Value of Client DNS Cache

Viewing 4 reply threads
    • #3646
      timmedin
      Participant

      For an incident responder or forensic analyst I understand the value, but I don’t quite understand the value for a Pen Tester. I can see how it would be useful for social engineering, but is there much beyond that? What am I missing?

    • #23523
      Ketchup
      Participant

      One value I can think of is DNS Cache poisoning?  If you poison the client’s DNS cache, of let’s say Gmail, you can capture logon credentials by configuring your own version of the site. 

    • #23524
      RoleReversal
      Participant

      Timmedin,

      this is something that has just been touched on over at Commandline Kung-fu. One advantage discussed is that once you own a box, you can get a feel for where the user has been recently (may help with SE, ‘Hi, just seen your LinkedIn account, can we be friends…’).

      Another possibility may be that it may give away internal network topology and resources. For example you may find a cached entry for ‘my.firewall/admin’. May just make you take notice and start coming up with new ideas. 😀

      I’m sure there’s more that I’ve missed, but that would be my first thoughts.

    • #23525
      former33t
      Participant

      I can’t really think of anything else here that would be of any value when discussing from an exploit perspective.  The only thing I could add is that I might want to know what sites a user frequents so I could re-infect his machine (if it were rebuilt/restored from pre-implant backup) with some cache poisoning attack.  Other than that, I can’t imagine how I can tie a user’s DNS cache to an initial access exploit.

      Now as mentioned by timmedin, I love the DNS cache from a forensics perspective.  I do think that its time has come to an end though with high bandwidth links replacing dial up speeds.  Probably ought to retire this along with NetBIOS (which also still caches…).
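From the responder's side of the points RoleReversal and former33t make above (the client cache shows where a machine has recently been resolving names, including internal resources), the first triage step is simply to collect the cache and sort the entries by whether they point inside or outside the network. The script below is an added example written for this thread, not code from any poster: it parses the text layout that `ipconfig /displaydns` prints on Windows (the sample block is constructed, with made-up names and addresses) and classifies each cached answer as an internal RFC 1918 / ULA address, an external address, or a name-valued alias such as a CNAME. The field regex and the `INTERNAL_NETS` list are this example's own assumptions.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the layout `ipconfig /displaydns` prints.
# Names and addresses are invented for this example.
SAMPLE_OUTPUT = """
Windows IP Configuration

    mail.example.com
    ----------------------------------------
    Record Name . . . . . : mail.example.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 233
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 203.0.113.10

    intranet.corp.example
    ----------------------------------------
    Record Name . . . . . : intranet.corp.example
    Record Type . . . . . : 1
    Time To Live  . . . . : 1800
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 10.20.30.40

    www.example.com
    ----------------------------------------
    Record Name . . . . . : www.example.com
    Record Type . . . . . : 5
    Time To Live  . . . . : 60
    Data Length . . . . . : 8
    Section . . . . . . . : Answer
    CNAME Record  . . . . : edge.example.net
"""

# Assumed definition of "internal": RFC 1918 ranges plus IPv6 unique-local.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
]

# "Key . . . . : value" lines; the dot leaders are stripped from the key.
FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*(?:\.\s*)*:\s*(?P<val>.*?)\s*$")


@dataclass
class CacheEntry:
    name: str      # Record Name
    rtype: int     # numeric DNS type (1 = A, 5 = CNAME, 28 = AAAA)
    ttl: int       # seconds remaining in the cache
    section: str   # Answer / Additional
    data: str      # address or target name

    @property
    def scope(self) -> str:
        """internal / external for address records, alias for name-valued ones."""
        try:
            addr = ipaddress.ip_address(self.data)
        except ValueError:
            return "alias"
        return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def parse_displaydns(text: str) -> list[CacheEntry]:
    """Split the output into per-record blocks and pull the fields out of each."""
    entries: list[CacheEntry] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields: dict[str, str] = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m["key"]] = m["val"]
        if "Record Name" not in fields:
            continue  # banner or separator block, not a record
        # The data line's key names the record kind, e.g. "A (Host) Record".
        data = next((v for k, v in fields.items() if k.endswith("Record")), "")
        entries.append(CacheEntry(
            name=fields["Record Name"],
            rtype=int(fields.get("Record Type", "0")),
            ttl=int(fields.get("Time To Live", "0")),
            section=fields.get("Section", ""),
            data=data,
        ))
    return entries


def summarize(entries: list[CacheEntry]) -> dict[str, list[str]]:
    """Group cached names by scope so internal resources stand out for follow-up."""
    by_scope: dict[str, list[str]] = {"internal": [], "external": [], "alias": []}
    for e in entries:
        by_scope[e.scope].append(e.name)
    return by_scope


if __name__ == "__main__":
    for scope, names in summarize(parse_displaydns(SAMPLE_OUTPUT)).items():
        print(f"{scope:9s} {', '.join(names) or '-'}")
```

On a live host you would feed the script the captured output of `ipconfig /displaydns` instead of the constructed sample; the remaining TTL on each entry also gives a rough recency ordering, which is the forensic value timmedin and former33t refer to.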

    • #23526
      timmedin
      Participant

      @former33t wrote:

      I can’t really think of anything else here that would be of any value when discussing from an exploit perspective.  The only thing I could add is that I might want to know what sites a user frequents so I could re-infect his machine (if it were rebuilt/restored from pre-implant backup) with some cache poisoning attack.  Other than that, I can’t imagine how I can tie a user’s DNS cache to an initial access exploit.

      Now as mentioned by timmedin, I love the DNS cache from a forensics perspective.  I do think that its time has come to an end though with high bandwidth links replacing dial up speeds.  Probably ought to retire this along with NetBIOS (which also still caches…).

      I was thinking the same as you. Either great minds think or we are both oblivious.  😉
