DNS poisoning exploit

This is definitely a really serious issue, and now that exploit code has been posted, it's only a matter of hours before someone starts screwing around with DNS servers.
 
So can someone put this in simple terms for us? What exactly is it that a hacker will be able to do with this exploit?
 
Change the address so that when you type in www.cocoontech.com it actually goes to a spoofed site.

Probably not a problem with cocoontech, but imagine all the financial sites that someone could spoof and all the personal information you could get. If the spoof site is good (and they usually are) there would be no way for the individual to know. After all, they are using the same site to access their accounts as they always have - except they aren't, due to the hack.
 
lol This is similar to how I proposed to my wife. I created a duplicate of geocaching.com and set a local page as a cache too good to pass up. Then I hid the cache and had the proposal and ring inside, it was great! lol


DNS is the service that converts domain names (cocoontech.com) to IP addresses (66.39.151.151).

So an attacker might be able to change this relationship so that cocoontech.com now = 64.233.167.99; this would route all cocoontech traffic to Google's webserver.

I'm sure you can see where this is going with online banking, PayPal, eBay; it's pretty limitless unless you surf the web by IP address.
 
Hmmmm. There has always been spoofing and phishing, etc. of sites like PayPal and banks, but you could always tell because you were actually redirected to another site and your URL would change. But if they can now spoof the DNS you would never know you were at another site - yea, this can be very VERY dangerous.
 
Let me ask a stupid question. Wouldn't one way to quickly find out if you are at a spoofed site be to deliberately put in a fake user name and password to your bank site and see if you get a log on error? Wouldn't a spoofed site not know that these were incorrect credentials and try to log it for their use?
 
:ph34r: [evil] Wouldn't you design your spoof to always error regardless? [/evil] :ph34r:

This is how I really make my $, thinking like a scumbag!
 
:ph34r: [evil] Wouldn't you design your spoof to always error regardless? [/evil] :ph34r:

This is how I really make my $, thinking like a scumbag!
You're starting to scare me Collin! (and I don't scare easily) :eek:

I went to THIS site to check my DNS servers and got the results below:

Your name server, at 68.105.28.207, appears to be safe, but make sure the ports listed below aren't following an obvious pattern.
--------------------------------------------------------------------------------
Requests seen for c0c0e1b389e7.toorrr.com:
68.105.28.207:46297 TXID=27739
68.105.28.207:51920 TXID=37825
68.105.28.207:46575 TXID=26634
68.105.28.207:58340 TXID=13487
68.105.28.207:2847 TXID=3547

Can someone tell me what an "obvious pattern" is that I should be watching for?
 
Let me ask a stupid question. Wouldn't one way to quickly find out if you are at a spoofed site be to deliberately put in a fake user name and password to your bank site and see if you get a log on error? Wouldn't a spoofed site not know that these were incorrect credentials and try to log it for their use?

That's probably true, and probably a good test.

The other thing that can help is the new system that a lot of financial services are using where you enter your username on one page, then you get an image that you pre-selected before you enter your password. The theory is that a spoofed site wouldn't know what image you pre-selected, so if you are on a spoofed site then you'll know not to enter your password. If your financial institutions allow you to enable that type of security then it would definitely be prudent to do so - especially in light of this exploit.

Brett
 
Let me ask a stupid question. Wouldn't one way to quickly find out if you are at a spoofed site be to deliberately put in a fake user name and password to your bank site and see if you get a log on error? Wouldn't a spoofed site not know that these were incorrect credentials and try to log it for their use?

Another risk aside from the login stealing would be that the site could install malware on your machine just by you visiting it or clicking 'login' (depending on what patches you've installed on your browser & OS, etc.)
 
:ph34r: [evil] Wouldn't you design your spoof to always error regardless? [/evil] :ph34r:

This is how I really make my $, thinking like a scumbag!
You're starting to scare me Collin! (and I don't scare easily) :eek:

I went to THIS site to check my DNS servers and got the results below:

Your name server, at 68.105.28.207, appears to be safe, but make sure the ports listed below aren't following an obvious pattern.
--------------------------------------------------------------------------------
Requests seen for c0c0e1b389e7.toorrr.com:
68.105.28.207:46297 TXID=27739
68.105.28.207:51920 TXID=37825
68.105.28.207:46575 TXID=26634
68.105.28.207:58340 TXID=13487
68.105.28.207:2847 TXID=3547

Can someone tell me what an "obvious pattern" is that I should be watching for?


I don't fully understand the exploit, but it seems like some DNS requests are made on ports that increase incrementally. Where your ports are 46297, 51920, 46575, 58340 and 2847, a DNS server that could be exploited would make requests on ports 46297, 46298, 46299, 46300, 46301, and this is what the thing checks for. However, it sounds like it would be bad if the ports progress in any recognizable pattern (instead of increasing by 1 they increase by 20 each time, or the first one increases by 10, the next one increases by 100, etc.)... some predictable way that someone could use to predict what port the next request was going to come from. In your case, they appear to be totally random and it should be safe.

HTH,
Brett
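One way to run the "obvious pattern" check Brett describes over the checker's "Requests seen" lines, as an added example (not from the thread or the checker site). It assumes the line format quoted above and uses constructed samples; 192.0.2.53 is a documentation address standing in for a non-randomizing resolver.

```python
import re

# Constructed sample modelled on the checker output quoted in the thread.
RANDOM_SAMPLE = """68.105.28.207:46297 TXID=27739
68.105.28.207:51920 TXID=37825
68.105.28.207:46575 TXID=26634
68.105.28.207:58340 TXID=13487
68.105.28.207:2847 TXID=3547"""

# Constructed: what a resolver that does not randomize its source port looks like.
SEQUENTIAL_SAMPLE = """192.0.2.53:46297 TXID=27739
192.0.2.53:46298 TXID=37825
192.0.2.53:46299 TXID=26634
192.0.2.53:46300 TXID=13487
192.0.2.53:46301 TXID=3547"""

LINE_RE = re.compile(r"^(?P<ip>[\d.]+):(?P<port>\d+)\s+TXID=(?P<txid>\d+)$")

def parse(output):
    """Extract (source_port, txid) pairs from the checker's 'Requests seen' lines."""
    rows = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((int(m["port"]), int(m["txid"])))
    return rows

def is_obvious_pattern(values):
    """True when the values are fixed, step by a constant (+1, +20, ...),
    or their steps themselves grow by a constant; False otherwise."""
    if len(values) < 4:
        return False  # too few samples to call a pattern either way
    steps = [b - a for a, b in zip(values, values[1:])]
    if len(set(steps)) == 1:
        return True
    second = [b - a for a, b in zip(steps, steps[1:])]
    return len(set(second)) == 1

def assess(output):
    """Summarize whether the resolver's source ports and TXIDs look predictable."""
    rows = parse(output)
    ports = [p for p, _ in rows]
    txids = [t for _, t in rows]
    return {
        "samples": len(rows),
        "ports_patterned": is_obvious_pattern(ports),
        "txids_patterned": is_obvious_pattern(txids),
        "distinct_ports": len(set(ports)),
    }
```

A handful of samples can only catch the obvious progressions; it cannot prove the resolver's ports are random, so a clean result is a hint, not a guarantee.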
 
Let me ask a stupid question. Wouldn't one way to quickly find out if you are at a spoofed site be to deliberately put in a fake user name and password to your bank site and see if you get a log on error? Wouldn't a spoofed site not know that these were incorrect credentials and try to log it for their use?

That's probably true, and probably a good test.

The other thing that can help is the new system that a lot of financial services are using where you enter your username on one page, then you get an image that you pre-selected before you enter your password. The theory is that a spoofed site wouldn't know what image you pre-selected, so if you are on a spoofed site then you'll know not to enter your password. If your financial institutions allow you to enable that type of security then it would definitely be prudent to do so - especially in light of this exploit.
I have heard that evil sites can simply take the info you enter, record it for later use and pass it to the good web site. That way you still get into your bank, but now they can come in later and do evil things. They can also pass your login name to the proper site, grab the site key image, pass it to you and sucker you. This may all be wrong/urban legend as I am no security expert.
 