0x20 Hack Defending like it’s 2008
Page 1: 0x20 hack

0x20 Hack
Defending like it’s 2008

Page 2: 0x20 hack

2008 DNS vulnerabilities are teh shitz
The Dan Kaminskys find a way to do DNS cache poisoning… on the Internet
Everyone freaks out
He gives some solutions like DNSSEC
Everyone goes… yeah right. See you in 2013
People freak out again

Page 3: 0x20 hack

DNS Cache Poisoning
Inject a fake DNS result into a caching DNS server
Clients requesting that hostname will be given the malicious response
Works for as long as TTL is set
Example:
  › Vulnerability in BIND exploited
  › Injects a cached response for www.google.com
  › Grandma goes to www.google.com, and is redirected

Page 4: 0x20 hack
Page 5: 0x20 hack

Mitigations
DNSSEC (we’re getting there)
Patch your DNS server (yes of course, but not an actual solution)
Disable caching (not realistic in most cases)
Randomize Name Servers (helps limit the effect of a poison)
Prepending a nonce to queries (balls930282-fwq.www.rochester2600.com - effective but “omg what’s a nonce”)
Removing duplicate queries (mitigate birthday attack)
0x20 Hack

Page 6: 0x20 hack
Page 7: 0x20 hack

0x20 Hack

Page 8: 0x20 hack

0x20 Hack
Refers to the simplest hack to modify the case of a DNS request
0x20 bit manipulation is lower CPU cost compared to, for example, using Python to change the case of a string
Turns out every DNS server ever can handle this hack
Requests need to generate a random bitmask
Only works if the DNS server does not pay attention to case
No entropy for TLD or number domains but helps most hostnames

Page 9: 0x20 hack

Example
www.rochester2600.com    000 0000000000000 000
WWW.ROCHESTER2600.COM    111 1111111111111 111
wWw.rOChesTer2600.CoM    010 0110001000000 101
wWW.ROCheSTeR2600.com    011 1110011010011 000
WWW.roCHEsTeR2600.COM    111 0011101010000 111

Page 10: 0x20 hack

Result

Attackers must brute force all possible combinations of upper and lower case to successfully poison your cache
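
The 0x20 encoding and the resolver-side check from the slides above, as an added Python example that is not part of the original deck. The function names and the one-bit-per-letter mask layout are this example's assumptions (the slide masks carry a bit for every non-dot character); the numeric name is constructed.

```python
import secrets

def _is_letter(b: int) -> bool:
    # Clearing bit 0x20 folds a-z onto A-Z (0x41-0x5A); digits, dots, hyphens fall outside.
    return 0x41 <= (b & 0xDF) <= 0x5A

def entropy_bits(name: str) -> int:
    """Bits 0x20 can add to a query: one per ASCII letter in the name."""
    return sum(_is_letter(b) for b in name.encode("ascii"))

def apply_mask(name: str, mask: int) -> str:
    """Set each letter's case from the mask; first letter = highest bit, 1 = upper."""
    bit = entropy_bits(name) - 1
    out = bytearray()
    for b in name.encode("ascii"):
        if _is_letter(b):
            b = (b & 0xDF) if (mask >> bit) & 1 else (b | 0x20)
            bit -= 1
        out.append(b)
    return out.decode("ascii")

def encode_query(name: str) -> str:
    """Draw a fresh random mask for every outgoing query."""
    n = entropy_bits(name)
    return apply_mask(name, secrets.randbits(n)) if n else name

def accept_response(sent_qname: str, echoed_qname: str) -> bool:
    """0x20 check only: the echoed question must match the sent case exactly.
    A real resolver applies this on top of its transaction ID and port checks."""
    return sent_qname == echoed_qname

if __name__ == "__main__":
    host = "www.rochester2600.com"  # hostname used in the slides
    sent = encode_query(host)
    bits = entropy_bits(host)
    print(f"sent {sent}: {bits} bits, {2 ** bits} case patterns")
    print("exact echo accepted:", accept_response(sent, sent))
    print("all-lowercase forgery accepted:", accept_response(sent, host))
    print("numeric name (constructed) bits:", entropy_bits("123.456"))
```

A forged answer has to reproduce the case pattern as well as the name, so the 15 letters in this hostname multiply the attacker's guessing work by 2^15, while a name with no letters gains nothing.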

Page 11: 0x20 hack

Why?

I didn’t know about this and love its simplicity

Hipster Tor

Page 12: 0x20 hack

What did you learn

A and a are 0x20 apart
The 0x20 hack
No one uses this anymore…history lesson
Nothing. You’re not even looking at the screen right now.

Page 13: 0x20 hack

End.