There was a specific cyber security challenge (Cyber Cube 2018, GE). In one of the tasks, the objective was to gain access to a specific file that the server included.

After successfully solving some steps, there was a base64 encoded string:

bmFtZTogZXRlcm5hbHJvbWFuY2UsIHByb3RvY29sOiBkbnMoNTMvdGNwKQo=

Decoding this string gave the following output:

'name: eternalromance, protocol: dns(53/tcp)\n'

I figured that the only way to access the server was to perform a DNS attack.

The creators of this challenge gave a hint that choosing a TCP port over UDP for DNS may cause certain vulnerabilities.

I'm not experienced in domain name systems, but I know that generally DNS uses UDP port 53 to serve requests - DNS queries require a single UDP datagram request and a single UDP datagram response. The main reasons to choose the TCP protocol are to respond with data that is larger than 512 bytes (although some DNS implementations can allow UDP datagram responses up to 4096 bytes, to my knowledge), and for DNS zone transfers.

But what vulnerabilities may DNS have when TCP is used over UDP?

Thank you.

ShellRox
  • TCP is not used "over" UDP, but "instead of" UDP in some cases. Is this what you meant? – schroeder May 08 '18 at 13:23
  • You are making a lot of assumptions. Did you perform a DNS zone transfer to see what you would get? Why do you assume that there must be vulnerabilities? Why could it not have been more clues? – schroeder May 08 '18 at 13:44
  • @schroeder Yes, I meant instead of UDP (apologies for my English). No, I didn't perform a DNS zone transfer, but I've read that information on Wikipedia (I'm assuming that TCP is used for DNS zone transfers in most cases). Also, I didn't understand that either; the creator of this challenge told me that if DNS exists on a TCP port, there are some vulnerabilities. There were no other clues. – ShellRox May 08 '18 at 14:40

1 Answer

Although it's impossible to know for sure, one option would have been AXFR.

AXFR

What does it do?

AXFR would give you a list of all of the records on the server.

Why does TCP affect it?

RFC 5936, section 4 says:

AXFR sessions are currently restricted to TCP by Section 4.3.5 of RFC 1034, which states:

Because accuracy is essential, TCP or some other reliable protocol
must be used for AXFR requests.

The restriction to TCP is also mentioned in Section 6.1.3.2 of "Requirements for Internet Hosts - Application and Support" [RFC1123].

[Source]

How could it have been used?

These records could have contained either a flag, or clues to the next step.

jrtapsell
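The TCP requirement quoted in the answer shows up on the wire as a 2-byte length prefix in front of every DNS message (RFC 1035, section 4.2.2). The following is an added example, not part of the original post: it builds an AXFR question, frames it for TCP, and reassembles messages from a byte stream that may be split at arbitrary points. The zone name `example.test`, the message ID and the sample reply are constructed, and nothing is sent over the network.

```python
import struct

QTYPE_AXFR = 252   # zone transfer query type (RFC 1035, section 3.2.3)
QCLASS_IN = 1

def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_axfr_query(zone: str, msg_id: int) -> bytes:
    """12-byte header (one question, no flags set) plus the AXFR question."""
    header = struct.pack("!HHHHHH", msg_id, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)

def frame_for_tcp(message: bytes) -> bytes:
    """Prefix the message with its length as an unsigned 16-bit integer."""
    return struct.pack("!H", len(message)) + message

class TcpDeframer:
    """Reassembles DNS messages from TCP chunks that may split anywhere."""
    def __init__(self):
        self.buf = b""

    def feed(self, chunk: bytes) -> list:
        self.buf += chunk
        messages = []
        while len(self.buf) >= 2:
            (length,) = struct.unpack("!H", self.buf[:2])
            if len(self.buf) < 2 + length:
                break  # the rest of this message has not arrived yet
            messages.append(self.buf[2:2 + length])
            self.buf = self.buf[2 + length:]
        return messages

def summarize(message: bytes) -> dict:
    """Header fields a transfer client inspects before reading any records."""
    msg_id, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    return {"id": msg_id, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "answers": an}

if __name__ == "__main__":
    query = build_axfr_query("example.test", 0x1234)  # constructed zone name
    print(frame_for_tcp(query).hex())
```

An RCODE of 5 in the reply header is REFUSED in RFC 1035's response code table, while a transfer that succeeds arrives as one or more framed messages with a non-zero answer count.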