Tuesday, July 10, 2007

Time to learn DNS-Pinning

Update 07.12.2007: Kelly Jackson Higgins from Dark Reading posted a story highlighting the new Anti-DNS Pinning demos set to be presented at BlackHat. It appears there are many notable industry experts piling on the research trying to figure out how deep the rabbit hole goes. It should be an interesting year.

Per the typical web security M.O, attack techniques we’ve known and ignored for years have a way of coming back around as new ways of using them are discovered. It happened with XSS, recently with CSRF, and now new life is being breathed in Ant-DNS Pinning. Anti-DNS Pinning is a very important issue, especially as it related to intranet hacking, but its HIGHLY complicated and few people understand the nuances. In fact only a few months ago is the first time I’d seen the term mentioned in the mainstream media.

Fortunately learning about Ant-DNS pinning is getting easier as Christian Matthies and PortSwigger both posted freshly minted and extremely well-written white papers. The benefit of Christian’s is that he’s got a bit more data on anti-anti- and anti-anti-anti DNS Pinning, while PortSwigger’s explores web proxy implications which I had not seen anywhere else.

Also, if you are attending Black Hat USA 2007, make sure to catch David Byrne's Intranet Invasion With Anti-DNS Pinning.


Christian Matthies said...

It's cool to see so many people now bringing more attention on DNS pinning.

However, what I failed to mention on my blog is that I just reproduced what I learned at the time DNS pinning hasn't been that well documented yet. Nothing to credit me for since you and rsnake essentially are the ones who discovered all this. I just wanted to have this said.

Apart from that, you're perfectly right. Anti DNS Pinning seems to be the "new CSRF" ;-)

Jeremiah Grossman said...

@Chistina, I know what you mean, but you don't have to offer something "new" to create a valuable paper. The concept isn't well documented and your paper helps a lot of people. And besides, I don't think either myself or RSnake can take credit for Anti-DNS pinning discoveries either. :)

David Byrne said...

Thanks for pitching my presentation. Personally, I highly recommend the presentation immediately following mine (http://www.blackhat.com/html/bh-usa-07/bh-usa-07-speakers.html#grossman). I’ve seen two previous incarnations of it and would like to see it again, although there are three other presentations in the same time slot that I also want to see. Ugh.

Interesting timing on this post. Last night I published some minor anti-DNS pinning attacks against Java (http://archives.neohapsis.com/archives/fulldisclosure/2007-07/0159.html). The cool thing about Java is that it supports full sockets, not just HTTP. One of the demos I’m doing at BlackHat will be getting root access on internal servers using non-web attacks (probably against a known Windows vulnerability) tunneled through anti-DNS pinning with Firefox & Java.

David Byrne

Jeremiah Grossman said...

@david, ahaha, well you know I'll be there for yours. :)

Anonymous said...

DNS is growing attention everywhere, as DNS security is a growing concern its essential to keep up to date with the latest news and offerings check www.dnshelponline.com