The Hacker Mind Podcast: Hacking .Mil And Other TLD Domains (Ethically)

Robert Vamosi
July 13, 2023
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Internet domains are brittle. One could hack into a military, a foreign government, or even global commercial web services domain using flaws in the underlying architecture. Fredrik Nordberg Almroth, co-founder of Detectify, talks about how he did just that -- hack .mil, hack the top level domain of the Democratic Republic of Congo, and even Gamil or Wordpress -- just by looking for basic misconfigurations.

The Hacker Mind is available on all podcast platforms.

[Heads Up: This transcription was autogenerated, so there may be errors.]

VAMOSI: So when you access a website, you don’t care what server it’s on. I mean, for IPv4, we don’t type in the numerical address of the site we want to contact. You type in TheHackerMind.com and it automagically takes you there. How?

There are Domain Name System servers that keep updated lists, like tracking telephone exchanges, that say today TheHackerMind.com is at this address. But maybe we change the ISP hosting the site to another server. No matter, you type in TheHackerMind.com and the DNS takes you to the proper page.

Several years ago, based on my reputation as an infosec writer, I was hired to do some contract work for one for the thirteen root-level DNS registrars. It’s crazy, but the different extensions of a URL that you see --what are called TopLevelDomains or TLDs such as .com and .net, and now we have generic top level domains or gTLDs -- like .info or .security -- they have to be managed by these different domain authorities. 

For example, there’s the Internet Corporation for Assigned Names and Numbers or ICANN. They are responsible for coordinating the maintenance and procedures of several databases related to the namespaces and numerical spaces of the Internet, ensuring the network's stable and secure operation.

The occasion was a very credible threat against this domain authority, on a specific date, at a specific time. And an attack on one is an attack on all, I remember the organization was in contact with the root domains as well. Fortunately, as the appointed hour came and went, no activity was seen, but I documented the activities the organization took, with an eye toward having that document for any future events.

My point is, the architecture of the internet is old, based on a simpler time. Our needs today are more complex. And, as you’ve heard me say before, complexity is often the enemy of security. The more complicated your make something, more the likely it is that you’ll have a misconfiguration or a vulnerability that someone, like my next guest, can easily exploit. 

[music]

Welcome to the hacker mind, an original podcast from ForAllSecure. It’s about challenging our expectations about people who hack for a living. I’m your host Robert Vamosi and in this episode I’m discussing how one might exploit misconfigurations in DNS, and how to secure your organization from this increasingly popular mode of attack.

[music]

VAMOSI: We are going to hear from a researcher who is known for hacking a military site; hacking a foreign government's entire domain; and finally hacking the largest email service in the world.

ALMROTH: My name is Frederick Norberg Almroth. I am a security researcher and co-founder of Detectify. Detectify is an attack surface monitoring solution, which makes us a bit of application security with ethical hacking. So during that, I don't know how long the past decade I've been on and off playing around with DNS. 

VAMOSI: So we're going to hear the term Ethical Hacker. This term is, well, hard to pin down. Of course hackers are ethical, so why qualify it? Well, people don't always say criminal hackers -- that certainly needs to be qualified. And that's what the Hacker Mind has set out to do, take back the word hacker, and qualify it with criminal where we're talking about bad actors. But ethical hackers?

ALMROTH: That's right. I am an ethical hacker. So I've been participating in what seemed like I believe you're referring to as a bug bounty hunter, along with like, random hacker woman but all of those. So I've been a pretty early adopter of the anti bug bounty mentality. But you're right. Once upon a time, I've been working as a penetration tester as well. mostly focused on web apps.

VAMOSI: That's either a good thing or a bad thing to identify yourself as an ethical hacker. 

ALMROTH: Yeah, you have a point. I've been doing a lot of bug bounty to say that. That's what I mean by ethical hacking.

VAMOSI: So, bug bounties, where you are invited to hacker a company and if you find anything report it for money. I talk about this culture more in Episode 9 of the The Hacker mind.

ALMROTH: is that if a vulnerability is a software I would go to the vendor first, prior to making a public announcement if I even do that.

VAMOSI: And it's kind of sad that we have to identify it as ethical hacking.

ALMROTH: Yeah, that's a different discussion. I suppose. That is correct. Yeah, professionally, and I do security offensive security.

VAMOSI: So do you get a lot of questions?

ALMROTH: I do. And I rather make myself clear upfront. Before you're saying hacker. If someone here that that's not a part of the industry, you get very mixed responses. So a friend of mine you have a friend is a police officer and we were out having beers and I said something along the line Oh yes. The wrapped up this fantastic company. went public. But he reacted like What do you mean? I was like, Yeah, I have this company. And he's red flags went off. The blue label was a criminal. Well, that was not the intent.

--[music]--

VAMOSI: warnings about DNS misconfigurations and compromises are not new.

ALMROTH: I believe the first announcement we made as protective phi in regards to DNS research was back in 2014 and made a blog post about subdomain takeovers, which was novel at the time. I hadn't stopped poking since.

VAMOSI:. You were looking at DNS, you were looking at subdomains and stuff my limited knowledge tells me that if you own the top level domain, you should own the sub domains. Or are there nuances?

ALMROTH: There are definitely nuances if you get to compromise a CNAME pointer. 

VAMOSI: A CNAME or Conanical Name is an alias that maps back to a conical domain name. For example, CName records are typically used to map to a subdomian.

ALMROTH:  Say you have a modern source provider, say Heroku or something like a platform as a service. And I get to create my own app and associated with your subdomain, then I don't have full control over the DNS space. It's more of an amputation than your bike which is facilitated through DNS, and then the impact is, of course, more limited. But if you purely look at it on a DNS layer, say that your name server expires, and they buy it. I have full control over the DNS records that can be served. 

VAMOSI So this is where it gets interesting.

ALMROTH: DNS, on its own, is redundant. By design. So you have multiple endless records, right. So if one goes down, the other should back it up. 

VAMOSI: thats good you dont want your site or email to go down.

ALMROTH: But that can also be a flaw in the system. Because if one domain expires, they will not be the one to tell you about it. Your domain will still be operable. And that creates a venue for attack. 

VAMOSI: So here's where redundancy in DNS can be a bad thing.

ALMROTH: So that once again, can come along, and some million, get access to that faulty name server delegation. And then get the split of your DNS traffic by both can read it. So you want any incoming requests are in your name servers, or I can respond to it and say that the site address your website. Now it should go over there instead to malicious server.

VAMOSI: so is it as simple as lapsed DNS registration?

ALMROTH: It can be. It really depends. I mean, you'd have vulnerabilities in the name servers themselves, of course, like any other like a buffer overflow or something I've been looking into. I guess we'll touch upon that in a bit. But there is an opcode in DNS.

VAMOSI:  An opcode is the portion of a machine language instruction that specifies the operation to be performed.

ALMROTH:  Typically with query information, you read the data from the name server, imagine the name servers or database or your DNS records, but recent opcode opcode five. It was defined back in 1997 and RFC 2146. That little anecdote, but that allows you to not only read the great new records, delete existing ones and modify them as well. So then you more or less have a little oracle, a state machine you can read, write and affect the availability and everything on the domain. So that is quite rare. I have seen it a handful of times. So I developed a proof of concept like a little scanner, which resolves the name servers for some domain and then tries to create a new sub domain with a random record. And if I don't consider that random record, and I was reading a query that I mean, that I knew that my attacker worked, I could insert a DNS record. So I gathered that Tom of domains must be over 100,000 domains, at minimum, probably close to a million. This was some time ago. But one domain stood out. It was an WC of navy.mil and its name servers.

--[music]

VAMOSI : so frederick just admitted to hacking onto a domain using a vulnerability. That domain just happened to be a US military domain, .mil, owned by the UNited States Navy.

ALMROTH: Random dot mil name servers, but those name servers allowed me to write my own records. So because of the thing with ethical hacking again, the Department of Defense they have Asterix look me and wildcard dot mail domains, that's a scope for the responsible disclosure program. So that's why I targeted the US Navy.

VAMOSI: So you got into the US Navy using a wildcard domian.

ALMROTH: Yeah, that's right. I can modify their DNS records. So what did you all say that solid proof of concept just adding a random TXT record? Doesn't say a lot. But I created my own subdomain.

VAMOSI hacking the US Navy is one thing. Being able to prove it is another.

ALMROTH: the IP address associated with that domain went home to me from Sweden.

VAMOSI: Wait. What?

ALMROTH:  I figured there is a court in SMTP. So if you want to deliver emails, what you typically do is to add MX records or main routing. But If none exist, the email will be attempted to be delivered to the at record the IP address associated with the domain. And that's it now have a subdomain and it goes to like the address the IP is so under my control, I should be able to start receiving emails, right. The stars are aligning. 

VAMOSI: No kidding. Using a vulnerability and using a flaw in DNS itself, Frederick could have been email intended for a .mil address.

ALMROTH:  I remember this old anecdote: it was from a life hacking event organized by Hacker One was in New York. I can't remember the year 2018 Maybe. But then the US Air Force was this target. And our friend of mine, Franz Rosen, did something similar. But in order to show the impact in signing up for the Washington Post, because if you have a document or a.gov email address, you're considered a veteran and the Washington Post are supposed to give you a lifetime subscription for free. And now I am in possession of mainly myself, so I did just that. I created my own account, the Washington Post, and I have it right here right now. words, phrases, things. So I brought all of these in the input. Here is basically the opcode I did for this Listening service. This domain pointed to Sweden and got the signal and now I have a Washington Post. That's a proof of concept. I thought it was fun, and I thought it was really really creepy.

VAMOSI: So you're probably wondering what the US military thought of all this.

ALMROTH: So in January last year, I got rewarded the researcher of the month by the DoD for this winner ability. I have haven't prior to this announced how I went about attack and what was contained in that report.

VAMOSI: So is it systemic or is it specific to how the ISPs roll it out?

ALMROTH: It is a misconfiguration, this opcode is still in use clearly. But what should be happening is that you need to verify the authenticity of the or the query you need to seek signature and all that stuff. It needed to be cryptographically signed and all the time should this be allowed. But there was no such checks here. I escaped that entire park completely unauthenticated and worked and if it works it works. You don't even need to get it right once to win, so to say.

VAMOSI: Right. So it's systemic and how the DNS records are constructed, but you can configure to mitigate it. And in this case, that meal was not configured to mitigate against

ALMROTH: Yep, that’s correct.

--[music]

VAMOSI: Frederick looked at 1000s of companies, or rather their domains, and found that there were others that also were misconfigured in a similar way. 

ALMROTH: Yes, that's right. Okay. Exactly that and on the topic of where we started with expired domains and everything, and that's something very similar, but on a bigger level.

VAMOSI: So ethically hacking the US military is one thing. How about hacking an entire nation?

ALMROTH: You mentioned top domains in my world, that's when .cd -- the .se for me here in Sweden-- Congo. The Democratic Republic of Congo, they have .cd. And this happened, which we discussed. 

VAMOSI: So Frederick took over the top level domain for the Republic of Congo.

ALMROTH: the name server expired. So they had this redundancy wave with six named sort of delegations to adopt net domain or to sorry, free to adopt net domain free to a.com domain and attire.com domain have expired. I was looking for interest like I can see the Whois record. 

VAMOSI ; The whois record identifies the owner. You can make that info private, so only the ISP is identified. 

ALMROTH: We talked about the redemption period that typically means when someone has forgotten to pay their invoice right, but that happens all the time and things he has sold itself. But this was so peculiar as it was the main service for the top level domain. So I kept my eyes on it. made that little script to notify me on a status change, become operable again, or will it actually expire and be up to grabs for anyone? 

VAMOSI: This happens if you forget to pay your 19 dollar domaon registration. An skyrocket to a 1000 dollars if you are on an unscrupulous site.

ALMROTH:  this was, I believe, one or two days before Christmas, in 2020. Mid pandemic, and it happened. The domain expired. It was late at night. I don't know 11pm or something. And my phone started shouting at me. Like this domain is now expired. What do you do? about it? I was about to fall asleep. What's going on? So I went to Amazon being my domain provider, and the app that is domain se to the network.com and press buy. And lo and behold, it was available. I was like okay, let's, let's go. Let's uh, let's buy it. Let's see what happens.

VAMOSI: SO Frederick casually bought the top level domain for the entire country of the Republic of Congo.

ALMROTH: I can't remember how much it costs. It was like $19. But I got it and they became one of my controls. It's like, well, wait a minute. What data you're still now. What are the consequences of this? I didn't really put much thought into it. But while doing so mitigated a bigger attack. If this were to fall into the wrong hands, all kinds of crazy stuff could have happened. 

VAMOSI: All things considered, this was a good thing at least the Republic of Congo didn’t have to pay a thousand dollars. But what could someone do this top level domain?

ALMROTH: So when you control a top level domain, as you said, All subdomains 100 You control those two. So Google operating combo google.cd Which means your spike and the other sub domain. Now, the regular top domains are vulnerable, all of them. So hypothetically, I could have redirected Google to somewhere else. With the issue of SSL certificates for the world that's through means like Let's Encrypt. Yeah, not an outer DNS traffic, greatest single out the individual was on request, like I know this organization has their own recursive resolver. It will now hit my name servers. And if I can do that attribution, I can target individual companies as a method for you, and only you this domain now points over there. Really scary stuff. Right. So not only undermining that photography for each, yes. But you also get to control where the traffic is routed to, and who is scoring what, to an extent you will see the recursive resolvers IP address is not the individual you know, people.

VAMOSI: So, as an ethical hacker, you buy this top level domain for $19 or whatever it was, how then do you unravel that? Obviously you disclose it to you then you have to transfer it back over?

ALMROTH: Yeah, that was super tricky. I never been in that position myself. And I haven't really heard of anyone that's been but what do you do? You basically compromised a foreign nation. Who do you go to and who do you talk to? So that puts me in a weird position. I figured that there should be some radius around for the top level domain. I believe it was found on Aiyana and might have been ICANN. Not about two email addresses. So I sent an email and explained the situation. I own this domain now. Either I transfer to you, and I need the validation code, or you reconfigure city to no longer points to this domain. I believe I have a third solution also on how we could go about mitigating it. 

VAMOSI: Seems reasonable. You report that you the domain so no one else could and you to transfer it to its rightful owners.

ALMROTH: But the crazy thing was, it took them I got one email back with the first dude in this email, saying, Oh, it's not my problem. Refer to the other guy. And that's it. That's the entire correspondence, never said anything. Else, before or after end up official mail correspondence, but the vulnerability was fixed. I think it was fixed even before I got the initial reply. So someone escalated up the chain and it got solved very quickly. That's super weird.

VAMOSI: But you still own the top level domain.

ALMROTH: So what they did was they changed the DNS delegations for CD to another domain. I said I own SMTP network.com They bought SATs. network.net. So now they had a domain controller. And everything was nice and fixed. So sure I owned that initial domain, but it wasn't now stale, mitigated was not being used by anyone. So that's how the mitigation happened. Right? 

VAMOSI: Whoew. So crisis averted right? Well not really.

ALMROTH: Really interesting thing though, later in November. Remember I told you this was in December 2020 November 2021. I got a tweet. directly to me from a re historical been named and they told me Oh, it's happened again. So now this new patched domain has clean network dotnet was misconfigured and tired to be broke once again.

--[MUSIC] --

VAMOSI: So yeah, I mean, even like a consumer going in buying, you know, registering a domain for themselves. It's complicated. You've got to stay up on it. If you lapse, someone can steal your name and take over cetera, et cetera. But this is a problem and so you've got a scanner that goes out there and looks to identify these misconfigurations to look for the registrations. What is that process that the scanner is doing

ALMROTH: Most of the time, I mean, I've made many different concepts through the years. I've tried different approaches, but I've settled now to be purely DNS and HTTP based. So there are different characteristics of these kinds of vulnerabilities. Some are on the main server delegations themselves. So I'll say now that I know they have six main servers, right? And I query one of these named server domains. I should expect all of them to work and the operative gave me some kind of reply with some IP addresses. But if I never get a reply, that's a red flag, it might look at something that will be a warning or an alert. Then of course, it's getting more and more popular with different cloud services and sauce providers. That allows them to put up something under your domain. That's a subdomain, like you have a blog, for example, or you have documentation. And there are companies that manage such solutions for you. That is, everything is cloud based, that you still need to do an MS. Not sorry, I see your name pointer to that party. Sometimes to adopt misaligned, you might have a typo on your ceiling might or might not even be an account on the third party provider that is supposed to deserving your documentation. When that happens it can also be a venue for that.

VAMOSI Now we are getting beyond our country's domain. Now we are talking about hacking the world.

ALMROTH: So say, you know, you have your blog, blog of acumen.com. Right. And he pointed to I don't know WordPress hosting something, something will come and when I as a regular visitor domain, I get the 404 in my face, doesn't seem anything. It's your stuff defined webapp. But as an attacker, if I see that CNAME record, and I go to the WordPress hosting provider, I claim that yes, I am indeed this subdomain. I enter my credit card. More often than not, that is the only validation there is. You need a CNAME pointer to this app. And it already exists. I have my credit card so my one legitimate customer only that I get this sort of content under your domain. 

VAMOSI So Frederick makes it all sound so interesting.

ALMROTH: So to summarize i When scanning I limit myself to DNS, and HTTP, I no longer do anything who is related. Should be some special occasion if I really find that outlier somewhere, doing more of exploratory research.

VAMOSI: So this, of course, opens the door to a supply chain attack that you could insert yourself into a larger organization or as you pointed out to the government and be treated as a legitimate entity, but in fact, you're not.

ALMROTH:Yeah, exactly. So imagine you have a content security policy that says that asterix.microsoft.com is allowed. They get to send requests around and everything is fine. And the violation to that is this allowed the JavaScript Tomcat to execute. Now say some subdomain takeover scenarios explain to you, you will be whitelisted. So you have penetrated the perimeter. Now we get to do all kinds of crazy things. 

VAMOSI this is what every pen tester says.

ALMROTH: Of course, it's very context dependent but what you get to do when you cannot do but that's just the tip of the iceberg. Imagine that you have some Android app, for example. They will kinds of crazy requests in the background that you and I as consumers won't see. But if you sit and analyze the traffic, there will be cases where you see that this domain did in fact, not resolve or it didn't resolve to something which is misconfigured in one way or another. And that is something different. 

VAMOSI: There can also be innocent reasons for subdomains as well.

ALMROTH Even worse, say that you have a marketing team, right? And you want to do some A/B testing. So through Google tag manager, the marketing team add this little JavaScript blob to your website, Mike, okay, might be fine. Now, this company no longer exists, bought up or something that domain is still there, or the JavaScript still there being served from a web page. But the rest of the world has changed. So now that domain doesn't work anymore. If I get the compromised domain, I now have persistent cross site scripting on the webpage. Which means I prophetically say there's a login button somewhere I can redirect that send over the credentials to my c&c server similarly. Imagine all the ad companies out there. There are so many advertisements for all cinder block lists for your piehole or your browser extension, maybe a huge one with just tons and tons of domains. What if one of those expires or gets misconfigured? You know, the sky is really the limit. But the limit is kind of narrowed down to what target you managed to compromise, that's the type thing about supply chain attacks. You can do some preliminary reconnaissance to figure out who's using what. But more often than not, they will be side effects. And that's very hard to predict. When playing around with domains and DNS.

--[MUSIC]

VAMOSI: So are there things that IT departments should be doing their best practices?

ALMROTH: Yeah, definitely. I mean, I am in the business of protecting my customers' attack surface and this is the attack surface. So I would say reduce it to its bare minimum. If you don't need to expose something on the internet, don't don't do it. And if you are exposing someone, something to the internet, make sure that it's operable and up to date. And it goes as far as looking into your Google Tag Manager looking at the prompt and Security Policy headers. Maybe even have a split between say which services should be internal to you in your network and not exposed also turn it out to the greater Internet have like a split horizon DNS setup. Zero trust is a good way to go. But it's still ways to go. I believe in the industry as a whole.

VAMOSI: So, is it also that people aren't thinking of this as the attack surface?

ALMROTH:I believe so. I mean, if you have a domain, and it doesn't resolve and where you broke out a web browser, and all you see is like a generic error page from Chrome. It won't tell you the DNS errors if there are any. If they are saying oh this domain does not exist, but in reality, it might very well it exists but yes be completely misconfigured on a DNS layer. So you need something or someone to link the monitoring to make sure that everything is working as intended. And that doesn't just go for businesses, but everything, everything that touches us. It's not Oh joke. Oh, it's not DNS. It can't be DNS. It was DNS. So I am willing to agree.

VAMOSI: So this might sound like a really dumb question, but it feel that might come up. We're not talking about the difference between ipv4 and ipv6, are we?

ALMROTH: Oh, that's a different kettle of worms. Yeah, right. Yeah. So purely on DNS. How should I phrase it through name server delegation, so that stuff? It works with any kind of transport protocol. Be it ipv4, ipv6, of course, for the client and the server needs to be compatible with it can assume that everything is competitive fighting before and this time and age. But there are differences when it comes to say SPF policies and how reverse DNS works and a lot of stuff around that. 

VAMOSI: An SPF policy Sender Policy Framework (SPF) is an email authentication protocol and part of email cybersecurity used to stop phishing attacks. It allows your company to specify who is allowed to send email on behalf of your domain

ALMROTH: So if you have say shown on to the search engine for the Internet, index and port scan all the IP addresses on the internet, ipv4 Because of the size of it, it's only 4.2 billion addresses. You can do an exhaustive search, and continuously make sure things are up to date, IP version six. You can't really do that. Its total power is 128. That's a vastly superior number to the number of atoms in the universe. So it's a huge, huge amount of possible ipv6 addresses. So you can't read or scan it that way. But there are quirks in DNS for how reverse DNS lookups work when it comes to pointer six records. I believe it was research back in 2012. I cannot remember his name. But there are ways so if you want the domain name from an IP address, that's the reverse part. So you can ask the Domain Name System. Hey, give me a domain for this IP. What happens behind the scenes for regular ipv4 Is that that query will be sent to a really crazy domain. It's like the IP address reversed.il Dash addr but ARPA and even Baskin for a PTR record. 

VAMOSI: A PTR record, also known as a Pointer Record, is a piece of information (a record) that is attached to an email message. The purpose of the PTR record is to verify that the sender matches the IP address it claims to be using. This email ID check process is also known as reverse DNS lookup.

ALMROTH: a PTR record.That is the container for the host name on it. Right? And that you can get some domain that most of the time and I progression, 60s Awesome work. It's a bit different. So instead, you split up this 128 bits of the ipv6 address, and they split them up in chunks of four bytes, so you won't have 16 possible combinations. Then you have a whole bunch of them online to one another. So for us like a really, really long domain name where every subdomain indicates a tiny little fraction of ipv6. So now you can do well. More or less divide and conquer packs. So I asked if that's zero, that is x RP exists. And the internet I know doesn't. Now I have already reduced a whole bunch of entropy. I know that that's our then you should not go down. Eventually I'll refine that to IP six or five do exist. Okay, very nice. Now wherever it is four bits on entropy for like six hours down the chain. And what will you end up getting at the very end? It's of course, the reverse. The name of the ipv6 addresses the reverse DNS lookup of ipv6. B

VAMOSI: So for all the domain addresses, we’ve whittled it down to a few that you need to worry about.

ALMROTH: But here's the trick. So you don't necessarily get an AI or these PTR records back. The only thing you might have to go on is that you get the difference in the opcodes. So you might get a no error. All the way down to some trace address, which signals to you that this ipv6 exists somewhere on the internet connected to some domain. I believe it's like a bike or an implementation, whatever kind of bike but an oversight in our DNS is designed in this regard. So you can in ways figure out which ipv6 addresses are in use. Our domain is actually getting the reverse name back. Lots of different capital firms and finally do reconnaissance and ipv6. Through the unis. It's very possible. Also taught I believe in chaos communication Congress in 2017 or 18, about this topic. So there are some references out there.

VAMOSI: The thing is none of this particularly new here. We've known how to do some of these things since, well, Edward Snowlden back in 2014.

ALMROTH: Oh, yeah. In terms of the supply chain, thanks. Yeah. My tangent here. So the NSA have known about this. It was a part of the Snowden leaks. They call it quantum was wired in March of 2014. And it's a big article about it. And it basically touches upon the things I've been discussing here, compromising name server delegations do all kinds of crazy things. can leave a bit about the injected packets. So when I query for a domain, it flows through some box on the internet, which is under NSS control. And they inject the response fast to me faster than that real response. But what's happening is what my computer will be trusting that response. So this has been kind of known. It's been out there, but haven't really been talked about. And that's kind of what piqued my interest. As the dates they kind of align. When I started looking more and more into DNS was around the time of the Snowden leaks. Kind of good. Put me on this path. Like yes, things like typosquatting and big squatting, all of that exists very much so in DNS. And you can say, by common type of squat, so your domain and make sure that no one else gets to do that. Bit squat thing is mostly overlooked. So imagine, right? You have a massive massive web service, say G Suite, and you're routing EMS around the internet. So me to testify. We have big use G Suite. So what you do is you get five MX records from Google that you need to configure. Google with Gmail is absolutely massive. Everyone on the internet is using it. Right. So it just if it comes to a little cosmic ray or you have 40 followers somewhere on the internet, at just the right time, right, just right place, a bit might be flipped. So SEO becomes a one or a one becomes a zero. And if that happens in the DNS correspondence, and I just happen to own a bit flipped domain, I have to control that correspondence. So this was actually the case with Google and Gmail. There was, I believe it was 2016 and I tried this attack. So back then you got three google.com MX records, and two for google gmail.com. And all the permutations of the bits being flipped for Google. com they were bought. Google knew about this. That's been mitigated since for ages, but Google gmail.com was overlooked. So, I got some big flood barriers. You may look on Slack is this actual physical apart, they have solid for good contact clearly. It is something worth mitigating. But they overlook this domain. What happens if I if I do it? And I set up a listener on port 25 for SMTP correspondence, and I started seeing more and more packets rolling in from all over the internet. The catch here is I can't really grab the correspondence. I can't be receiving data not only would that be highly unethical, but the email will also be considered delivered. So I can't just, you know, intercept random emails on LinkedIn, super bad stuff. But I reported it to Google, and they fixed it now a bunch of years back. Seven years back.

VAMOSI: So given that Snowden alluded to this 10 years ago, and you found this and you reported it, is it still a problem today? I mean, it seems like if it's been identified, haven't we addressed it?

ALMROTH: The thing is a temporary limited rest. You'll need to look at it in its context. Now, Google had Amissah. We worked this mode, but this is a fundamental problem to how we do internet. Bets will always be flipped with current technology. And that just needs to be created on where and how that can happen. For this to be a practical attack to pull off, if you want to do that, then you also need the scale of things. Yes, that's the biggest hassle identifying such places where it's highly sensitive and highly used and then get the opportunity to mess around. But yeah, I I would like to say it's been mitigated, but I can't because the sky's the limit and only looks so much different services out there. I bet there's plenty more that's been overlooked.

VAMOSI: So, you you kind of mentioned this is it is it that you know when we created the internet for commercial purposes, as opposed to DARPA and whenever the commercial Internet we've outlived that original schema. You know, maybe the architecture just doesn't hold for today's uses. I know this is kind of a hypothetical large question.

ALMROTH: It's very high level indeed. I'm going to come up with workarounds for it. I believe you have a pointer. I mean, what are title patching? what's already out there? Building on top of it. Yes. Look at WebSockets for them. So you do this entire chain. You start with the DNS hooked up to get the IP, and then you connect, you know, from HTTP to a web server. And then you start another socket on top of the HTTP web socket. It's really an arbitrary proximity to send any data back and forth. It's bi directional or synchronous. So why what's the point kind of why not settle with a regular subject as it was intended? Even more on the topic of DNS and domains DNS over TLS or HTTPS. That's even crazier, because first you kind of need to resolve the domain name. Then you need to make an encrypted connection to some web server. Then you post data to the server containing your DNS request. Like any other API, what comes back is a binary blob of the DNS response. That's very metal built on top of things that's already supposed to be solved. So yeah, I do believe you have a point. We are building more and more things that worked because we don't care to share or change the foundation.

VAMOSI: But it seems unlikely that you would rip the foundation out at this point.

ALMROTH: Yeah, I don't think you can do that. What's realistically interesting regardless, more and more things are moving out to use the land as well. And protocols are advancing in a way so that the now kind of solving real world use cases. I mean, just look at http, it's no longer TCP based. You have the anti quick and used to be three things. A reasonable TCP was invented to solve all the hassles but now it's considered too slow. So you reinvent the wheel on the unit instead? Yeah. Well, it's interesting. Yes.

Share this post

How about some Mayhem in your inbox?

Subscribe to our monthly newsletter for expert insights and news on DevSecOps topics, plus Mayhem tips and tutorials.

By subscribing, you're agreeing to our website terms and privacy policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Add Mayhem to Your DevSecOps for Free.

Get a full-featured 30 day free trial.

Complete API Security in 5 Minutes

Get started with Mayhem today for fast, comprehensive, API security. 

Get Mayhem

Maximize Code Coverage in Minutes

Mayhem is an award-winning AI that autonomously finds new exploitable bugs and improves your test suites.

Get Mayhem