A seemingly normal DNS packet:
ETH: dst:98:76:54:32:10:ab src:ab:cd:ef:12:34:56 type:0x0800
IPv4: version:4 hlen:5 tos:0x00 length:190 id:44821
IPv4: flags:0x00 offset:0 ttl:128 protocol:0x11 checksum:0xb060
IPv4: src:8.8.8.8 dst:192.168.10.1
UDP: src:53 dst:13245 length:170 checksum:0x8756
DNS: id:21817 qr:1 opcode:0 flags:0x18 rcode:0
DNS: qdCount:1 anCount:4
DNS: nsCount:0 arCount:0
DNS::Question: name:www.www.com
DNS::Question: type:1 class:1
DNS::RR: name:www.www.com
DNS::RR: type:5 class:1 ttl:64 rdlength:16
DNS::RR::CNAME: cname:www.Johnny.com
DNS::RR: name:www.www.com
DNS::RR: type:5 class:1 ttl:64 rdlength:17
DNS::RR::CNAME: cname:www.Fingers.com
DNS::RR: name:www.www.com
DNS::RR: type:1 class:1 ttl:64 rdlength:4
DNS::RR::A: address:25.7.42.197
DNS::RR: name:www.www.com
DNS::RR: type:1 class:1 ttl:64 rdlength:4
DNS::RR::A: address:73.156.82.200
But upon some decoding ...
ppc> print join " ", ssnExtract $packet;
Johnny Fingers 01/01/1990 234-98-1576
Uh-oh! It's using the CNAME records to pass a first and last name, and the A records to encode a date and a Social Security number as IP addresses. Not terribly innovative, but also not terribly hard to do. Can DNS firewalls or data leak prevention catch this?
This little exercise was created with Perl Packet Crafter.
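As an added defender-side example (not part of the original post or of Perl Packet Crafter), the Python below rebuilds the response above from constructed bytes, parses it, and applies two checks a DNS filter or DLP sensor could run: the RFC 1034 rule that a name owning a CNAME carries no other data (here one owner has two CNAMEs plus two A records), and a decoder for the A records. The decoder's digit scheme (the address read as a decimal integer is one leading digit followed by the payload digits) is inferred from the two addresses in the dump, not stated by the author.

```python
import struct, ipaddress
CNAME, A = 5, 1  # RR type codes

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
def build_response(qname, rrs):
    # Constructed sample with the dump's id, question and answer RRs; header flags simplified to 0x8180.
    msg = struct.pack("!HHHHHH", 21817, 0x8180, 1, len(rrs), 0, 0) + encode_name(qname) + struct.pack("!HH", A, 1)
    for rtype, rdata in rrs:
        rd = encode_name(rdata) if rtype == CNAME else ipaddress.IPv4Address(rdata).packed
        msg += encode_name(qname) + struct.pack("!HHIH", rtype, 1, 64, len(rd)) + rd
    return msg
def read_name(msg, off):
    labels = []
    while (n := msg[off]) != 0:
        if n & 0xC0 == 0xC0:  # compression pointer: the rest of the name lives at the pointed-to offset
            return ".".join(labels + [read_name(msg, struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF)[0]]), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels), off + 1
def parse_answers(msg):
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):  # skip the question section (name + type + class)
        off = read_name(msg, off)[1] + 4
    for _ in range(an):  # yield (owner, type, value) for every answer RR
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        val = (read_name(msg, off)[0] if rtype == CNAME else
               str(ipaddress.IPv4Address(msg[off:off + 4])) if rtype == A else msg[off:off + rdlen].hex())
        off += rdlen
        yield owner, rtype, val
def cname_violations(answers):
    # RFC 1034 3.6.2: an owner with a CNAME may carry no other data, so >1 CNAME or CNAME+A is a red flag.
    by_owner = {}
    for owner, rtype, _ in answers:
        by_owner.setdefault(owner, []).append(rtype)
    return [f"{o}: {ts.count(CNAME)} CNAME RRs alongside {len(ts) - ts.count(CNAME)} other RRs"
            for o, ts in by_owner.items() if ts.count(CNAME) > 1 or (CNAME in ts and len(set(ts)) > 1)]
def a_record_digits(ip):
    # Inferred from the two A records in the dump (an assumption, not stated by the author):
    # the address as a decimal integer is one leading digit followed by the payload digits.
    return str(int(ipaddress.IPv4Address(ip)))[1:]

SAMPLE = build_response("www.www.com", [(CNAME, "www.Johnny.com"), (CNAME, "www.Fingers.com"),
                                        (A, "25.7.42.197"), (A, "73.156.82.200")])
def audit(msg=SAMPLE):
    answers = list(parse_answers(msg))
    names = [v.split(".")[1] for _, t, v in answers if t == CNAME]  # middle label of each CNAME target
    return cname_violations(answers), names, [a_record_digits(v) for _, t, v in answers if t == A]
```

Running `audit()` on the sample flags the owner name once and recovers "Johnny", "Fingers", 19900101 and 234981576; several A records under one owner, as in an ordinary round-robin answer, produce no finding.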