Confidence

Nico Leidecker

Title: Introducing Heyoka: DNS Tunneling 2.0.

Bio:
Nico got his degree in Computer Science at the Ruprecht-Karls University of Heidelberg, Germany, with a thesis on an authority-based extension to the ARP protocol to prevent MITM attacks. He now works as a penetration tester for Portcullis Computer Security, and in his spare time enjoys analyzing the security of databases and developing various security tools.

Abstract:
DNS tunneling is a well-known technique, and various free tools are available to play with it. However, its full power has not been unleashed yet: several of the existing tools are mostly aimed at reading email for free from an airport lounge, not at being used as a deadly post-exploitation weapon. They also all suffer from the fact that a DNS tunnel is painfully slow and quite easy to detect and locate.

In this talk Nico and Alberto Revelli will introduce a few new tricks that will allow us to:

  • Improve the tunnel speed, by leveraging the fact that most DNS servers are happy to process packets that are not exactly 100% compliant with the RFCs
  • Make the DNS tunnel a lot harder to detect, by spoofing the source IP address of the queries, therefore spreading the traffic signature among all the hosts of the subnet.

We will see how such a tunnel can be extremely useful both for a penetration tester to own a network, and for the bad guys to exfiltrate data using spoofed packets, without even requiring the victim to create a direct connection to their box.

The talk will hopefully be interesting for penetration testers, but even more for security managers and network administrators to better understand the risks involved in allowing internal hosts to resolve external names.
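For the network administrators the abstract addresses, the practical consequence of the source-spoofing trick is that a per-host query counter no longer works: the tunnel's traffic is spread thinly across the subnet, and each individual client looks quiet. What still stands out is the queried domain itself, so detection has to aggregate by the domain being resolved rather than by the client sending the query. The following is an added example, not code from the talk or from Heyoka, that runs this comparison over a constructed DNS query log; the log format (timestamp, client IP, query type, name), the sample names under the made-up zone `tunnel.test`, and the thresholds in `flag_tunnels` are all assumptions chosen for the illustration.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (not real traffic): timestamp, client IP, qtype, queried name.
# The tunnel-style queries are spread over six different "clients" to mimic source spoofing.
SAMPLE_LOG = """\
2008-11-01T10:00:01 10.0.0.11 A www.example.com
2008-11-01T10:00:02 10.0.0.12 A mail.example.com
2008-11-01T10:00:03 10.0.0.13 TXT a4f9c21e7b3d.zx81kq02mm.t.tunnel.test
2008-11-01T10:00:03 10.0.0.27 TXT 9b0e3fd18c7a.pq7lw93nnt.t.tunnel.test
2008-11-01T10:00:04 10.0.0.41 TXT c7d2e9ab5f01.rt6mz18oox.t.tunnel.test
2008-11-01T10:00:04 10.0.0.58 TXT 03e8ba7c6d44.uv5na27ppy.t.tunnel.test
2008-11-01T10:00:05 10.0.0.73 TXT 5e1c2a8f9b30.wx4ob36qqz.t.tunnel.test
2008-11-01T10:00:05 10.0.0.11 A www.example.com
2008-11-01T10:00:06 10.0.0.90 TXT f8a07d3c1e52.yz3pc45rrw.t.tunnel.test
2008-11-01T10:00:07 10.0.0.12 A cdn.example.com
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Parse the assumed four-column log format into a list of records."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts, src, qtype, qname = m.groups()
        records.append({"ts": ts, "src": src, "qtype": qtype.upper(),
                        "qname": qname.rstrip(".").lower()})
    return records


def registered_domain(qname):
    """Crude registrable-domain approximation: the last two labels."""
    return ".".join(qname.split(".")[-2:])


def subdomain_part(qname):
    """Everything in front of the registered domain (the part a tunnel stuffs data into)."""
    return ".".join(qname.split(".")[:-2])


def shannon_entropy(s):
    """Character entropy in bits; encoded payload labels score higher than real hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def queries_per_source(records):
    """The classic per-client counter, which spoofed sources defeat."""
    counts = defaultdict(int)
    for r in records:
        counts[r["src"]] += 1
    return dict(counts)


def profile_by_domain(records):
    """Aggregate by the domain being resolved, which spoofing cannot hide."""
    groups = defaultdict(list)
    for r in records:
        groups[registered_domain(r["qname"])].append(r)
    profiles = {}
    for dom, recs in groups.items():
        subs = [subdomain_part(r["qname"]) for r in recs]
        profiles[dom] = {
            "queries": len(recs),
            "unique_names": len({r["qname"] for r in recs}),
            "distinct_sources": len({r["src"] for r in recs}),
            "mean_subdomain_len": sum(len(s) for s in subs) / len(subs),
            "mean_entropy": sum(shannon_entropy(s) for s in subs) / len(subs),
            "txt_null_ratio": sum(r["qtype"] in ("TXT", "NULL") for r in recs) / len(recs),
        }
    return profiles


def flag_tunnels(records, min_queries=5, min_unique_ratio=0.8, min_subdomain_len=20):
    """Flag domains whose names are almost never repeated and carry long subdomain data.
    Thresholds are illustrative assumptions; tune them against your own baseline."""
    flagged = []
    for dom, p in profile_by_domain(records).items():
        if p["queries"] < min_queries:
            continue
        if p["unique_names"] / p["queries"] < min_unique_ratio:
            continue
        if p["mean_subdomain_len"] < min_subdomain_len:
            continue
        flagged.append(dom)
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("busiest single client:", max(queries_per_source(recs).values()), "queries")
    for dom, p in profile_by_domain(recs).items():
        print(dom, p)
    print("flagged:", flag_tunnels(recs))
```

Run against the sample, no client sends more than two queries, so a per-host threshold of the kind many resolver dashboards use sees nothing; the per-domain profile, by contrast, shows one zone with six queries from six different sources, every name unique, 25-character encoded subdomains and 100% TXT traffic. Forwarding query logs from the internal resolver to the SIEM and keying the aggregation on the registered domain is the cheap version of this check; the same idea applies to a passive DNS tap in front of the resolver.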

Of course there will be a demo, in which we will introduce a first version of Heyoka, a brand new tool implementing these ideas.