Friday, November 9, 2018

DNS issues at ISP Scale... who doesn't love a little internal/DMZ IP & Metadata Leakage

I don't like to publicly disclose in this manner... but I'm frankly tired of banging my head against the wall with RCN.

Backstory:
I accidentally discovered a number of issues with RCN's DNS servers. After *multiple attempts* to alert their engineering team and security folks to this issue, I've been told it's "by design", they have *no issue with public disclosure*, etc. i.e. "You don't know what you're talking about." el oh el.

So, here we are.

This is, more than anything, "day one" footprinting and DNS recon... essentially novice hacking/pentesting.

1. You can perform a zone transfer of RCN.net through client equipment.
After running a few DNS tools inside of a network, I discovered that, due to a slight configuration error, RCN allows you to Zone Transfer RCN.NET through their equipment. I have no idea if this works *outside* of their equipment/services, but you can do so with ease. During this little expedition, I found a snippet of internal non-routables in the database that was transferred.
RCN says they're "limited" and nothing to worry about. Yes... being able to zone transfer their DNS Zone is "no big deal."

2. They did not set up split horizon DNS on the RCN.net zone, allowing for farming of internal/DMZ non-routable IPs, discovery of services/metadata on structure and a whole lot of other information through PUBLIC DNS queries.

No, not a joke. You can look for yourself!

If you're a novice to DNS security, this is where it gets interesting.

Since the internal IP address range (10.x.x.x) is leaking through queries, you can essentially brute force a map of their entire DNS zone... and in turn their internal network.

Ex. proxy01.corp.rcn.net resolves to 10 dot 156 dot 1 dot 25 (You can dig/nslookup/resolve this yourself)

What does that mean? I've effectively determined where a network proxy is *internally*, so if you can compromise the network, you know one of the first things to aim at or avoid.

Even better, queries like jabber.corp will resolve to 10 dot 156 dot 11 dot 15. So now, I know they run a piece of possibly vulnerable software, I know where to find it, I know that I can spoof or otherwise use that as a pivot point.

If you're paying attention so far, you probably noticed that CORP zone in there as well. I'm *pretty sure* this is their corporate network as queries like this are resolving quite a few internal IP addresses.

There are a number of other "interesting" subdomains... like NOC, CABLE, DEV, etc. You can easily farm them for more metadata and information.

Throw enough wordlists at it and you'll start noticing "themes" like Greek/Norse gods, Spaceballs movie references, etc. Want to get the IP of their helpdesk? Try helpdesk.rcn.net.

Needless to say, this is a *HUGE* hole and metadata/recon mapping 101. I confirmed *multiple times* that RCN doesn't see this as an issue and they have no problem with public disclosure.
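A defender-side check for the second issue, added here as an example (not the author's tooling or anything RCN runs): given a zone file or saved transfer output, flag every A/AAAA record that answers with internal address space and show which subzones those names cluster in. Everything in the sample zone is constructed; the names and addresses are hypothetical.

```python
import ipaddress
from collections import Counter
# Address space that should never be answered from an externally reachable zone:
# RFC 1918 private, RFC 6598 shared (CGN) space and RFC 4193 IPv6 ULA.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "fc00::/7")]

# Constructed sample in zone-file syntax (saved AXFR output or a hostname sweep
# would look like this); names and addresses are hypothetical, not RCN's.
SAMPLE_ZONE = """\
$ORIGIN example.net.
www           300 IN A    203.0.113.10  ; public web front end, fine in the outside view
proxy01.corp  300 IN A    10.20.1.25    ; internal: belongs in the inside view only
jabber.corp   300 IN A    10.20.11.15
helpdesk      300 IN A    10.20.5.8
build.dev     300 IN A    172.16.9.4
ipv6.corp     300 IN AAAA fd00:1::5
"""

def parse_address_records(zone_text):
    """Yield (fqdn, rdata) per A/AAAA record; honours $ORIGIN, TTL/class optional, each line names its owner."""
    origin = "."
    for raw in zone_text.splitlines():
        tokens = raw.split(";", 1)[0].split()            # strip comments, tokenize
        if not tokens:
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        i = next((k for k, t in enumerate(tokens[1:], 1) if t in ("A", "AAAA")), None)
        if i is None or i + 1 >= len(tokens):
            continue
        owner = tokens[0]
        fqdn = origin if owner == "@" else owner if owner.endswith(".") else f"{owner}.{origin}"
        yield fqdn.lower(), tokens[i + 1]

def find_leaks(zone_text):
    """Return [(fqdn, address)] for records whose answer falls in internal address space."""
    leaks = []
    for fqdn, rdata in parse_address_records(zone_text):
        try:
            addr = ipaddress.ip_address(rdata)
        except ValueError:
            continue                                     # malformed rdata, not our concern here
        if any(addr in net for net in INTERNAL_NETS):
            leaks.append((fqdn, str(addr)))
    return leaks

def summarize_by_subzone(leaks):
    """Count leaked names per parent label (e.g. corp.example.net. -> 3) to spot whole internal subzones."""
    return dict(Counter(fqdn.split(".", 1)[1] for fqdn, _ in leaks))
```

Run it against your own public zone's export; anything it reports is a record that belongs in the internal view only.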

BONUS: The potential for this to seriously impact their client networks is there as well. Misconfigured internal DNS resolvers and servers will essentially "blackhole" traffic. Ex. If your resolver is appending a search domain to queries (say, for your internal HELPDESK server) and you forgot to fix that, your traffic is being shunted to a non-existent, non-routable address.

tl;dr? It's a nice lesson in basic DNS security.