Wednesday, May 10, 2017

DNS PII UH-OH

A seemingly normal DNS packet:

ETH: dst:98:76:54:32:10:ab  src:ab:cd:ef:12:34:56  type:0x0800
IPv4: version:4  hlen:5  tos:0x00  length:190  id:44821
IPv4: flags:0x00  offset:0  ttl:128  protocol:0x11  checksum:0xb060
IPv4: src:8.8.8.8  dst:192.168.10.1
UDP: src:53  dst:13245  length:170  checksum:0x8756
DNS: id:21817  qr:1  opcode:0  flags:0x18  rcode:0
DNS: qdCount:1  anCount:4
DNS: nsCount:0  arCount:0
DNS::Question: name:www.www.com
DNS::Question: type:1  class:1
DNS::RR: name:www.www.com
DNS::RR: type:5  class:1  ttl:64  rdlength:16
DNS::RR::CNAME: cname:www.Johnny.com
DNS::RR: name:www.www.com
DNS::RR: type:5  class:1  ttl:64  rdlength:17
DNS::RR::CNAME: cname:www.Fingers.com
DNS::RR: name:www.www.com
DNS::RR: type:1  class:1  ttl:64  rdlength:4
DNS::RR::A: address:25.7.42.197
DNS::RR: name:www.www.com
DNS::RR: type:1  class:1  ttl:64  rdlength:4
DNS::RR::A: address:73.156.82.200

But upon some decoding ...

ppc> print join " ", ssnExtract $packet;
Johnny Fingers 01/01/1990 234-98-1576

Uh-oh! It's using CNAME to pass first and last name and the A records to encode date and social security number as IP addresses. Not terribly innovative, but also not terribly hard to do. Can DNS firewalls or data leak prevention catch this?

This little exercise created with Perl Packet Crafter.

No comments :

 

Copyright © VinsWorld. All Rights Reserved.