How I Turned VPN over DNS Into a Retroactive Wiretapping Mechanism

THOTCON 0x5

Presented by: John Bambenek
Date: Friday April 25, 2014
Time: 12:30 - 12:50
Location: IB
Track: Turbo

Imagine your first day at a client site and you spend your time figuring out what’s going on with the network. You query passive DNS to find tons of apparently VPN over DNS endpoints on your network. What starts as a simple incident investigation process sees the tables turned on those who used the protocol to hide their tracks. This talk will discuss reverse engineering VPN over DNS (vpnoverdns.com) and how weaknesses in using DNS tunneling makes it trivial to retroactively wiretap all communications over the protocol long after the fact.

John Bambenek

John Bambenek is a handler with the SANS Internet Storm Center and President of Bambenek Consulting. He has contributed to many of the SANS courses and GIAC certification exams and has over 15 years experience as an information security professional. He is the only known hacker who is also a politician.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats