A guide to DNS Search Suffix Wi-Fi attacks

Wicus Ross, Lead Security Researcher, and Lauren Rudman, Junior Security Researcher, SecureData, show us how even the most security-savvy employees can fall foul of DNS Suffix Wi-Fi attacks. 
Ever get a feeling that despite your VPN, public Wi-Fi networks could still be a significant risk?
Last year, when two of our employees were connected to the complimentary Wi-Fi at the same hotel, their laptops were assigned a connection-specific DNS Suffix of ‘domain.com’ by the hotel’s Wi-Fi Access Point.
Such DNS suffixes are used when there is a DNS query without a Fully Qualified Domain Name (FQDN). For example, if your computer makes use of a server or service within your private network it can often be configured without specifying its full and complete Internet name.
That ‘short’ name makes no sense on the actual Internet, however, so a ‘search suffix’ is often prescribed by the network as a way of completing the service’s full Internet name.
When our employees’ laptops attempted to connect automatically to a previously mapped network share, this triggered an alarm in the SecureData Managed Threat Detection System highlighting outbound network traffic on port 445.
This was because the network shares were not using FQDNs, as they belonged to SecureData’s internal network, so the search suffix ‘domain.com’ prescribed by the Access Point was appended to each name in order to create an FQDN.
As a result, the new share names became ‘domain.com’ subdomains. For example, ‘sde-file-share’ became ‘sde-file-share.domain.com’, which surprisingly translated to an actual IP address on the internet. The reason for this is that ‘domain.com’ is a wild-card resolver and will resolve most sub-domains to a single IP address.
Windows network traffic associated with network shares uses the Server Message Block (SMB) protocol on port 445 and is usually blocked by organisations’ firewalls if the connection is going out to the internet. This is because attackers can use these connection attempts to gather Windows credentials.
SMB is not blocked by the hotel’s network, however, creating the risk that SMB traffic might actually be sent out to the IP address mapped to ‘domain.com’ in the DNS.
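
The following Python example is an addition to the article, not SecureData’s own tooling. It flags mapped shares whose server name is a single label, shows the FQDN a network-assigned search suffix would produce, and picks out port 445 flows leaving private address space, the condition that raised the alarm described above. The share paths, IP addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data for illustration; not taken from the incident in the article.
MAPPED_SHARES = [
    r"\\sde-file-share\projects",   # single-label server name
    r"\\files.corp.example\hr",     # already fully qualified
    r"\\10.0.5.20\scans",           # IP literal, no DNS lookup involved
]
FLOWS = [  # (source IP, destination IP, destination port)
    ("192.168.1.23", "203.0.113.10", 445),
    ("192.168.1.23", "10.0.5.20", 445),
    ("192.168.1.23", "198.51.100.7", 443),
]
# RFC 1918 ranges treated as internal (assumption; adjust to your own address plan).
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def host_of(unc):
    """Return the server part of a UNC path."""
    return unc.lstrip("\\").split("\\")[0]

def suffix_exposed(shares, suffix):
    """Map each share with a single-label server to the FQDN the suffix would produce."""
    exposed = {}
    for unc in shares:
        host = host_of(unc)
        if "." not in host.rstrip("."):
            exposed[unc] = f"{host}.{suffix}"
    return exposed

def outbound_smb(flows):
    """Return flows to TCP 445 whose destination lies outside the internal ranges."""
    hits = []
    for src, dst, dport in flows:
        ip = ipaddress.ip_address(dst)
        if dport == 445 and not any(ip in net for net in INTERNAL):
            hits.append((src, dst, dport))
    return hits

if __name__ == "__main__":
    for unc, fqdn in suffix_exposed(MAPPED_SHARES, "domain.com").items():
        print(f"{unc} would be looked up as {fqdn}")
    for src, dst, dport in outbound_smb(FLOWS):
        print(f"ALERT outbound SMB {src} -> {dst}:{dport}")
```

Mapping shares by FQDN removes them from the first list; blocking outbound port 445 on the laptop’s own firewall covers the second case on networks the organisation does not control.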

Copyright Lyonsdown Limited 2020