Chandra Tandukar

A hacking case: (DNS Hacking)

Updated: Dec 10, 2019

Let me share a case where I got the chance to take part in studying the hack of a website, one of the most popular sites in Nelson. I won't share the website's link or name, but I will describe the case.

One of my friends, who works as a Web/IT Manager, rang me early in the morning on 12 August 2019. He was very anxious and said that the website he managed had been hacked. He asked for my help, as I was good with systems and pursuing a career in IT security. He explained that it had been working fine the day before, while he was doing his regular web content posting. The next morning the site was redirecting to a Chinese pornography site.

From his description I understood that this was a case of DNS hacking. I was learning penetration testing and had never faced such a case in a web application before, apart from malware infections on local machines during my previous job. It was good learning for me to be involved in such an issue, and once his boss approved I went to his workplace. I did some preliminary research about the attack: What is DNS hacking? How does it occur? What are its types? What is the technique to resolve the problem?

During my preliminary research, here are the general ideas I gathered about DNS hacking. Attackers use this technique to take a web service away from its users without touching the web server itself. DNS hacking is redirection of the Domain Name System (DNS): the user's requests to a server are unexpectedly redirected to malicious sites because DNS queries resolve to the wrong address. The attacker compromises the user's computer, the network router, or the DNS communication path, often by installing malware that alters the system's DNS settings or responses so that the name resolves to a malicious site.

DNS hacking is used for phishing and pharming: the attackers deceive the users who reach the fake site and steal their data or credentials, or they earn revenue by displaying unwanted ads.

Here is a figure that illustrates how DNS hacking takes place.


Figure: DNS Hacking

When a user requests a web page from a web server, the request from the user's browser passes through various network components and protocols on its way to the legitimate server. The attacker compromises either the local DNS configuration, the router, or the ISP's DNS server so that the name resolves to a malicious website, and the browser connects there instead. This is how the DNS attack occurs.




Similarly, based on the nature of the attack and which component in the network is compromised, DNS attacks can be classified into four types.

  • Local DNS Attack: Also called a local DNS hijack. Attackers use a Trojan to alter the DNS configuration of the local machine (for example the hosts file or the configured resolver) so that the user is redirected to malicious sites.

  • Router DNS Attack: Since routers also act as DNS servers for the local network, vulnerabilities in the firmware or weak login credentials let an attacker overwrite the router's DNS settings, affecting every user who accesses the network through that router.

  • Man In The Middle DNS Attack: The attacker intercepts the communication between the user and the server and alters it, for example by forging DNS responses, so that the destination IP address points to a malicious site.

  • Rogue DNS Server: The attacker compromises a DNS server and changes its records, so that queries for the legitimate name return the address of a malicious site.

Once I had gathered this information, I went to investigate the scenario. Following are the tasks that I carried out.

First of all, I needed to confirm the attack type. So the first thing I could do was investigate whether the local system was compromised. I checked the hosts file in C:\Windows\System32\drivers\etc for any alteration, but the file had not been modified.

Then I planned to access the router and look for any alteration in it. As the router had the latest firmware and its login credentials were secured under a password policy, there was a low chance of tampering.

Once I had confirmed that, I suggested consulting the ISP to verify the DNS resolution through their servers. They confirmed from their end that it was working correctly. Finally, I planned to investigate the server and asked whether he had made any recent change to the system. My friend informed me that he had installed a free plugin on the server the day before. As we did not have access to the server, I requested that they consult the server administrator. The server administrator confirmed the security measures and reset the DNS settings, and the problem was solved.
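The layered checks above (hosts file, router, ISP resolver, then the zone itself) can be scripted, and the result maps back onto the four attack types listed earlier. The following Python is an added example and is not code from the post or from the site involved. It parses a hosts file for overrides, then compares the answer each resolver layer gives with the zone's own authoritative answer and with the address the site owner knows to be correct, reporting the first layer that diverges. The hostname www.example.org, the addresses 203.0.113.10 and 198.51.100.77, the hosts-file contents and the resolver answers are all constructed for the example; in a real check each answer set would come from a query sent directly to that resolver (for instance `dig @<resolver> <host> A +short`).

```python
"""Layer-by-layer triage of a suspected DNS hijack.

Follows the order of checks used in the post: hosts file, router, ISP
resolver, then the zone's own authoritative answer.  Resolver answers are
passed in as plain data so the logic runs offline; in a real check each
set would come from a query sent directly to that resolver.  Every name
and address below is constructed for the example.
"""
import ipaddress
from typing import Dict, List, Optional

# Which of the attack types from the post each divergent layer corresponds to.
LAYER_LABELS = {
    "hosts": "Local DNS attack (hosts file overrides the name)",
    "router": "Router DNS attack (router's resolver answers wrongly)",
    "isp": "Rogue DNS server (ISP resolver answers wrongly)",
    "public": "Rogue DNS server (public resolver answers wrongly)",
    "zone": "Authoritative records altered at the DNS host or registrar",
}


def hosts_overrides(hosts_text: str, hostname: str) -> List[str]:
    """Return the IPs that a hosts file pins to hostname.

    Comments, blank lines, case and a trailing dot are ignored; a line whose
    first field is not a valid IP address is skipped rather than trusted.
    """
    target = hostname.lower().rstrip(".")
    pinned = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        if target in (n.lower().rstrip(".") for n in names):
            pinned.append(ip)
    return pinned


def locate_hijack(hostname: str, expected_ips: List[str], hosts_text: str,
                  answers: Dict[str, List[str]]) -> Optional[str]:
    """Return the first layer that diverges, or None if everything agrees.

    expected_ips is the web host's real address as the site owner knows it,
    independent of DNS.  answers maps "router", "isp", "public" and
    "authoritative" to the A records each returned for hostname.  A resolver
    is only blamed if it disagrees with the zone's own answer; if every
    resolver faithfully repeats a wrong authoritative answer, the fault is
    in the zone, which is what the case in the post turned out to be.
    """
    expected = set(expected_ips)
    pinned = set(hosts_overrides(hosts_text, hostname))
    if pinned and pinned != expected:
        return "hosts"
    authoritative = set(answers["authoritative"])
    for layer in ("router", "isp", "public"):
        if layer in answers and set(answers[layer]) != authoritative:
            return layer
    if authoritative != expected:
        return "zone"
    return None


# Constructed sample data (hypothetical hostname and addresses).
HOSTNAME = "www.example.org"
GOOD = ["203.0.113.10"]     # address of the real web host, per the admin
BAD = ["198.51.100.77"]     # address of the redirect target
CLEAN_HOSTS = "127.0.0.1 localhost\n::1 localhost\n"
POISONED_HOSTS = CLEAN_HOSTS + "198.51.100.77 www.example.org  # added by malware\n"
ALL_GOOD = {"router": GOOD, "isp": GOOD, "public": GOOD, "authoritative": GOOD}

SCENARIOS = {
    # The post's case: every resolver agrees, but the zone itself now lies.
    "zone_altered": (CLEAN_HOSTS, {k: BAD for k in ALL_GOOD}),
    "hosts_file": (POISONED_HOSTS, ALL_GOOD),
    "router": (CLEAN_HOSTS, {**ALL_GOOD, "router": BAD}),
    "clean": (CLEAN_HOSTS, ALL_GOOD),
}


def run_scenarios() -> Dict[str, Optional[str]]:
    """Run locate_hijack over each constructed scenario."""
    return {name: locate_hijack(HOSTNAME, GOOD, hosts, answers)
            for name, (hosts, answers) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, layer in run_scenarios().items():
        print(f"{name:13s} -> {LAYER_LABELS[layer] if layer else 'no hijack found'}")
```

A resolver that returns the same wrong address as the zone's own name servers is not the culprit; that pattern points at the zone (the DNS host or registrar account), which is why checking the local machine, router and ISP first and finding them "clean" still leaves the server side to examine. Two caveats: a man-in-the-middle forgery cannot be told apart from a rogue resolver by this comparison alone, and a resolver that still caches the old record after a fix will show up as a divergence until its TTL expires.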


Overall, this is a real case that I got the chance to face. As technology and security grow, so do the hacking techniques. We need precautionary measures and an action plan to overcome such issues if they occur and to protect information and systems from exploitation.



