HD Moore’s Company BreakingPoint Suffers DNS Attack


It’s somewhat ironic that, shortly after the Kaminsky DNS bug went wild and was almost immediately ported into Metasploit, it was used to attack HD Moore’s very own company, BreakingPoint.

It happened just a couple of days ago. It doesn’t seem to have been a targeted attack, more like mass spammers/scammers leveraging this flaw (as expected) to divert people to scam sites.

It happened on Tuesday morning, when Moore’s company, BreakingPoint, had some of its Internet traffic redirected to a fake Google page that was being run by a scammer. According to Moore, the hacker was able to do this by launching what’s known as a cache poisoning attack on a DNS server on AT&T’s network that was serving the Austin, Texas, area. One of BreakingPoint’s servers was forwarding DNS (Domain Name System) traffic to the AT&T server, so when it was compromised, so was HD Moore’s company.

When Moore tried to visit Google.com, he was actually redirected to a fake page that served up a Google page in one HTML frame along with three other pages designed to automatically click on advertisements.

It seems more of a problem with the ISP than with BreakingPoint itself, but it still shows that if you rely on your ISP’s DNS servers, you don’t know what kind of fake content is getting served up to you.

Better safe than sorry, right?

The flaw has to do with the way that DNS programs share information over the Internet. In a cache poisoning attack, the attacker tricks a DNS server into associating malicious IP addresses with legitimate domains, such as Google.com. Security experts say that this type of flaw could lead to very successful phishing attacks against Web surfers whose ISPs have not patched their servers.
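
The paragraph above describes the poisoning at a high level. As an added example (not part of the original post or of InfoWorld’s reporting), the Python below shows how a resolver operator might spot the flood of forged answers that a blind attack produces: a forged reply is only accepted if it matches an outstanding query on name, UDP port and 16-bit transaction ID, so every miss shows up as a response that matches nothing. The event format is constructed for this example, not any real server’s log.

```python
"""Added example: flag a blind cache-poisoning attempt from resolver events.
Unmatched responses (no outstanding query with the same name, port and TXID)
are counted per one-second window; a burst of them is the detection signal.
The query/resp line format below is constructed, not a real server's log."""
from collections import defaultdict
import re

EVENT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d) (?P<kind>query|resp) qname=(?P<qname>\S+) "
    r"txid=(?P<txid>[0-9a-fA-F]{4}) port=(?P<port>\d+)$")

# Constructed sample: a legitimate exchange, then a burst of wrong-TXID
# guesses at 12:00:02 before the genuine answer arrives, then another
# legitimate exchange.
SAMPLE_LOG = """\
12:00:01 query qname=www.google.com txid=1a2b port=53210
12:00:01 resp qname=www.google.com txid=1a2b port=53210
12:00:02 query qname=www.google.com txid=7c3d port=40122
12:00:02 resp qname=www.google.com txid=0001 port=40122
12:00:02 resp qname=www.google.com txid=0002 port=40122
12:00:02 resp qname=www.google.com txid=0003 port=40122
12:00:02 resp qname=www.google.com txid=0004 port=40122
12:00:02 resp qname=www.google.com txid=7c3d port=40122
12:00:03 query qname=mail.example.net txid=9e10 port=61000
12:00:03 resp qname=mail.example.net txid=9e10 port=61000
"""

def unmatched_responses(log: str) -> dict:
    """Return {timestamp: number of responses matching no outstanding query}."""
    outstanding = set()            # (qname, port, txid) of queries awaiting an answer
    unmatched = defaultdict(int)
    for line in log.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue               # ignore lines that are not events
        key = (m["qname"], int(m["port"]), m["txid"].lower())
        if m["kind"] == "query":
            outstanding.add(key)
        elif key in outstanding:
            outstanding.discard(key)   # genuine (or lucky) answer consumes the query
        else:
            unmatched[m["ts"]] += 1    # a guess that missed
    return dict(unmatched)

def poisoning_alerts(log: str, threshold: int = 3) -> list:
    """Timestamps whose unmatched-response count reaches the threshold."""
    return sorted(ts for ts, n in unmatched_responses(log).items() if n >= threshold)
```

Note that a guess which happens to match is accepted exactly like a genuine answer, which is why the signal to watch is the misses that precede it rather than the single hit.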

Because of the nature of the AT&T hack, Moore doesn’t believe that he was targeted by the hackers. Even BreakingPoint employees didn’t realize that their internal DNS server had been configured to use the AT&T machine. Instead, he thinks that the hackers were simply trying to make a quick buck.

AT&T representatives were not immediately available to comment on the incident.

Moore believes that this type of attack may be going on at other ISPs as well.

I wonder if they managed to con anyone? And I wonder if AT&T has fixed this problem yet? It’s surprising that such a large ISP is still susceptible to this flaw after the amount of publicity the DNS bug has gotten.

Just be on the lookout!

Source: InfoWorld (Thanks Navin)


12 Responses to HD Moore’s Company BreakingPoint Suffers DNS Attack

  1. Morgan Storey August 6, 2008 at 1:34 pm #

    I was thinking this might be some DNS patchers trying to buy themselves some time by stopping the first tool to hack their DNS servers.
    Devices behind NAT are still shown to be vulnerable so we need a fix there too, people.

    @Darknet: Have fun on holidays.

  2. Navin August 6, 2008 at 2:02 pm #

    cheers!! :)

    BTW have fun on your break…. believe me, U deserve it!!

  3. CG August 6, 2008 at 3:47 pm #

    old news and over hyped

    “It seems more of a problem with the ISP than BreakingPoint itself”

    …tisk tisk for your post title

  4. zupakomputer August 6, 2008 at 5:44 pm #

    I may have a dewy-eyed view of Malaysia but it must be hard picking a better holiday destination when you’re in a tropical paradise already! Iceland perhaps, something a bit different…..or it works out better cause you don’t have to travel at all, just holiday in the same country.

    This DNS thing – what if you tried to complain to your ISP that their caching was poisoned, but their own website was redirecting to a fake ad site too……

  5. Brill August 7, 2008 at 8:42 am #

    Today was the lecture of Dan Kaminsky at Black Hat, although his presentation is not available yet on the Black Hat site, you can find it on Dan’s site http://www.doxpara.com/DMK_BO2K8.ppt
    Has anyone attended who can provide some feedback?

  6. Morgan Storey August 7, 2008 at 11:30 am #

    @Brill: yeah I found a link to the MP3, I just downloaded it from here http://blackhat.com/html/webinars/kaminsky-DNS.html

    It is pretty long, I’ll listen to it at lunch tomorrow. I should have listened to the webcast live.

  7. Darknet August 9, 2008 at 8:51 am #

    Just relax, nothing disappears, posting the same thing 10 times then I have to go through each one and see which ones are the same and which ones are different and which one I should post and which I should delete – now that’s annoying. Everything will get through, just wait I’m on holiday.

  8. lyz August 12, 2008 at 3:49 pm #

    weehee.. This post is just in time for my re-echo of the Hackacon 2008 event I’ve attended here in our country.

  9. Brill August 12, 2008 at 10:03 pm #

    @Morgan, Thanks for the link!!… Linking it with the presentation, it will be the nearest I will get to being at any Black Hat presentation.

    I will try to save some time to hear it with calm…

    This one received a lot of publicity but, does anyone of the lucky guys that could attend recommend any other presentation?

  10. Brill August 12, 2008 at 10:06 pm #

    Here you have some recent news!! it seems that the patch for this security hole doesn’t solve the vulnerability!!…. there have been some successful tests on servers already patched and not with just a proof of concept but with a whole functional exploit.
    Here is the overall comment from the NY Times
    And here is the original comment in the post of the Russian physicist who discovered it.

  11. Morgan Storey August 14, 2008 at 2:34 am #

    @Brill: Yeah NAT negates the patch in most parts as the NAT doesn’t randomise the port. Dan even said the patch doesn’t 100% fix it, just makes it harder to guess the next port. So it was only a matter of time before someone “brute forced” the port. Scary that they did it this fast, but really they did it over Gige in 10 hours. So most DNS servers that are doing resolves for clients are probably not even on 20mbs of bandwidth, and latency 10+ times that of ethernet. So you could say it would take 10+ times longer to do this over the internet, so 100 hours. Someone will hopefully notice at around hour 20…
    I blogged about this, I think we need to have signed or ssl DNS forwarding and root servers, it wouldn’t be that hard to implement.

  12. Morgan Storey August 14, 2008 at 5:21 am #

    So I am the first to admit I have gaps in my knowledge.
    Never heard of DNSSEC, now that I have listened to the Blackhat talk I have heard about it. I had a quick look at wikipedia and the official site and it is interesting. Of course Windows servers only support it as a secondary, also the glaring hole of non-NSEC3 servers allowing enumeration of sites is just plain silly. Seriously just hash the user’s requested domain “Not Found” and add it to the RFC, done.
    I think it should include the option for encrypting replies, may as well, could be useful for higher secure organisations.