Using DNS to Find High Value Targets

Wednesday, June 16, 2010

Cross-Posted from Robert "Rsnake" Hansen's blog at:

With the impending release of Fierce 2.0 I thought I’d spend a minute talking about finding high value targets. I was working with a company in a specific vertical when I realized they use a very large single back end provider (essentially a cloud-based SaaS). But they aren’t the only large company using that SaaS - there are many hundreds of other companies using them as well. But because I’m not in that particular industry and having not worked much in that vertical, I had never even heard of them before. Frankly, I had no idea that they even existed. Now let’s take a typical Fierce DNS enumeration scan; it can find a lot of non-contiguous IP space, sure. But what about when I launch scans against hundreds of companies in that same vertical? Some interesting results start bubbling up.

Because companies tend to point their DNS to those SaaS providers for white labeling, often you’ll see a convergence of a lot of sub-domains all pointing to a single IP address or set of IP addresses. It doesn’t take a rocket scientist to realize that you don’t need to attack the target you’re interested in, you can attack the SaaS provider and take over not just one but all of those companies in that vertical that use that provider. Even though that may not be obvious by just probing the external network, DNS can sometimes help to uncover those sorts of details. This happens a lot more than most people realize, and in my experience those cloud based SaaS providers aren’t any more secure than anyone else. It’s a lot more interesting to compromise hundreds of companies for the price of one.

Vulnerabilities Webappsec->General
Post Rating I Like this!
Anthony M. Freed Rsnake,

How will the pending domain name system changes fit into this scenario?

"The Domain Name System (DNS) is undergoing a change that was started in December of 2009 and is intended to complete in July of this year, 2010. In the light of a number of exploits of vulnerabilities with DNS identified over the past year or so, a more secure implementation is being brought into play which could cause problems with connectivity in some cases..."