If you can’t hack the user, maybe you can hack the DNS server. In this video, you’ll learn how a DNS poisoning attack or domain hijacking can allow an attacker to seamlessly impersonate an entire company.
The Domain Name System is a critical part of our IP networking. These are the servers that take the names we provide and translate them into IP addresses. If you’re able to modify the information in a DNS server, if you’re able to manipulate the records stored there, then you could potentially send someone to an IP address that isn’t where they thought they were going.
One way to do this is to modify files on the workstations. The hosts file is consulted before any DNS query is sent, so if you change the client’s hosts file, that client won’t even make the request to a DNS server. You can simply direct someone to an IP address based on what you put in the file on that person’s machine. But changing the contents of a single file across a large number of devices may be too difficult to manage.
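A hosts-file override is easy to check for, because a legitimate hosts file pins only local or internal names. The following checker is an added example, not code from the original video: it parses hosts-file syntax and flags any public-looking name that has been pinned to an address. The sample hosts file, the internal suffix `.corp.example` and the set of "local" names are assumptions made for this example; the addresses come from the RFC 5737 documentation ranges.

```python
"""Flag hosts-file entries that override public domain names (added example).

A client that finds a name in its hosts file never asks the DNS server, so one
line such as '203.0.113.5 professormesser.com' silently redirects that machine.
On Linux/macOS the file is /etc/hosts; on Windows it is
C:\\Windows\\System32\\drivers\\etc\\hosts.
"""
import ipaddress

# Names that are legitimately pinned in a hosts file (assumption for this example).
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}

# Constructed sample hosts file; not taken from any real machine.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
192.168.1.20    build-server.corp.example   # internal host, expected here
# Suspicious: a public site pinned to an unrelated address
203.0.113.5     professormesser.com www.professormesser.com
0.0.0.0         ads.example.net
"""


def parse_hosts(text):
    """Return a list of (ip, hostname) pairs from hosts-file text.

    Each non-comment line is '<ip> <name> [<name> ...]'; anything after '#' is
    ignored, and lines whose first field is not a valid IP address are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((str(ip), name.lower()))
    return entries


def suspicious_entries(entries, internal_suffixes=(".corp.example",)):
    """Return the entries that pin a public-looking name to an address.

    A name counts as public when it contains a dot, is not a known local name
    and does not end in one of the caller's internal suffixes. Entries pointing
    at 0.0.0.0 or 127.0.0.1 are reported as well: a block list and a hijack look
    identical from the client's point of view, so an analyst should see both.
    """
    flagged = []
    for ip, name in entries:
        if name in LOCAL_NAMES:
            continue
        if "." not in name or name.endswith(internal_suffixes):
            continue
        flagged.append((ip, name))
    return flagged


def check_hosts_file(path):
    """Read a real hosts file and return its suspicious entries."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(parse_hosts(fh.read()))


if __name__ == "__main__":
    for ip, name in suspicious_entries(parse_hosts(SAMPLE_HOSTS)):
        print(f"override: {name} -> {ip}")
```

Run it against `/etc/hosts` with `check_hosts_file("/etc/hosts")`; on the constructed sample it reports the two `professormesser.com` names and the ad-blocking entry, and leaves the loopback and internal entries alone.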
That’s why many bad guys focus their efforts on changing what’s in the DNS server. That way the clients don’t have to be changed; you make one change on the DNS server, and now the response to all of those clients has been updated with whatever the bad guy would like. There are many different ways to do this, but most of them involve taking control of the DNS server.
Here’s how this might work. You’ve got a couple of users that will need access to professormesser.com. There’s a bad guy down here who’s going to want to poison the DNS server, and then you’ve got the DNS server itself, which has the record for professormesser.com and the IP address of my web server. User number one makes a request to that DNS server, gets the correct IP address for the domain, and caches that answer locally for as long as the record’s TTL allows.
Before the second user is able to make the exact same request, the bad guy takes control of the DNS server and changes the record so that professormesser.com now points to a completely different IP address. Each subsequent user of that DNS server will still get a response for professormesser.com, but it will contain the attacker’s IP address. Note that user number one is protected only until the cached answer expires; the next lookup after that returns the poisoned record too.
Now the bad guy controls where people will be going every time they type in professormesser.com. Many DNS servers are well protected, so it’s sometimes difficult to poison the information on a single DNS server. Instead, what if we were able to change which DNS server is authoritative for our particular domain name?
We do this through a technique called domain hijacking. We somehow gain access to the domain registration, which is where the authoritative name servers for the domain are specified. This means we don’t have to change anything on the existing DNS server; we simply change the domain’s delegation to point to a DNS server that’s controlled by the bad guys.
Of course, performing this domain hijacking is not a simple process. You somehow need to gain access to the account at the domain registrar. This might be guessing the password through brute force. Maybe we’re social engineering the password by calling the domain registrar or calling the owner of the domain. Or maybe we’re gaining access to the email account that’s used to administer the domain.
As long as you can gain access to the account, you can then change which DNS servers provide the IP addressing for the domain. A good example of a domain hijacking occurred on Saturday, October 22nd, 2016, at 1:00 p.m. This happened to a bank in Brazil. The registrations of 36 domains associated with this bank were suddenly changed. This affected not only the bank’s login pages but also the domains used by its desktop applications, mobile devices, and many other services.
They were under the hackers’ control for six hours until the bank could regain control of its domain names. The bad guys effectively became the bank. This bank managed the accounts of over 5 million customers and had over $27 billion in assets, and for those six hours the bad guys were able to manipulate and change what its clients were seeing. The full results of this domain hijacking were never made public, but we can bet that this particular bank is taking special care to make sure that nobody gains access to its domains again.
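The first visible symptom of a hijacked registration is a changed NS delegation at the registry, and the usual preventive control is the registrar-side EPP lock statuses. The following audit is an added example, not code from the original video or from any bank’s tooling: it compares the observed NS set for a domain against the owner’s baseline and checks the `Domain Status:` lines of WHOIS output for the standard EPP client locks (RFC 5731). The domains, name servers and WHOIS text below are constructed; in production the observed values would come from a resolver and from the registrar’s WHOIS/RDAP service, which this offline example does not query.

```python
"""Audit a domain's delegation and registrar locks against a baseline (added example)."""

# Standard EPP client statuses (RFC 5731). When set, the registrar refuses
# transfers, updates or deletes until the owner explicitly removes the lock.
EXPECTED_LOCKS = {"clientTransferProhibited",
                  "clientUpdateProhibited",
                  "clientDeleteProhibited"}

# Constructed WHOIS excerpts; not real registration data.
WHOIS_LOCKED = """\
Domain Name: bank.example
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Name Server: NS1.BANK.EXAMPLE
Name Server: NS2.BANK.EXAMPLE
"""

WHOIS_HIJACKED = """\
Domain Name: online.bank.example
Registrar: Example Registrar, Inc.
Domain Status: ok https://icann.org/epp#ok
Name Server: ns1.attacker.example
Name Server: ns2.attacker.example
"""


def parse_whois_status(whois_text):
    """Return the set of EPP status codes from 'Domain Status:' lines."""
    statuses = set()
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "domain status" and value.split():
            statuses.add(value.split()[0])
    return statuses


def parse_whois_nameservers(whois_text):
    """Return the set of name servers from 'Name Server:' lines, normalised."""
    servers = set()
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "name server" and value.strip():
            servers.add(value.strip().rstrip(".").lower())
    return servers


def audit_domain(domain, expected_ns, whois_text):
    """Return a list of (severity, message) findings for one domain.

    Rules (assumptions for this example): any NS change is 'critical', because
    a delegation change is how a hijack takes effect and is rare in normal
    operation; a missing EPP lock is 'high', because it leaves the door open.
    """
    findings = []
    expected = {ns.rstrip(".").lower() for ns in expected_ns}
    observed = parse_whois_nameservers(whois_text)
    if observed != expected:
        findings.append(("critical",
                         f"{domain}: NS delegation changed; expected "
                         f"{sorted(expected)}, observed {sorted(observed)}"))
    missing = EXPECTED_LOCKS - parse_whois_status(whois_text)
    if missing:
        findings.append(("high",
                         f"{domain}: registrar locks missing: {sorted(missing)}"))
    return findings


# Constructed baseline: the name servers the owner published for each domain.
BASELINE = {
    "bank.example": {"ns1.bank.example", "ns2.bank.example"},
    "online.bank.example": {"ns1.bank.example", "ns2.bank.example"},
}


def audit_all(whois_by_domain):
    """Audit every baseline domain for which WHOIS text was collected."""
    findings = []
    for domain, expected_ns in BASELINE.items():
        if domain in whois_by_domain:
            findings.extend(audit_domain(domain, expected_ns, whois_by_domain[domain]))
    return findings


if __name__ == "__main__":
    for severity, message in audit_all({"bank.example": WHOIS_LOCKED,
                                        "online.bank.example": WHOIS_HIJACKED}):
        print(f"[{severity}] {message}")
```

Run on a schedule, this kind of check would have flagged every one of the 36 changed registrations within one polling interval; the lock check is the preventive half, since a registrar will not process a transfer or name-server update on a locked domain without the owner first removing the lock.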