• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

Educational: Anatomy of a public DNS breakin

Solaris17

Super Dainty Moderator
Staff member
Joined
Aug 16, 2005
Messages
25,674 (3.80/day)
Location
Alabama
System Name Rocinante
Processor I9 13900ks
Motherboard EVGA z690 Dark KINGPIN
Cooling EK-AIO Elite 360 D-RGB
Memory 64GB Gskill Trident Z5 DDR5 6000 @6400
Video Card(s) MSI SUPRIM Liquid X 4090
Storage 1x 500GB 980 Pro | 1x 1TB 980 Pro | 1x 8TB Corsair MP400
Display(s) Odyssey OLED G9 G95SC
Case Lian Li o11 Evo Dynamic White
Audio Device(s) Moondrop S8's on Schiit Hel 2e
Power Supply Bequiet! Power Pro 12 1500w
Mouse Lamzu Atlantis (White)
Keyboard Monsgeek M3 Lavender, Akko Crystal Blues
VR HMD Quest 3
Software Windows 11
Benchmark Scores I dont have time for that.
Introduction

Hiya, Today I am going to walk you through discovering and potentially leveraging open DNS servers in an effort to show you why you should be careful with the DNS blocking tools that have steadily become popular.

I am NOT affiliated, sponsored, represent, or paid by any security firm or corporation. I do not officially represent any entity while posting under my USN in TPU.

I am a normal guy that wants to bring as much security information to this forum as I have time to do. I understand that it isn't really the focus of this site but the more eyes and DIYs that can see it the better.

What I am doing is for education. BE WARNED that what is being done is POTENTIALLY ILLEGAL and can result in CRIMINAL CHARGES. NEVER pentest or modify a computer system WITHOUT CONSENT.

We will be tackling this with free tools in windows.

I will try to keep this short.

Taking a look

Today's internet is full of devices that are becoming popular in regards, to security and privacy. Some of these devices show in the form of DNS filtering agents. This is because other than adblockers this is the easiest way to protect an entire network.

Devices and software like:
  • Bitdefender Box
  • Firewalla
  • Fingbox
  • Winston
  • Pi-hole
  • AdGuard
Have more or less the same features, and one of the biggest and most useful are there abilities to block DNS queries based on a reputation system that has definitions we call "lists". Of course we have been doing things like this for years on our personal computers. Modification of the 'hosts' file is in essence what these devices do only on a much broader scale. So what is the big deal with these kinds of devices and why might there be a problem?

The issue stems from availability without much education. I have covered DNS basics and even went over the setup of a Pi-hole in a previous guide (I promise to fix the pictures). Basically, convenience is our enemy here and when installing these devices more privacy/hobbyist minded individuals make modifications to these systems (with some just being vulnerable to being with) that promote bad internet hygiene and expose them to more risk.

Primer

I am going to be picking on pi-hole today. I should get it out of the way that in this case pi-hole as a product is safe and its defaults are also safe. The issue stems from its misconfiguration by individuals and its widespread adoption by DIYers combined with a lack of understanding on how DNS works.

To start lets go over why an open DNS server that is, a DNS server that can be used publicly is bad. I have an example myself but for a more bulleted list we can look here https://securitytrails.com/blog/most-popular-types-dns-attacks. Now to reiterate it should be noted that even the pi-hole staff and much of the people 'in the know' do NOT want you to open DNS to the public. DNS servers exposed to the public and ran by amatures is such a bad idea that there are several lists available exposing them.

Abusing DNS is bad, and I've said it four different ways already. If you didn't read any of the links I posted it boils down to these potential problems.
  • DDoS of the DNS service
  • Poisoning DNS servers
  • Hijacking DNS requests
  • Amplification (reflection) attacks utilizing public DNS servers to overwhelm a specific domain
  • Waste of bandwidth
You can read what CISA thinks about amplification attacks here. They are the easiest and most abused aspect of public DNS servers. In most of my guides I try to educate and most of the cases involve some examples. However, I understand that is not enough for some people. To some security articles are nothing more than a pentester or security professional soap boxing on a public forum.

Getting dirty

So let's break into public DNS servers. First we want to make it appeal to the masses. Lets really drive home how easy it is to disrupt people and break privacy.

What if we imposed rules? Hm. How about.
  • It has to be with free tools
  • They don't need to be installed
  • They don't require a user account
That's a little rough. No burp suite, no nmap no normal pentesting kit tools. However if we stick to those rules in theory anyone with a PC can do it.


1580067849879.png

To start Let's think critically. We do need SOME info. How about something simple? How about we go with a name? Most of these products brand themselves so we will start with "pihole".

Now how about we plug this into a website that scans IoT things?


Oh my, even without a user account.

1.png

Ok, So shodan lets us dive in. What does the request actually look like? What else may have been detected on this server? I mean, what if they are hosting a public FTP server that we can access as well? The possibilities are scary and are only limited to web hostable content.

2.png

Neat, so they are running pihole on port 8089 on this specific IP address. Let's try to go to it.

3.png

Sad face. It looks like its responding however.

What if we tacked on something? What if we did a little URL modification? Say for example we attempted to access the admin page of the unit? That has a default path of I think
Code:
/admin/index.php
.

1580069484196.png

Yikes! and its out of date! Not only is it public but let's not forget that products can have CVEs.

As we can see though this one requires login at least. Maybe we can use it as a DNS server? Lets see if it accepts outside connections.

To do this on Linux you can use the
Code:
dig
command However, for windows we can use
Code:
nslookup

Something like <command> <domain I want> <server I want to use>

Lets take a look.

4.png

Nope, no open resolver. Just an open web interface. Still bad, but we are looking for quick targets. Let's move on and try a few more.

1580070182764.png

Wow. Words cannot communicate how ridiculous this is.

Anyone fancy changing there upstream DNS server to your own so you can re-route traffic?

1580070330285.png

Or maybe you want to stop the service? Maybe shut down the device?

1580070366713.png

Danger Zone indeed!

Other than hijacking there DNS requests to a server you run, or making their lives miserable but disabling DNS resolution. Or otherwise peeking on there lives, or man maybe even getting to know there work schedule by monitoring the DNS request graph.

1580070488162.png


Can it actually resolve public DNS though? Or did they just remove the password on the admin CP?

5.png

Wow. We can even abuse it via DNS itself.

Buttoning up

According to the command list it appears that installers are utilizing
Code:
pihole -a -p
to change the -admin -password and simply leaving the field blank. This would effectively disable the password requirement that the pihole actually FORCES during install by randomly generating a password that is displayed to you.

Let's take a moment to remember our honorable mentions, like the knockoff products that customize the existing code of existing products. In the pi-holes example "Adgone" and "Rootswitch" after investigation not only provide public resolves based off of the product but themselves charge customers for access to there public resolver as part of a product stack that they ripped off.

It's important to understand the risks and consequences of this. In a broad sense.

Some DIYers setup these devices and consciously know they are exposing it to the internet. This allows them to customize phones or laptops when they are not on the LAN to use the filter settings they setup. However there are MUCH better ways to do this. Others simply have no idea. There routers could be port forwarding port 53 (DNS) and 80 or 443 (HTTP/s) by default and the intent was just to use it like normal. Some going further may have believed the forwards necessary for functionality.

In either case this is not limited to the pi-hole. Or even privacy/security/filtering products like this, or the ones mentioned. You should always be aware that a network is just that. A collection of devices working together. All parts of a network should be examined. Routers should be checked. Firewalls in network devices need to be examined.

If you don't; I'll do it for you. On my lunch break.

Things we did today.

  • Found your devices admin panel
  • Broke into your device
  • Found out if I could use your device for bad things
  • Found out you work 10-6pm EST
  • Followed you on instagram
  • Took note of the number of devices on your network
  • Took note of your device names
  • Found the local address of the other servers you run on your network

Conclusion

Stay safe, know what you are buying and how to set it up. If you don't find someone who does. Check your devices. Typing this literally took longer than it took me to find 271 exposed devices and I managed to find 13 I could admin access before I finished writing this sentence.

Hope you learned something. Thanks for reading!
 

Attachments

  • 1.png
    1.png
    93.8 KB · Views: 264
  • 3.png
    3.png
    9.7 KB · Views: 235
Joined
Jun 5, 2007
Messages
2,147 (0.35/day)
Location
Metro Manila, Philippines
System Name Zangief (Reborn)
Processor AMD Ryzen R7 1700X @ 3.825ghz , 1.35v
Motherboard Gigabyte GA-AX370 Gaming K7 Rev 1.0 BIOS F51e
Cooling Noctua NH-D15 Push / Push Config | 2x ML120 | 2x Phanteks 120 mm
Memory 2x8GB G.Skill Trident Z @ 3200mhz cl 16 @ 1.45v
Video Card(s) Gigabyte Aorus GTX 1080 +100 core / +550 mem
Storage 250 GB Samsung Evo 850 / 1tb WD Black / 4tb WD Blue / 512GB Adata XPG Pro SX8200
Display(s) Acer Predator XB271HU |Asus VX239H 23" AH-IPS Led
Case Phanteks Enthoo Pro M TG
Audio Device(s) On Board Realtek HD / Logitech G633/G933 Gaming Headset / Corsair H70 Pro Wireless
Power Supply Corsair HX750i
Mouse Logitech G903 and G602 Wireless Gaming | Logitech Proteus Core G502
Keyboard Corsair K70 Cherry Red | Corsair K70 RGB MK.2 Cherry Browns | Akko 3908N TTC Flame Reds
Software Windows 11 Pro
Thank you for sharing, these sort of things are truly a resource for learning, keep up the good work!
 

Solaris17

Super Dainty Moderator
Staff member
Joined
Aug 16, 2005
Messages
25,674 (3.80/day)
Location
Alabama
System Name Rocinante
Processor I9 13900ks
Motherboard EVGA z690 Dark KINGPIN
Cooling EK-AIO Elite 360 D-RGB
Memory 64GB Gskill Trident Z5 DDR5 6000 @6400
Video Card(s) MSI SUPRIM Liquid X 4090
Storage 1x 500GB 980 Pro | 1x 1TB 980 Pro | 1x 8TB Corsair MP400
Display(s) Odyssey OLED G9 G95SC
Case Lian Li o11 Evo Dynamic White
Audio Device(s) Moondrop S8's on Schiit Hel 2e
Power Supply Bequiet! Power Pro 12 1500w
Mouse Lamzu Atlantis (White)
Keyboard Monsgeek M3 Lavender, Akko Crystal Blues
VR HMD Quest 3
Software Windows 11
Benchmark Scores I dont have time for that.
Thanks, stay safe out there!
 
D

Deleted member 158293

Guest
Nice write-up!

Yes be careful out there, the amount of bots scanning addresses & ports is seriously impressive. Not knowing what you are doing especially with regards to networking is asking for trouble, big trouble.
 

silentbogo

Moderator
Staff member
Joined
Nov 20, 2013
Messages
5,467 (1.46/day)
Location
Kyiv, Ukraine
System Name WS#1337
Processor Ryzen 7 3800X
Motherboard ASUS X570-PLUS TUF Gaming
Cooling Xigmatek Scylla 240mm AIO
Memory 4x8GB Samsung DDR4 ECC UDIMM
Video Card(s) Inno3D RTX 3070 Ti iChill
Storage ADATA Legend 2TB + ADATA SX8200 Pro 1TB
Display(s) Samsung U24E590D (4K/UHD)
Case ghetto CM Cosmos RC-1000
Audio Device(s) ALC1220
Power Supply SeaSonic SSR-550FX (80+ GOLD)
Mouse Logitech G603
Keyboard Modecom Volcano Blade (Kailh choc LP)
VR HMD Google dreamview headset(aka fancy cardboard)
Software Windows 11, Ubuntu 20.04 LTS
Thx, Dave. I was contemplating on this recently as well...
Maybe not directly related to this topic, but I was looking through our server logs and noticed a significant increase in probing for misconfigured single-board computers (not just RPi, but also other popular models like Pine64, OrangePi etc.), and a significant increase in new(crappy and simple, to be honest) DNS manipulation malware on random laptops that I occasionally get in my workshop.
Did a write-up a few years ago on IPcam abuse, and was really surprised how easy it was to find certain model of vulnerable cameras (w/ static IPs as well) just by googling some typical strings from a config file :nutkick:
 

Solaris17

Super Dainty Moderator
Staff member
Joined
Aug 16, 2005
Messages
25,674 (3.80/day)
Location
Alabama
System Name Rocinante
Processor I9 13900ks
Motherboard EVGA z690 Dark KINGPIN
Cooling EK-AIO Elite 360 D-RGB
Memory 64GB Gskill Trident Z5 DDR5 6000 @6400
Video Card(s) MSI SUPRIM Liquid X 4090
Storage 1x 500GB 980 Pro | 1x 1TB 980 Pro | 1x 8TB Corsair MP400
Display(s) Odyssey OLED G9 G95SC
Case Lian Li o11 Evo Dynamic White
Audio Device(s) Moondrop S8's on Schiit Hel 2e
Power Supply Bequiet! Power Pro 12 1500w
Mouse Lamzu Atlantis (White)
Keyboard Monsgeek M3 Lavender, Akko Crystal Blues
VR HMD Quest 3
Software Windows 11
Benchmark Scores I dont have time for that.
Thx, Dave. I was contemplating on this recently as well...
Maybe not directly related to this topic, but I was looking through our server logs and noticed a significant increase in probing for misconfigured single-board computers (not just RPi, but also other popular models like Pine64, OrangePi etc.), and a significant increase in new(crappy and simple, to be honest) DNS manipulation malware on random laptops that I occasionally get in my workshop.
Did a write-up a few years ago on IPcam abuse, and was really surprised how easy it was to find certain model of vulnerable cameras (w/ static IPs as well) just by googling some typical strings from a config file :nutkick:

Thanks. Yeah cameras are bad about it. I've seen an uptick in actual DVR systems as well. Recently within the last 6 months a surprising amount of printers.
 
Joined
Mar 10, 2015
Messages
3,984 (1.22/day)
System Name Wut?
Processor 3900X
Motherboard ASRock Taichi X570
Cooling Water
Memory 32GB GSkill CL16 3600mhz
Video Card(s) Vega 56
Storage 2 x AData XPG 8200 Pro 1TB
Display(s) 3440 x 1440
Case Thermaltake Tower 900
Power Supply Seasonic Prime Ultra Platinum
Thanks, stay safe out there!

Just so everyone knows before they go trying some of these, it is not exactly legal to access these devices without explicit written permission. Just because they are open to the world does not absolve the requirement for permission.

Be safe, and smart.
 

Solaris17

Super Dainty Moderator
Staff member
Joined
Aug 16, 2005
Messages
25,674 (3.80/day)
Location
Alabama
System Name Rocinante
Processor I9 13900ks
Motherboard EVGA z690 Dark KINGPIN
Cooling EK-AIO Elite 360 D-RGB
Memory 64GB Gskill Trident Z5 DDR5 6000 @6400
Video Card(s) MSI SUPRIM Liquid X 4090
Storage 1x 500GB 980 Pro | 1x 1TB 980 Pro | 1x 8TB Corsair MP400
Display(s) Odyssey OLED G9 G95SC
Case Lian Li o11 Evo Dynamic White
Audio Device(s) Moondrop S8's on Schiit Hel 2e
Power Supply Bequiet! Power Pro 12 1500w
Mouse Lamzu Atlantis (White)
Keyboard Monsgeek M3 Lavender, Akko Crystal Blues
VR HMD Quest 3
Software Windows 11
Benchmark Scores I dont have time for that.
Just so everyone knows before they go trying some of these, it is not exactly legal to access these devices without explicit written permission. Just because they are open to the world does not absolve the requirement for permission.

Be safe, and smart.

yup, bids mentioning again. Hoping people dont miss the large red text I put in the beginning, but who knows.
 
Joined
Mar 10, 2015
Messages
3,984 (1.22/day)
System Name Wut?
Processor 3900X
Motherboard ASRock Taichi X570
Cooling Water
Memory 32GB GSkill CL16 3600mhz
Video Card(s) Vega 56
Storage 2 x AData XPG 8200 Pro 1TB
Display(s) 3440 x 1440
Case Thermaltake Tower 900
Power Supply Seasonic Prime Ultra Platinum
yup, bids mentioning again. Hoping people dont miss the large red text I put in the beginning, but who knows.

I actually scrolled past it the first time in my phone.
 
Top