Category: web

Random web server stuff.

Anatomy of a public DNS breakin

Introduction

Hiya. Today I am going to walk you through discovering, and potentially leveraging, open DNS servers, to show you why you should be careful with the DNS blocking tools that have steadily become popular.

I am NOT affiliated with, sponsored by, paid by, or representing any security firm or corporation. I do not officially represent any entity while posting under my USN.

I am a normal guy that wants to bring as much security information to this forum as I have time to do. I understand that it isn’t really the focus of this site, but the more eyes and DIYers that can see it, the better.

What I am doing is for education. BE WARNED that what is being done is POTENTIALLY ILLEGAL and can result in CRIMINAL CHARGES. NEVER pentest or modify a computer system WITHOUT CONSENT.

We will be tackling this with free tools in Windows.

I will try to keep this short.

Taking a look

Today’s internet is full of devices that are becoming popular with regard to security and privacy. Some of these devices take the form of DNS filtering agents. This is because, other than ad blockers, this is the easiest way to protect an entire network.

Devices and software like:

  • Bitdefender Box
  • Firewalla
  • Fingbox
  • Winston
  • Pi-hole
  • AdGuard

have more or less the same features, and one of the biggest and most useful is their ability to block DNS queries based on a reputation system with definitions we call “lists”. Of course we have been doing things like this for years on our personal computers. Modification of the ‘hosts’ file is in essence what these devices do, only on a much broader scale. So what is the big deal with these kinds of devices, and why might there be a problem?

The issue stems from availability without much education. I have covered DNS basics and even gone over the setup of a Pi-hole in a previous guide (I promise to fix the pictures). Basically, convenience is our enemy here, and when installing these devices more privacy/hobbyist minded individuals make modifications to these systems (with some just being vulnerable to begin with) that promote bad internet hygiene and expose them to more risk.

Primer

I am going to be picking on Pi-hole today. I should get it out of the way that in this case Pi-hole as a product is safe, and its defaults are also safe. The issue stems from its misconfiguration by individuals and its widespread adoption by DIYers, combined with a lack of understanding of how DNS works.

To start, let’s go over why an open DNS server, that is, a DNS server that can be used publicly, is bad. I have an example myself, but for a more bulleted list we can look here: https://securitytrails.com/blog/most-popular-types-dns-attacks. Now, to reiterate, it should be noted that even the Pi-hole staff and many of the people ‘in the know’ do NOT want you to open DNS to the public. DNS servers exposed to the public and run by amateurs are such a bad idea that there are several lists available exposing them.

Abusing DNS is bad, and I’ve said it four different ways already. If you didn’t read any of the links I posted, it boils down to these potential problems:

  • DDoS of the DNS service
  • Poisoning DNS servers
  • Hijacking DNS requests
  • Amplification (reflection) attacks utilizing public DNS servers to overwhelm a specific domain
  • Waste of bandwidth

You can read what CISA thinks about amplification attacks here. They are the easiest and most abused aspect of public DNS servers. In most of my guides I try to educate, and most of the cases involve some examples. However, I understand that is not enough for some people. To some, security articles are nothing more than a pentester or security professional soapboxing on a public forum.
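As an added example (this is not part of the original post, and the log lines are constructed for it): the clearest sign that a home resolver has been exposed is that it answers queries from addresses outside the LAN. The Python below scans dnsmasq-style query lines, the format Pi-hole’s query log uses when query logging is on, and reports external clients plus the repeated ANY/TXT pattern that reflection attacks leave behind. Function names and the LAN ranges are this example’s own choices.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the dnsmasq "log-queries" format (what Pi-hole
# writes to its query log). Addresses and names are made up for this example;
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges standing in for
# strangers on the internet.
SAMPLE_LOG = """\
Mar  3 09:15:01 dnsmasq[812]: query[A] example.com from 192.168.1.20
Mar  3 09:15:02 dnsmasq[812]: query[AAAA] example.com from 192.168.1.20
Mar  3 09:15:07 dnsmasq[812]: query[ANY] isc.org from 198.51.100.77
Mar  3 09:15:07 dnsmasq[812]: query[ANY] isc.org from 198.51.100.77
Mar  3 09:15:07 dnsmasq[812]: query[ANY] isc.org from 198.51.100.77
Mar  3 09:15:09 dnsmasq[812]: query[A] example.net from 10.0.0.5
Mar  3 09:15:11 dnsmasq[812]: query[TXT] example.org from 203.0.113.9
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)")

# RFC 1918, loopback and IPv6 ULA/loopback count as "inside". A home resolver
# should never be answering anyone else.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7",
)]


def parse_queries(text):
    """Yield (qtype, name, source_ip) for each query line; non-query lines are skipped."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("qtype"), m.group("name"), ipaddress.ip_address(m.group("src"))


def is_internal(ip, networks=LAN_NETWORKS):
    """True when the client address falls inside one of the LAN ranges."""
    return any(ip in net for net in networks)


def find_external_queries(text, networks=LAN_NETWORKS):
    """Queries served to clients outside the LAN: the signature of an open resolver."""
    return [(q, n, str(ip)) for q, n, ip in parse_queries(text)
            if not is_internal(ip, networks)]


def amplification_suspects(text, networks=LAN_NETWORKS, min_count=3):
    """External sources repeating ANY/TXT queries (large answers), grouped by address."""
    counts = Counter(str(ip) for q, _, ip in parse_queries(text)
                     if not is_internal(ip, networks) and q in ("ANY", "TXT"))
    return {ip: c for ip, c in counts.items() if c >= min_count}


if __name__ == "__main__":
    for qtype, name, src in find_external_queries(SAMPLE_LOG):
        print(f"external client {src} asked {qtype} {name}")
    print("reflection suspects:", amplification_suspects(SAMPLE_LOG))
```

On a real Pi-hole the input would be the query log rather than the embedded sample; any hit at all means port 53 is reachable from the internet and the router or firewall needs fixing, not the log.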

Getting dirty

So let’s break into public DNS servers. First we want to make it appeal to the masses. Lets really drive home how easy it is to disrupt people and break privacy.

What if we imposed rules? Hm. How about:

  • It has to be with free tools
  • They don’t need to be installed
  • They don’t require a user account

That’s a little rough. No Burp Suite, no nmap, no normal pentesting kit tools. However, if we stick to those rules, in theory anyone with a PC can do it.

To start, let’s think critically. We do need SOME info. How about something simple? How about we go with a name? Most of these products brand themselves, so we will start with “pihole”.

Now how about we plug this into a website that scans IoT things?

https://www.shodan.io/

Oh my, even without a user account.

Ok, so Shodan lets us dive in. What does the request actually look like? What else may have been detected on this server? I mean, what if they are hosting a public FTP server that we can access as well? The possibilities are scary and are only limited to web-hostable content.

Neat, so they are running Pi-hole on port 8089 on this specific IP address. Let’s try to go to it.

Sad face. It looks like it’s responding, however.

What if we tacked something on? What if we did a little URL modification? Say, for example, we attempted to access the admin page of the unit? That has a default path of, I think,

/admin/index.php

Yikes! And it’s out of date! Not only is it public, but let’s not forget that products can have CVEs.

As we can see, though, this one requires a login at least. Maybe we can use it as a DNS server? Let’s see if it accepts outside connections.

To do this on Linux you can use the ‘dig’ command. However, for Windows we can use ‘nslookup’.

Something like: nslookup <domain I want> <server I want to use>

Let’s take a look.

Nope, no open resolver. Just an open web interface. Still bad, but we are looking for quick targets. Let’s move on and try a few more.

Wow. Words cannot communicate how ridiculous this is.

Anyone fancy changing their upstream DNS server to your own so you can re-route traffic?

Or maybe you want to stop the service? Maybe shut down the device?

Danger Zone indeed!

Beyond hijacking their DNS requests to a server you run, or making their lives miserable by disabling DNS resolution, you could otherwise peek into their lives, or maybe even get to know their work schedule by monitoring the DNS request graph.

Can it actually resolve public DNS, though? Or did they just remove the password on the admin CP?

Wow. We can even abuse it via DNS itself.

Buttoning up

According to the command list, it appears that installers are utilizing

pihole -a -p

to change the admin password (-a for admin, -p for password) and simply leaving the field blank. This effectively disables the password requirement that Pi-hole actually FORCES during install by randomly generating a password that is displayed to you.

Let’s take a moment to remember our honorable mentions, like the knockoff products that customize the existing code of existing products. In Pi-hole’s case, “Adgone” and “Rootswitch”, after investigation, not only provide public resolvers based off of the product but themselves charge customers for access to their public resolver as part of a product stack that they ripped off.

It’s important to understand the risks and consequences of this, in a broad sense.

Some DIYers set up these devices and consciously know they are exposing them to the internet. This allows them to point phones or laptops at the filter settings they set up when they are not on the LAN. However, there are MUCH better ways to do this. Others simply have no idea. Their routers could be port forwarding port 53 (DNS) and 80 or 443 (HTTP/S) by default, and the intent was just to use it like normal. Some, going further, may have believed the forwards were necessary for functionality.
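An added example, not from the original post: if you suspect your router is forwarding port 53, the honest test is the same one the nslookup step above performs, pointed at your own public address from a machine outside your LAN, and then reading the reply flags rather than just the answer. The Python below builds a minimal RFC 1035 query, decodes the header and classifies the reply. The names (build_query, classify, check_own_resolver) are this example’s own, and the address passed to check_own_resolver is assumed to be your own WAN IP.

```python
import random
import socket
import struct


def build_query(qname, qtype=1, recursion_desired=True):
    """Build a minimal DNS query packet (RFC 1035) for qname; returns (txid, bytes).
    qtype 1 is A. The RD bit asks the server to recurse on our behalf."""
    txid = random.getrandbits(16)
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    return txid, header + question


def parse_header(packet):
    """Decode the 12-byte header into the fields that matter for a resolver check."""
    if len(packet) < 12:
        raise ValueError("truncated DNS packet")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),         # QR bit
        "recursion_available": bool(flags & 0x0080),  # RA bit
        "rcode": flags & 0x000F,                      # 0 NOERROR, 5 REFUSED
        "answers": an,
    }


def classify(txid, response):
    """Interpret a reply to our query.
    'open'     : server recursed and answered, i.e. an open resolver
    'closed'   : it replied but refused or did not recurse
    'mismatch' : not a response to our transaction id"""
    h = parse_header(response)
    if not h["is_response"] or h["id"] != txid:
        return "mismatch"
    if h["rcode"] == 0 and h["recursion_available"] and h["answers"] > 0:
        return "open"
    return "closed"


def check_own_resolver(address, qname="example.com", timeout=3.0, port=53):
    """Send one query to `address` (assumed: your own WAN IP, tested from outside
    your LAN). Returns 'open', 'closed', 'mismatch', or 'no-answer' when nothing
    comes back, which is what a correctly closed port looks like."""
    txid, packet = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (address, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-answer"
    return classify(txid, data)


if __name__ == "__main__":
    import sys
    # Usage: python check_resolver.py <your-public-ip>
    print(check_own_resolver(sys.argv[1]))
```

The result you want from the outside is "no-answer" or "closed"; "open" means the device is recursing for the whole internet and the port forward has to go.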

In either case this is not limited to the Pi-hole, or even to privacy/security/filtering products like this, or the ones mentioned. You should always be aware that a network is just that: a collection of devices working together. All parts of a network should be examined. Routers should be checked. Firewalls in network devices need to be examined.

If you don’t I’ll do it for you on my lunch break.

Things we did today:

  • Found your device’s admin panel
  • Broke into your device
  • Found out if I could use your device for bad things
  • Found out you work 10-6pm EST
  • Followed you on Instagram
  • Took note of the number of devices on your network
  • Took note of your device names
  • Found the local addresses of the other servers you run on your network

Conclusion

Stay safe, know what you are buying and how to set it up. If you don’t, find someone who does. Check your devices. Typing this literally took longer than it took me to find 271 exposed devices, and I managed to find 13 I could admin access before I finished writing this sentence.

Hope you learned something. Thanks for reading!

Pi-Graphs

But not the way you think. I got bored this evening, and while it is nowhere close to completion, I decided to install Grafana on my Raspberry Pi B+.

To do this I first downloaded Ubuntu Server 19.04 from the Pi site.

From here, after the normal install and updates etc., it was time to stand it up so I can feel productive later. First and foremost, I needed to make sure that I could poll network equipment and pretty much anything that supported SNMP. So let’s get that out of the way.

sudo apt install snmp

Now that we have snmp we can probe things, but we aren’t going to get anything we can read, so we need the MIBs to translate the info from the various manufacturers.

sudo apt install snmp-mibs-downloader

Now that we have the downloader, let’s go get the actual MIBs:

sudo download-mibs

Sweet, now we need to tell snmp to use them, so let’s edit the config.

sudo nano /etc/snmp/snmp.conf

and now let’s change the default value to

mibs +ALL

Save and exit, and cool beans.

Now we have the networking stuff installed, so now we need to go grab Grafana. It’s a separate repo, so we will need to tell Ubuntu where to look for it. In this case I don’t want betas, so I’ll be using the stable repo.

Let’s make sure we have this:

sudo apt-get install -y software-properties-common

Now we need to make sure we can do HTTPS transport, just in case.

sudo apt-get install -y apt-transport-https

Let’s add the repo now so Ubuntu knows where to find Grafana:

sudo add-apt-repository "deb https://packages.grafana.com/oss/deb stable main"

Ubuntu is going to get mad unless we make sure this repo is legit, so let’s add the signing key for it:

wget -q -O - https://packages.grafana.com/gpg.key | sudo apt-key add -

Whew. Ok, now we need to do an update so that Ubuntu knows to check that repo when we ask it to install things.

sudo apt update

Now let’s install Grafana.

sudo apt install grafana

Cool, now we need to start it and set it to start at boot.

sudo service grafana-server start
sudo systemctl enable grafana-server.service

We will need InfluxDB because it’s what I want to use anyway so we can log stuff. So let’s install it.

sudo apt install influxdb

Now, you do need to continue and create a database in Influx with a username and password. I’m stopping here, though, since I’m not sure what I want to do with it yet.

The Grafana default port is 3000, so you should get something like this if you navigate to your IP on port 3000.

Now I just need to set it up more and play with it. I’ll be polling stuff for no reason in no time. Here is a peek at my home setup.


Permissions to the rescue

Last night I was changing my default tabs in Chrome and decided to add my site as one of them. I figured if I did this it would push me to write more.

Imagine my shock when I was greeted with a 502 proxy error from nginx. After a little digging I found some errors in the nginx error.log, specifically:

unix:/var/run/php/php7.2-fpm.sock failed (13: Permission denied) while connecting to upstream

After looking online I saw some old security patches for PHP 5 regarding process ownership and some recommendations regarding www.conf. None of them applied, of course, and I was stuck again. However, after a little more digging it turns out that this may have been because of an update, and as such permissions were modified. It also turns out that on older OSs ‘nginx’ is not by default part of the www-data group.

Now, while the site was working at some point, I figured the problem was because of this broken group/user relationship, and that’s when I found the command to re-add it to the group.

usermod -a -G www-data nginx

That worked great! Now the site was up! A new problem arose, though. I needed to commit some updates to WordPress, but some of the plugins would not take. Some were complaining about write permissions. The paths seemed to indicate issues with their respective home directories. A quick glance at permissions showed that, either because of initial problems during my install or otherwise, the ownership of the folder was set incorrectly.

A quick sudo chown -R www-data:stuff and we were back in business. Now my coffee was lukewarm and I have to get ready for work. At least I get to complain about things on the internet now, though.

Hello world!

Well, that was hard. So it’s been, I think, a year since I blogged about my random misadventures in IT, specifically since I had my misadventure into flash cache and SAN storage. I ended up losing everything in a freak HDD failure combined with an SSD cache drive failing.

So... last night I spent the time and actually stood up my WordPress install. I configured nginx a few weeks ago and just never got around to actually doing anything with my domains as I rebuilt my internal services.

What a mess. I think for the most part I do things in a more complex manner than needed. In this case it took me a bit to figure out why my database server wasn’t linking to my nginx server. It ended up being an interface bind issue, but it had been so long that I had to ask myself if it wouldn’t just be easier to install MySQL on the web server.

I was adamant, though, and continued on. Now I have some semblance of an active website, maybe; if not... well, I have another project, I guess.