DNS Attack - Clarkson University



Dalia Solomon

DNS Attack

DNS BACKGROUND

DNS is short for Domain Name System (or Service or Server). DNS is an Internet service that translates domain names into IP addresses. Because domain names are alphabetic, they are easier for people to remember. Internet traffic, however, is really based on IP addresses. Every time you use a domain name, therefore, a DNS service must translate the name into the corresponding IP address. For example, the domain name www.example.com might translate to 198.134.272.5.

CONFIGURATION

The trace used in this experiment was taken on a private network. Two laptops and a Linux BIND DNS server were connected via a NAT router. The router was connected to a Clarkson Internet-routable address for Internet connectivity.

1

Attacker Laptop A: IP 192.168.0.4, MAC 00-0c-29-df-af-9b

Laptop B: IP 192.168.0.2


Man in the Middle - A “man in the middle” attack is performed when a malicious user is able to read, and possibly modify at will, messages between two parties without either party knowing that they have been attacked. The malicious computer forwards frames between the two computers, so communications are not interrupted. In our case laptop A will be the “middle man” between laptop B and the DNS server.

This particular attack - In this particular attack a program was used to mimic a real DNS server, returning only A records that point to its own IP address. In other words, no matter what domain you ask for, you get the attacking computer's address in return. This, in itself, is useless unless you can tell the computers on your network that you are really the DNS server. This is where MAC address spoofing comes in. With the MAC address spoof you can convince the computers on your LAN that the MAC address (and thus the NIC to talk to) of the DNS server is your own computer's.

KNOPPIX

“Knoppix STD” - STD stands for Security Tools Distribution. Knoppix-STD is a customized distribution of the Knoppix Live Linux CD. Knoppix STD is a bootable CD with a Linux OS, Linux kernel 2.4.2, and an emphasis on information security tools. STD focuses on information security and network management tools. The tools are divided into the following categories:

Authentication
Encryption utilities
Firewalls
Penetration tools
Vulnerability assessment
Forensic tools
Honeypots
Intrusion detection
Packet sniffers and assemblers
Network utilities
Wireless tools
Password auditing (crackers)
Servers


Step I

Laptop A was booted from the CD drive with Knoppix STD. Laptop B runs Ethereal 0.10.3.

Step II

On laptop A, I type the following command:

arpspoof -i eth0 192.168.0.3

Arpspoof intercepts packets on a switched LAN.

Laptop A constantly sends the victim computer, laptop B, ARP replies telling it that the MAC address 00-0c-29-df-af-9b, which is actually our MAC address, belongs to the IP of the DNS server (192.168.0.3). Almost immediately the victim computer, laptop B, believes us and makes a wrong entry in its ARP cache. (The poor implementation of the ARP protocol was not intentional. The code for the protocol has been in use for quite some time; in the original design security was not an issue.) When Laptop B wants to send an IP packet to the DNS server it sends the Ethernet frame to Laptop A's MAC address, so laptop A actually gets the IP packet.

Usage: arpspoof [-i interface] [-t target] host

-i interface: Specify the interface to use.

-t target: Specify a particular host to ARP poison (if not specified, all hosts on the LAN).

host: Specify the host you wish to intercept packets for (usually the local gateway).


On laptop A, we have the following screen:

The above screenshot shows us the status of the MAC spoofing. It lets us know each time a reply packet is sent. The first column is the MAC of the attacking computer (Laptop A), the second is the Ethernet broadcast address (to send it to everyone in our switch's broadcast domain), the 7th column is the address of the real DNS server and the 9th column is again the MAC address of the attacker (laptop A). This means that the attacking machine (Laptop A) tells the entire network that the attacking computer's MAC resolves to the real DNS server's IP address. Once we have this in place we have effectively told every computer on our LAN that we are indeed the real DNS server.

The following is an Ethereal trace taken on Laptop B, showing the ARP reply.


Notice, when I type the command (on Laptop B):

arp -a

We see that both laptop A and the DNS server have the same MAC address, 00-0c-29-df-af-9b. The command arp -a shows us the local machine's ARP table. This table gives the machine a set of remembered MAC addresses for IP addresses so that it does not need to repeatedly broadcast to find this information for each network transmission. Our arpspoof exploit depends on the fact that when a machine receives an ARP reply it assumes it sent the request and puts the reply into its ARP table without question. If the ARP code were modified to check whether a request had been sent before adding an entry to its table, all the switched-network exploits would become useless.

NSLOOKUP

Nslookup is a DNS testing tool. Nslookup allows you to make a command-line request for a DNS resolution. It will let you know if it finds a CNAME record and returns the referenced name with its A record or, if there is no CNAME, it will return the A record (the IP of the host). For further exploration, a Linux tool called dig can give you more verbose results about DNS resolutions as well as traces of recursive queries.

The following screenshot shows that every time Laptop B enters any domain name, the IP address will be 192.168.0.4, which is actually laptop A's IP address.
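The duplicate-MAC symptom that arp -a exposes on Laptop B can be checked automatically. The following script is an added example, not part of the original report: it parses arp -a output (Windows or Linux layout) and flags any MAC claimed by more than one IP. The sample table is constructed to match the addresses used in this lab.

```python
import re
from collections import defaultdict

# Constructed sample of `arp -a` output on Laptop B (Windows layout) after the
# poisoning above: the DNS server (192.168.0.3) and Laptop A (192.168.0.4)
# now share Laptop A's MAC. A Linux-style line is handled by the same regex.
SAMPLE_ARP_TABLE = """\
Interface: 192.168.0.2 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           00-11-22-33-44-55     dynamic
  192.168.0.3           00-0c-29-df-af-9b     dynamic
  192.168.0.4           00-0c-29-df-af-9b     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One IPv4 address followed (anywhere later on the line) by a MAC in either
# 00-0c-29-... or 00:0c:29:... notation.
ENTRY_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}).*?"
    r"(?P<mac>(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2})"
)

def parse_arp_table(text):
    """Map each MAC (normalised to lower-case, colon-separated) to the sorted
    list of IPs that claim it, from `arp -a` output in Windows or Linux form."""
    by_mac = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            mac = m.group("mac").lower().replace("-", ":")
            by_mac[mac].add(m.group("ip"))
    return {mac: sorted(ips) for mac, ips in by_mac.items()}

def find_duplicate_macs(text):
    """MACs claimed by more than one IP: the symptom `arp -a` showed on Laptop B.
    Broadcast and IPv4 multicast (01:00:5e:...) entries are never a finding.
    A router legitimately holding several IPs will also show up, so treat hits
    as something to verify against the switch's MAC table, not as proof."""
    return {
        mac: ips
        for mac, ips in parse_arp_table(text).items()
        if len(ips) > 1 and mac != "ff:ff:ff:ff:ff:ff" and not mac.startswith("01:00:5e")
    }

if __name__ == "__main__":
    for mac, ips in find_duplicate_macs(SAMPLE_ARP_TABLE).items():
        print(f"possible ARP poisoning: {mac} is claimed by {', '.join(ips)}")
```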


Step III

I open another bash shell on laptop A, and type the following command:

dnsspoof

This command will allow laptop A to see all the websites laptop B is trying to reach.


Here is a list of websites laptop B accessed.

From our screenshot of dnsspoof, we can see that this program simply returns A records pointing to its own address for any query received. This can be useful information for tracking where users are going. As you can see from the last column, we have the names asked for by the tricked computer, so we can see what sites they intended to explore.
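Seen from Laptop B's side, the dnsspoof behaviour has two detectable signatures: public names resolving into private address space, and one answer IP serving many unrelated domains. The following script is an added example, not part of the original report; it audits a constructed list of (name, answer) pairs that mirrors what Laptop B receives while dnsspoof is running.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of (query name, A-record answer) pairs as Laptop B sees
# them while dnsspoof answers every query with Laptop A's address 192.168.0.4.
# The last entry is a legitimately private name, included as a control.
SAMPLE_ANSWERS = [
    ("www.google.com", "192.168.0.4"),
    ("www.clarkson.edu", "192.168.0.4"),
    ("www.example.com", "192.168.0.4"),
    ("mail.example.org", "192.168.0.4"),
    ("intranet.local", "192.168.0.10"),
]

def registrable_domain(name):
    """Crude grouping key: the last two labels. A real deployment would use a
    public-suffix list; this keeps the example offline."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def audit_answers(answers, min_domains=3):
    """Two checks for dnsspoof-style answers:
    - a public-looking name (not under .local) resolving into private address space;
    - one answer IP serving at least `min_domains` unrelated domains (a sinkhole).
    Returns both findings so the caller can alert or compare with a second resolver."""
    private_answers = []
    domains_by_ip = defaultdict(set)
    for name, ip in answers:
        addr = ipaddress.ip_address(ip)
        domains_by_ip[ip].add(registrable_domain(name))
        if addr.is_private and not name.lower().endswith(".local"):
            private_answers.append((name, ip))
    sinkhole_ips = {
        ip: sorted(domains)
        for ip, domains in domains_by_ip.items()
        if len(domains) >= min_domains
    }
    return {"private_answers": private_answers, "sinkhole_ips": sinkhole_ips}

if __name__ == "__main__":
    report = audit_answers(SAMPLE_ANSWERS)
    for ip, domains in report["sinkhole_ips"].items():
        print(f"{ip} answers for {len(domains)} unrelated domains: {domains}")
    for name, ip in report["private_answers"]:
        print(f"{name} -> {ip}: public name resolved into private space")
```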

Step IV

On laptop A:

a) /etc/init.d/apache start


Laptop A, doing the spoofing, is 192.168.0.4, and laptop B, being spoofed, is 192.168.0.2. If I am on 192.168.0.2 and I put www.google.com in the browser, my laptop (B) has www.google.com resolve to 192.168.0.4, so it sends a request to 192.168.0.4, which is laptop A. If 192.168.0.4 has no web server running, 192.168.0.2 will get an error and no page will load, but if there is a web server then it will get whatever page we have as index.htm.

The following screenshot illustrates the scenario where laptop B enters an invalid URL and gets the default index.htm of laptop A, which is the Apache index page in our case.

Note: This works only when the URL Laptop B requests is the main page (www.google.com). In all other cases, such as www.google.com/example, Laptop B will get a 404 Error, page not found.

b) edit /var/www/index.htm


c) Write the HTML code. In our case “you’ve been spoofed”.

What we are doing here: since our spoofed DNS server replies to any request with the IP address of our computer (Laptop A), we need a web server running to answer these requests. In our example, I started the Apache web server and then modified index.htm to what I want the spoofed computer (Laptop B) to see. Every time Laptop B tries to access a specific web site, it will get the screen with the message “you’ve been spoofed”.

Laptop B attempts to access www.google.com


Packets 832-837 and 839 are the packets carrying index.htm. If you follow the TCP stream you get the following screen. Notice that the red text lists Host as www.google.com.
