Predictability of Windows DNS resolver. ing. Roberto Larcher - http://webteca.altervista.org - robertolarcher@hotmail.com



Similar documents
Session Hijacking Exploiting TCP, UDP and HTTP Sessions

Packet Sniffing on Layer 2 Switched Local Area Networks

Internetworking Microsoft TCP/IP on Microsoft Windows NT 4.0

How To - Configure Virtual Host using FQDN How To Configure Virtual Host using FQDN

ARP and DNS. ARP entries are cached by network devices to save time, these cached entries make up a table

Linux Network Security

Procedure: You can find the problem sheet on Drive D: of the lab PCs. 1. IP address for this host computer 2. Subnet mask 3. Default gateway address

The Trivial Cisco IP Phones Compromise

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet

Load Balancing. Final Network Exam LSNAT. Sommaire. How works a "traditional" NAT? Un article de Le wiki des TPs RSM.

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

Chapter 1 Personal Computer Hardware hours

M2M Series Routers. Port Forwarding / DMZ Setup

Proxies. Chapter 4. Network & Security Gildas Avoine

Hosting more than one FortiOS instance on. VLANs. 1. Network topology

VPN Configuration Guide. Linksys (Belkin) LRT214 / LRT224 Gigabit VPN Router

Computer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce. Domain Name System

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

LAN TCP/IP and DHCP Setup

Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure

Network Virtualization Network Admission Control Deployment Guide

Essential Curriculum Computer Networking 1. PC Systems Fundamentals 35 hours teaching time

BASIC ANALYSIS OF TCP/IP NETWORKS

Figure 41-1 IP Filter Rules

Multifunctional Broadband Router User Guide. Copyright Statement

CS5008: Internet Computing

SSVP SIP School VoIP Professional Certification

H0/H2/H4 -ECOM100 DHCP & HTML Configuration. H0/H2/H4--ECOM100 DHCP Disabling DHCP and Assigning a Static IP Address Using HTML Configuration

TCP/IP Security Problems. History that still teaches

Post-Class Quiz: Telecommunication & Network Security Domain

Lesson Plans Managing a Windows 2003 Network Infrastructure

Local DNS Attack Lab. 1 Lab Overview. 2 Lab Environment. SEED Labs Local DNS Attack Lab 1

CSE 127: Computer Security. Network Security. Kirill Levchenko

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Application Note. SIP Domain Management

Lesson 13: DNS Security. Javier Osuna GMV Head of Security and Process Consulting Division

JOB READY ASSESSMENT BLUEPRINT COMPUTER NETWORKING FUNDAMENTALS - PILOT. Test Code: 4514 Version: 01

Packet Sniffers Submitted in partial fulfillment of the requirement for the award of degree Of MCA

Network System Design Lesson Objectives

DEPLOYMENT GUIDE Version 1.1. DNS Traffic Management using the BIG-IP Local Traffic Manager

Wireless Security Overview. Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance

Computer Networks CCNA Module 1

2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008

Lab PC Network TCP/IP Configuration

CYBER ATTACKS EXPLAINED: THE MAN IN THE MIDDLE

Using Remote Desktop Software with the LAN-Cell

VLAN 802.1Q. 1. VLAN Overview. 1. VLAN Overview. 2. VLAN Trunk. 3. Why use VLANs? 4. LAN to LAN communication. 5. Management port

Network Concepts. IT 4823 Information Security Concepts and Administration. The Network Environment. Resilience. Network Topology. Transmission Media

TALKSWITCH VOIP NETWORK TROUBLESHOOTING GUIDE

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

How To Understand and Configure Your Network for IntraVUE

N-CAP Users Guide Everything You Need to Know About Using the Internet! How Firewalls Work

IMF Tune Quarantine & Reporting Running SQL behind a Firewall. WinDeveloper Software Ltd.

Tools for Attacking Layer 2 Network Infrastructure

NEFSIS DEDICATED SERVER

Basic IPv6 WAN and LAN Configuration

Final Network Exam 01-02

WAN Traffic Management with PowerLink Pro100

Using Remote Desktop Software with the LAN-Cell 3

Chapter 7. Address Translation

This chapter covers the following topics:

Top-Down Network Design

Using IPM to Measure Network Performance

Lab Organizing CCENT Objectives by OSI Layer

What is VLAN Routing?

A S B

UPPER LAYER SWITCHING

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

Own your LAN with Arp Poison Routing

Knowledgebase Solution

Chapter 8 Security Pt 2

IPv6 SECURITY. May The Government of the Hong Kong Special Administrative Region

Agenda. Distributed System Structures. Why Distributed Systems? Motivation

Traffic Analyzer Based on Data Flow Patterns

Configuration Notes 0215

Computer Networking. Definitions. Introduction

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

CMPT 471 Networking II

CompTIA Network+ (Exam N10-005)

Basic Network Configuration

DNS Pharming Attack Lab

Network Configuration Settings

Attack Lab: Attacks on TCP/IP Protocols

Technical Support Information Belkin internal use only

Deploying Secure Internet Connectivity

- Introduction to PIX/ASA Firewalls -

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

Multi-Homing Dual WAN Firewall Router

CCNA R&S: Introduction to Networks. Chapter 5: Ethernet

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure

Packet Sniffer Detection with AntiSniff

Network Security. Topology. Spring This is the logical topology of the network environment used for testing.

Lab Developing ACLs to Implement Firewall Rule Sets

Network: several computers who can communicate. bus. Main example: Ethernet (1980 today: coaxial cable, twisted pair, 10Mb 1000Gb).

Introduction to Computer Security Benoit Donnet Academic Year

An Intrusion Detection System for Kaminsky DNS Cache poisoning

Proxy Server, Network Address Translator, Firewall. Proxy Server

DNS Best Practices. Mike Jager Network Startup Resource Center

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM

Transcription:

Predictability of Windows DNS resolver ing. Roberto Larcher - http://webteca.altervista.org - robertolarcher@hotmail.com rev. 1 - March 11, 2004

Abstract The main DNS security issues have very often focused on server side 1 problems and vulnerabilities. This paper focuses on Windows client DNS service, also called DNS resolver. This paper explains how it is often possible to predict the Transaction ID and the UDP port number used by Windows DNS Resolver. With this information it will be shown how it is possible, under certain conditions, to win the race against the regular DNS server and hijack, for example, a TCP/IP session. Even if this problem has been reported to Microsoft s security experts and we both agreed that there is no immediate threat or security vulnerability, it may be used to attack Windows LAN and WAN clients for example at startup. In WLAN too, which shares the medium and then is subjected to the well-known DNS attacks based on sniffing, this predictability increases the chances of being effectively attacked. Microsoft informed me that the concerns mentioned in this paper will be addressed in future versions of its products. The problem The problem is that the "Transaction ID" and the "UDP port number" used in client DNS queries are predictable. According to [2] RFC 1035 Domain Names - Implementation And Specification, Transaction ID is: a 16 bit identifier assigned by the program that generates any kind of query. This identifier is copied in the corresponding reply and can be used by the requester to match up replies to outstanding queries. Since we are going to send fake replies to regular queries we also need to know the UPD port used by the client to send datagrams. According to [3] RFC 768 User Datagram Protocol, UDP source port indicates the port of the sending process. To test it you can simply flush the DNS client cache if enabled and do some pings to whichever internet site you want. With a network analyzer 2, for instance Politecnico di Torino's Analyzer, it is easy to intercept the packets needed for this brief analysis. Different OS versions behave differently: WinXP sp1 with DNS client service enabled: 1 09:28:45.535209 IP: 10.36.0.35 => 10.36.0.14 (63) UDP: Length= 43, Port (3453 => 53) DNS: Query: Name to Address 2 09:28:46.755663 IP: 10.36.0.35 => 10.36.0.14 (62) UDP: Length= 42, Port (3453 => 53) DNS: Query: Name to Address 3 09:28:53.313006 IP: 10.36.0.35 => 10.36.0.14 (60) UDP: Length= 40, Port (3453 => 53) DNS: Query: Name to Address 4 09:28:56.514783 IP: 10.36.0.35 => 10.36.0.14 (59) UDP: Length= 39, Port (3453 => 53) DNS: Query: Name to Address 5 09:29:00.673814 IP: 10.36.0.35 => 10.36.0.14 (63) UDP: Length= 43, Port (3453 => 53) DNS: Query: Name to Address As far as my tests are concerned, it seems that all the queries are sent with the same UDP port number (in bold in this example). Moreover, when the Client DNS service is (re)started, the transaction ID (not shown in the example) is set to 1 and it is then incremented on each query. 1 For example: [1] Security Issue with DNS Florent Carli SANS Institute, 2003 2 The analyzer has to run on the same client if you are in a switched network and you cannot monitor it. If you try to test your DNS server with the nslookup command-line tool, you may get a different behavior. It seems that nslookup does not use the DNS resolver (it increments both the Transaction ID and the UDP port number ). This is comprehensible: if it used the DSN revolver, it would get the information from its cache and not from the server. 2

WinXP sp1 with DNS client service disabled: 1 09:00:59.350310 IP: 10.36.0.35 => 10.36.0.14 (63) UDP: Length= 43, Port (3440 => 53) DNS: Query: Name to Address 2 09:01:00.788318 IP: 10.36.0.35 => 10.36.0.14 (62) UDP: Length= 42, Port (3441 => 53) DNS: Query: Name to Address 3 09:01:07.143486 IP: 10.36.0.35 => 10.36.0.14 (60) UDP: Length= 40, Port (3442 => 53) DNS: Query: Name to Address 4 09:01:10.448216 IP: 10.36.0.35 => 10.36.0.14 (59) UDP: Length= 39, Port (3443 => 53) DNS: Query: Name to Address 5 09:01:14.744673 IP: 10.36.0.35 => 10.36.0.14 (63) UDP: Length= 43, Port (3444 => 53) DNS: Query: Name to Address In this case the UDP port is incremented in each query and the transaction ID is always set to 1. WinNT sp5, WinNT sp6 and WinNT Server sp6: 1 07:3 8:58.881531 IP: 10.36.0.31 => 10.36.0.14 (63) UDP: Length= 43, Port (1031 => 53) DNS: Query: Name to Address 2 07:38:59.044741 IP: 10.36.0.31 => 10.36.0.14 (62) UDP: Length= 42, Port (1032 => 53) DNS: Query: Name to Address 3 07:39:00.346721 IP: 10.36.0.31 => 10.36.0.14 (60) UDP: Length= 40, Port (1033 => 53) DNS: Query: Name to Address 4 07:39:00.651171 IP: 10.36.0.31 => 10.36.0.14 (59) UDP: Length= 39, Port (1034 => 53) DNS: Query: Name to Address 5 07:39:00.813969 IP: 10.36.0.31 => 10.36.0.14 (63) UDP: Length= 43, Port (1035 => 53) DNS: Query: Name to Address In this case the UDP port is incremented in each query and the transaction ID is always set to 1. Please note that WinNT has no client DNS cache. Win2000 sp3 with DNS client service enabled: 1 10:03:46.152742 IP: 10.36.0.50 => 10.36.0.14 (63) UDP: Length= 43, Port (2579 => 53) DNS: Query: Name to Address 2 10:03:46.456406 IP: 10.36.0.50 => 10.36.0.14 (62) UDP: Length= 42, Port (2580 => 53) DNS: Query: Name to Address 3 10:03:48.060385 IP: 10.36.0.50 => 10.36.0.14 (60) UDP: Length= 40, Port (2581 => 53) DNS: Query: Name to Address 4 10:03:48.249590 IP: 10.36.0.50 => 10.36.0.14 (59) UDP: Length= 39, Port (2582 => 53) DNS: Query: Name to Address 5 10:03:48.425597 IP: 10.36.0.50 => 10.36.0.14 (63) UDP: Length= 43, Port (2583 => 53) DNS: Query: Name to Address In this case the UDP port is incremented in each query and the transaction ID is always set to 1. Win2000 sp4 with DNS client service enabled: 1 07:31:27.221489 IP: 10.36.0.15 => 10.36.0.14 (63) UDP: Length= 43, Port (1041 => 53) DNS: Query: Name to Address 2 07:31:27.448766 IP: 10.36.0.15 => 10.36.0.14 (62) UDP: Length= 42, Port (1042 => 53) DNS: Query: Name to Address 3 07:31:28.608191 IP: 10.36.0.15 => 10.36.0.14 (60) UDP: Length= 40, Port (1043 => 53) DNS: Query: Name to Address 4 07:31:28.784089 IP: 10.36.0.15 => 10.36.0.14 (59) UDP: Length= 39, Port (1044 => 53) DNS: Query: Name to Address 5 07:31:28.917098 IP: 10.36.0.15 => 10.36.0.14 (63) UDP: Length= 43, Port (1045 => 53) DNS: Query: Name to Address In this case the UDP port is incremented in each query and the transaction ID seems to be random. Win2000 sp4 with DNS client service disabled: 1 10:14:33.811720 IP: 10.36.0.15 => 10.36.0.14 (63) UDP: Length= 43, Port (1057 => 53) DNS: Query: Name to Address 2 10:14:34.121979 IP: 10.36.0.15 => 10.36.0.14 (62) UDP: Length= 42, Port (1058 => 53) DNS: Query: Name to Address 3 10:14:35.255329 IP: 10.36.0.15 => 10.36.0.14 (60) UDP: Length= 40, Port (1059 => 53) DNS: Query: Name to Address 4 10:14:35.394092 IP: 10.36.0.15 => 10.36.0.14 (59) UDP: Length= 39, Port (1060 => 53) DNS: Query: Name to Address 5 10:14:35.529493 IP: 10.36.0.15 => 10.36.0.14 (63) UDP: Length= 43, Port (1061 => 53) DNS: Query: Name to Address In this case the UDP port is incremented in each query and the transaction ID seems to be random. Real-life network monitoring sessions tracking all the DNS client requests [alternative: every/each DNS client request] were made and, when DNS cache is enabled, both transaction ID and UDP port number are low-ranged. 3

More on WinXP SP1 More extended tests were made on WinXP SP1 (the latest Windows client version with the latest Service Pack at the moment of writing) and it seems very easy to guess the UDP port number assigned to the DNS resolver. It seems actually to be the first free UDP port at the moment of the first DNS request. Moreover, in the standard configuration, i.e. with Internet Time Server enabled and set to time.windows.com, at startup before the logon WinXP tries to synchronize and makes a DNS request. So the DNS resolver always gets a low UDP port number in my tests 1027 is the more frequent, followed by 1028 or 1029. The sample application In order to make real-life tests, an application has been developed. This application, dnspoison 3, tries to corrupt a client DNS cache by flooding it with fake DNS replies. The application takes this set of parameters: dnspoison [-i interface] [-t target] [-s real_dns_ip] [-f fake_ip] [-p port_number] [-r id_range] [-q question_name] By flooding a client with a forged DNS response on UDP port 1027, a specific FQDN 4 transaction ID cyclically ranging from 0 to 20, the DNS cache has been corrupted: and www.test.net ---------------------------------------- Record name..... : www.test.net Record type..... : 1 Time To Live..... : 3588 Data Length..... : 4 Section....... : Answer Record A (Host)... : 192.168.0.11 As you can see, a Internet FQDN has been mapped to a local LAN address. Obviously a lot of attacks can be done once the client has been fooled about the IP 5. For instance I hijacked the internet browser traffic to a fake proxy without any problem. See later for a complete example. 3 You can download it here http://webteca.altervista.org/dnspoison.htm 4 FQDN: A fully qualified domain name consists of a host and domain name, including top-level domain. For example, webteca.altervista.org is a fully qualified domain name; webteca is the host, altervista is the second-level domain, and.org is the top level domain. (http://www.webopedia.com/term/f/fqdn.html) 5 A compete set of attacks can be found in : [5] DNS ID prediction and exploitation, Gamma - August 1998 4

How this problem can be used: some topology scenarios This flaw can be exploited to try to hijack TCP/IP sessions. Any time a client requests an IP address to a DNS server you can use this predictability to increase your chances to win the race against the server itself. Suppose that an attacker wants to hijack the TCP/IP session to a specific FQDN. Different scenarios are vulnerable 6 in different ways. Switched Ethernet In this case an attacker cannot see any packet form the net 7, so he have to: guess the Transaction ID, guess the UDP port number, be faster than the real DNS. The first two points are covered by the reported predictability. The third is deeply dependant on the layout of the net. Consider this picture: attacker target Internet or Private WAN Firewall LAN DNS Server outside inside In this case, the DNS server, the target and the attacker are on the same net. So the attacker has to be quicker than the DNS Server. If we consider an application like dnspoison that cycles the transaction ID, for example, from 0 to 200, the chances to win the race are few. Other techniques, such as DNS Server flooding to try to slow it down, may help. 6 Strictly speaking is not any mayor vulnerability, but it is possible that the predictability reported in this paper could issue security concerns for some users, such as corporate ones. 7 Of course he can be on a monitoring port, or use ARP poisoning or port stealing, but in this cases, why should he use other techniques? 5

But what if the requested FQDN is not in the local DNS Server cache? Often the DNS is configured to ask some other trusted DNS servers located in Internet or in a private network. Trusted DNS Server attacker target Internet or Private WAN Firewall LAN Local DNS Server outside inside In such cases a hop (or even more) is needed to retrieve the required data to the client. So the attacker has much more time to deliver its attack, and consequently, its chances of success will be higher. It may also happen that, for whatever reason, the DNS is located in the DMZ: Trusted DNS Server attacker target Internet or Private WAN Firewall LAN DMZ Local DNS Server outside inside In this case the firewall introduces a delay in the packet dispatching, which, again, delays the DNS response. 6

Switched Ethernet cross VLANs cache corruption In this case we suppose that the attacker and the target are on different VLANs. In this scenario, the VLANs can of course see each other via a routing device (for example a router or a multilayer switch not shown in the picture). The attacker cannot see any packet form the target, either using techniques like ARP spoofing or using port stealing. As in the above scenario, he needs to: guess the Transaction ID, guess the UDP port number, be faster than the real DNS. Trusted DNS Server attacker target Internet or Private WAN Firewall LAN VLAN 1 VLAN 2 VLAN 3 DMZ Local DNS Server outside inside According to my test, a client s DNS cache can be effectively corrupted over VLANs. In this case, the predictability of the Transaction ID and the UDP port number opens/causes more severe problems to the security of the net. In fact, it can be regarded as a less efficient arp-spoofing-like technique over VLANs. Let s examine this definition: Less efficient, since you still have to guess the right Transaction ID and the UDP port Number, arp-spoofing-like, since the final effect is quite similar to arp-spoofing: here you fool a LAN client into believing that a FQDN has a fake IP address, there you fool a LAN client into believing that a particular IP address has a fake MAC address, over VLANs since the attacker and the target are in two different VLANs. 7

Shared environments Obviously in shared environments, such as Ethernet on hubs, Token ring or 802.11 wireless LANs, it is easier to hijack TCP/IP sessions. In this case you can simply monitor the medium in order to get a DNS request and once you have found a suitable request, you simply forge the right answer 8. You do not need to guess anything: you need only to win the race with the regular server. But if you have a DNS request packet, you will know the client UDP port number, and since the Transaction ID is predictable, you will know all the parameters for the next request and the next reply too. In this case, you can flood the client with only the right next answer, and your chances to win the race increase a lot 9. How this problem can be used: some corporate scenarios Corporate scenarios Browser Settings The typical corporate PC especially in large companies comes with fixed configuration. This helps administrators to manage huge numbers of computers. But it also may help an attacker to set up some attacks. Think, for example, about a corporate PC with WinXP sp1 that: has fixed, armored configuration, opens the corporate Intranet site at startup, uses a FQDN to specify the proxy to connect to Internet. In this case it is quite easy for an internal attacker to get the information needed to fool the browser about the proxy IP address and hijack all the Internet traffic. He actually has: the FQDN to impersonate, the UPD port number, low-numbered since Internet Time is enabled by default, the transaction ID, low-numbered since the corporate Intranet opens at startup I tried to accomplish this with the DNS one hop far from the target and I got the client fooled. 8 This is a well-known attack. Again, for example: [5] DNS ID prediction and exploitation 9 For example consider the second or the third switched Ethernet pictures and apply them to shared Ethernet. 8

Corporate scenarios WAN Large companies may have branches that are connected through WAN (or VPNs). In this case it is quite frequent that the DNS is located in the corporate main site or HQ. A branch s PC can be more than a hop far from the server. So an attacker can flood a target locally and even remotely. target Branch A attacker Internet or Private WAN Branch B HQ DNS Server Conclusions In this paper it has been shown that some versions of Windows DNS resolver (client side) present some problems about predictability of the Transaction ID and the UDP port Number. Even if I do not think that this kind of problems is a vulnerability and there is no immediate threat, there are (however) some scenarios in which some security issues can arise. Tests were made in order to check if these problems can lead to client side cache corruption in real life situations. This can be done under certain conditions. Acknowledgements I am greatly thankful to Marco Favaretto who revised this paper. Thanks also to my sister Cinzia for additional corrections. Of course any mistake in this paper is only my responsibility. 9

References [1] Security Issue with DNS Florent Carli SANS Institute, 2003 http://www.sans.org/rr/papers/17/1069.pdf [2] RFC 1035: Domain Names - Implementation And Specification P. Mockapetris ISI, November 1987 http://www.faqs.org/rfcs/rfc1035.html [3] RFC 768: User Datagram Protocol J. Postel- ISI, 28 August 1980 http://www.faqs.org/rfcs/rfc768.html [4] DNS ID prediction and exploitation Gamma, August 1998 http://c0vertl.tripod.com/text/dnsattack.txt [5] DNS Cache Poisoning - The Next Generation Joe Stewart, Jan 27 2003 http://www.securityfocus.com/guest/17905 [6] Strange Attractors and TCP/IP Sequence Number Analysis Michal Zalewski, 2001 http://razor.bindview.com/publish/papers/tcpseq.html [7] The dsniff suite Dug Song http://naughty.monkey.org/~dugsong/dsniff/faq.html 10

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information