RCS and DNS: The NAPTR Record
Over the last year, with recent updates to iOS and Android, RCS (Rich Communication Services) has become an increasingly used protocol [1]. RCS is supposed to eventually replace SMS, and in addition to richer formatting, provides added (but optional) security. RCS messages may be end-to-end encrypted and digitally signed. Unlike SMS, which was "bolted on" to existing voice-focused phone standards. The SMS standard was based on old-fashioned pagers and allowed for limited clear-text communications. RCS is built from the ground up around modern IP-based network infrastructure and behaves more like IP chat services (think iMessage, WhatsApp...). RCS defines the message format, while protocols like SIP are used to establish connections and transport messages.
"Do as you say", I do from time to time take a look at odd DNS traffic on my network. An activity I recommend when teaching SEC503. Recently, I noticed more "NAPTR" queries, a record type I had not seen before. The record type is defined in RFC 2915 [2], which was ratified in 2000. It is not a new record. But so far, at least in my network, it has not really shown up before.
The description of the record sounds rather ominous:
"a Resource Record that included a regular expression that would be used by a client program to rewrite a string into a domain name."
Wow. Regular expressions to rewrite resource records? What could possibly go wrong? However, right now, I just want to talk about how it "goes right" and how these records are currently being used for RCS.
Below is the relevant part of the t-shark decode of a record typical for what I have seen in my network:
Queries
fp-us-verizon.rcs.telephony.goog: type NAPTR, class IN
Name: fp-us-verizon.rcs.telephony.goog
[Name Length: 32]
[Label Count: 4]
Type: NAPTR (35) (Naming Authority Pointer)
Class: IN (0x0001)
Answers
fp-us-verizon.rcs.telephony.goog: type NAPTR, class IN, order 100, preference 100, flags s
Name: fp-us-verizon.rcs.telephony.goog
Type: NAPTR (35) (Naming Authority Pointer)
Class: IN (0x0001)
Time to live: 295 (4 minutes, 55 seconds)
Data length: 61
Order: 100
Preference: 100
Flags Length: 1
Flags: s
Service Length: 8
Service: SIPS+D2T
Regex Length: 0
Regex:
[Replacement Length: 43]
Replacement: _sips._tcp.fp-us-verizon.rcs.telephony.goog
This was the only applicable NAPTR record, so order and preference do not matter in this case. The "S" flag indicates that the next lookup should be a SRV record. And indeed, we do have a SRV query (see below). Only a "U" flag would result in a URI.
Remember that this record is about URIs, not IP addresses? The "Service" field indicates what service we may find at the to-be-determined URI. In this case, it is SIPS+D2T. SIPS+D2T is a transport protocol defined in the SIP standard (RFC 3263). SIPS+D2T stands for "Secure SIP Direct to TCP". So we will be using SIP over TLS with TCP as the transport protocol. The SIP standard specifically calls for NAPTR records to find SIP servers. The reason for the NAPTR record is to allow URIs to be returned, not just IP addresses/hostnames (as an SRV record would).
Lucky for us (and the DNS server), the regular expression is empty. And this appears to be normal for this use case. Instead, we just get a "SRV" record to request:
Queries???????
_sips._tcp.fp-us-verizon.rcs.telephony.goog: type SRV, class IN
Name: _sips._tcp.fp-us-verizon.rcs.telephony.goog
[Name Length: 43]
[Label Count: 6]
Type: SRV (33) (Server Selection)
Class: IN (0x0001)
Answers
_sips._tcp.fp-us-verizon.rcs.telephony.goog: type SRV, class IN, priority 20, weight 0, port 5223, target fp-us-verizon.rcs.telephony.goog
Service: _sips
Protocol: _tcp
Name: fp-us-verizon.rcs.telephony.goog
Type: SRV (33) (Server Selection)
Class: IN (0x0001)
Time to live: 300 (5 minutes)
Data length: 40
Priority: 20
Weight: 0
Port: 5223
Target: fp-us-verizon.rcs.telephony.goog
_sips._tcp.fp-us-verizon.rcs.telephony.goog: type SRV, class IN, priority 30, weight 0, port 443, target fp-us-verizon.rcs.telephony.goog
Service: _sips
Protocol: _tcp
Name: fp-us-verizon.rcs.telephony.goog
Type: SRV (33) (Server Selection)
Class: IN (0x0001)
Time to live: 300 (5 minutes)
Data length: 40
Priority: 30
Weight: 0
Port: 443
Target: fp-us-verizon.rcs.telephony.goog
And yes, in the end, there is a "normal" A and AAAA lookup for fp-us-verizon.rcs.telephony.goog.
So far, NAPTR records do not appear to be used to their full potential. I am sure that the use of regular expressions will be of interest to bug hunters and penetration testers.
[1] https://support.google.com/messages/answer/13508703?hl=en
[2] https://www.ietf.org/rfc/rfc2915.txt
--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
Why Ask Credentials If There Are Secret Codes?
This morning, an interesting phishing email hit my mailbox. It targets Metamask[1], a cryptocurrency wallet, available as a browser extension and a mobile app, that lets users store, send, and receive crypto money. It’s pretty popular, so a juicy target for criminals. In February, I already mentioned a campaign against them[2].
Today’s email was different and used another approach. Most services that we use daily ask us to implement a 2nd authentication factor. That makes simple credentials useless if you can’t interact with the victim and grab the temporary token, code, …
But most services also offer a “password recovery” process. In the case of Metamask, it’s based on your secret security phrase that you created during the account creation process[3]. That’s exactly the target of this phishing campaign. They ask you to provide this secret phrase.
First, they put some pressure on you, pretending that your wallet is at risk:

Then, they ask you to provide your secret phrase:

The campaing relies on the domain captchasolve[.]help that has been registered two days ago.
[1] https://metamask.io
[2] https://isc.sans.edu/diary/Fake+Incident+Report+Used+in+Phishing+Campaign/32722
[3] https://support.metamask.io/configure/wallet/how-can-i-reset-my-password/
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
0 Comments

0 Comments