It's DNS again 😢 Did you know this Malware Hack? 

Chris Greer is back to show us Malware that Hackers could use to attack you (in this case using DNS). Chris is the man I talk to about Wireshark! Did you learn something new in this video? Big thanks to Brilliant for sponsoring this video! Get started with a free 30 day trial and 20% discount: brilliant.org/DavidBombal // Chris SOCIAL // RU-vid: ru-vid.com Wireshark course: davidbombal.wiki/chriswireshark Nmap course: davidbombal.wiki/chrisnmap LinkedIn: www.linkedin.com/in/cgreer/ Twitter: twitter.com/packetpioneer // David SOCIAL // Discord: discord.com/invite/usKSyzb Twitter: twitter.com/davidbombal Instagram: instagram.com/davidbombal LinkedIn: www.linkedin.com/in/davidbombal Facebook: facebook.com/davidbombal.co TikTok: tiktok.com/@davidbombal RU-vid: ru-vid.com Chris Greer Playlist: ru-vid.com/group/PLhfrWIlLOoKO8522T1OAhR5Bb2mD6Qy_l // MENU // 00:00 Coming Up 00:27 Thanks Brilliant! 01:58 Did you know this? 02:41 DNS Misconceptions 03:16 DNS Example 04:38 Cloudflare / What Is DNS? 05:38 Virustotal 07:01 DNS String 08:52 Base-64 Decode 10:24 T Shark 12:25 Cyberchef 14:30 How Does The Hack Start? 14:54 Phishing Attacks 15:59 How DNS Attacks Started 16:57 Packets 17:53 Outro Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel! Disclaimer: This video is for educational purposes only. #malware #hack #wireshark

When David and Chris bring out new videos out it's just a Christmas for me. Love both your channels and learning a lot in past years thanks to you two. Keep up the fantastic job guys!

I almost fell from my chair laughing. "ostrykebs" from this Polish URL is literally tanslated as "spicy kebab" I'm dying laughing, oh my god.

Absolutely brilliant, presentation is top notch as per usual without getting too heavy. As someone who is relatively competent but unqualified in IT, currently doing A+ with a view to Net+ then Sec+ this is fantastic, thank you both. Hopefully having additional knowledge of tools like this and knowing when to use it will be advantageous in getting a job in IT/cybersecurity.

Excellent interview and especially the technical information, which helps us learn about vulnerabilities

Loved it , love all your videos with Chris , full house of information

This is super cool man thank you for dropping this !

it's always great to see collabs with Chris and see how he explains things thanks for this David

This was soo much informative video david. Thanks for making all us more aware about it. Now ill be looking out for supecious dns queries. That was totally a new learning for me, i really like the full broken down of info where it starts making sense for us cybersecurity enthusiasts. Thanks for covering this david and chris ❤❤

Best lesson about DNS tunneling, thank you David Bombal and Chris Greer, I hope that in future you will show us how can be established that connection and sent real malicious commands

That technic I already know but I thanks you for sharing it. Good explained - I like your videos.

Thanks, David great info

Nice demonstration. Thank you David, thank you Chris

Thank you, Dave and Chris, for this great informative video.

Great content, short but concise deep dive of DNS malware

It was a great enlightenment, and sir this sort of content is what we look forward to, if we could get more recent attack patterns and techniques and how they work, how to mitigate them, it would be great The channel is amazing, your knowledge, experience and humility towards teaching is commendable ❤❤ Great work

Thanks. Great session. 👍

Thank you for the information!

This was an awesome video,I can always watch Chris and his packet talk lol.

Great video. Picked up a few new gems about DNS. Thank you.

Another great informative video by David and Chris. Thanks guys👍🏻

Very cool. Would like definitely to see more videos like this.

iv heard about them before.. But didnt know this Done some custom email creation. There i met with dns txt registries for 1st time gosh jolly this was clarifying. LOVE EVERY VID u folks make.

DNS TXT records have been used for a long time for all sorts of things, we used to them for digital scavenger hunts way back when, they are still often used today for Command and Control of botnets. However this is the first time I've seen it used to propagate a potential malware script. Pretty slick! Thanks for the info!

thanks David for sharing.

This video is amazing! I really like how everything has been explained, easy and clear. Wireshark is not easy to use, at least for me, I absolutely need to document myself before any operstion, otherwise it's really hard to find the information I'm looking for. Plus, this attack shouldn't be undervalued, as DNS is something that is not so secure as we may think. Recently I've got my whole home network hacked: all devices were compromised, including the main router and smartphones. Well, the point of failure in my case wasn't discovered, but there's an high chance that DNS had been compromised while disconnecting from a VPN service, or at least while using it. I've saved some pcap files on some devices in this network, but after watching this video, I think that I wouldn't find this script injection, if it happened, then it happened before the pcap recording :-/ Be careful with VPNs services, your traffic will be camouflaged, but remember that you are not aware on where each node is located, and who has access to it. Cheers

it's great, thanks so much teacher David

Another gifts my two Best teatcher i learn so much from you guys keep giving

Enlightening as always David ji

thank you! you read my mind David, I was gonna ask to do a video on DNS

I'm still a bit confused on how the attack starts. Is it just by clicking a link? Or does the victim have to have run a script to interpret the TXT record?

Helpful video sir ❤

I really appreciate this Sir.👍🏻

I did not know this could be done. Kudos!

Chris is the wireshark king, I've learnt so much from him! Thanks for a great and interesting video

Cool stuff. Thanks.

Excellent video as always. Seems like more of a reason to use quad9 an top of other protections.

very interesting, I'll keep this in mind

great video----very usefull

Didn't know DNS could do that.Really amazing and educational video

I had no idea David :D But thanks for learning us again

I had not seen this attack method before, and I just finished 2 associates degrees (Cyberdefense & Digital Forensics, and Network Technologies Administration) and just passed my Security+, so, very cool stuff, here. I thought the DNS text record was what a RA would have an admin modify to prove ownership/control of a domain to satisfy a CA. Guess I was off. David, any time you have Chris or Ed Harmoush (of PracNet) on, it's an absolute treat!

Good stuff guys !😎

Thank you both for helping all of us learn about everything with Wireshark !

DNS: the root of all all evil. This is proof. Thanks for posting, David, & Chris.

Packet capture is always fascinate me, thanks for sharing this mate. My question for Chris, is there any good place or training for whose who wants to learn packet capturing? I have also wonder what certification could we do which included packet analysis by wireshark.

Glad to see you are still out here David. I have been out of the game for a while. I am working on getting into pentesting

How does it keep asking for the next TXT records? Certainly the first DNS call which may be from a phishing link couldn't execute any code from the TXT record?

Always intresting stuff

I love this kind of staff

Cheers Mate.

Best WireShark instructional videos I’ve seen for length/ learning time. The quality and quantity of videos you produce is incredible. Thanks!

@davidbombal where is the link of chris's threat hunting course ?

Are there valid uses of the TXT DNS record type that are still in use today?

A question i am asking myself is there any actual legitmate use for the dns txt request type left? If no then there would be no good reason to keep it at all honestly

Amazing content!!!

Great lessons please David engage Chris for future explain how to capture Packets

I had no idea but it makes sense how it could happen

Great video, thank you so much. What can we do to protect ourselves from this kind of attacks? Are there any recommendations for firewall setup?

I was aware of the existence of DNS TXT records from my dealing with setting up domain names for myself and others. I knew they could contain potentially malicious information, but I didn't know they could be used to piece together a set of commands to run a powershell command to further compromise a machine.

My Friend, you don't need to make these faces on thumbnails to get youtube clicks, you are way beyond that, awesome content, loving it!!!

This is utterly terrifying. Thank you for pointing out what can happen if you carelessly switch to a well known DNS, expecting nothing bad and than kaboom....

You are a saint,Thank you.

In the old days we used to call this executing data. It was a big no-no. In these days of publicly accessible networks I’m shocked it’s not only allowed, but permitted even in high level code! If I were a hacker this would be so easy and obvious.

Love these types.

Everyday is a school day when you work in security. Thanks guys for a brilliant video ☺️

That was a great analysis, but what about DoH/DoT?

From layer 1 to 7 it's mean deep working magnificent, especially hardware building

Stok did a great video on a bug bounty where he used DNS to interact with a server and extract information like etc/passwd all through DNS and using burp collab

Very interesting no i did not know this existed. Now to see if i can mitigate with my pfsense

Did not know, thanks for the heads up. They should just close off this DNS text field, no knew it was there any way, so no one will miss it.

How does chris have so maNY IPs up and being shown???? I never see any IPs. certain filter??? Great videos David. you have been such a great tool for a n newbie like me. You're dope bro! and the videos with your daughter are adorable and put a smile on my face after a long day of construction

Very creative. Love this ! Newbie here, but am slight edging all the way.

Yes, but that proces of data extraction from captured stream is awesome 🙂

Nice video David! It's always DNS ha! I can say with confidence that I did know this :D. I've used a similar method on a test to escape firewall resitrctions. There is a neat tool called Iodine which you can use to set up a tunnel between boxes and all commmunication is done through DNS. You can then SSH to the box over DNS... pretty remarkable. It's a common technique used by malware to call back to C2's. There is a video on my channel about the set up process if you wanted to see it in action. Takes you through setting up the DNS records to deploying the server and then initiating the connection.

I have heard of this method, but I had never seen it demonstrated. I still wonder why the host system would actually run the initial script contained within the initial TXT query... I understand how the script could run its loop and pull down the entire 17 packets and assemble itself - but why would an initial query actually start the subsequent process?

What I would like to know is who thought it would be a good idea to enable a library/framework to execute code stored in a text record like that in the first place. If it was originally intended to simply store human-readable comments, then why is it even a thing for something else to execute code stored in a text record? What library/framework(s) allow executing code from a text record? Why hasn't this been disabled?

If I understand correctly, can be done w ICMP too.

Another excellent one, thanks David :D

Where could we download the pcap file? Thanks in advance.

I did not know that about adding machine readable txt

I developed the DNS server with C++ programming, then used the certificate and private key generated by openssl, then I installed the certificate in my browser, and it worked, Encrypted data can only be decrypted with a matching private key, making it difficult to brute force with SSL encryption

Hello DAVID, this is not concerning this video but a recent video you did with PHILLIP WYLIE on Pentester Roadmap. I want to acknowledge you for hosting nerds like that, I really like everything he said from start to finish. They were very informative and I like the fact that at a point you mentioned you are an introvert. That is another part I am interested in. Can you please make videos on introverts who want to get into or are already into IT and Cybersecurity. I believe that would really be helpful for people who are very introverted but passionate in such careers. Thank you beforehand. If you can also make a video giving an overview of your studio and everything you use for streaming your contents that would also be good. Thanks once again

Using a dns to attack is one of the few things i do know.

@DavidBombal - I never knew this type of attack was possible 🤯

how can i get the pcap used in presentation?

I am a bit new in this area. I have few questions: 1. How is the call initiated? It is said that by email? 1.1. Then, we click a link, it starts communication using dns server. 1.2. Then, the reply of dns server, they send txt as type of query. (We need a tutorial for dns queries). 1.3. So, does the dns, server were the hacker or sending scripts? 1.4. The clicked site, is sending scripts? 2. We need one more example to show after the packets were made up as a full string (script), then who (browser) will run the script?. So, far I know, we run serverside code to run any applications or a process on client laptop. 3. Or the script will run by browser as java script and do intended hack? 4. In what extent such scripts can do harm? For example, is it possible to get an .exe file to bring by script and paste in client pc.

Hey everyone, I just got a simple question is it ok to continue using the google DNS, I'm not a network savvy user neither English is my mother tongue so it is not helping me to understand very well

@DavidBombal ; Thanks for this video - I knew that DNS did more than IP/Hostname resolutions, but wasn't aware of this specific text field within DNS, nor that that field could be configured to be malicious, so thanks for this!! I recently got subscribed to the Udemy classes you put out, including the CCNA, SSL, & WireShark. I'm currently going thru the SSL course, & am VERY excited to start the WireShark courses - I'm HOPING that I'm going to come out the other side knowing more than I already do, thanks to @ChrisGreer ! I can't wait!! Thanks again! 🙏❤️👌

Extremely new to me but outstanding how things in systems and networks are still weak. With where we are today in should we not be above and over with criminals on the net?

How is it that the packets of code in the TXT records actually get run? It didn't seem like he explained that.

I got something weird file while downloading txt file from messanger. It was in zip. And I red flagged it. What was that I'm still wondering

So how does the file run once it's downloaded trough dns? further social engineering?

What I still don't understand is how the script gets executed... Yes invoke expression but from where if that's par of the script

Awesome❤

a question - we passed the strings to txt file, but what made the client machine to run the initial txt instructions?

Which book was that? (in the end)

This Is INTERESTING❗😃

It's basically fetching payloads using DNS to bypass anti-virus

Yep