HD Moore’s Company BreakingPoint Suffers DNS Attack

It’s somewhat ironic that shortly after the Kaminsky DNS bug went wild (and was almost immediately ported into Metasploit), it was used to attack HD Moore’s very own company, BreakingPoint.

It happened just a couple of days ago. It doesn’t seem to have been a targeted attack, though; it looks more like mass spammers/scammers leveraging this flaw (as expected) to divert people to scam sites.

It happened on Tuesday morning, when Moore’s company, BreakingPoint, had some of its Internet traffic redirected to a fake Google page that was being run by a scammer. According to Moore, the hacker was able to do this by launching what’s known as a cache poisoning attack on a DNS server on AT&T’s network that was serving the Austin, Texas, area. One of BreakingPoint’s servers was forwarding DNS (Domain Name System) traffic to the AT&T server, so when it was compromised, so was HD Moore’s company.

When Moore tried to visit Google.com, he was actually redirected to a fake page that served up a Google page in one HTML frame along with three other pages designed to automatically click on advertisements.

It seems more of a problem with the ISP than with BreakingPoint itself, but it still shows that if you rely on your ISP’s DNS servers you don’t know what kind of fake content is being served up to you.

Better safe than sorry right?

The flaw has to do with the way that DNS programs share information over the Internet. In a cache poisoning attack, the attacker tricks a DNS server into associating malicious IP addresses with legitimate domains, such as Google.com. Security experts say that this type of flaw could lead to very successful phishing attacks against Web surfers whose ISPs have not patched their servers.
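To make the mechanism above concrete, here is a small model of the checks a caching resolver applies before it lets a reply update its cache; a poisoned entry only lands when a reply from the wrong party passes all of them. This is an added example for this post, not code from BreakingPoint, Metasploit or any resolver; the packet fields are simplified, and the fixed source port of 53 for an unpatched resolver, the 1024–65535 ephemeral range, and the sample names and addresses are assumptions constructed for the demonstration. It also sizes the guess space with and without the source-port randomisation that the 2008 patches added, which is what "patched their servers" buys you.

```python
"""Model of the acceptance checks a caching DNS resolver applies to a UDP reply.

Constructed example (not from the original post). A reply is cached only if it
carries the transaction ID and destination port of an outstanding query, answers
the same question, and stays inside the bailiwick of the server that was asked.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass

FIXED_PORT = 53          # assumed: unpatched resolvers reused one source port
EPHEMERAL_LOW = 1024     # assumed ephemeral range for a patched resolver
PORT_SPACE = 65536


@dataclass(frozen=True)
class Query:
    txid: int        # 16-bit transaction ID chosen by the resolver
    src_port: int    # UDP source port the query left from
    qname: str
    qtype: str = "A"


@dataclass(frozen=True)
class Reply:
    txid: int
    dst_port: int    # port the reply arrived on; must equal the query's src_port
    qname: str
    qtype: str
    answer_name: str  # owner name of the record being offered for the cache
    rdata: str


def in_bailiwick(answer_name: str, zone: str) -> bool:
    """True if answer_name is zone itself or lies below it (trailing dots ignored)."""
    a = answer_name.lower().rstrip(".")
    z = zone.lower().rstrip(".")
    return a == z or a.endswith("." + z)


def accept_reply(q: Query, r: Reply, zone: str) -> tuple[bool, str]:
    """Return (accepted, reason). Every check must pass before the cache is touched."""
    if r.txid != q.txid:
        return False, "txid mismatch"
    if r.dst_port != q.src_port:
        return False, "port mismatch"
    if (r.qname.lower(), r.qtype) != (q.qname.lower(), q.qtype):
        return False, "question mismatch"
    if not in_bailiwick(r.answer_name, zone):
        return False, "out of bailiwick"
    return True, "ok"


def make_query(qname: str, randomize_port: bool) -> Query:
    """Build an outgoing query; patched resolvers randomise the port as well as the txid."""
    txid = secrets.randbelow(1 << 16)
    if randomize_port:
        port = EPHEMERAL_LOW + secrets.randbelow(PORT_SPACE - EPHEMERAL_LOW)
    else:
        port = FIXED_PORT
    return Query(txid=txid, src_port=port, qname=qname)


def legitimate_reply(q: Query, answer_name: str, rdata: str) -> Reply:
    """The real authoritative server saw the query, so it echoes txid and port exactly."""
    return Reply(q.txid, q.src_port, q.qname, q.qtype, answer_name, rdata)


def guess_space(randomize_port: bool) -> int:
    """Number of (txid, port) combinations a reply that never saw the query must cover."""
    ports = PORT_SPACE - EPHEMERAL_LOW if randomize_port else 1
    return (1 << 16) * ports


if __name__ == "__main__":
    # Constructed sample: a query to the example.com servers, one genuine reply,
    # and two replies that did not see the query (wrong port, wrong zone).
    q = Query(txid=0x1234, src_port=40000, qname="www.example.com")
    good = legitimate_reply(q, "www.example.com", "203.0.113.10")
    print("genuine reply:", accept_reply(q, good, "example.com"))
    wrong_port = Reply(0x1234, 53, "www.example.com", "A", "www.example.com", "198.51.100.1")
    print("wrong port:   ", accept_reply(q, wrong_port, "example.com"))
    off_zone = Reply(0x1234, 40000, "www.example.com", "A", "google.com", "198.51.100.1")
    print("out of zone:  ", accept_reply(q, off_zone, "example.com"))
    print("guesses, fixed port:     ", guess_space(False))
    print("guesses, randomised port:", guess_space(True))
```

The bailiwick check is the part people forget when they read the post: even a reply that matches txid and port must not be allowed to plant a record for a name the queried zone does not own. The NAT point raised in the comments applies to `make_query`: if a NAT device in front of the resolver rewrites `src_port` to a sequential value, the second factor collapses back towards `guess_space(False)`.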

Because of the nature of the AT&T hack, Moore doesn’t believe that he was targeted by the hackers. Even BreakingPoint employees didn’t realize that their internal DNS server had been configured to use the AT&T machine. Instead, he thinks that the hackers were simply trying to make a quick buck.

AT&T representatives were not immediately available to comment on the incident.

Moore believes that this type of attack may be going on at other ISPs as well.

I wonder if they managed to con anyone? And I wonder if AT&T has fixed this problem yet? It’s surprising that such a large ISP is still susceptible to this flaw after the amount of publicity the DNS bug has gotten.

Just be on the watch out!

Source: InfoWorld (Thanks Navin)

Posted in: Exploits/Vulnerabilities, Networking Hacking Tools, Spammers & Scammers



12 Responses to HD Moore’s Company BreakingPoint Suffers DNS Attack

  1. Morgan Storey August 6, 2008 at 1:34 pm #

    I was thinking this might be some DNS patchers trying to buy themselves some time by stopping the first tool to hack their DNS servers.
    Devices behind NAT are still shown to be vulnerable so we need a fix there too people.

    @Darknet: Have fun on holidays.

  2. Navin August 6, 2008 at 2:02 pm #

    cheers!! :)

    BTW have fun on your break…. believe me, U deserve it!!

  3. CG August 6, 2008 at 3:47 pm #

    old news and over hyped

    “It seems more of a problem with the ISP than BreakingPoint itself”

    …tisk tisk for your post title

  4. zupakomputer August 6, 2008 at 5:44 pm #

    I may have a dewy-eyed view of Malaysia but it must be hard picking a better holiday destination when you’re in a tropical paradise already! Iceland perhaps, something a bit different…..or it works out better cause you don’t have to travel at all, just holiday in the same country.

    This DNS thing – what if you tried to complain to your ISP that their caching was poisoned, but their own website was redirecting to a fake ad site too……

  5. Brill August 7, 2008 at 8:42 am #

    Today was the lecture of Dan Kaminsky at Black Hat; although his presentation is not available yet on the Black Hat site, you can find it on Dan’s site http://www.doxpara.com/DMK_BO2K8.ppt
    Has anyone attended who can provide some feedback?

  6. Morgan Storey August 7, 2008 at 11:30 am #

    @Brill: yeah I found a link to the MP3, I just downloaded it from here http://blackhat.com/html/webinars/kaminsky-DNS.html

    It is pretty long, I’ll listen to it at lunch tomorrow. I should have listened to the webcast live.

  7. Darknet August 9, 2008 at 8:51 am #

    Just relax, nothing disappears, posting the same thing 10 times then I have to go through each one and see which ones are the same and which ones are different and which one I should post and which I should delete – now that’s annoying. Everything will get through, just wait I’m on holiday.

  8. lyz August 12, 2008 at 3:49 pm #

    weehee.. This post is just in time for my re-echo of the Hackacon 2008 event I’ve attended here in our country.

  9. Brill August 12, 2008 at 10:03 pm #

    @Morgan, Thanks for the link!!… Linking it with the presentation it will be the nearest I will have to be at any Black Hat presentation.

    I will try to save some time to hear it with calm…

    This one received a lot of publicity but, does anyone of the lucky guys that could attend recommend any other presentation?

  10. Brill August 12, 2008 at 10:06 pm #

    Here you have some recent news!! It seems that the patch for this security hole doesn’t solve the vulnerability!!…. There have been some successful tests on servers already patched, and not with just a proof of concept but with a whole functional exploit.
    Here is the overall comment from the NY Times.
    And here is the original comment in the post of the Russian physicist who discovered it.

  11. Morgan Storey August 14, 2008 at 2:34 am #

    @Brill: Yeah NAT negates the patch in most parts as the NAT doesn’t randomise the port. Dan even said the patch doesn’t 100% fix it, just makes it harder to guess the next port. So it was only a matter of time before someone “brute forced” the port. Scary that they did it this fast, but really they did it over Gige in 10 hours. So most DNS servers that are doing resolves for clients, are probably not even on 20mbs of bandwidth, and latency 10+ times that of ethernet. So you could say it would take 10+ times longer to do this over the internet, so 100hours. Someone will hopefully notice at around hour 20…
    I blogged about this, I think we need to have signed or ssl DNS forwarding and root servers, it wouldn’t be that hard to implement.

  12. Morgan Storey August 14, 2008 at 5:21 am #

    So I am the first to admit I have gaps in my knowledge.
    Never heard of DNSSEC; now that I have listened to the Black Hat talk I have heard about it. I had a quick look at Wikipedia and the official site and it is interesting. Of course Windows servers only support it as a secondary; also the glaring hole of non-NSEC3 servers allowing enumeration of sites is just plain silly. Seriously, just hash the user’s requested domain “Not Found” and add it to the RFC, done.
    I think it should include the option for encrypting replies, may as well, could be useful for higher secure organisations.