Chris Greer is back to show us Malware that Hackers could use to attack you (in this case using DNS). Chris is the man I talk to about Wireshark! Did you learn something new in this video? Big thanks to Brilliant for sponsoring this video! Get started with a free 30 day trial and 20% discount: brilliant.org/DavidBombal // Chris SOCIAL // KZfaq: kzfaq.info Wireshark course: davidbombal.wiki/chriswireshark Nmap course: davidbombal.wiki/chrisnmap LinkedIn: www.linkedin.com/in/cgreer/ Twitter: twitter.com/packetpioneer // David SOCIAL // Discord: discord.com/invite/usKSyzb Twitter: twitter.com/davidbombal Instagram: instagram.com/davidbombal LinkedIn: www.linkedin.com/in/davidbombal Facebook: facebook.com/davidbombal.co TikTok: tiktok.com/@davidbombal KZfaq: kzfaq.info Chris Greer Playlist: kzfaq.info/sun/PLhfrWIlLOoKO8522T1OAhR5Bb2mD6Qy_l // MENU // 00:00 Coming Up 00:27 Thanks Brilliant! 01:58 Did you know this? 02:41 DNS Misconceptions 03:16 DNS Example 04:38 Cloudflare / What Is DNS? 05:38 Virustotal 07:01 DNS String 08:52 Base-64 Decode 10:24 T Shark 12:25 Cyberchef 14:30 How Does The Hack Start? 14:54 Phishing Attacks 15:59 How DNS Attacks Started 16:57 Packets 17:53 Outro Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel! Disclaimer: This video is for educational purposes only. #malware #hack #wireshark

I almost fell from my chair laughing. "ostrykebs" from this Polish URL is literally tanslated as "spicy kebab" I'm dying laughing, oh my god.

When David and Chris bring out new videos out it's just a Christmas for me. Love both your channels and learning a lot in past years thanks to you two. Keep up the fantastic job guys!

Absolutely brilliant, presentation is top notch as per usual without getting too heavy. As someone who is relatively competent but unqualified in IT, currently doing A+ with a view to Net+ then Sec+ this is fantastic, thank you both. Hopefully having additional knowledge of tools like this and knowing when to use it will be advantageous in getting a job in IT/cybersecurity.

Excellent interview and especially the technical information, which helps us learn about vulnerabilities

Best lesson about DNS tunneling, thank you David Bombal and Chris Greer, I hope that in future you will show us how can be established that connection and sent real malicious commands

it's always great to see collabs with Chris and see how he explains things thanks for this David

This was soo much informative video david. Thanks for making all us more aware about it. Now ill be looking out for supecious dns queries. That was totally a new learning for me, i really like the full broken down of info where it starts making sense for us cybersecurity enthusiasts. Thanks for covering this david and chris ❤❤

This is super cool man thank you for dropping this !

It was a great enlightenment, and sir this sort of content is what we look forward to, if we could get more recent attack patterns and techniques and how they work, how to mitigate them, it would be great The channel is amazing, your knowledge, experience and humility towards teaching is commendable ❤❤ Great work

Loved it , love all your videos with Chris , full house of information

Nice demonstration. Thank you David, thank you Chris

That technic I already know but I thanks you for sharing it. Good explained - I like your videos.

Great content, short but concise deep dive of DNS malware

DNS TXT records have been used for a long time for all sorts of things, we used to them for digital scavenger hunts way back when, they are still often used today for Command and Control of botnets. However this is the first time I've seen it used to propagate a potential malware script. Pretty slick! Thanks for the info!

This video is amazing! I really like how everything has been explained, easy and clear. Wireshark is not easy to use, at least for me, I absolutely need to document myself before any operstion, otherwise it's really hard to find the information I'm looking for. Plus, this attack shouldn't be undervalued, as DNS is something that is not so secure as we may think. Recently I've got my whole home network hacked: all devices were compromised, including the main router and smartphones. Well, the point of failure in my case wasn't discovered, but there's an high chance that DNS had been compromised while disconnecting from a VPN service, or at least while using it. I've saved some pcap files on some devices in this network, but after watching this video, I think that I wouldn't find this script injection, if it happened, then it happened before the pcap recording :-/ Be careful with VPNs services, your traffic will be camouflaged, but remember that you are not aware on where each node is located, and who has access to it. Cheers

Thank you, Dave and Chris, for this great informative video.

Another gifts my two Best teatcher i learn so much from you guys keep giving

Thanks, David great info

Great video. Picked up a few new gems about DNS. Thank you.

This was an awesome video,I can always watch Chris and his packet talk lol.

Another great informative video by David and Chris. Thanks guys👍🏻

Very cool. Would like definitely to see more videos like this.

Thank you for the information!

Thanks. Great session. 👍

thank you! you read my mind David, I was gonna ask to do a video on DNS

Excellent video as always. Seems like more of a reason to use quad9 an top of other protections.

Didn't know DNS could do that.Really amazing and educational video

Enlightening as always David ji

iv heard about them before.. But didnt know this Done some custom email creation. There i met with dns txt registries for 1st time gosh jolly this was clarifying. LOVE EVERY VID u folks make.

I had not seen this attack method before, and I just finished 2 associates degrees (Cyberdefense & Digital Forensics, and Network Technologies Administration) and just passed my Security+, so, very cool stuff, here. I thought the DNS text record was what a RA would have an admin modify to prove ownership/control of a domain to satisfy a CA. Guess I was off. David, any time you have Chris or Ed Harmoush (of PracNet) on, it's an absolute treat!

thanks David for sharing.

I'm still a bit confused on how the attack starts. Is it just by clicking a link? Or does the victim have to have run a script to interpret the TXT record?

Chris is the wireshark king, I've learnt so much from him! Thanks for a great and interesting video

it's great, thanks so much teacher David

Thank you both for helping all of us learn about everything with Wireshark !

I did not know this could be done. Kudos!

Best WireShark instructional videos I’ve seen for length/ learning time. The quality and quantity of videos you produce is incredible. Thanks!

I really appreciate this Sir.👍🏻

Did not know, thanks for the heads up. They should just close off this DNS text field, no knew it was there any way, so no one will miss it.

Glad to see you are still out here David. I have been out of the game for a while. I am working on getting into pentesting

Helpful video sir ❤

I had no idea David :D But thanks for learning us again

I was aware of the existence of DNS TXT records from my dealing with setting up domain names for myself and others. I knew they could contain potentially malicious information, but I didn't know they could be used to piece together a set of commands to run a powershell command to further compromise a machine.

In the old days we used to call this executing data. It was a big no-no. In these days of publicly accessible networks I’m shocked it’s not only allowed, but permitted even in high level code! If I were a hacker this would be so easy and obvious.

DNS: the root of all all evil. This is proof. Thanks for posting, David, & Chris.

Stok did a great video on a bug bounty where he used DNS to interact with a server and extract information like etc/passwd all through DNS and using burp collab

Good stuff guys !😎

My Friend, you don't need to make these faces on thumbnails to get youtube clicks, you are way beyond that, awesome content, loving it!!!

Great lessons please David engage Chris for future explain how to capture Packets

great video----very usefull

very interesting, I'll keep this in mind

This is utterly terrifying. Thank you for pointing out what can happen if you carelessly switch to a well known DNS, expecting nothing bad and than kaboom....

Cool stuff. Thanks.

@DavidBombal ; Thanks for this video - I knew that DNS did more than IP/Hostname resolutions, but wasn't aware of this specific text field within DNS, nor that that field could be configured to be malicious, so thanks for this!! I recently got subscribed to the Udemy classes you put out, including the CCNA, SSL, & WireShark. I'm currently going thru the SSL course, & am VERY excited to start the WireShark courses - I'm HOPING that I'm going to come out the other side knowing more than I already do, thanks to @ChrisGreer ! I can't wait!! Thanks again! 🙏❤️👌

Packet capture is always fascinate me, thanks for sharing this mate. My question for Chris, is there any good place or training for whose who wants to learn packet capturing? I have also wonder what certification could we do which included packet analysis by wireshark.

I am a bit new in this area. I have few questions: 1. How is the call initiated? It is said that by email? 1.1. Then, we click a link, it starts communication using dns server. 1.2. Then, the reply of dns server, they send txt as type of query. (We need a tutorial for dns queries). 1.3. So, does the dns, server were the hacker or sending scripts? 1.4. The clicked site, is sending scripts? 2. We need one more example to show after the packets were made up as a full string (script), then who (browser) will run the script?. So, far I know, we run serverside code to run any applications or a process on client laptop. 3. Or the script will run by browser as java script and do intended hack? 4. In what extent such scripts can do harm? For example, is it possible to get an .exe file to bring by script and paste in client pc.

Always intresting stuff

Everyday is a school day when you work in security. Thanks guys for a brilliant video ☺️

Amazing content!!!

Hello DAVID, this is not concerning this video but a recent video you did with PHILLIP WYLIE on Pentester Roadmap. I want to acknowledge you for hosting nerds like that, I really like everything he said from start to finish. They were very informative and I like the fact that at a point you mentioned you are an introvert. That is another part I am interested in. Can you please make videos on introverts who want to get into or are already into IT and Cybersecurity. I believe that would really be helpful for people who are very introverted but passionate in such careers. Thank you beforehand. If you can also make a video giving an overview of your studio and everything you use for streaming your contents that would also be good. Thanks once again

I love this kind of staff

What I would like to know is who thought it would be a good idea to enable a library/framework to execute code stored in a text record like that in the first place. If it was originally intended to simply store human-readable comments, then why is it even a thing for something else to execute code stored in a text record? What library/framework(s) allow executing code from a text record? Why hasn't this been disabled?

How does chris have so maNY IPs up and being shown???? I never see any IPs. certain filter??? Great videos David. you have been such a great tool for a n newbie like me. You're dope bro! and the videos with your daughter are adorable and put a smile on my face after a long day of construction

Great video, thank you so much. What can we do to protect ourselves from this kind of attacks? Are there any recommendations for firewall setup?

Very creative. Love this ! Newbie here, but am slight edging all the way.

You are a saint,Thank you.

From layer 1 to 7 it's mean deep working magnificent, especially hardware building

Love these types.

Using a dns to attack is one of the few things i do know.

Very interesting no i did not know this existed. Now to see if i can mitigate with my pfsense

Cheers Mate.

I had no idea but it makes sense how it could happen

I have heard of this method, but I had never seen it demonstrated. I still wonder why the host system would actually run the initial script contained within the initial TXT query... I understand how the script could run its loop and pull down the entire 17 packets and assemble itself - but why would an initial query actually start the subsequent process?

Yes, but that proces of data extraction from captured stream is awesome 🙂

If I understand correctly, can be done w ICMP too.

It's basically fetching payloads using DNS to bypass anti-virus

How does it keep asking for the next TXT records? Certainly the first DNS call which may be from a phishing link couldn't execute any code from the TXT record?

@5:40 be careful when putting data on virustotal, especially when you are doing an audit (pentest) for a client.

What I still don't understand is how the script gets executed... Yes invoke expression but from where if that's par of the script

I developed the DNS server with C++ programming, then used the certificate and private key generated by openssl, then I installed the certificate in my browser, and it worked, Encrypted data can only be decrypted with a matching private key, making it difficult to brute force with SSL encryption

That was a great analysis, but what about DoH/DoT?

Nice video David! It's always DNS ha! I can say with confidence that I did know this :D. I've used a similar method on a test to escape firewall resitrctions. There is a neat tool called Iodine which you can use to set up a tunnel between boxes and all commmunication is done through DNS. You can then SSH to the box over DNS... pretty remarkable. It's a common technique used by malware to call back to C2's. There is a video on my channel about the set up process if you wanted to see it in action. Takes you through setting up the DNS records to deploying the server and then initiating the connection.

A question i am asking myself is there any actual legitmate use for the dns txt request type left? If no then there would be no good reason to keep it at all honestly

In the late 90's I hacked a RTL driver to send/receive encoded messages in ping requests, it was a little slow but you don't need a lot of code to get something running.

a question - we passed the strings to txt file, but what made the client machine to run the initial txt instructions?

Extremely new to me but outstanding how things in systems and networks are still weak. With where we are today in should we not be above and over with criminals on the net?

@DavidBombal - I never knew this type of attack was possible 🤯

I've seen DNS used to smuggle data out of secure(ish) systems that stopped outgoing requests to unknown addresses but not via DNS.

So just to reiterate, the victim executes a script which then makes DNS requests, assembles the txt resource records, executes that assembled text file which makes a callback to a C2/attacker....?

I did not know that about adding machine readable txt

Another excellent one, thanks David :D

Are there valid uses of the TXT DNS record type that are still in use today?

Awesome❤

@davidbombal where is the link of chris's threat hunting course ?

Nope. Didn't know that one. I came up with a data exfiltration method against hardened internal corporate networks using DNS about 15 years ago. I've not seen it ever mentioned, so it may still be novel.

This Is INTERESTING❗😃

it's always DNS 😄, nice video

In Iran, the first level of web filtering is applied by the IRGC government with DNS hijacking. please talk more about filtering .

So how does the file run once it's downloaded trough dns? further social engineering?