Off The Record - Weaponizing DHCP DNS Dynamic Updates

Logo
Presented by

Ori David - Security Researcher & Dan Petrillo - Security Strategy Director

About this talk

Attackers love DNS spoofing. The ability to redirect unsuspecting victim's traffic is very appealing to the bad guys, and can lead to all sorts of devastating consequences - sensitive data exposure, credential compromise, and even remote code execution. As every sysadmin knows - DNS is hard. It is a complex ecosystem with many moving pieces. One such "piece" is a seemingly harmless feature in the DHCP protocol called "DHCP DNS Dynamic Update", which allows a DHCP server to register DNS records on behalf of its clients. This feature is also present and enabled by default in the Microsoft DHCP server, one of the most common DHCP servers in the market. In this session, we will explore this feature and show the attack surface it exposes in Microsoft environments - we will detail a novel attack tactic that could allow unauthenticated attackers to spoof arbitrary DNS records in Active Directory DNS zones, and show how this could be abused to intercept authentication and achieve remote code execution. We will examine the different security settings that should prevent these attacks, and show how they fail to do so in some cases. Finally, we will release 2 open-source tools; the first one is meant to detect risky DHCP misconfigurations, and the second one - to exploit them.

Related topics:

More from this channel

Upcoming talks (3)
On-demand talks (224)
Subscribers (20914)
Leading companies worldwide choose Akamai to build, deliver, and secure their digital experiences — helping billions of people live, work, and play every day. Akamai Connected Cloud, a massively distributed edge and cloud platform, puts apps and experiences closer to users and keeps threats farther away. Learn more about Akamai’s cloud computing, security, and content delivery solutions.