Transcript
Page 1: Thotcon 0x5 - Retroactive Wiretapping VPN over DNS

How I Turned VPNoverDNS into a Retroactive Wiretapping Tool
THOTCON 0x5
John Bambenek / Bambenek [email protected]

Page 2: Thotcon 0x5 - Retroactive Wiretapping VPN over DNS

The Setup...

● Hired by a mid-sized business to increase the security posture
  ○ Yes, it was just that open-ended…

● They had a fairly large web presence and maintain dozens of sites
  ○ But had no authoritative list of them…

●Commence policy review and massive paper dump.

●Has some PCI, HIPAA, other private (and valuable) information...

Page 3: Thotcon 0x5 - Retroactive Wiretapping VPN over DNS

The Setup Continued...

●As a way to verify the correctness of information, do various threat intel queries on a netblock…

● Have there been any breaches? Listings in blacklists? Known contact with C&Cs?

● Passive DNS will log all queries and responses a sensor sees so they can be used for later searches.
  ○ For instance, it will show all FQDNs resolved for a given IP address seen by a sensor.

● Scanning the client's /24 yields all the likely used websites (and unused IPs)

Page 4: Thotcon 0x5 - Retroactive Wiretapping VPN over DNS

pDNS Example

● A historical search on thotcon.org yields:

;; first seen: 2012-09-06 22:17:09 -0000
;; last seen: 2013-11-05 20:41:26 -0000
thotcon.org. IN A 67.195.61.65
--
;; first seen: 2011-06-02 10:57:38 -0000
;; last seen: 2012-09-02 02:05:33 -0000
thotcon.org. IN A 98.136.92.206
--
;; first seen: 2013-10-30 07:04:27 -0000
;; last seen: 2014-04-24 23:15:54 -0000
thotcon.org. IN A 98.136.187.13
--
;; first seen: 2010-07-29 16:00:22 -0000
;; last seen: 2010-09-20 16:58:07 -0000
thotcon.org. IN A 216.39.57.104
--
;; first seen: 2010-08-13 02:05:21 -0000
;; last seen: 2011-06-02 06:20:26 -0000
thotcon.org. IN A 216.39.62.189
……

Page 5: Thotcon 0x5 - Retroactive Wiretapping VPN over DNS

pDNS example...

●A historical search on 98.136.187.13 yields:

ut.ae. IN A 98.136.187.13
oec.ae. IN A 98.136.187.13
meatco.ae. IN A 98.136.187.13
cpssa.com.ar. IN A 98.136.187.13
facimex.com.ar. IN A 98.136.187.13
iltinello.com.ar. IN A 98.136.187.13
tunga-tunga.com.ar. IN A 98.136.187.13
ceramicas-lourdes.com.ar. IN A 98.136.187.13
ictys.org.ar. IN A 98.136.187.13
y-yo.com.au. IN A 98.136.187.13

……

Page 6: Thotcon 0x5 - Retroactive Wiretapping VPN over DNS

A Wild Passive DNS Scan Appears

Rdata results for ANY/197.1.246.0/24

Returned 280 RRs in 0.05 seconds.

tunisia-sat1.no-ip.info. A 197.1.246.1
samibazoug.dyndns.ws. A 197.1.246.3
koooooko.no-ip.biz. A 197.1.246.3
only-security.no-ip.biz. A 197.1.246.3
no-hack.zapto.org. A 197.1.246.3
camfrog-ir.zapto.org. A 197.1.246.3
camfrog-2r9.zapto.org. A 197.1.246.3
gboxbest.dyndns.org. A 197.1.246.3

Page 7: Thotcon 0x5 - Retroactive Wiretapping VPN over DNS

A Wild Passive DNS Scan Appears

mrigel.zapto.org. A 197.1.246.4
hacked007.no-ip.org. A 197.1.246.5
tarajist1919.no-ip.biz. A 197.1.246.8
reflex.sytes.net. A 197.1.246.10
1month-5euro.sytes.net. A 197.1.246.10
gaagle.no-ip.org. A 197.1.246.10
djamelgbox.no-ip.org. A 197.1.246.12
bibitahackertn.no-ip.biz. A 197.1.246.14
kalboussa.no-ip.biz. A 197.1.246.16
njratxmoro.zapto.org. A 197.1.246.16
migalou2012.no-ip.biz. A 197.1.246.18
papu81.no-ip.biz. A 197.1.246.19

Page 8: Thotcon 0x5 - Retroactive Wiretapping VPN over DNS

A Wild Passive DNS Scan Appears

manortn.dyndns.biz. A 197.1.246.19
papu81.no-ip.biz. A 197.1.246.20
ln-048.rd-00000240.id-14932049.v0.tun.vpnoverdns.com. A 197.1.246.20
revenger.zapto.org. A 197.1.246.21
oscamserver.dyndns.org. A 197.1.246.24
cinefoot.selfip.com. A 197.1.246.28
proxysat.selfip.com. A 197.1.246.28

……

tun.vpnoverdns.com????

Page 9: Thotcon 0x5 - Retroactive Wiretapping VPN over DNS

What is this VPNoverDNS you speak of?

● From vpnoverdns.com:
  ○ “In a few words, it lets you tunnel data through a DNS server. Data exfiltration, for those times when everything else is blocked.”

● At the point I first started seeing this, no one seemed to know anything about it aside from the obvious… “it looks like a tunnel endpoint”

● One oddity: to install it on a PC you FIRST have to install the Android app to create a login…
  ○ As an unapologetic iPhone user, this displeases me.

Page 10: Thotcon 0x5 - Retroactive Wiretapping VPN over DNS

Data Exfiltration You Say?

ZOMG!!

IT’S AN APT!

MOMMY HELP!

MUCH SCARED!

Page 11: Thotcon 0x5 - Retroactive Wiretapping VPN over DNS

So how prevalent is VPNoverDNS?

● pDNS dump of *.tun.vpnoverdns.com yields almost 6 million entries.

● “Endpoints” seen on educational, government, business and military ASNs.
  ○ And some unassigned IP addresses…

● Looks prevalent but…
  ○ No one knows about it…
  ○ Would it so obviously be sitting on NATO IP addresses?
  ○ Why would a data exfiltration tool require an Android device?

Page 12: Thotcon 0x5 - Retroactive Wiretapping VPN over DNS

Seriously, who uses Adobe AIR for this?

● After finding an Android device, I downloaded the app to that device and then created a VM to install the PC version, which uses Adobe AIR.

● Provides a web browser and an email client to send/receive e-mail.
  ○ This is not looking like data exfiltration…
  ○ Much disappoint… :(

●Time to fire up Wireshark and see what the traffic looks like...

Page 13: Thotcon 0x5 - Retroactive Wiretapping VPN over DNS

Got Packets?

Page 14: Thotcon 0x5 - Retroactive Wiretapping VPN over DNS

A Closer Look...

Page 15: Thotcon 0x5 - Retroactive Wiretapping VPN over DNS

Got Packets?

●Query a specific FQDN and it returns multiple A records.

● rd- Byte Offset
● id- Session ID

●A records start at 192. and sequentially get higher.

● This explains why pDNS shows what it does: in effect, it poisons the data. The only REAL traffic is DNS to the network resolver (and from the resolver to vpnoverdns.com’s DNS servers).

Page 16: Thotcon 0x5 - Retroactive Wiretapping VPN over DNS

Can we parse this response?

Looking at the hex of the packet...

The last three octets of the A record DNS responses are the HTTP response… in the clear.

Page 17: Thotcon 0x5 - Retroactive Wiretapping VPN over DNS

Did you know gzip is 1337 crypto?

●So now to rebuild an entire session across all the queries for a given session ID…

x�õï 0§OKHTTP/1.1 200 OK

Date: Sat, 05 Jan 2013 18:08:05 GMT

Content-Type: text/html;c:Accept-Encoding

Content-Encoding: gzip

---- gzip’d content ----

Page 18: Thotcon 0x5 - Retroactive Wiretapping VPN over DNS

What about HTML requests?

● HTML requests are made by querying FQDNs starting with bf-:

●Example:

bf-1b3132313330363734c2a7536f636b657444617461c2a734303436304745.wr-00000000.id-00912196.v0.tun.vpnoverdns.com. IN A 128.69.0.255
bf-5420687474703a2f2f616e64726f69642e636c69656e74732e676f6f676c.wr-00000030.id-00912196.v0.tun.vpnoverdns.com. IN A 128.69.0.255
bf-652e636f6d2f70726f78792f677361737567676573742f7365617263683f.wr-00000060.id-00912196.v0.tun.vpnoverdns.com. IN A 128.69.0.255

● Syntax: wr- byte offset, id- session ID
● Is the bf- content just ASCII text in hex form?
● 12130674§SocketData§40460GET http://android.clients.google.com/proxy/gsasuggest/search?client=qsb-android&hl=en&gl=us
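The record layouts described on pages 15, 16 and 18 (bf-/wr-/id- request labels, rd-/id- response labels with the payload in the last three octets of each A record) are enough to rebuild a session from nothing but passive DNS data. The following Python is an added example written for this page, not code from the talk; it assumes the offsets are decimal byte counts, that A records are ordered by their first octet, and uses a constructed response sample alongside the three bf- queries quoted on the slide.

```python
import binascii
import re
from collections import defaultdict

# Name layouts from the slides: "ln-NNN.rd-OFFSET.id-SESSION" on responses, "bf-HEX.wr-OFFSET.id-SESSION"
# on requests, under v0.tun.vpnoverdns.com. Offsets are read as decimal bytes (assumption: the
# bf- labels step 0, 30, 60 for 30-byte chunks); ln- is unexplained in the talk and is not interpreted.
LABEL_RE = re.compile(
    r"^(?:ln-\d+|bf-(?P<bf>[0-9a-f]+))\.(?:rd|wr)-(?P<off>\d+)"
    r"\.id-(?P<sid>\d+)\.v0\.tun\.vpnoverdns\.com\.?$", re.IGNORECASE)

def request_chunk(qname):
    """bf- request label: hex text -> (session id, byte offset, payload bytes)."""
    m = LABEL_RE.match(qname)
    if not m or m.group("bf") is None:
        return None
    return m.group("sid"), int(m.group("off")), binascii.unhexlify(m.group("bf"))

def response_chunk(qname, a_records):
    """Response: A records start at 192.x.x.x and climb; the last three octets
    of each, taken in first-octet order, are the payload bytes."""
    m = LABEL_RE.match(qname)
    if not m or m.group("bf") is not None:
        return None
    ordered = sorted(a_records, key=lambda ip: int(ip.split(".")[0]))
    data = b"".join(bytes(int(o) for o in ip.split(".")[1:]) for ip in ordered)
    return m.group("sid"), int(m.group("off")), data

def reassemble(chunks):
    """Stitch (session id, offset, bytes) chunks into one stream per session."""
    streams = defaultdict(dict)
    for sid, off, data in chunks:
        streams[sid][off] = data
    return {sid: b"".join(p[o] for o in sorted(p)) for sid, p in streams.items()}

# The three bf- queries quoted on the slide (session 00912196).
REQUESTS = [
    "bf-1b3132313330363734c2a7536f636b657444617461c2a734303436304745.wr-00000000.id-00912196.v0.tun.vpnoverdns.com.",
    "bf-5420687474703a2f2f616e64726f69642e636c69656e74732e676f6f676c.wr-00000030.id-00912196.v0.tun.vpnoverdns.com.",
    "bf-652e636f6d2f70726f78792f677361737567676573742f7365617263683f.wr-00000060.id-00912196.v0.tun.vpnoverdns.com.",
]
# Constructed response sample (not from the talk): A records spelling "HTTP/1.1 200 OK..."; first set shuffled.
RESPONSES = [
    ("ln-048.rd-00000000.id-14932049.v0.tun.vpnoverdns.com.",
     ["193.80.47.49", "192.72.84.84", "195.50.48.48", "194.46.49.32", "196.32.79.75",
      "197.13.10.68", "198.97.116.101", "199.58.32.83", "200.97.116.44", "201.32.48.53"]),
    ("ln-048.rd-00000030.id-14932049.v0.tun.vpnoverdns.com.",
     ["192.32.74.97", "193.110.32.50", "194.48.49.51", "195.32.49.56",
      "196.58.48.56", "197.58.48.53", "198.32.71.77", "199.84.13.10"]),
]
```

Fed a pDNS export instead of these samples, the same three functions yield every session the sensor saw, which is exactly why the later slides ask pDNS operators to purge this domain and defenders to alert on any query under it.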

Page 19: Thotcon 0x5 - Retroactive Wiretapping VPN over DNS

The Incident that Never was...

●Nothing is quite as depressing as finding a cool incident that really wasn’t.

● Takeaway: Passive DNS operators probably should ignore this domain, as the data isn’t real DNS; it’s actually HTTP/mail traffic.

Page 20: Thotcon 0x5 - Retroactive Wiretapping VPN over DNS

The Truth About VPN over DNS

● This is not data exfiltration, it’s a way to surf the web behind WiFi hotspot paywalls (because DNS isn’t blocked even if you haven’t authenticated).
  ○ Take that Marriott and your $10/day Internet fee.

●This will also bypass any web proxies you have.

● In theory you COULD use it for data exfiltration, but it’s pretty easy to spot
  ○ Any DNS queries for *.tun.vpnoverdns.com? You are bad and you should feel bad.

Page 21: Thotcon 0x5 - Retroactive Wiretapping VPN over DNS

Then Evil Genius Struck

● I was able to rebuild traffic in Wireshark… what if I dumped the entire pDNS database for tun.vpnoverdns.com?
  ○ Remember, pDNS is just a big log of all DNS queries and responses it sees.

$ python dnsdb_query.py *.tun.vpnoverdns.com | wc -l
5799244

Page 22: Thotcon 0x5 - Retroactive Wiretapping VPN over DNS

Look Mom, I Built PRISM for Script Kiddies

● Looking at just the timestamps I have data from, there are records going back to May 2013.

●Since the sensor is in between the VPNoverDNS user and their DNS server, if it captures any traffic it likely has the ENTIRE session in its logs.

● So what websites do you think VPN over DNS users like to view?
  ○ Let’s check those bf- records

Page 23: Thotcon 0x5 - Retroactive Wiretapping VPN over DNS

Wait for it...

●Some are not surprising:

Host: m.facebook.com:443
Host: profile.ak.fbcdn.net
Host: i2.cdn.turner.com
Host: googleads.g.doubleclick.net

● This had to be a fun listening experience:

Host: stats.pandora.com

Page 24: Thotcon 0x5 - Retroactive Wiretapping VPN over DNS

And what is the Internet for?

●And of course, there was this...

Host: metaltoys.co.za
Host: www.youngleafs.com
Host: myshortskirt.com
Host: www.bravotube.net
Host: promo.badoink.com
Host: www.coedcherry.com
Host: cdn-z3.perfectgirls.net
Host: cdn-z4.perfectgirls.net

Page 25: Thotcon 0x5 - Retroactive Wiretapping VPN over DNS

Y U NO ENCRYPT?

Page 26: Thotcon 0x5 - Retroactive Wiretapping VPN over DNS

But it gets worse...

Referer: http://127.0.0.1:8888/mail4hotspot/app/navigation?url=https://accounts.google.com/ServiceLoginAuth
User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.5; en-us; N860 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Origin: http://127.0.0.1:8888
Accept: application/xml,application/vnd.wap.xhtml+xml,application/xhtml+xml;profile='http://www.wapforum.org/xhtml',text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Content-Type: application/x-www-form-urlencoded
x-wap-proxy-cookie: none
Cache-Control: no-transform
Content-Length: 197

url=https%3A%2F%2Faccounts.google.com%2FServiceLoginAuth&GALX=bAmxoTJR_XY&_utf8=%26%239731%3B&bgresponse=&Email=XXXXXXXXX%40gmail.com&Passwd=XXXXXXX …….

Yes, kids, this sends HTTPS requests over DNS **IN THE CLEAR**. (Oh, and this guy’s username was the same as his password.)

Page 27: Thotcon 0x5 - Retroactive Wiretapping VPN over DNS

The Fail is Strong With This One...

Page 28: Thotcon 0x5 - Retroactive Wiretapping VPN over DNS

DISCLAIMERS

I’ve asked pDNS operators to purge this data.

There should also be a rule to detect clients using this on your networks in the Emerging Threats open snort rules soon.

Page 29: Thotcon 0x5 - Retroactive Wiretapping VPN over DNS

No Applause please. Throw money.

[email protected]

Questions?
