So I recently had a thought about how browsers have natural looks to them and what makes people click buttons without thinking.

For example if I was a Vista user I might get annoyed by the constant string of “Do you want to allow this program to make changes to your computer?” dialogues, and will probably heed this warnings less and less every time.

So taking this idea into practice, what other warnings are we very likely to deem “meh” and just click past? What “styles” of access controls do we just trust by default?

Legit Firefox Warning

For example the “Server not found” dialogue is very common to a Firefox user if he uses the browser at all.

So what happens if we just copy the HTML source of this page and modify it slightly?

modifiedpagenotfound

Looks maybe legit? OK. So not perfect but it looks pretty good right? (Also on a weird note this page was hosting on my server but could reference locally stored browser CSS pages which is neat!)

Of course technical people might not fall for this but I’d be pretty sure that most computer users wouldn’t think twice about this type of thing.

It brings up the question of just how many attacks could leverage this idea – are their any dialogues you trust? Muscle memory “oh that’s a dumb dialogue *click*” can really come back to haunt you in many situations!

I’ll probably revisit this idea later when I can think of more dialogues that can be attacked this way but until then it’s a very interesting idea to consider.

-mandat0ry

After having a personal interest in DNS tunneling I tried setting up iodine and quickly found out that it’s not a fun process (it involves a user controlled server and some DNS configurations). The idea, however, is definitely super cool.

So what the hell is useful about DNS tunneling?

Many pay for wifi services will block all types of traffic unless you pay an often insane amount. Why would I pay $10.00 for a one day pass for wifi? That’s insanity! DNS tunneling comes in handy here because these services often do not block DNS traffic so you can “hide” your normal traffic in DNS queries and evade their blocks altogether.

Why?

In a simplified way, your computer does DNS something like this:

*Your computer checks to see if it has the DNS record in it’s cache…Nope!*

PC -> Root Nameserver: “I need the IP for thehackerblog.com”

Root Nameserver -> PC: “Ah .com I see. My buddy TLD has that I think, check with him man.”

PC -> TLD: “I need the IP for thehackerblog.com”

TLD -> PC: “Yea man my friend ‘Authoritative Nameserver’ has that I think!”

PC -> Authoritative Nameserver: “Yea boy I got what you crave! The IP for that is 127.0.0.1!”

*PC puts that down in it’s cache so it doesn’t have to deal with those ghetto nameservers again*

So that’s how it normally works (granted it may be a little less “ghetto”) but I wonder how it’d work if the wifi service redirected all DNS to it’s own servers?

*Your computer checks to see if it has the DNS record in it’s cache…Nope!*

PC -> Root Namerserver: “What’s the IP for thehackerblog.com?”

*The wifi service intercepts this request and responds with it’s own server*

WIFI SERVER -> PC: “Yes, that IP is *cough* 1.3.3.7 (the WIFI SERVER’S IP)”

*PC thinks this is pretty legit and adds it to it’s cache*

So now when you try to go to thehackerblog.com your computer will not go to thehackerblog.com but rather their own server because the computer’s record shows that the IP address is 1.3.3.7. This seems great for the time being but imagine that you do pay for the expensive wifi server and they let you use their precious interweb service.

Now your DNS will work something like this:

*Your computer checks to see if it has the DNS record in it’s cache…Yep! thehackerblog.com is at 1.3.3.7*

Uh oh! Now the poor little PC thinks that the domain is at the wrong IP! This will end up confusing the end user for sure! Especially because this IP is probably an internal IP address so it will probably just show a connection error.

Not good, because of this, the pay-for wifi services usually allow DNS requests but modify the TCP/UDP data to redirect your browser to their pay page.

**Good news everyone!

**

This is good because it means we can communicate with the outside world over DNS! How exciting!

As much as I’d love to have a cute explanation how to hide information in DNS requests suffice to say that it’s possible and can be done (and is being done!).

(If you are interested in what a DNS packet would look like see here: http://www.firewall.cx/networking-topics/protocols/domain-name-system-dns/160-protocols-dns-query.html)

The nice thing is you can do the same thing over ICMP via a ping tunnel. This basically works in the same general way – you shove your requests inside ICMP packets and then send them off to your server who decodes/processes it and sends you data back in even more stuffed ICMP packets.

Sounds complicated, but I don’t want to have to set all this stuff up!

Glad you say that, it’s a pain in the butt to do, but you’re in luck!

Their is a service called “Wi-free” that actually provides this cool tunneling for a reasonable charge.

http://www.wi-free.com/

Their plans are pretty reasonable and if you travel a lot you’ll end up saving a good amount, not to mention it works as a normal VPN as well. They have been around for years and are a very reputable company.

HFjdgPJ[1]

 

So if you’re like me you’d prefer this service over setting up a complicated tunneling scheme for this sort of thing.

But if you’d prefer the geek route be my guest!

-mandat0ry