‘It’s always DNS’
Red teamers and pen testers are being offered a DNS server technology geared to their needs and demonstrated during an Arsenal session at Black Hat Europe on Wednesday (December 9).
SnitchDNS is specially tuned to the needs of security researchers, developer Pavel Tsakalidis told The Daily Swig.
“There are a lot of tools that offer similar functionality, but these either lack some features or are not aimed towards security consultants,” he explained.
“SnitchDNS was created in order to allow security consultants to automate their infrastructure, monitor network traffic, receive notifications when domains are resolved, integrate with SIEM solutions, and more.”
During his presentation at Black Hat’s European edition, which is taking place entirely online this year, Tsakalidis went through the basic features of SnitchDNS, including its configuration, domain and record creation, notifications, IP restrictions, conditional responses, and logging.
Twist and shout
SnitchDNS is written in Python on top of Twisted, an event-driven networking engine.
Aside from its application as a simple DNS server for red team infrastructure, SnitchDNS offers several different use cases, Tsakalidis explained:
- Phishing – By utilising catch-all domains, each phishing target can be given their own subdomain rather than carrying an identifier in the URL. For example, GoPhish's default parameter is yourphishingdomain.com/?rid=UNIQUE_VALUE. With SnitchDNS, that unique value can be placed in the hostname itself, so one user gets a landing page at unique1.yourphishingdomain.com and another at unique2.yourphishingdomain.com. If the domain is reported and strange resolution or user activity starts to appear, the subdomain being resolved pinpoints which user reported the link.
- DNS Tunnel – This technique is used when attackers leverage the DNS protocol for command and control communications, or even data egress. Once again utilising catch-all domains, red teamers can egress data. As all queries are logged by SnitchDNS, a security consultant can egress (for example) ‘topsecretpassword’ simply by pinging topsecretpassword.tunnel.yourc2domain.com, which is logged without any use of HTTP. The data can of course be encrypted before transmission, in which case it would appear as encrypteddata.tunnel.yourc2domain.com.
- Canary Tokens – A very basic example would be an organisation deploying honeypots within its network. For instance, a document called infrastructure-creds.docx is placed on a network share to lure internal attackers. That document contains a link that loads an image (automatically, when the document is opened) from a domain served by SnitchDNS. The moment the honeypot domain is resolved, the administrator receives a notification via email, web push, Slack, or Microsoft Teams, depending on their configuration.
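The three use cases above share one mechanism: every query for a catch-all zone is logged, and the leftmost labels carry the signal. The following script is an added example (not SnitchDNS code and not from the talk) showing how a defender or consultant would triage such a log: it attributes phishing-zone lookups to a per-target subdomain, raises a canary alert for the honeypot zone, and flags tunnel-like lookups by label length and character entropy. The log layout and zone names are assumptions constructed for the example.

```python
import math
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample query log, one "timestamp client qname qtype" record per line.
# This layout is an assumption for the example, not SnitchDNS's own log format.
SAMPLE_LOG = """\
2020-12-09T10:00:01Z 203.0.113.7 unique1.yourphishingdomain.com A
2020-12-09T10:00:05Z 203.0.113.9 unique2.yourphishingdomain.com A
2020-12-09T10:02:11Z 198.51.100.4 img.infrastructure-creds.canary.example A
2020-12-09T10:03:40Z 203.0.113.7 7a9f3c1e8b2d4f60a1c5e9b3d7f2a8c4.tunnel.yourc2domain.com A
2020-12-09T10:03:42Z 203.0.113.7 www.yourc2domain.com A
2020-12-09T10:04:00Z 203.0.113.9 yourphishingdomain.com MX
"""


@dataclass(frozen=True)
class Finding:
    kind: str      # "phish-target", "canary" or "tunnel"
    client: str
    qname: str
    detail: str


def shannon_entropy(text: str) -> float:
    """Bits per character; hex/base32 blobs score well above ordinary host labels."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def labels_under(qname: str, zone: str) -> Optional[List[str]]:
    """Labels to the left of `zone` (the catch-all part), or None if qname is not beneath it.
    A query for the bare zone apex carries no per-target label and returns None."""
    q, z = qname.lower().rstrip("."), zone.lower().rstrip(".")
    if q == z or not q.endswith("." + z):
        return None
    return q[: -(len(z) + 1)].split(".")


def classify(client: str, qname: str, phishing_zone: str, canary_zone: str,
             tunnel_zone: str, max_label_len: int = 20,
             entropy_threshold: float = 3.5) -> Optional[Finding]:
    """Map one logged query to a finding, or None when it is unremarkable."""
    # Catch-all phishing zone: the leftmost label is the per-target identifier.
    sub = labels_under(qname, phishing_zone)
    if sub is not None:
        return Finding("phish-target", client, qname, sub[0])

    # Honeypot zone: any resolution at all means the lure document was opened.
    sub = labels_under(qname, canary_zone)
    if sub is not None:
        return Finding("canary", client, qname, "honeypot domain resolved")

    # Tunnel zone: long or high-entropy leftmost labels look like encoded payload.
    sub = labels_under(qname, tunnel_zone)
    if sub is not None:
        label = sub[0]
        ent = shannon_entropy(label)
        if len(label) > max_label_len or ent > entropy_threshold:
            return Finding("tunnel", client, qname,
                           f"label length {len(label)}, entropy {ent:.2f}")
    return None


def analyse_log(log_text: str, phishing_zone: str, canary_zone: str,
                tunnel_zone: str) -> List[Finding]:
    """Parse the constructed log format and return findings in log order."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed records
        _ts, client, qname, _qtype = parts
        f = classify(client, qname, phishing_zone, canary_zone, tunnel_zone)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in analyse_log(SAMPLE_LOG, "yourphishingdomain.com",
                         "canary.example", "tunnel.yourc2domain.com"):
        print(f"{f.kind:13} {f.client:14} {f.qname}  [{f.detail}]")
```

The entropy test is deliberately a heuristic: short labels such as www score low and are ignored, while a 32-character hex label is both over the length limit and well above 3.5 bits per character. In a SIEM pipeline the same classification would be keyed on the notification SnitchDNS sends rather than on a text log.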
DNS is a fundamental internetworking service that converts human-readable names to IP addresses.
The protocol has a dark side: its ubiquity and its ability to pass through most network boundaries mean it is often abused by malware for command and control, data exfiltration and infiltration, and other nefarious purposes such as phishing.