Chris Greer is back to show us Malware that Hackers could use to attack you (in this case using DNS). Chris is the man I talk to about Wireshark! Did you learn something new in this video? Big thanks to Brilliant for sponsoring this video! Get started with a free 30 day trial and 20% discount: brilliant.org/DavidBombal // Chris SOCIAL // KZread: kzread.info Wireshark course: davidbombal.wiki/chriswireshark Nmap course: davidbombal.wiki/chrisnmap LinkedIn: www.linkedin.com/in/cgreer/ Twitter: twitter.com/packetpioneer // David SOCIAL // Discord: discord.com/invite/usKSyzb Twitter: twitter.com/davidbombal Instagram: instagram.com/davidbombal LinkedIn: www.linkedin.com/in/davidbombal Facebook: facebook.com/davidbombal.co TikTok: tiktok.com/@davidbombal KZread: kzread.info Chris Greer Playlist: kzread.info/head/PLhfrWIlLOoKO8522T1OAhR5Bb2mD6Qy_l // MENU // 00:00 Coming Up 00:27 Thanks Brilliant! 01:58 Did you know this? 02:41 DNS Misconceptions 03:16 DNS Example 04:38 Cloudflare / What Is DNS? 05:38 Virustotal 07:01 DNS String 08:52 Base-64 Decode 10:24 T Shark 12:25 Cyberchef 14:30 How Does The Hack Start? 14:54 Phishing Attacks 15:59 How DNS Attacks Started 16:57 Packets 17:53 Outro Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel! Disclaimer: This video is for educational purposes only. #malware #hack #wireshark

@tailsorange2872

Жыл бұрын

DNS = Did Not Search properly.

@davidbombal

Жыл бұрын

@@tailsorange2872 😂

@pd1jdw630

Жыл бұрын

So here is a question: Do Certs by like Hack The Box to name one, have any value for us in Europe? Ore are there better Certs to get for real world employment.

@ChrisGreer

Жыл бұрын

Thanks for having me back David!

@davidbombal

Жыл бұрын

Thanks so much for sharing your knowledge and experience with us Chris!

I almost fell from my chair laughing. "ostrykebs" from this Polish URL is literally tanslated as "spicy kebab" I'm dying laughing, oh my god.

@nezu_cc

Жыл бұрын

same XD. I initially didn't notice it due to how he pronounced it but then it hit me.

@davidbombal

Жыл бұрын

Thanks for translating! That's funny!

@kawalier1

9 ай бұрын

Yeah this mean spicy kebabs

@user-nm7ju5ph6u

9 ай бұрын

It's malware because a good one burns twice. SRAM always makes my old ass giggle 👀

When David and Chris bring out new videos out it's just a Christmas for me. Love both your channels and learning a lot in past years thanks to you two. Keep up the fantastic job guys!

Best lesson about DNS tunneling, thank you David Bombal and Chris Greer, I hope that in future you will show us how can be established that connection and sent real malicious commands

@davidbombal

Жыл бұрын

Thank you

Absolutely brilliant, presentation is top notch as per usual without getting too heavy. As someone who is relatively competent but unqualified in IT, currently doing A+ with a view to Net+ then Sec+ this is fantastic, thank you both. Hopefully having additional knowledge of tools like this and knowing when to use it will be advantageous in getting a job in IT/cybersecurity.

Excellent interview and especially the technical information, which helps us learn about vulnerabilities

it's always great to see collabs with Chris and see how he explains things thanks for this David

@ChrisGreer

Жыл бұрын

Thank you!

@davidbombal

Жыл бұрын

Agreed. Chris is amazing!

DNS TXT records have been used for a long time for all sorts of things, we used to them for digital scavenger hunts way back when, they are still often used today for Command and Control of botnets. However this is the first time I've seen it used to propagate a potential malware script. Pretty slick! Thanks for the info!

@davidbombal

Жыл бұрын

Glad you enjoyed the video Dave! Nice detailed explanation here: unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/

This was soo much informative video david. Thanks for making all us more aware about it. Now ill be looking out for supecious dns queries. That was totally a new learning for me, i really like the full broken down of info where it starts making sense for us cybersecurity enthusiasts. Thanks for covering this david and chris ❤❤

@davidbombal

Жыл бұрын

You're welcome! If you want to read more, some cool information here: unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/

This is super cool man thank you for dropping this !

It was a great enlightenment, and sir this sort of content is what we look forward to, if we could get more recent attack patterns and techniques and how they work, how to mitigate them, it would be great The channel is amazing, your knowledge, experience and humility towards teaching is commendable ❤❤ Great work

@davidbombal

Жыл бұрын

Thank you!

Loved it , love all your videos with Chris , full house of information

Thanks, David great info

That technic I already know but I thanks you for sharing it. Good explained - I like your videos.

Nice demonstration. Thank you David, thank you Chris

Great content, short but concise deep dive of DNS malware

Thank you, Dave and Chris, for this great informative video.

Another gifts my two Best teatcher i learn so much from you guys keep giving

@davidbombal

Жыл бұрын

Sharing knowledge is caring! Thank you for your support Majid

Thank you for the information!

Thanks. Great session. 👍

This video is amazing! I really like how everything has been explained, easy and clear. Wireshark is not easy to use, at least for me, I absolutely need to document myself before any operstion, otherwise it's really hard to find the information I'm looking for. Plus, this attack shouldn't be undervalued, as DNS is something that is not so secure as we may think. Recently I've got my whole home network hacked: all devices were compromised, including the main router and smartphones. Well, the point of failure in my case wasn't discovered, but there's an high chance that DNS had been compromised while disconnecting from a VPN service, or at least while using it. I've saved some pcap files on some devices in this network, but after watching this video, I think that I wouldn't find this script injection, if it happened, then it happened before the pcap recording :-/ Be careful with VPNs services, your traffic will be camouflaged, but remember that you are not aware on where each node is located, and who has access to it. Cheers

Great video. Picked up a few new gems about DNS. Thank you.

@davidbombal

Жыл бұрын

Great! Glad you learned something new :)

iv heard about them before.. But didnt know this Done some custom email creation. There i met with dns txt registries for 1st time gosh jolly this was clarifying. LOVE EVERY VID u folks make.

Another great informative video by David and Chris. Thanks guys👍🏻

@davidbombal

Жыл бұрын

You're welcome Hazy!

Very cool. Would like definitely to see more videos like this.

Excellent video as always. Seems like more of a reason to use quad9 an top of other protections.

@davidbombal

Жыл бұрын

Nice detailed explanation of this attack: unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/

Did not know, thanks for the heads up. They should just close off this DNS text field, no knew it was there any way, so no one will miss it.

@thebrewster2234

Жыл бұрын

Except it's used for various reasons, main one I come across is verifying you own the domain when connecting it to a service

thanks David for sharing.

Stok did a great video on a bug bounty where he used DNS to interact with a server and extract information like etc/passwd all through DNS and using burp collab

@davidbombal

Жыл бұрын

You got a link to his video?

@kenough90

Жыл бұрын

@@davidbombal I'd love to see a collab with the both of you

I had not seen this attack method before, and I just finished 2 associates degrees (Cyberdefense & Digital Forensics, and Network Technologies Administration) and just passed my Security+, so, very cool stuff, here. I thought the DNS text record was what a RA would have an admin modify to prove ownership/control of a domain to satisfy a CA. Guess I was off. David, any time you have Chris or Ed Harmoush (of PracNet) on, it's an absolute treat!

@davidbombal

Жыл бұрын

Thank you Scott! Agreed, Chris and Ed are amazing 😀

it's great, thanks so much teacher David

This was an awesome video,I can always watch Chris and his packet talk lol.

thank you! you read my mind David, I was gonna ask to do a video on DNS

Enlightening as always David ji

I'm still a bit confused on how the attack starts. Is it just by clicking a link? Or does the victim have to have run a script to interpret the TXT record?

Chris is the wireshark king, I've learnt so much from him! Thanks for a great and interesting video

@davidbombal

Жыл бұрын

Agreed! Chris is amazing! Glad you enjoyed the video

In the old days we used to call this executing data. It was a big no-no. In these days of publicly accessible networks I’m shocked it’s not only allowed, but permitted even in high level code! If I were a hacker this would be so easy and obvious.

This is utterly terrifying. Thank you for pointing out what can happen if you carelessly switch to a well known DNS, expecting nothing bad and than kaboom....

@nonlinearsound-001

Жыл бұрын

Well it might be worth pointing out, your operating system alone will not take harm from Powershell code being present on some DNS entries. There already has to be malicious code on your box that just uses the DNS entries as an online repository for even more malicious code to be downloaded and executed after that. So the infection vectors are the same as always.

@etliberarahastenichgesehen

Жыл бұрын

@@nonlinearsound-001 Thanks for pointing this out. If I may ask, what would you consider the most likely exploit that would „benefit“ the most of this kind of attack?

@nonlinearsound-001

Жыл бұрын

@@etliberarahastenichgesehen That varies a lot. It strongly depends on the code that is being read from the DNS entries. As Powershell is a scripting environment with a lot of connections deep into the operating system, the attacker can come up with all sorts of different attacks. Most likely though it will be a network and file system discovery phase to see how the attacker or the program can move laterally, a C2 contact attempt to establish a reverse shell environment or to send back information about the attacked box. With more information, a possible exploit can be chosen to setup persistence on the box or to brute force passwords and such. In corporate environments its always a good target to become a priviledged user on the domain to gain more information or rights to move further laterally.

Didn't know DNS could do that.Really amazing and educational video

Glad to see you are still out here David. I have been out of the game for a while. I am working on getting into pentesting

@davidbombal

Жыл бұрын

Never give up on your dreams!

@BeauWilliams-ir6rx

Жыл бұрын

@@davidbombal Thank you. 🙂

Thank you both for helping all of us learn about everything with Wireshark !

Helpful video sir ❤

I really appreciate this Sir.👍🏻

DNS: the root of all all evil. This is proof. Thanks for posting, David, & Chris.

@davidbombal

Жыл бұрын

It's always DNS! :( Edit: Some people didn't get that this is a meme / joke, so leaving that here.

@pogo55555

Жыл бұрын

LOL. Good one. Root of all evil.

@jonperryman6477

Жыл бұрын

DNS is not the problem. The hacker could easily use a webpage, FTP or many other possibilities for the the malicious program. The hacker chose DNS because it's a simple data file that is really easy to use and doesn't check the data for validity. A PTR record should have a domain name but it could be the malicious program. TXT records can be anything the record owner wants and is very rarely used.

I was aware of the existence of DNS TXT records from my dealing with setting up domain names for myself and others. I knew they could contain potentially malicious information, but I didn't know they could be used to piece together a set of commands to run a powershell command to further compromise a machine.

@davidbombal

Жыл бұрын

Nice detailed explanation here: unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/

Best WireShark instructional videos I’ve seen for length/ learning time. The quality and quantity of videos you produce is incredible. Thanks!

@davidbombal

Жыл бұрын

Thank you! Chris is amazing!

I am a bit new in this area. I have few questions: 1. How is the call initiated? It is said that by email? 1.1. Then, we click a link, it starts communication using dns server. 1.2. Then, the reply of dns server, they send txt as type of query. (We need a tutorial for dns queries). 1.3. So, does the dns, server were the hacker or sending scripts? 1.4. The clicked site, is sending scripts? 2. We need one more example to show after the packets were made up as a full string (script), then who (browser) will run the script?. So, far I know, we run serverside code to run any applications or a process on client laptop. 3. Or the script will run by browser as java script and do intended hack? 4. In what extent such scripts can do harm? For example, is it possible to get an .exe file to bring by script and paste in client pc.

I did not know this could be done. Kudos!

Cool stuff. Thanks.

Great lessons please David engage Chris for future explain how to capture Packets

very interesting, I'll keep this in mind

great video----very usefull

I had no idea David :D But thanks for learning us again

What I would like to know is who thought it would be a good idea to enable a library/framework to execute code stored in a text record like that in the first place. If it was originally intended to simply store human-readable comments, then why is it even a thing for something else to execute code stored in a text record? What library/framework(s) allow executing code from a text record? Why hasn't this been disabled?

I love this kind of staff

Great video, thank you so much. What can we do to protect ourselves from this kind of attacks? Are there any recommendations for firewall setup?

@davidbombal

Жыл бұрын

Extract from: unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/ "Organizations can defend themselves against DNS tunneling in many different ways, whether using Palo Alto Networks’ Security Operating Platform, or Open Source technology. Defense can take many different forms such as, but not limited to, the following: - Blocking domain-names (or IPs or geolocation regions) based on known reputation or perceived danger; - Rules around “strange looking” DNS query strings; - Rules around the length, type, or size of both outbound or inbound DNS queries; - General hardening of the client operating systems and understanding the name resolution capabilities as well as their specific search order; - User and/or system behavior analytics that automatically spot anomalies, such as new domains being accessed especially when the method of access and frequency are abnormal. - Palo Alto Networks recently introduced a new DNS security service focused on blocking access to malicious domain names."

Hello DAVID, this is not concerning this video but a recent video you did with PHILLIP WYLIE on Pentester Roadmap. I want to acknowledge you for hosting nerds like that, I really like everything he said from start to finish. They were very informative and I like the fact that at a point you mentioned you are an introvert. That is another part I am interested in. Can you please make videos on introverts who want to get into or are already into IT and Cybersecurity. I believe that would really be helpful for people who are very introverted but passionate in such careers. Thank you beforehand. If you can also make a video giving an overview of your studio and everything you use for streaming your contents that would also be good. Thanks once again

@davidbombal

Жыл бұрын

Thank you. Phillip is a amazing and a wonderful person! Great suggestions :)

Packet capture is always fascinate me, thanks for sharing this mate. My question for Chris, is there any good place or training for whose who wants to learn packet capturing? I have also wonder what certification could we do which included packet analysis by wireshark.

From layer 1 to 7 it's mean deep working magnificent, especially hardware building

How does chris have so maNY IPs up and being shown???? I never see any IPs. certain filter??? Great videos David. you have been such a great tool for a n newbie like me. You're dope bro! and the videos with your daughter are adorable and put a smile on my face after a long day of construction

Always intresting stuff

I had no idea but it makes sense how it could happen

@DavidBombal ; Thanks for this video - I knew that DNS did more than IP/Hostname resolutions, but wasn't aware of this specific text field within DNS, nor that that field could be configured to be malicious, so thanks for this!! I recently got subscribed to the Udemy classes you put out, including the CCNA, SSL, & WireShark. I'm currently going thru the SSL course, & am VERY excited to start the WireShark courses - I'm HOPING that I'm going to come out the other side knowing more than I already do, thanks to @ChrisGreer ! I can't wait!! Thanks again! 🙏❤️👌

@davidbombal

Жыл бұрын

Glad you learned something Mike. Nice detailed explanation here if you are interested: unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/

@Mike.Kachar

Жыл бұрын

@@davidbombal awesome info, David - thanks!

Good stuff guys !😎

Amazing content!!!

@davidbombal

Жыл бұрын

Thank you!

Cheers Mate.

Using a dns to attack is one of the few things i do know.

Yes, but that proces of data extraction from captured stream is awesome 🙂

How does it keep asking for the next TXT records? Certainly the first DNS call which may be from a phishing link couldn't execute any code from the TXT record?

If I understand correctly, can be done w ICMP too.

Love these types.

@davidbombal

Жыл бұрын

Glad you enjoyed the video!

Very creative. Love this ! Newbie here, but am slight edging all the way.

@davidbombal

Жыл бұрын

Try to spend some time every day learning something and you'll be amazed at how much you can learn. I really like the book Atomic Habits - small increases = big rewards.

You are a saint,Thank you.

That was a great analysis, but what about DoH/DoT?

My Friend, you don't need to make these faces on thumbnails to get youtube clicks, you are way beyond that, awesome content, loving it!!!

Very interesting no i did not know this existed. Now to see if i can mitigate with my pfsense

I developed the DNS server with C++ programming, then used the certificate and private key generated by openssl, then I installed the certificate in my browser, and it worked, Encrypted data can only be decrypted with a matching private key, making it difficult to brute force with SSL encryption

It's basically fetching payloads using DNS to bypass anti-virus

What I still don't understand is how the script gets executed... Yes invoke expression but from where if that's par of the script

Nice video David! It's always DNS ha! I can say with confidence that I did know this :D. I've used a similar method on a test to escape firewall resitrctions. There is a neat tool called Iodine which you can use to set up a tunnel between boxes and all commmunication is done through DNS. You can then SSH to the box over DNS... pretty remarkable. It's a common technique used by malware to call back to C2's. There is a video on my channel about the set up process if you wanted to see it in action. Takes you through setting up the DNS records to deploying the server and then initiating the connection.

@ahmed_goodgame995

Жыл бұрын

i have a simple question how does the code run on the target machine even though it is a text record?

@haXez_org

Жыл бұрын

​@@ahmed_goodgame995 I could be wrong but afaik there would need to be a client of some kind on the victim machine that processes the code within the DNS responses. I believe It's more of an obfuscation technique. I would be surprised if there was a direct way to perform RCE on a box from DNS responses. That would cause chaos.

@ahmed_goodgame995

Жыл бұрын

that means that there is no way to get full access using link?

@haXez_org

Жыл бұрын

@@ahmed_goodgame995 I think you would need a trigger first. For example, a hacker could send a link to victim. The victim clicks link which then downloads some malware. The malware then performs DNS requests to the malicious domain and extracts the data in the TXT record and executes it. It can be useful as it can make the malware more dynamic and less detectable as it doesn’t contain the payload itself. Plus most organizations have DNS open so its likely to get through the firewall. Other than that, I honestly don’t see how it would work unless there is some huge vulnerability in DNS that I’m not aware of. Can you imagine the carnage it would cause if you could easily perform code execution through standard DNS request/responses?

@haXez_org

Жыл бұрын

​@@ahmed_goodgame995 But never say never, if someone found a bug in a popular Operating System and the way it handles DNS then maybe it could be used to execute code. Something like a traditional overflow or sequence of characters contained within a TXT record that when processed by the client service causes unexpected behaviour. That’s speculation though and I’m sure these things are tested regularly. The thought of that is actually terrifying.

@5:40 be careful when putting data on virustotal, especially when you are doing an audit (pentest) for a client.

@_itis8809

Жыл бұрын

without the enterprise licence this data is public so... yeah.

@_itis8809

Жыл бұрын

@Narutoes all your activity - including samples you uploaded (as long as you are on the free account/API) is public [or "considered" public].

Everyday is a school day when you work in security. Thanks guys for a brilliant video ☺️

I did not know that about adding machine readable txt

Are there valid uses of the TXT DNS record type that are still in use today?

A question i am asking myself is there any actual legitmate use for the dns txt request type left? If no then there would be no good reason to keep it at all honestly

@DavidBombal - I never knew this type of attack was possible 🤯

Extremely new to me but outstanding how things in systems and networks are still weak. With where we are today in should we not be above and over with criminals on the net?

I have heard of this method, but I had never seen it demonstrated. I still wonder why the host system would actually run the initial script contained within the initial TXT query... I understand how the script could run its loop and pull down the entire 17 packets and assemble itself - but why would an initial query actually start the subsequent process?

In the late 90's I hacked a RTL driver to send/receive encoded messages in ping requests, it was a little slow but you don't need a lot of code to get something running.

@4lfie-

Жыл бұрын

what does RTL stand for?

I've seen DNS used to smuggle data out of secure(ish) systems that stopped outgoing requests to unknown addresses but not via DNS.

@davidbombal

Жыл бұрын

Glad you learned something Benjamin. Nice detailed explanation here if you are interested: unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/

@davidbombal where is the link of chris's threat hunting course ?

It should be stopped at source, ie the DNS provider. Just put some validation and checking in place to prevent this method of injection and close it down.

In Iran, the first level of web filtering is applied by the IRGC government with DNS hijacking. please talk more about filtering .

Nope. Didn't know that one. I came up with a data exfiltration method against hardened internal corporate networks using DNS about 15 years ago. I've not seen it ever mentioned, so it may still be novel.

@davidbombal

Жыл бұрын

Glad you learned something new!

a question - we passed the strings to txt file, but what made the client machine to run the initial txt instructions?

@norsie45

Жыл бұрын

7:09 or so, the first command

@shriram5494

Жыл бұрын

@@paulus9660 Yeah if the client machine is already compromised, you can't really say DNS is the culprit here. They might as well get the code payload from a normal http request.

@norsie45

Жыл бұрын

@@paulus9660 thank you!

it looks like a stage, it will connect to the c2 to download and install the payload

Who ever heard of text in a DNS reply. We were fine with RFC 1035() which had a limit of 512 "octets" then came RFC 2671 replaced by RFC 6891, which extends the payload to over 1k. Anything over 512 bytes should be suspect.

So just to reiterate, the victim executes a script which then makes DNS requests, assembles the txt resource records, executes that assembled text file which makes a callback to a C2/attacker....?

@davidbombal

Жыл бұрын

Nice detailed explanation here: unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/

ima network security student its very interesting to learn it

how can i get the pcap used in presentation?