FaresMorcy
  • Whoami
  • Footprinting Labs
    • Lab - Easy
    • Lab - Medium
    • Lab - Hard
  • Shells & Payloads
    • The Live Engagement
  • Password Attacks
    • Lab - Easy
    • Lab - Medium
    • Lab - Hard
  • SOC Hackthebox Notes & Labs
    • Security Monitoring & SIEM Fundamentals Module
    • Windows Event Logs & Finding Evil Module
    • Introduction to Threat Hunting & Hunting With Elastic Module
    • Understanding Log Sources & Investigating with Splunk Module
      • Introduction To Splunk & SPL
      • Using Splunk Applications
      • Intrusion Detection With Splunk (Real-world Scenario)
      • Detecting Attacker Behavior With Splunk Based On TTPs
      • Detecting Attacker Behavior With Splunk Based On Analytics
      • Skills Assessment
    • Windows Attacks & Defense
      • Kerberoasting
      • AS-REProasting
      • GPP Passwords
      • GPO Permissions/GPO Files
      • Credentials in Shares
      • Credentials in Object Properties
      • DCSync
      • Golden Ticket
      • Kerberos Constrained Delegation
      • Print Spooler & NTLM Relaying
      • Coercing Attacks & Unconstrained Delegation
      • Object ACLs
      • PKI - ESC1
      • Skills Assessment
    • Intro to Network Traffic Analysis Module
    • YARA & Sigma for SOC Analysts Module
      • Developing YARA Rules
      • Hunting Evil with YARA (Windows Edition)
      • Hunting Evil with YARA (Linux Edition)
      • Sigma and Sigma Rules
      • Developing Sigma Rules
      • Hunting Evil with Sigma (Chainsaw Edition)
      • Hunting Evil with Sigma (Splunk Edition)
      • Skills Assessment
  • TryHackme SOC 1
    • TShark
      • TShark: The Basics
      • TShark: CLI Wireshark Features
      • TShark Challenge I: Teamwork
      • TShark Challenge II: Directory
    • Tempest
    • Boogeyman 1
    • Boogeyman 2
    • Boogeyman 3
  • TryHackme SOC 2
    • Advanced Splunk
      • Splunk: Exploring SPL
      • Splunk: Setting up a SOC Lab
      • Splunk: Dashboards and Reports
      • Splunk: Data Manipulation
      • Fixit
    • Advanced ELK
      • Slingshot
    • Threat Hunting
      • Threat Hunting: Foothold
      • Threat Hunting: Pivoting
      • Threat Hunting: Endgame
  • TryHackme Rooms
    • Investigating Windows
    • Splunk 2
    • Windows Network Analysis
  • Powershell Scripting Fundamentals
  • SANS SEC504 & Labs
    • Book one
      • Live Examination
      • Network Investigations
      • Memory Investigations
      • Malware Investigations
      • Accelerating IR with Generative AI
      • Bootcamp: Linux Olympics
      • Bootcamp: Powershell Olympics
    • Book Two
      • Hacker Tools and Techniques Introduction
      • Target Discovery and Enumeration
      • Discovery and Scanning with Nmap
      • Cloud Spotlight: Cloud Scanning
      • SMB Security
      • Defense Spotlight: Hayabusa and Sigma Rules
    • Book Three
      • Password Attacks
      • Cloud Spotlight: Microsoft 365 Password Attacks
      • Understanding Password Hashes
      • Password Cracking
      • Cloud Spotlight: Insecure Storage
      • Multipurpose Netcat
    • Book Four
      • Metasploit Framework
      • Drive-By Attacks
      • Command Injection
      • Cross-Site Scripting
      • SQL Injection
      • Cloud Spotlight: SSRF and IMDS
    • Book Five
      • Endpoint Security Bypass
      • Pivoting and Lateral Movement
      • Hijacking Attacks
      • Establishing Persistence
      • Defense Spotlight: RITA
      • Cloud Spotlight: Cloud Post-Exploitation
  • SANS SEC511 & Labs
    • Resources
      • Primers
      • References
      • Tools
        • Network
        • Elastic Stack
      • Printable Versions
    • Book One
      • Part One
      • Part Two
      • Part Three
    • Book Two
      • Part One
      • Part Two
      • Part Three
      • Part Four
    • Book Three
      • Part One
      • Part Two
      • Part Three
      • Part Four
    • Book Four
      • Part One
      • Part Two
      • Part Three Lab
      • Part Four Lab
    • Book Five
      • Part One Lab
      • Part Two Lab
      • Part Three Lab
  • CyberDefenders
    • XXE Infiltration Lab
    • T1594 Lab
    • RetailBreach Lab
    • DanaBot Lab
    • OpenWire Lab
    • BlueSky Ransomware Lab
    • Openfire Lab
    • Boss Of The SOC v1 Lab
    • GoldenSpray Lab
    • REvil Lab
    • ShadowRoast Lab
    • SolarDisruption Lab
    • Kerberoasted Lab
    • T1197 Lab
    • Amadey Lab
    • Malware Traffic Analysis 1 Lab
    • Insider Lab
    • Volatility Traces Lab
    • FalconEye Lab
    • GitTheGate Lab
    • Trident Lab
    • NerisBot Lab
  • Practical Windows Forensics
    • Data Collection
    • Examination
    • Disk Analysis Introduction
    • User Behavior
    • Overview of disk structures, partitions and file systems
    • Finding Evidence of Deleted Files with USN Journal Analysis
    • Analyzing Evidence of Program Execution
    • Finding Evidence of Persistence Mechanisms
    • Uncover Malicious Activity with Windows Event Log Analysis
    • Windows Memory Forensic Analysis
  • Hackthebox Rooms
    • Campfire-1
    • Compromised
    • Brutus
    • Trent
    • CrownJewel-1
  • WEInnovate Training
    • Weinnovate - Active Directory Task One
    • Build ELK Lab
      • Configure Elasticsearch and Kibana setup in ubuntu
      • Configure Fluent-Bit to send logs to ELK
      • Set up Winlogbeat & Filebeat for log collection
      • Send Logs from Winlogbeat through Logstash to ELK
      • Enable Windows Audit Policy & Winlogbeat
      • Elasticsearch API and Ingestion Pipeline
    • SOAR
      • Send Alerts To Email & Telegram Bot
      • Integrate Tines with ELK
    • SOC Practical Assessment
    • Lumma C2
    • Network Analysis
  • Build ELK Lab
    • Configure Elasticsearch and Kibana setup in ubuntu
    • Configure Fluent-Bit to send logs to ELK
    • Set up Winlogbeat & Filebeat for log collection
    • Send Logs from Winlogbeat through Logstash to ELK
    • Enable Windows Audit Policy & Winlogbeat
    • Elasticsearch API and Ingestion Pipeline
  • Build Home Lab - SOC Automation
    • Install & configure Sysmon for deep Windows event logging
    • Set up Wazuh & TheHive for threat detection & case management
    • Execute Mimikatz & create detection rules in Wazuh
    • Automate everything with Shuffle
    • Response to SSH Attack Using Shuffle, Wazuh, and TheHive
  • Home Lab (Attack & Defense Scenarios)
    • Pass-the-Hash Attack & Defense
    • Scheduled Task Attack & Defense
    • Kerberoasting Attack & Defense
    • Kerberos Constrained Delegation
    • Password Spraying Attack & Defense
    • Golden Ticket Attack & Defense
    • AS-REProasting Attack & Defense
    • DCSync Attack & Defense
  • Home Lab (FIN7 (Carbanak Group) – Point of Sale (POS) Attack on Hospitality Chains)
  • Home Lab (Lumma Stealer)
Powered by GitBook
On this page
  1. SANS SEC511 & Labs
  2. Book Five

Part Three Lab

The main purpose of DoH is to enhance privacy and security by encrypting DNS queries, preventing third parties from easily observing or tampering with the DNS requests made by a user.

How DNS over HTTP Works

  1. Traditional DNS:

    • In traditional DNS, queries are typically sent in plaintext over UDP or TCP using port 53. These requests can be intercepted and monitored by attackers or even by the ISP (Internet Service Provider).

  2. DNS over HTTPS:

    • With DoH, DNS queries and responses are wrapped inside HTTPS requests, which makes it harder for external observers (such as ISPs or hackers) to see what websites or services a user is trying to access.

    • The DNS query is sent over an encrypted HTTPS connection, making it secure and private.

Lab 5.3 - DNS over HTTPS (DoH)

Objectives:

  • Acquire hands-on experience with DNS over HTTPS (DoH)

  • Configure Firefox to directly use the Security511 cloud-based DoH server at https://dns.sec511.com/dns-query

  • Sniff encrypted DoH traffic with Wireshark

  • Export the pre-master secret from Firefox and import into Wireshark

  • Analyze decrypted DoH

A Note on the Pre-Master Secret:

As covered in 511.2, TLS traffic can be decrypted using either the web server's RSA private key (as demonstrated in the 511.2 exercise) or the browser's pre-master secret (as we'll do in this lab).

A quick overview of the pre-master secret (from slide 511.2, "HTTPS: TLS Handshake"):

The TLS handshake process works as follows:

  1. Client Hello: The client starts the handshake by sending a "hello" message to the server. This includes the supported TLS version, cipher suites, and a random byte string ("client random").

  2. Server Hello: The server responds with its own "hello" message, which contains its SSL certificate, chosen cipher suite, and a random byte string ("server random").

  3. Authentication: The client verifies the server's SSL certificate with the certificate authority, confirming the server's identity.

  4. Premaster Secret: The client sends a randomly generated "premaster secret" encrypted with the server's public key (from its SSL certificate). Only the server can decrypt it with its private key.

  5. Session Key Generation: Both the client and server generate session keys using the client random, server random, and premaster secret. Both parties should arrive at the same session key.

  6. Client Finished: The client sends a "finished" message encrypted with the session key.

  7. Server Finished: The server responds with its own "finished" message encrypted with the session key.

  8. Secure Encryption: The handshake is complete, and communication continues using the session keys for encrypted data exchange.

The browser's pre-master secret can be exported to decrypt all TLS traffic, including TLS 1.3. However, the server's RSA private key cannot decrypt TLS 1.3 because of Perfect Forward Secrecy (PFS).

Challenges:

  • Configure Firefox to use this DoH server: https://dns.sec511.com/dns-query

  • Use Wireshark to verify Firefox is resolving DNS names via DoH

  • Inspect DoH traffic with Wireshark

  • View the Server Name Indication (SNI) of https://dns.sec511.com

  • Import the key log (which includes the pre-master secret) into Wireshark

  • Decrypt and analyze DoH traffic From Firefox in Wireshark

Let's start by clicking the menu icon in Firefox in the upper-right corner, then select "Settings."

Then, we'll scroll down to the "Network Settings" section at the bottom and click on "Settings."

Let's scroll to the bottom of the page and enable "DNS over HTTPS." Then, select "Custom" and choose Security511's cloud-based server by entering: https://dns.sec511.com/dns-query

Let's open Wireshark and double-click on the "eth0" interface to start capturing network traffic.

Now let's close Firefox completely to ensure all TLS connections with https://dns.sec511.com are terminated. Then, reopen Firefox and open a new tab and surf to: https://www.sans.org/

Next, Let's open a terminal and run the following command to find the IP address of "dns.sec511.com":

dig dns.sec511.com

Let's filter by this IP Address in Wireshark.

tcp.port == 443 && ip.addr == 3.140.31.159

The data shows "dns.sec511.com," which is the Server Name Indication (SNI). In Wireshark, this is referred to as "tls.handshake.extensions_server_name."

Let's use the following Wireshark display filter to view only these packets:

tcp.port == 443 && ip.addr == 3.140.31.159 && tls.handshake.extensions_server_name

  • TLSv1.3 Record Layer: Handshake Protocol: Client Hello

  • Handshake Protocol: Client Hello

  • Extension: server_name (len=19)

  • Server Name Indication extension

The Server Name Indication (SNI) is "dns.sec511.com," which serves as the server's virtual host name.

In Wireshark, let's navigate to Edit and select Preferences.

Next, scroll down to the "TLS" section under Protocols. At the bottom, locate the "(Pre)-Master-Secret log filename" field. Click "Browse," navigate to /home/student/keylog.log, and click "OK."

Now, let's stop the current capture by clicking the red "stop" icon. Then, to restart the capture, click the green shark fin icon and select "Continue without Saving."

Now, let's close Firefox again to initiate a new TLS session with https://dns.sec511.com upon reopening, then restart the browser.

After restarting, visit https://www.sans.org.

Let's filter by the same filter in Wireshark again.

tcp.port == 443 && ip.addr == 3.140.31.159

As we scroll down, the decrypted "DoH" packets become visible.

Now, let's use the following display filter to view only decrypted TLS traffic sent to or from IP address 3.140.31.159:

tcp.port == 443 && ip.addr == 3.140.31.159 && http
tcp.port == 443 and ip.addr==3.140.31.159 and http and dns.resp.name=="www.sans.org"

The next display filter will show decrypted HTTP traffic that is not related to the IP address 3.140.31.159 (non-DoH decrypted TLS traffic).

tcp.port == 443 && not ip.addr == 3.140.31.159 && http

Wireshark treats HTTP and HTTP/2 as separate protocols. This display filter will show both.

tcp.port == 443 && not ip.addr == 3.140.31.159 && (http or http2)

Finally, let's reconfigure Firefox to use its original DNS settings as described at the start of this lab.

PreviousPart Two LabNextCyberDefenders

Last updated 4 months ago

The requested DNS records, including , are encrypted. Our next step is to decrypt the DoH (DNS over HTTPS) traffic using Firefox's pre-master secret. As mentioned earlier, the Firefox key log file can be used to decrypt all TLS traffic originating from the browser.

Let's use the following display filter to view the DNS response for "":

www.sans.org
www.sans.org