Hacking with DNS - mathias
https://docs.google.com/presentation/d/1HfXVJyXElzBshZ9SYNjBwJf_4MBaho6UcATTFwApfXw

======
grflynn
Another bunch of slides with no context. Is there an accompanying video to go
with these, or can we glean solid info from this?

My takeaway from this is that DNSSEC is done wrong from the outset here, and
hence all these vectors are possible. The vectors don't seem particularly
nasty if we verify the integrity of DNS from the get go.

~~~
iagox86
Hey, I'm the author of the talk, but I'm not the one who posted this. I'll
give you some context :)

It's the slides from a talk I gave yesterday at Derbycon -
[https://www.derbycon.com](https://www.derbycon.com). It was recorded, but it
doesn't look like the recording is up just yet - it will be on
[http://irongeek.com](http://irongeek.com) in the next couple days (and maybe
tweeted from @irongeek_adc sooner - he's already posted a few videos from
talks later than mine, but I was in kind of a weird room).

Anyway, this talk doesn't really have anything to do with DNSSEC. These
attacks would work just fine with or without DNSSEC. It's simply abusing DNS
the way DNS was supposed to work.

And finally, I'll definitely be posting more information (releasing the tool,
the video, etc) on my own twitter account - @iagox86.

~~~
namecast
You forgot the link to dnscat2 on GH - I hope you don't mind, it's in the
presentation and totally the first thing I wanted to look at:

[https://github.com/iagox86/dnscat2](https://github.com/iagox86/dnscat2)

I see shell/exec/upload/download payloads mentioned in the command protocol
docs, very cool.

------
tjgq
Slide 56 onwards (2-way communication over DNS) is basically what Iodine [0]
does to defeat firewalls. Quite a cool hack.

[0] [http://code.kryo.se/iodine/](http://code.kryo.se/iodine/)
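The two-way channel the comment above describes (data carried in the labels of outbound queries, replies carried in the answer records) is what makes DNS tunnels such as Iodine and dnscat2 stand out in resolver logs: the names are long, high-entropy and almost never repeated, and the record types lean toward TXT/NULL/CNAME rather than A. The script below is an added example written for this thread, not code from either project, and shows those heuristics run over a handful of constructed query-log lines. The log format (`client qtype qname`), the thresholds and the "last two labels are the registered domain" shortcut are all assumptions made for the example; a production detector would use the public suffix list and an allowlist of known chatty services.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log, not real traffic.  One query per line:
# <client-ip> <qtype> <qname>.  10.0.0.5 is ordinary browsing; 10.0.0.7
# sends what a DNS tunnel looks like: long hex labels, a new name every
# time, and TXT queries against a single registered domain.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A cdn.example.com
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.5 A www.example.com
10.0.0.7 A www.example.com
10.0.0.7 TXT 9f3b1c7d0a2e8f4b6c1d.3e5a7b9c1d2f4e6a8b0c.tunnel.example.net
10.0.0.7 TXT a1b2c3d4e5f607182930.4b5c6d7e8f9a0b1c2d3e.tunnel.example.net
10.0.0.7 TXT 0c1d2e3f4a5b6c7d8e9f.a0b1c2d3e4f5061728c9.tunnel.example.net
10.0.0.7 TXT 5e6f7a8b9c0d1e2f3a4b.c5d6e7f8091a2b3c4d5e.tunnel.example.net
10.0.0.7 TXT 7d8e9fa0b1c2d3e4f506.1728394a5b6c7d8e9fa0.tunnel.example.net
10.0.0.7 TXT f0e1d2c3b4a596877869.5a4b3c2d1e0f91827364.tunnel.example.net
"""

# Record types that carry useful payload back to a client; ordinary hosts
# rarely issue many of these.  (Assumed list for this example.)
TUNNEL_FRIENDLY_TYPES = ("TXT", "NULL", "CNAME", "MX")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payload scores high, words low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname: str) -> str:
    """Simplification: last two labels.  Real code should use the PSL."""
    return ".".join(qname.split(".")[-2:])


def parse_line(line: str):
    client, qtype, qname = line.split()
    return client, qtype.upper(), qname.lower().rstrip(".")


def analyze_dns_log(log_text: str, min_queries: int = 5,
                    entropy_threshold: float = 3.0) -> list:
    """Group queries by (client, registered domain) and flag tunnel-like pairs."""
    stats = defaultdict(lambda: {"n": 0, "names": set(), "entropy": 0.0, "types": 0})
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        client, qtype, qname = parse_line(raw)
        dom = registered_domain(qname)
        sub = qname[:-(len(dom) + 1)] if qname != dom else ""
        s = stats[(client, dom)]
        s["n"] += 1
        s["names"].add(qname)
        s["entropy"] += shannon_entropy(sub.replace(".", ""))
        s["types"] += qtype in TUNNEL_FRIENDLY_TYPES

    findings = []
    for (client, dom), s in stats.items():
        n = s["n"]
        if n < min_queries:          # too little data to judge
            continue
        avg_entropy = s["entropy"] / n
        reasons = []
        if avg_entropy >= entropy_threshold:
            reasons.append("high-entropy labels")
        if len(s["names"]) / n >= 0.9:
            reasons.append("almost every query is a new name")
        if s["types"] / n >= 0.5:
            reasons.append("payload-carrying record types dominate")
        if reasons:
            findings.append({"client": client, "domain": dom, "queries": n,
                             "avg_entropy": round(avg_entropy, 2),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_dns_log(SAMPLE_LOG):
        print(f"{f['client']} -> {f['domain']}: {f['queries']} queries, "
              f"entropy {f['avg_entropy']}: {', '.join(f['reasons'])}")
```

Each heuristic on its own produces false positives (CDNs and anti-malware products also generate many unique, hash-like names), which is why the script reports the reasons together rather than alerting on any single one; tuning the thresholds and allowlisting known domains is the bulk of the real work.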

~~~
iagox86
Hey, I'm the guy that wrote the talk and you're right - Iodine is similar in
some ways.

Some quick background - I wrote the original version of dnscat a few years
ago, and AFAIK Iodine was made at the same time. dnscat was designed to be an
all-purpose DNS relay.

dnscat2 was re-written from scratch with one thing in mind - pentesting. It's
NOT a general purpose DNS tunnel, and I've actively avoided adding features
that would make it that way. It's for offensive security, plain and simple.

I realize I didn't call that out very well in the slides, and I should have.
Next time! :)

~~~
tjgq
Thanks for the background! I didn't know about the original dnscat - that's
why I mentioned iodine in case someone was interested in trying this out as a
tunneling method.

And thanks also for your thoroughly enjoyable talk.

