Monday, September 19, 2011

DNS ID Hacking - part 2

DNS ID Hacking Presentation Part-2
 continues here
 [ns.internic.net] [ns.bibi.com]
198.41.0.4:53 ------>[ns for.com is 144.44.44.4]------> 111.1.2.222:53
Here we can see that ns.internic.net answered ns.bibi.com (which is the
DNS that has authority over the domain bibi.com) that the name server
of for.com has the IP 144.44.44.4 [let's call it ns.for.com]. Now our
ns.bibi.com will ask ns.for.com for the address of www.heike.com,
but this one doesn't have it and will refer us to the DNS of
heike.com, which has authority for heike.com.
[ns.bibi.com] [ns.for.com]
111.1.2.222:53 ------>[?www.heike.com]-----> 144.44.44.4:53
answer from ns.for.com
[ns.for.com] [ns.bibi.com]
144.44.44.4:53 ------>[ns for heike.com is 31.33.7.4]---> 111.1.2.222:53
Now that we know which IP address has authority on the domain "heike.com"
[we'll call it ns.heike.com], we ask it what's the IP of the machine www
[www.heike.com then :)].
[ns.bibi.com] [ns.heike.com]
111.1.2.222:53 ----->[?www.heike.com]----> 31.33.7.4:53
And now we at last have our answer!!
[ns.heike.com] [ns.bibi.com]
31.33.7.4:53 ------->[www.heike.com == 31.33.7.44] ----> 111.1.2.222:53
Great we have the answer, we can forward it to our client bla.bibi.com.
[ns.bibi.com] [bla.bibi.com]
111.1.2.222:53 ------->[www.heike.com == 31.33.7.44]----> 111.1.2.123:1999
Hehe now bla.bibi.com knows the IP of www.heike.com :)
So.. now let's imagine that we'd like to get the name of a machine from its
IP. To do that, the procedure is a little different, because the IP
has to be transformed first:
example:
100.20.40.3 becomes 3.40.20.100.in-addr.arpa
Attention!! This transformation is only for IP-to-name requests (reverse DNS).
So let's look at it in practice when we take the IP of www.heike.com (31.33.7.44,
or "44.7.33.31.in-addr.arpa" after translation into the format DNS
understands).
...
gethostbyaddr("31.33.7.44");
...
[bla.bibi.com] [ns.bibi.com]
111.1.2.123:2600 ----->[?44.7.33.31.in-addr.arpa]-----> 111.1.2.222:53
We send our request to ns.bibi.com
[ns.bibi.com] [ns.internic.net]
111.1.2.222:53 ----->[?44.7.33.31.in-addr.arpa]------> 198.41.0.4:53
ns.internic.net will send the IP of a name server which has authority on
'31.in-addr.arpa'.
[ns.internic.net] [ns.bibi.com]
198.41.0.4:53 --> [DNS for 31.in-addr.arpa is 144.44.44.4] -> 111.1.2.222:53
Now ns.bibi.com will ask the same question to the DNS at 144.44.44.4.
[ns.bibi.com] [ns.for.com]
111.1.2.222:53 ----->[?44.7.33.31.in-addr.arpa]------> 144.44.44.4:53
and so on...
In fact the mechanism is nearly the same as the one used for name
resolution.
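The two dialogues above, the forward walk (root -> ns.for.com -> ns.heike.com) and the reverse one, as an added example that is not from the original article: the three servers are modelled as in-memory tables and the resolver ns.bibi.com is simulated by following their referrals. The names and addresses are the article's; the zone layout is a constructed assumption, in particular the delegation of 7.33.31.in-addr.arpa to ns.heike.com, which fills in the "and so on".

```python
"""Simulated iterative resolution along the article's referral chain.

Constructed example: the three servers are modelled as in-memory tables, so the
walk ns.bibi.com performs (root -> ns.for.com -> ns.heike.com) can be run offline,
for both a forward name and a reverse (in-addr.arpa) name.
"""

def reverse_name(ip):
    """Turn a dotted IPv4 address into its in-addr.arpa name (octets reversed)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"

# Addresses from the article's dialogue.
ROOT = "198.41.0.4"       # ns.internic.net
NS_FOR = "144.44.44.4"    # ns.for.com
NS_HEIKE = "31.33.7.4"    # ns.heike.com

# Constructed zone layout: each server either answers a name directly or refers
# the resolver to the server responsible for a suffix. The reverse delegation of
# 7.33.31.in-addr.arpa to ns.heike.com is assumed (the article stops at "and so on").
SERVERS = {
    ROOT:     {"referrals": {"com": NS_FOR, "31.in-addr.arpa": NS_FOR}},
    NS_FOR:   {"referrals": {"heike.com": NS_HEIKE, "7.33.31.in-addr.arpa": NS_HEIKE}},
    NS_HEIKE: {"answers": {"www.heike.com": "31.33.7.44",
                           "44.7.33.31.in-addr.arpa": "www.heike.com"}},
}

def ask(server_ip, qname):
    """One exchange with a server: ('answer', rdata), ('referral', ns_ip) or ('nxdomain', None)."""
    zone = SERVERS[server_ip]
    if qname in zone.get("answers", {}):
        return "answer", zone["answers"][qname]
    # Longest matching suffix wins, as a real server hands out its closest delegation.
    best = None
    for suffix, ns_ip in zone.get("referrals", {}).items():
        if qname == suffix or qname.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, ns_ip)
    if best:
        return "referral", best[1]
    return "nxdomain", None

def resolve(qname, max_hops=8):
    """Walk referrals from the root like ns.bibi.com does.
    Returns (rdata or None, trace of (server, qname, kind, data) per hop)."""
    trace, server = [], ROOT
    for _ in range(max_hops):
        kind, data = ask(server, qname)
        trace.append((server, qname, kind, data))
        if kind == "answer":
            return data, trace
        if kind == "referral":
            server = data
            continue
        return None, trace
    raise RuntimeError("referral loop: too many hops")

if __name__ == "__main__":
    for name in ("www.heike.com", reverse_name("31.33.7.44")):
        rdata, trace = resolve(name)
        for server, q, kind, data in trace:
            print(f"{server:>12}:53  ?{q:<28} -> {kind} {data}")
        print(f"result: {name} == {rdata}\n")
```

Running it prints the three hops of each walk; the reverse lookup takes exactly the same path through the referral table once the address has been rewritten to 44.7.33.31.in-addr.arpa, which is the point the article makes.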


I hope you understood the dialogue on how DNS works. Now let's study the DNS
message format.
--[1.2]-- DNS packet
Here is the format of a DNS message:
+---------------------------+---------------------------+
|     ID (the famous :)     |           flags           |
+---------------------------+---------------------------+
|    number of questions    |     number of answers     |
+---------------------------+---------------------------+
|  number of authority RR   | number of supplementary RR|
+---------------------------+---------------------------+
|                                                       |
\                                                       \
\                        QUESTION                       \
|                                                       |
+-------------------------------------------------------+
|                                                       |
\                                                       \
\                         ANSWER                        \
|                                                       |
+-------------------------------------------------------+
|                                                       |
\                                                       \
\      Authority and additional RRs (not needed here)   \
|                                                       |
+-------------------------------------------------------+
--[1.3]-- Structure of DNS packets.
__ID__
The ID identifies each DNS packet: since exchanges between name
servers go from port 53 to port 53, and there may be more than one
request in flight at a time, the ID is the only way to tell the different DNS
requests apart. We'll talk about it later..
__flags__
The flags area is divided into several parts:
      4 bits                   3 bits (always 0)
        |                         |
        |                         |
[QR | opcode | AA| TC| RD| RA | zero | rcode ]
  |          |___|___|___|____|          |______ 4 bits
  |_ 1 bit
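The header and question encoding from the figures above, with the flag bits split out, as an added Python example that is not the article's code: it builds the query bla.bibi.com would send, parses a constructed reply carrying the article's answer (www.heike.com == 31.33.7.44, with the answer name compressed through a pointer), and shows the check a resolver must make before trusting a reply, namely that the ID and the question match what it sent. The transaction ID 0x1234 and the reply bytes are constructed sample values.

```python
import struct

# Header from the figure above: six 16-bit big-endian fields (RFC 1035, 4.1.1).
HEADER = struct.Struct("!HHHHHH")

def pack_flags(qr=0, opcode=0, aa=0, tc=0, rd=0, ra=0, rcode=0):
    """Assemble the flags word: QR(1) opcode(4) AA TC RD RA Z(3, zero) rcode(4)."""
    return ((qr << 15) | (opcode << 11) | (aa << 10) | (tc << 9)
            | (rd << 8) | (ra << 7) | (rcode & 0xF))

def unpack_flags(flags):
    """Split the flags word back into its named bit fields."""
    return {"qr": flags >> 15 & 1, "opcode": flags >> 11 & 0xF, "aa": flags >> 10 & 1,
            "tc": flags >> 9 & 1, "rd": flags >> 8 & 1, "ra": flags >> 7 & 1,
            "z": flags >> 4 & 0x7, "rcode": flags & 0xF}

def encode_name(name):
    """Encode 'www.heike.com' as length-prefixed labels ending in a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return bytes(out) + b"\x00"

def decode_name(data, offset):
    """Decode a name at offset, following 0xC0 compression pointers.
    Returns (name, offset just past the name as it appeared in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:           # two-byte pointer into the message
            if end is None:
                end = offset + 2
            offset = struct.unpack_from("!H", data, offset)[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)

def build_query(txid, qname, qtype=1, rd=1):
    """Standard query: header with the given ID, one question, no other sections."""
    return (HEADER.pack(txid, pack_flags(rd=rd), 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, 1))

def parse_message(data):
    """Parse header, question section and answers (A rdata rendered as dotted quad)."""
    txid, flags, qd, an, ns, ar = HEADER.unpack_from(data, 0)
    offset = HEADER.size
    questions, answers = [], []
    for _ in range(qd):
        name, offset = decode_name(data, offset)
        qtype, qclass = struct.unpack_from("!HH", data, offset)
        offset += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", data, offset)
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, rclass, ttl, rdata))
    return {"id": txid, "flags": unpack_flags(flags), "counts": (qd, an, ns, ar),
            "questions": questions, "answers": answers}

def matches_query(query, response):
    """The check a resolver must make before trusting a reply: it is a response
    (QR set), carries the ID we sent, and echoes the exact question we asked."""
    q, r = parse_message(query), parse_message(response)
    return (r["flags"]["qr"] == 1 and r["id"] == q["id"]
            and r["questions"] == q["questions"])

# Constructed sample: the query bla.bibi.com would send, and a reply carrying the
# article's answer (www.heike.com == 31.33.7.44) with the answer name compressed
# as a pointer to offset 12, where the question name starts.
QUERY = build_query(0x1234, "www.heike.com")
REPLY = (HEADER.pack(0x1234, pack_flags(qr=1, rd=1, ra=1), 1, 1, 0, 0)
         + encode_name("www.heike.com") + struct.pack("!HH", 1, 1)
         + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([31, 33, 7, 44]))

if __name__ == "__main__":
    print(parse_message(QUERY))
    print(parse_message(REPLY))
    print("reply accepted:", matches_query(QUERY, REPLY))
```

The match check is exactly what the article's title is about: with the header as drawn, the 16-bit ID (together with the source port and the question) is all that ties a reply to a request, which is why a resolver must at minimum refuse replies whose ID or question differ from what it sent.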
