Google Analytics hack | Dns smuggling
i'll discuss the technique that is used for this and somehow you have to do this stuff on your own
Alright, to pull this off, The only tough thing you have to pull off is getting control of the target’s DNS somehow. More specifically, we need to at least control the resolution to a single specific DNS record. There’s dozens of ways to do this, including, but not limited to..:
Interestingly, Google makes this easy for us, in that we don’t have to worry about SSL, or certificate errors. We probably don’t have a way to make our web server’s SSL certificate match the one for Google’s, but that’s okay. In the javascript included on web pages that use it, Google Analytics actually checks to see if the site is being accessed via SSL, and if so, it calls the Analytics code from an entirely different host name, ssl.google-analytics.com, rather than www.
This means that if the victim accesses a site using Google Analytics over SSL from the start, we don’t get access, but the user also doesn’t get alerted. However, if the site initially loads unencrypted, we can hijack things and replace any links to https with regular http links from then on out.
i'll discuss the technique that is used for this and somehow you have to do this stuff on your own
Alright, to pull this off, The only tough thing you have to pull off is getting control of the target’s DNS somehow. More specifically, we need to at least control the resolution to a single specific DNS record. There’s dozens of ways to do this, including, but not limited to..:
- Actually being a man-in-the-midde, and using dnsspoof, ettercap, what have you.
- Compromising the victim’s DNS server. Less likely if they’re using a major provider, but maybe you’re pen-testing an organization that runs one internally.
- Add a record to the victim’s hosts file. This obviously requires some access already, but it would give you some additional permanence on a box, and help escalate you past what you have access to without their web passwords. It’s also not likely to be noticed if the victim doesn’t have some kind of file integrity tripwire set up.
- Changing the DNS server on a router. Easy to do on your average home wireless router run by the inept, and still possible if an organization hasn’t properly secured their routers.
- Run a fake DHCP server, and hand out your DNS server’s address to clients. This can go along well with PwnPlugs, for example.
Interestingly, Google makes this easy for us, in that we don’t have to worry about SSL, or certificate errors. We probably don’t have a way to make our web server’s SSL certificate match the one for Google’s, but that’s okay. In the javascript included on web pages that use it, Google Analytics actually checks to see if the site is being accessed via SSL, and if so, it calls the Analytics code from an entirely different host name, ssl.google-analytics.com, rather than www.
This means that if the victim accesses a site using Google Analytics over SSL from the start, we don’t get access, but the user also doesn’t get alerted. However, if the site initially loads unencrypted, we can hijack things and replace any links to https with regular http links from then on out.
No comments:
Post a Comment