain change its resolution?
• Why would a domain change frequently?
• Why would a domain change transiently?

Slide 15: Summary

• Common and needed protocols
• Many, many vulnerabilities
• Many, many attacks
• Some systematic solutions (encryption)
• Trust
