Pwning Routers Via Dns


bobbyb1980

Hey guys, quick question on how DNS works. I am trying to demonstrate an attack for a client that if a router can be compromised, then in theory the entire connection and anyone using it is also compromised.

I can get into a router, and change the DNS server to my own DNS server. The problem is that sometimes it works, sometimes it doesn't.

My question is, where does the router get its DNS info from? I imagine that when the router receives an IP over the WAN via DHCP, the ISP's DNS servers are included in it? Some routers seem to not care about this, other routers seem to always go with the ISP DNS.

Any ideas?


It all depends on the router and how it is configured. Mine is hardcoded to use google dns but others just take the one offered by the ISP. It also depends on what the client is told to do, when I'm in the office I hardcode google DNS as they use opendns and it breaks some stuff I use.


Bad assumption, you would have to have a specific vulnerability to be able to extract firmware, if you have XSS or CSRF then they are both vulnerabilities but a long way away from extracting firmware. Some routers don't even allow firmware upgrades.


So there are two major reasons it sometimes won't work.

1. Like was already said, if the client is hardcoded it won't listen to the dns set on the router.

2. Once you change it, the clients have to refresh their connection due to them having already received the information from the router when they first connected. (I find you can get past that often by rebooting said router once you make the change to the dns, forcing the clients to reconnect)

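The two posts above come down to the same mechanism: the router learns its upstream resolvers from option 6 (Domain Name Server, RFC 2132) of the DHCPOFFER/DHCPACK it gets on the WAN side, and LAN clients learn theirs from option 6 of the lease the router hands them, which they keep until the lease is renewed. The following script is an added example, not code from this thread or from any vendor: it builds a DHCPOFFER in memory (a constructed packet, not a capture), decodes the option field, and flags any resolver in option 6 that is not on an allow-list. Pointed at real DHCP replies (for instance from a pcap), it is a simple way for a defender to notice when a lease suddenly starts advertising a resolver nobody configured. The allow-list, addresses and transaction id are assumptions made up for the example.

```python
import struct
import ipaddress

# Constructed allow-list: the resolvers this LAN is expected to be handed.
EXPECTED_DNS = {"192.168.1.1", "8.8.8.8", "8.8.4.4"}

DHCP_MAGIC = b"\x63\x82\x53\x63"
DHCP_HEADER_LEN = 236          # fixed BOOTP header before the magic cookie
OPT_PAD, OPT_END = 0, 255
OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_LEASE, OPT_MSGTYPE, OPT_SERVERID = 1, 3, 6, 51, 53, 54
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_offer(yiaddr, dns_servers, router="192.168.1.1", xid=0x3903F326):
    """Build a minimal DHCPOFFER so the example runs offline (constructed, not captured)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)   # op=BOOTREPLY, htype=ethernet, hlen=6
    hdr += b"\x00" * 4                                       # ciaddr
    hdr += ipaddress.IPv4Address(yiaddr).packed              # yiaddr: address being offered
    hdr += ipaddress.IPv4Address(router).packed              # siaddr
    hdr += b"\x00" * 4                                       # giaddr
    hdr += bytes.fromhex("001122334455") + b"\x00" * 10      # chaddr (16 bytes, made-up MAC)
    hdr += b"\x00" * 192                                     # sname (64) + file (128)
    assert len(hdr) == DHCP_HEADER_LEN
    opts = bytes([OPT_MSGTYPE, 1, 2])                                            # DHCPOFFER
    opts += bytes([OPT_SERVERID, 4]) + ipaddress.IPv4Address(router).packed
    opts += bytes([OPT_SUBNET, 4]) + ipaddress.IPv4Address("255.255.255.0").packed
    opts += bytes([OPT_ROUTER, 4]) + ipaddress.IPv4Address(router).packed
    dns_blob = b"".join(ipaddress.IPv4Address(d).packed for d in dns_servers)
    opts += bytes([OPT_DNS, len(dns_blob)]) + dns_blob                           # option 6
    opts += bytes([OPT_LEASE, 4]) + struct.pack("!I", 43200)                     # 12h lease
    opts += bytes([OPT_END])
    return hdr + DHCP_MAGIC + opts


def parse_options(packet):
    """Return {code: raw_value} for one DHCP packet; tolerates pad bytes, rejects truncation."""
    if len(packet) < DHCP_HEADER_LEN + 4 or packet[DHCP_HEADER_LEN:DHCP_HEADER_LEN + 4] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (bad length or magic cookie)")
    options = {}
    i = DHCP_HEADER_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = value          # RFC 3396 concatenation of repeated options is not handled here
        i += 2 + length
    return options


def dns_servers(options):
    """Decode option 6 into dotted-quad strings, in the order the server listed them."""
    raw = options.get(OPT_DNS, b"")
    if len(raw) % 4:
        raise ValueError("option 6 length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]


def audit_offer(packet, expected=EXPECTED_DNS):
    """Return (message_type, offered_dns, unexpected_dns) for one DHCP reply."""
    opts = parse_options(packet)
    mtype = MSG_TYPES.get(opts.get(OPT_MSGTYPE, b"\x00")[0], "UNKNOWN")
    offered = dns_servers(opts)
    unexpected = [d for d in offered if d not in expected]
    return mtype, offered, unexpected


if __name__ == "__main__":
    # A lease carrying the resolvers we expect, and one that pushes an unknown resolver.
    for pkt in (build_offer("192.168.1.100", ["192.168.1.1", "8.8.8.8"]),
                build_offer("192.168.1.100", ["203.0.113.9"])):
        mtype, offered, unexpected = audit_offer(pkt)
        verdict = "ALERT unexpected resolver(s): %s" % unexpected if unexpected else "ok"
        print("%s dns=%s -> %s" % (mtype, offered, verdict))
```

The same decoder applies to the WAN-side lease the router itself receives, which is where the "ISP DNS" the first post asks about comes from; comparing option 6 over time, on either side of the router, shows whether the advertised resolvers changed.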

By the time you get that far, there's no reason to change anything on the router, unless you want to own EVERYTHING, but that's going to throw up major red flags.

Besides, by that time you can already do what you need to within the network and have done one of the following to get there:

1. You're internal and you can exploit / mess with what you want.

2. You've exploited something, now you're in and you can pivot by exploiting, ARP / DNS spoofing.

3. You've social engineered, whether or not they've installed something, put in a flash drive, or got phished, etc, etc.

4. You broke or snuck in, in order to compromise the network.

I guess it really depends on what you're after, or what you're trying to present (as you've mentioned). To go as far as the router, you're demonstrating how to completely disrupt the company's operations. If you're showing them how someone can gain valuable information, you're better off leaving the router alone, and targeting a select few machines to keep things quiet.

On a somewhat related subject, I've never really seen the point of touching the network's routers, unless you need to in order to pivot / maneuver through the network, and unless you're out to disrupt the company's operations (you might as well just DOS it then though). Is there any reason I'm not seeing where you'd want to actually mess with routers? I'm not talking wireless here.


Your answers are valid if access has been gained from the inside, if it has been gained from the outside then your access to the internal network could still be very restricted. If the only access you have is to the web interface then changing DNS is probably the best attack you've got. Change the DNS to one you own and have it fake responses from common sites, set those sites up to drop browser exploits which you then use to own the internal machines. From a web interface you won't be able to pivot or do any ARP or DNS poisoning.


Hey guys. What happened was, I was referred a client and all I had was their Skype info. Usually I'd just get them to click a link (trying to change my game a little) but I first sent them a file with some details of how I work, and in turn I got their IP.

I scanned the IP to find SMTP was enabled w/a public community string and telnet was listening w/a default password. If I could just slide my DNS server in there I could have complete pwnage without any interaction and I'd just say look bud, you're a sitting duck, here's what we're going to do, get paid, move on and repeat : ) Unfortunately this router wasn't vulnerable to this type of attack.

I try to use ARP attacks as a last resort, they're easily detectable, you need to be inside (which I'm not) and they're easily stopped. My goal for this job isn't to gain complete axx to their network either, there are certain sites this company uses and by simply phishing pw's I would be able to demonstrate a potential financial loss much greater than the value of any data they may or may not have sitting around.


If they have any sense then all you need to do is to explain that having these interfaces listening on the public side of the router is a bad idea and tell them why. You shouldn't need to have to demo it as it is a pretty obviously bad set up.


Finally got around to playing around with this idea on the pineapple and it seems to work. I'm using an open mesh though and not the new one.

All I had to do was edit /etc/config/dhcp to the standard ICS format, set addresses, subnet, etc etc. The one that we all use as stock ICS. Except on the default form it has 2 options for DNS, the local openmesh router address and 8.8.8.8.

I then changed that to a remote address that was running digininja's DNS MiTM module and it works well. IMO a lot less resource intensive than using ARP based attacks. I also tried the fake DNS server MS module but I prefer digininja's as you can edit individual responses.

Since this setup is an open mesh w/EEE as attacking machine my resources are limited. However in theory one could host digininja's DNS MiTM module from the mkIV and edit individual DNS responses to say facebook.com, and gmail.com. I just wonder if a little router, even the mk4, is capable of functionally operating this DNS server + whatever else it's using.

I personally had an open mesh w/ICS setup. The open mesh gave normal DHCP leases except pointing a remote DNS server. The DNS server only has one edited entry forwarding all google responses to the same address which is apache running w/a java attack.

I also found a few routers that are vulnerable to this attack (changing DNS server).

In conclusion, DNS = pwnage : )

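The post above shows that on an OpenWrt-style device the whole thing is a two-line edit in /etc/config/dhcp: the resolvers handed to LAN clients live in a `dhcp_option` entry for option 6, and the router's own forwarders live in the dnsmasq `server` list. Both are easy to audit. The following script is an added example, not code from this thread or from the Open-Mesh or OpenWrt projects: it parses the UCI file format and reports every resolver in either place that is not on an allow-list, which is the check a defender would run after a suspected router compromise. It assumes the device uses OpenWrt's UCI layout (the page only says /etc/config/dhcp), and the sample config, allow-list and the 203.0.113.53 address are constructed for the example.

```python
import re

# Constructed allow-list of resolvers this router is permitted to use or hand out.
ALLOWED_DNS = {"192.168.1.1", "8.8.8.8", "8.8.4.4"}

# Constructed sample of an OpenWrt /etc/config/dhcp; not copied from any real device.
SAMPLE_CONFIG = """
config dnsmasq
    option domainneeded '1'
    option localservice '1'
    list server '8.8.8.8'
    list server '203.0.113.53'

config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '12h'
    list dhcp_option '3,192.168.1.1'
    list dhcp_option '6,192.168.1.1,203.0.113.53'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'
"""

_SECTION = re.compile(r"^\s*config\s+(\S+)(?:\s+'?([^']*)'?)?\s*$")
_ENTRY = re.compile(r"^\s*(option|list)\s+(\S+)\s+'?(.*?)'?\s*$")


def parse_uci(text):
    """Parse UCI text into a list of (type, name, {key: [values]}) sections."""
    sections = []
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                                   # blank line or comment
        m = _SECTION.match(line)
        if m:
            current = (m.group(1), m.group(2) or "", {})
            sections.append(current)
            continue
        m = _ENTRY.match(line)
        if m and current is not None:
            # 'option' and 'list' are both stored as lists so repeated keys survive.
            current[2].setdefault(m.group(2), []).append(m.group(3))
    return sections


def audit_dhcp_config(text, allowed=ALLOWED_DNS):
    """Return [(section, key, resolver)] for every resolver not on the allow-list."""
    findings = []
    for stype, name, entries in parse_uci(text):
        label = "%s '%s'" % (stype, name) if name else stype
        # dnsmasq 'server' entries are the router's own upstream forwarders.
        for srv in entries.get("server", []):
            ip = srv.split("/")[-1].split("#")[0]      # strip /domain/ and #port forms
            if ip and ip not in allowed:
                findings.append((label, "server", ip))
        # dhcp_option '6,a,b' is what LAN clients receive as RFC 2132 option 6.
        for opt in entries.get("dhcp_option", []):
            parts = [p.strip() for p in opt.split(",")]
            if parts[0] in ("6", "dns-server", "option:dns-server"):
                for ip in parts[1:]:
                    if ip and ip not in allowed:
                        findings.append((label, "dhcp_option 6", ip))
    return findings


if __name__ == "__main__":
    for section, key, ip in audit_dhcp_config(SAMPLE_CONFIG):
        print("ALERT %-14s %-14s points at unexpected resolver %s" % (section, key, ip))
```

Run against the sample, it reports the foreign address twice: once as an upstream forwarder and once as a resolver pushed to clients. On a real device the same check can be applied to the output of `uci show dhcp` or to a copy of the file pulled over the management channel, and diffing successive runs catches the edit the post describes.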

If you've gained access to the router you should be able to sniff every packet that passes through.
