OWNerchestration - DNS Reconnaissance

Once a foothold has been gained inside the cluster, an attacker with interactive access to the network can begin to perform recon and enumeration operations to aid in expanding access within the target network.

Most of these clusters will have an internal DNS service that uses a locally resolvable Top Level Domain (TLD). Often the TLD “.mesos” is used for the cluster, and simple DNS queries for common service names under “.mesos” will reveal which servers are hosting each service.

Commonly used names include:

  • master.mesos
  • marathon.mesos
  • chronos.mesos
  • etcd.mesos

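From the defender's side, the same property that makes this enumeration easy (a handful of well-known names under one internal TLD) also makes it easy to spot in resolver logs. The following is an added example, not part of the original post or any Empire or DC/OS code: it parses constructed BIND-style query-log lines and flags any client that resolves several of the well-known ".mesos" service names within a short window. The log format, the source addresses and the threshold are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed BIND-style query log lines (hypothetical sample input).
SAMPLE_LOG = """\
26-Mar-2017 10:15:01.101 client 10.0.4.55#51234: query: master.mesos IN A + (10.0.4.1)
26-Mar-2017 10:15:01.204 client 10.0.4.55#51235: query: marathon.mesos IN A + (10.0.4.1)
26-Mar-2017 10:15:01.310 client 10.0.4.55#51236: query: chronos.mesos IN A + (10.0.4.1)
26-Mar-2017 10:15:01.420 client 10.0.4.55#51237: query: etcd.mesos IN A + (10.0.4.1)
26-Mar-2017 10:15:02.001 client 10.0.4.77#40001: query: marathon.mesos IN A + (10.0.4.1)
26-Mar-2017 10:20:00.000 client 10.0.4.77#40002: query: www.example.com IN A + (10.0.4.1)
"""

# Timestamp, client address and query name from one BIND query-log line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# The well-known service names from the post; extend for your own cluster.
WELL_KNOWN = {"master.mesos", "marathon.mesos", "chronos.mesos", "etcd.mesos"}


def parse_line(line):
    """Return (timestamp, source_ip, qname) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return ts, m.group("src"), m.group("qname").lower().rstrip(".")


def find_enumerators(log_text, threshold=3, window=timedelta(seconds=60)):
    """Map each client that resolved >= threshold distinct well-known
    .mesos names inside one sliding window to the sorted names it hit."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, qname = rec
        if qname.endswith(".mesos"):
            by_src[src].append((ts, qname))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        # Slide the window start over each event and count distinct hits.
        for i, (start, _) in enumerate(events):
            names = {q for t, q in events[i:] if t - start <= window}
            hits = names & WELL_KNOWN
            if len(hits) >= threshold:
                flagged[src] = sorted(hits)
                break
    return flagged


if __name__ == "__main__":
    for src, names in find_enumerators(SAMPLE_LOG).items():
        print(f"{src} enumerated {len(names)} well-known .mesos names: {', '.join(names)}")
```

Tuning note: legitimate hosts rarely need to resolve the master, scheduler and datastore names back to back, so a low threshold with a short window is usually enough; a single query (like 10.0.4.77 above) is normal service discovery and is not flagged.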
An attacker can easily query these domains using the following commands within Empire…

(Empire)> agents
(Empire: agents)> interact IHCY2HLZ
(Empire: IHCY2HLZ)> usemodule situational_awareness/network/gethostbyname
(Empire: python/situational_awareness/network/gethostbyname)> set Target master.mesos
(Empire: python/situational_awareness/network/gethostbyname)> execute
job 1 started
master.mesos resolved to 10.0.4.104 !

You can see a quick overview of creating an Empire pyInstaller ELF binary and performing recon within a DC/OS cluster in the following video…

Bryce Kunz