DNS Spoofing techniques By Spacefox, Secure Sphere Crew - January 23rd, 2002



Similar documents
Session Hijacking Exploiting TCP, UDP and HTTP Sessions

ARP and DNS. ARP entries are cached by network devices to save time, these cached entries make up a table

Local DNS Attack Lab. 1 Lab Overview. 2 Lab Environment. SEED Labs Local DNS Attack Lab 1

This Lecture. The Internet and Sockets. The Start If everyone just sends a small packet of data, they can all use the line at the same.

Introduction to Network Operating Systems

PaperCut Payment Gateway Module - RBS WorldPay Quick Start Guide

Attack Lab: Attacks on TCP/IP Protocols

Wireless Security: Secure and Public Networks Kory Kirk

1. LAB SNIFFING LAB ID: 10

Step-by-Step Configuration

Network Security. Mobin Javed. October 5, 2011

An Intrusion Detection System for Kaminsky DNS Cache poisoning

Chapter 8 Security Pt 2

BASIC ANALYSIS OF TCP/IP NETWORKS

CYBER ATTACKS EXPLAINED: THE MAN IN THE MIDDLE

VIDEO Intypedia013en LESSON 13: DNS SECURITY. AUTHOR: Javier Osuna García-Malo de Molina. GMV Head of Security and Process Consulting Division

Ethical Hacking as a Professional Penetration Testing Technique

Lab - Observing DNS Resolution

Predictability of Windows DNS resolver. ing. Roberto Larcher robertolarcher@hotmail.com

First Midterm for ECE374 03/09/12 Solution!!

Packet Sniffing and Spoofing Lab

Guideline for setting up a functional VPN

DNS Basics. DNS Basics

INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY

DNS Pharming Attack Lab

Chapter 10 Troubleshooting

CSE 127: Computer Security. Network Security. Kirill Levchenko

Packet Sniffer Detection with AntiSniff

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

A Research Study on Packet Sniffing Tool TCPDUMP

Intrusion Detection Systems. Darren R. Davis Student Computing Labs

Procedure: You can find the problem sheet on Drive D: of the lab PCs. 1. IP address for this host computer 2. Subnet mask 3. Default gateway address

Content Distribution Networks (CDN)

Ethereal Lab: DNS. 1. nslookup

Network Basics GRAPHISOFT. for connecting to a BIM Server (version 1.0)

DNS Pharming Attack Lab

TCP/IP Security Problems. History that still teaches

DOMAIN NAME SECURITY EXTENSIONS

DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008

Computer Networks I Laboratory Exercise 1

Internet Security [1] VU Engin Kirda

Sniffing in a Switched Network

Network Security - ISA 656 Application Firewalls

Final for ECE374 05/06/13 Solution!!

INTRUDER DETECTION MONITORING APPLICATION USING SNMP PROTOCOL

Packet Sniffing on Layer 2 Switched Local Area Networks

Outline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg

Networking Guide Redwood Manager 3.0 August 2013

Own your LAN with Arp Poison Routing

Ref: A. Leon Garcia and I. Widjaja, Communication Networks, 2 nd Ed. McGraw Hill, 2006 Latest update of this lecture was on

Note! The problem set consists of two parts: Part I: The problem specifications pages Part II: The answer pages

Remote DNS Cache Poisoning Attack Lab

Internet Control Protocols Reading: Chapter 3

Network Fundamentals Carnegie Mellon University

Zero Configuration VPN Clients for Mobile Users

Lecture 2 CS An example of a middleware service: DNS Domain Name System

Network Security - ISA 656 Firewalls & NATs

Lab 7.1.9b Introduction to Fluke Protocol Inspector

Customer Tips. Network Packet Analyzer Tips. for the user. Purpose. Introduction to Packet Capture. Xerox Multifunction Devices.

The Domain Name System from a security point of view

Computer Networks: Domain Name System

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Computer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce. Domain Name System

STEP 5: Giving Feedback

TCP/IP Attack Lab. 1 Lab Overview. 2 Lab Environment. 2.1 Environment Setup. SEED Labs TCP/IP Attack Lab 1

Using a Malicious Proxy to Pilfer Data & Wreak Havoc. Edward J. Zaborowski ed@thezees.net

Quick Start for Network Agent. 5-Step Quick Start. What is Network Agent?

Firewall implementation and testing

How Does Ping Really Work?

How To - Configure Virtual Host using FQDN How To Configure Virtual Host using FQDN

Lab - Using Wireshark to View Network Traffic

SWE 444 Internet and Web Application Development. Introduction to Web Technology. Dr. Ahmed Youssef. Internet

Intrusion Detection, Packet Sniffing

CCNA Discovery Networking for Homes and Small Businesses Student Packet Tracer Lab Manual

co Characterizing and Tracing Packet Floods Using Cisco R

DNS Resolving using nslookup

NETWORKS AND THE INTERNET

Module 6.3 Client Catcher The Sequence (Already Buying Leads)

EKT 332/4 COMPUTER NETWORK

CSCE 465 Computer & Network Security

Introduction on Low level Network tools

Wireshark DNS. Introduction. nslookup

WRITING PROOFS. Christopher Heil Georgia Institute of Technology

Deep analysis of a modern web site

Lab VI Capturing and monitoring the network traffic

Linux Network Security

Cape Girardeau Career Center CISCO Networking Academy Bill Link, Instructor. 2.,,,, and are key services that ISPs can provide to all customers.

5 DNS Security Risks That Keep You Up At Night (And How To Get Back To Sleep)

Midterm Exam CMPSCI 453: Computer Networks Fall 2011 Prof. Jim Kurose

Earn Money Sharing YouTube Videos

Lab exercise: Working with Wireshark and Snort for Intrusion Detection

Forouzan: Chapter 17. Domain Name System (DNS)

During your session you will have access to the following lab configuration. CLIENT1 (Windows XP Workstation) /24

SSL VPN Technology White Paper

Chapter 25 Domain Name System Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

Enterprise Architecture Office Resource Document Design Note - Domain Name System (DNS)

Figure 1. Wireshark Menu Bar

Transcription:

DNS Spoofing techniques By Spacefox, spacefox@securesphere.net Secure Sphere Crew - January 23rd, 2002 "What you must learn is that these rules are no different than the rules of a computer system. Some of them can be bent, others can be broken." - Matrix - Overview : What is DNS Spoofing? DNS Spoofing is the art of making a DNS entry to point to an another IP than it would be supposed to point to. To understand better, let's see an example. You're on your web browser and wish to see the news on www.cnn.com, without to think of it, you just enter this URL in your address bar and press enter. Now, what's happening behind the scenes? Well... basically, your browser is going to send a request to a DNS Server to get the matching IP address for www.cnn.com, then the DNS server tells your browser the IP address of CNN, so your browser to connect to CNN's IP address and display the content of the main page. Hold on a minute... You get a message saying that CNN's web site has closed because they don't have anymore money to pay for their web site. You're so amazed, you call and tell that to your best friend on the phone, of course he's laughing at you, but to be sure, he goes to CNN web site to check by himself. You are surprised when he tells you he can see the news of the day as usual and you start to wonder what's going on. Are you sure you are talking to the good IP address? Let's check. You ask your friend to fire up his favorite DNS resolving tool (or simply ping) and to give you the IP address he's getting for www.cnn.com. Once you got it, you put it in your browser URL bar : http://212.153.32.65 You feel ridiculous and frustrated when you see CNN's web page with its daily news. Well you've just been the witness of a DNS hijacking scenario. You're wondering what happened, did the DNS Server told you the wrong IP address? Maybe... At least this is the most obvious answer coming to our mind. In fact there are two techniques for accomplishing this DNS hijacking. Let's see the first one, the "DNS ID Spoofing" technique. - A) DNS Cache Poisoning As you can imagine, a DNS server can't store information about all existing names/ip on the net in its own memory space. That's why DNS server have a cache, it enables them to keep a DNS record for a while. In fact, A DNS Server has the records only for the machines of the domain it has the authority, if it needs to know about machines out of his domain, it has to send a request to the DNS Server which handles these machines and since it doesn't want to ask all the time about records, it can store in its cache the replies returned by other DNS servers. Now let's see how someone could poison the cache of our DNS Server. An attacker his running is own domain (attacker.net) with his own hacked DNS Server (ns.attacker.net) Note that I said hacked DNS Server because the attacker customized the records in his own DNS server, for instance one record could be www.cnn.com=81.81.81.81 1 of 7 10/2/05 3:17 PM

1) The attacker sends a request to your DNS Server asking it to resolve www.attacker.net 2) Your DNS Server is not aware of this machine IP address, it doesn't belongs to his domain, so it needs to asks to the responsible name server. 3) The hacked DNS Server is replying to your DNS server, and at the same time, giving all his records (including his record concerning www.cnn.com) Note : this process is called a zone transfer. 4) The DNS server is not "poisoned". The attacker got his IP, but who cares, his goal was not to get the IP address of his web server but to force a zone transfer and make your DNS server poisoned as long as the cache will not be cleared or updated. 5) Now if you ask your DNS server, about www.cnn.com IP address it will give you 172.50.50.50, where the attacker run his own web server. Or even simple, the attacker could just run a bouncer forwarding all packets to the real web site and vice versa, so you would see the real web site, but all your traffic would be passing through the attacker's web site. - B) DNS ID Spoofing We saw that when a machine X wants to communicate with a machine Y, the former always needs the latter IP address. However in most of cases, X only has the name of Y, in that case, the DNS protocol is used to resolve the name of Y into its IP address. Therefore, a DNS request is sent to a DNS Server declared at X, asking for the IP address of the machine Y. Meanwhile, the machine X assigned a pseudo random identification number to its request which should be present in the answer from the DNS server. Then when the answer from the DNS server will be received by X, it will just have to compare both numbers if they're the same, in this case, the answer is taken as valid, otherwise it will be simply ignored by X. Does this concept is safe? Not completely. Anyone could lead an attack getting this ID number. If you're for example on LAN, someone who runs a sniffer could intercept DNS requests on the fly, see the request ID number and send you a fake reply with the correct ID number... but with the IP address of his choice. Then, without to realize it, the machine X will be talking to the IP of attacker's choice thinking it's Y. By the way, the DNS protocol relies on UDP for requests (TCP is used only for zone 2 of 7 10/2/05 3:17 PM

transferts), which means that it is easy to send a packet coming from a fake IP since there are no SYN/ACK numbers (Unlike TCP, UDP doesn't provide a minimum of protection against IP spoofing). Nevertheless, there are some limitations to accomplish this attack. In my example above, the attacker runs a sniffer, intercept the ID number and replies to his victim with the same ID number and with a reply of his choice. In the other hand, even if the attacker intercepted your request, it will be transmitted to the DNS Server anyway which will also reply to the request (unless the attacker is blocking the request at the gateway or carry out ARP cache poisoning which would make the attack possible on a switched network by the way). That means that the attacker has to reply BEFORE the real DNS server, which means that to succeed this attack, the attacker MUST be on the same LAN so to have a very quick ping to your machine, and also to be able to capture your packets. Practical example (to be done a network for testing purposes ONLY) To see yourself how to hijack a connection from a machine on your local area network, we can do the followings : First step : Poison the ARP cache of the victim's machine (tools and explanations for realizing this task can be found at http://www.arp-sk.org) Second step : Now, outgoing packets of the target will be redirected to your host, but you have to forward the traffic to the real gateway, this can be achieved with a tool like Winroute Pro. Third step : We then use WinDNSSpoof, developed by valgasu (www.securiteinfo.org) which is a tool that greatly help to carry out DNS ID Spoofing. (Before to use this tool be sure you have the Winpcap library installed on your machine, see http://winpcap.polito.it). We run it in the cmd like : wds -n www.cnn.com -i 123.123.123.123 -g 00-C0-26-DD-59-CF -v This will make www.cnn.com to point to 123.123.123.123 on the victim's machine. 00-C0-26-DD-59-C being the MAC Address of the gateway or DNS server. WARNING : Please keep in mind that the use of these tools on a network without explicit authorization of the administrator is strictly forbidden. - C) Making the attack more accurate with the Birthday Paradox What is that Birthday Paradox? 3 of 7 10/2/05 3:17 PM

The birthday paradox gets its name from the "strange" fact that in a gathering of 23 persons, it's likely that 2 of these persons will have the same birthday date. To understand it, no need to be an ace in mathematics. You're in a party and you go to ask someone his birthday date, the chances that you not sharing the same birthday date with this person are 364/365 or 0.997, therefore the probability that you do share the same birthday date is 1-0.997 = 0.003 Now if you ask somebody else, the chances that you don't share the same birthday date than him AND the guy before are (364/365) x (363/365) = 0.992 and so we can deduce that the probability that at least, 2 of all of you share the same birthday date is 1-0.992 = 0.008 If we carry on these computations for some time, we find out that in a group of 23 persons, the chances are 50% that you someone finds someone else who has the same birthday date than him. You can use the following C code snippet to see how chances are evoluating in function of the number of persons. #define POSSIBILITIES 365.0 void main (void) float chances; int i, j; for (i = 1; i < 100; i++) for (j = 1, chances = 1; j < i; j++) chances *= (float)((possibilities - j) / POSSIBILITIES); printf("for %d people, chances are %f\n", i, 1-chances); For people unable to compile this code, here's an interesting array of outputed values : People 2 9 16 23 30 37 44 65 79 Chances 0.0027 0.0946 0.2836 0.5073 0.7063 0.8487 0.9329 0.9977 0.9999 Let's get back to our attack, in a conventionnal DNS spoofing attack as explained previously, our attacker was wiretapping on the network so as to get the ID number of the request from X and to send a reply with the same ID but containing an IP of the attacker's choice. As I said before, this attack requires the attacker to be able to wiretap the DNS network traffic generated by X. Does this means that the attacker can't carry out this attack without running a sniffer? What about trying to "guess" this ID instead? Why not, but the ID number is coded on 2 bytes, in other words... 65535 possible values! That means that if he wishes to succeed this attack, he would need to fire 65535 fake replies with different ID numbers so at least one packet would contain the correct ID number. This would require a good bandwidth/ping and the main problem is to know WHEN to send the replies? He would have to know when the request has been made, and fire up his packets RIGHT after that, and wishes that his fake replies reach X at the right moment (that is to say, before the real reply from the DNS server gets to X). 4 of 7 10/2/05 3:17 PM

Let's take an another point of view, we saw before that it is possible to "poison" directly the DNS server. To remind you, the attacker was asking a DNS server to resolve www.attacker.net, and then thanks to the zone transfert with malicious records from the ns.attacker.net, the attacker was able to poison the cache of our DNS server. Once again, the limitation of this attack is that the attacker must run its own DNS server with malicious records in it. What if this attacker does not have ability to sniff your traffic or run its own name server, would that mean that you are safe from any DNS hijacking technique? The answer is, not at all. As I mentionned earlier, the DNS protocol is relying on UDP, I also remind you that UDP is not a "connected" protocol, in the way that we just send and receive data without creating a session like TCP. It is then, pretty easy to send an UDP packet with an IP of your choice. So why the attacker woud give himself hard time by setting up a malicious DNS server, when he could send spoofed packet from any DNS server? He could just ask the victim's DNS server to resolve www.cnn.com, and then immediately send a spoofed reply from the nameserver of www.cnn.com with a fake IP address. Yes, in timing matter, it's feasible, the problem is that the victim's DNS server is going to send a query to ns.cnn.com to get www.cnn.com IP address with an ID number, once again the attacker would have to send 65535 spoofed packets with ns.cnn.com as source address to the victim's name server. At least one answer would be correct. This "could" be successfull. Now here's the interesting part... what if the attacker would send let's say 100 requests to the victim's DNS server for resolving www.cnn.com? Well ns.victim.com would send also 100 requests to ns.cnn.com, then what if we would send 100 spoofed replies from ns.cnn.com to ns.victim.com? Well if you understood the Birthday Paradox mentionned earlier, you should understand that probabilities of collision are seriously increased compared to the other method. But there's still a small detail which needs to be taken in account, the source port! Yes, think of it, ns.victim.com is going to send a request to ns.cnn.com, the UDP header would be like this : Source address : ns.victim.com Destination address : ns.cnn.com Source port : 1256 (choosed randomly and > 1024) Destination port : 53 (DNS port) Data : What is the IP of www.cnn.com? It is obvious that the attacker must send the spoofed DNS reply on the source port of ns.victim.com as a destination port, which would be like this : Source address : ns.cnn.com Destination address : ns.victim.com Source port : 53 Destination port : 1256 5 of 7 10/2/05 3:17 PM

Data : The IP of www.cnn.com is 81.81.81.81 So how to guess this source port if we are not sniffing? Well unfortunately on most of the DNS server, the source port will not change for each client, so an attacker could know the source port currently used by ns.victim.com pretty easily. For instance, if he would be running an authoritative nameserver, he could just send a request for a DNS lookup of a hostname of his domain, the received recursive query packet would contain the source port currently used by ns.victim.com for sending DNS queries. Ok, now that we know how we can find the source port, you may wonder what are the probabilities of this attack to be successful, and this is exactly what we are going to study now, and Why not to carry out some changes to our C program to calculate all this? #define POSSIBILITIES 65535.0 void main (void) float chances; int i, j; for (i = 0; i < 800; i+=50) for (j = 1, chances = 1; j < i; j++) chances *= (float)((possibilities - j) / POSSIBILITIES); printf("for %d fake replies, chances are %f\n", i, 1-chances); And here's the reported array : Queries 50 100 150 200 250 300 350 400 500 550 650 750 Chances 0.0185 0.0728 0.1569 0.2621 0.3785 0.4961 0.6069 0.7048 0.8517 0.9008 0.9604 0.9865 We can see that, after that for 650 queries/fake replies, chances are about 0.960411, that is almost 100%! For more detailed informations, I advice you to read the following articles : http://www.kb.cert.org/vuls/id/457875 http://www.securityfocus.com/guest/17905 - Conclusion : In this article, I took the example of www.cnn.com, which is not really interesting for an attacker to redirect. But the problem is much more important when accessing to your bank, to your online book store or even to your web mail cause all given information could be easily read by the attacker. The counter-measures which can be taken by administrators to reduce the risks are mainly : 6 of 7 10/2/05 3:17 PM

- To limit the cache and check that it's not keeping additional records. - Not to make security systems to use/rely on DNS. - Use cryptography like SSL, even if the problem remains the same, it increase difficulty level for the attacker (See article on Man in the Middle) Any comments, remarks or critics are welcome at spacefox@securesphere.net Spacefox, SecureSphere Crew, January 2003 7 of 7 10/2/05 3:17 PM

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information