
DNS Poisoning and Domain Hijacking – CompTIA Security+ SY0-501 – 1.2


The domain name services are a critical part of our IP networking. These are the servers that take the names we provide and give us back IP addresses in translation. If you're able to modify the information in the DNS server, if you are able to manipulate the records inside of that DNS server, then you could potentially send someone to an IP address that isn't where they thought they were going.

One way to do this is to modify files on the workstations themselves. If you change the client's hosts file, for example, it won't even make the request to a DNS server. You can simply direct someone to an IP address based on what you put in the file on that person's machine. Changing the contents of a single file across a large number of devices, though, may be too difficult to manage. That's why many bad guys focus their efforts on changing what's in the DNS server. That way the clients don't have to be changed: you make one change on the DNS server, and now the response to all of those clients carries whatever the bad guy would like. There are many different ways to do this. Some involve taking control of the DNS server itself; others, usually called cache poisoning, trick the server into accepting and caching a forged response without anyone ever logging in to it. Here's how this might work. You've got a couple of
users that will need access to professormesser.com. There's a bad guy who wants to poison the DNS server, and then you've got the DNS server itself, which has professormesser.com and the IP address for my web server. User number one makes a request to my DNS server, gets the appropriate IP address for that particular domain, and the server keeps that answer in its cache. Before the second user is able to make the exact same request, the bad guy takes control of the DNS server and makes changes so that the professormesser.com address now points to a completely different IP address. Now each subsequent user of the DNS server will still get a response for professormesser.com, but it will contain a completely incorrect IP address, and it will keep getting that answer until the cached entry expires or is flushed. The bad guy now has control of where people will be going every time they type in professormesser.com.

Many DNS servers are well protected, so it's sometimes difficult to poison the information that's on a single DNS server. Instead, what if we
were able to change which DNS server is used for our particular domain name? We do this through a technique called domain hijacking. We somehow gain access to the domain registration, which is where the primary DNS information for the domain, the name servers that are authoritative for it, is entered. This means we don't have to change anything on the existing DNS server; we simply change our domain registration to point to a name server that's controlled by the bad guys.

Of course, performing this domain hijacking is not a simple process. You somehow need to gain access to the account at the domain registrar. This might be guessing the password through brute force. Maybe we're social engineering the password by calling the domain registrar or calling the owner of the domain. Or maybe we're gaining access to the email account that's used to administer the domain, since that's where the registrar sends password resets and change notices. As long as you can gain access to that account, you can then change which DNS server is used to provide this IP addressing, which is why a registrar lock, multi-factor authentication on the registrar account, and alerting on any change to a domain's name servers are worth setting up. A good example of
a domain hijacking occurred on Saturday, October 22nd, 2016, at 1:00 p.m. in the afternoon. It affected a bank in Brazil. The registrations of 36 domains associated with this bank were suddenly changed. This changed not only the bank's login site but the domains used by its desktop and mobile applications, and many others. They were under the hackers' control for six hours until the bank could get control of its domain names back. The bad guys effectively became the bank. This bank managed the accounts of over 5 million customers and had over $27 billion in assets. And for those six hours, the bad guys were able to manipulate and change what the bank's clients were seeing. The results of this domain hijacking were never made public, but we can bet that this particular bank is taking special care to make sure that nobody gains access to its domains again.
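The hosts-file shortcut described above is also the easiest of these attacks to check for on an endpoint. The following Python script is an added example, not code from the original page or from Professor Messer: it parses a hosts file, ignores comments and the loopback and sinkhole entries that ad blockers legitimately add, and flags any entry that would silently override DNS for a domain you care about. The sample hosts content and the list of protected domains are constructed for this example; on a real system you would point `audit_file` at `/etc/hosts` or `C:\Windows\System32\drivers\etc\hosts`.

```python
import ipaddress

# Constructed sample of a tampered hosts file (not taken from a real system).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost ip6-localhost
# injected by malware:
203.0.113.45    professormesser.com www.professormesser.com
203.0.113.45    login.example-bank.com
0.0.0.0         ads.example.net   # ad-blocker sinkhole, benign
"""

# Assumption for this example: domains that should only ever resolve via DNS.
PROTECTED_SUFFIXES = ("professormesser.com", "example-bank.com")

# Addresses ad blockers use to sinkhole names; they send traffic nowhere,
# not to an attacker, so they are not reported.
SINKHOLE_ADDRESSES = {"0.0.0.0", "::"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text.

    Handles '#' comments (whole-line and trailing), several hostnames on
    one line, and both IPv4 and IPv6 addresses; malformed lines are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((str(ip), name.lower().rstrip(".")))
    return entries


def is_protected(name):
    """True if name is one of the protected domains or a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text):
    """Return [(hostname, ip)] for protected names mapped to a real address."""
    findings = []
    for ip, name in parse_hosts(text):
        if ipaddress.ip_address(ip).is_loopback or ip in SINKHOLE_ADDRESSES:
            continue
        if is_protected(name):
            findings.append((name, ip))
    return findings


def audit_file(path):
    """Audit a hosts file on disk (e.g. /etc/hosts)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    for name, ip in audit_hosts(SAMPLE_HOSTS):
        print(f"hosts override: {name} -> {ip}")
```

Loopback and sinkhole entries are skipped on purpose: a line mapping a protected name to 127.0.0.1 is still unusual and worth a look, but it is a denial of service rather than a redirect, and treating every ad-blocker entry as an incident produces noise that gets the check switched off.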
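The walkthrough above describes the effect of a poisoned cache: one bad record, served to every client that asks. The Python example below is added here and is not code from the original page or from Professor Messer; it goes slightly beyond the text by showing the forged-response variant of poisoning rather than a takeover of the server. It builds real DNS wire-format queries and responses, models a caching resolver that accepts a reply only when the 16-bit transaction ID, the question and the UDP source port all match an outstanding query, and shows that a forged reply which matches those fields is cached for every later client while the genuine reply arrives too late and is discarded. All names and addresses are constructed (192.0.2.10 and 203.0.113.99 are documentation addresses), and the random seed is fixed so the demonstration is repeatable.

```python
import random
import struct

A_RECORD, IN_CLASS = 1, 1


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, offset):
    """Decode labels starting at offset; returns (name, offset past the name)."""
    labels = []
    while msg[offset] != 0:
        length = msg[offset]
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), offset + 1


def build_query(txid, name):
    """Standard query, recursion desired (flags 0x0100), one question."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", A_RECORD, IN_CLASS))


def build_response(txid, name, ip, ttl=3600):
    """Response (flags 0x8180 = QR|RD|RA) carrying one A record for name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", A_RECORD, IN_CLASS)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = (encode_name(name)
              + struct.pack("!HHIH", A_RECORD, IN_CLASS, ttl, len(rdata)) + rdata)
    return header + question + answer


def parse_response(msg):
    """Return (txid, flags, qname, answer_name, ttl, ip) from a one-answer response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4                                    # skip QTYPE and QCLASS
    if qdcount != 1 or ancount < 1:
        return txid, flags, qname, None, None, None
    aname, off = decode_name(msg, off)
    rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    rdata = msg[off + 10:off + 10 + rdlen]
    ip = ".".join(str(b) for b in rdata) if rtype == A_RECORD else None
    return txid, flags, qname, aname, ttl, ip


class CachingResolver:
    """Toy recursive resolver: one shared cache serves every client."""

    def __init__(self, seed=1):
        self.rng = random.Random(seed)          # seeded so the demo is repeatable
        self.cache = {}                         # name -> (ip, ttl)
        self.pending = {}                       # txid -> (name, source port)

    def send_query(self, name):
        """Pick a random 16-bit ID and source port (RFC 5452) and remember them."""
        txid = self.rng.randrange(65536)
        port = self.rng.randrange(1024, 65536)
        self.pending[txid] = (name.lower(), port)
        return build_query(txid, name), txid, port

    def receive(self, msg, port):
        """Accept a reply only if ID, question and port match a pending query."""
        txid, flags, qname, aname, ttl, ip = parse_response(msg)
        if not (flags & 0x8000) or txid not in self.pending:
            return False                        # not a response, or ID mismatch
        name, expected_port = self.pending[txid]
        if port != expected_port or qname.lower() != name or ip is None:
            return False
        self.cache[aname.lower()] = (ip, ttl)   # genuine or forged, it is cached
        del self.pending[txid]                  # later replies for this ID are dropped
        return True

    def lookup(self, name):
        return self.cache.get(name.lower(), (None, None))[0]


def poisoning_demo():
    """Returns (guess_rejected, forgery_accepted, legit_rejected, cached_ip)."""
    r = CachingResolver()
    _, txid, port = r.send_query("professormesser.com")
    # Attacker guesses the transaction ID wrong: rejected.
    guess = r.receive(build_response((txid + 1) % 65536, "professormesser.com", "203.0.113.99"), port)
    # Attacker who knows ID and port (a resolver with a fixed port and
    # predictable IDs) wins the race: accepted and cached for every client.
    forged = r.receive(build_response(txid, "professormesser.com", "203.0.113.99"), port)
    # The genuine answer arrives afterwards and is discarded.
    legit = r.receive(build_response(txid, "professormesser.com", "192.0.2.10"), port)
    return guess, forged, legit, r.lookup("professormesser.com")
```

The acceptance check in `receive` is the whole defence an unsigned resolver has: with only the 16-bit ID to guess, an attacker can flood forgeries and expect a hit, which is why randomizing the source port as well (RFC 5452) and validating DNSSEC signatures matter. The TTL stored with the poisoned entry is what keeps it serving wrong answers to later users until it expires or an operator flushes the cache.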
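Because a domain hijacking changes the registration rather than your DNS server, it shows up at the registrar first. The Python script below is an added example, not code from the original page or from Professor Messer. It parses WHOIS-style output, compares the delegated name servers against a baseline, and flags missing registrar locks (the EPP `clientTransferProhibited` and `clientUpdateProhibited` statuses) and an unsigned delegation. The baseline, the two records and the `example.com` name servers are all constructed for the example; the `Name Server:` and `Domain Status:` field names follow the common registrar layout, but real WHOIS and RDAP output varies, so treat the parser as a starting point. In production you would feed it the output of `whois` or an RDAP lookup on a schedule and page on any finding.

```python
# Assumption for this example: the name servers the domain is supposed to delegate to.
EXPECTED_NS = {"example.com": {"ns1.example.net", "ns2.example.net"}}

# EPP status codes that block transfers and record changes at the registrar.
REQUIRED_LOCKS = {"clienttransferprohibited", "clientupdateprohibited"}

# Constructed WHOIS-style records, not real registrar data.
BASELINE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: NS1.EXAMPLE.NET
Name Server: NS2.EXAMPLE.NET
DNSSEC: signedDelegation
"""

HIJACKED_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Domain Status: ok https://icann.org/epp#ok
Name Server: NS1.ATTACKER-DNS.EXAMPLE
Name Server: NS2.ATTACKER-DNS.EXAMPLE
DNSSEC: unsigned
"""


def parse_whois(text):
    """Extract domain, status codes, name servers and DNSSEC flag from WHOIS text."""
    record = {"domain": None, "status": set(), "ns": set(), "dnssec": None}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "domain name":
            record["domain"] = value.lower()
        elif key == "domain status":
            record["status"].add(value.split()[0].lower())   # drop the EPP URL
        elif key == "name server":
            record["ns"].add(value.lower().rstrip("."))
        elif key == "dnssec":
            record["dnssec"] = value.lower()
    return record


def audit_delegation(text, expected_ns=EXPECTED_NS):
    """Return a list of human-readable findings; an empty list means no change."""
    rec = parse_whois(text)
    findings = []
    expected = expected_ns.get(rec["domain"], set())
    unexpected = rec["ns"] - expected
    missing = expected - rec["ns"]
    if unexpected:
        findings.append(f"unexpected nameservers: {sorted(unexpected)}")
    if missing:
        findings.append(f"missing nameservers: {sorted(missing)}")
    for lock in sorted(REQUIRED_LOCKS - rec["status"]):
        findings.append(f"registrar lock missing: {lock}")
    if rec["dnssec"] and rec["dnssec"] != "signeddelegation":
        findings.append(f"dnssec not signed: {rec['dnssec']}")
    return findings


if __name__ == "__main__":
    for label, text in (("baseline", BASELINE_WHOIS), ("hijacked", HIJACKED_WHOIS)):
        print(label, audit_delegation(text) or "OK")
```

The name-server comparison is the check that would have fired in the Brazilian case within minutes of the change, and the lock check catches the precondition: a registrar will not move a domain that is `clientTransferProhibited` without the lock being removed first, so a lock disappearing is itself a signal.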
