DNS ID Hacking -part -4
resume here
<the question part>
+------------------------------------------------------------------------+
| name of the question = [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0] |
+------------------------------------------------------------------------+
| type of question = htons(1) | type of query=htons(1) |
+---------------------------------+--------------------------------------+
here is for the question.
now let's stare the answer of ns.heike.com
ns.heike.com:53 -->[IP of www.heike.com is 31.33.7.44] --> ns.bibi.com:53
+---------------------------------+---------------------------------------+
| ID = 1999 | QR=1 opcode=0 RD=1 AA =1 RA=1 |
+---------------------------------+---------------------------------------+
| numbers of questions = htons(1) | numbers of answers = htons(1) |
+---------------------------------+---------------------------------------+
| number of RR authoritative = 0 | number of supplementary RR = 0 |
+---------------------------------+---------------------------------------+
+-------------------------------------------------------------------------+
| name of the question = [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0] |
+-------------------------------------------------------------------------+
| type of question = htons(1) | type of query = htons(1) |
+-------------------------------------------------------------------------+
+-------------------------------------------------------------------------+
| name of the domain = [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0] |
+-------------------------------------------------------------------------+
| type = htons(1) | class = htons(1) |
+-------------------------------------------------------------------------+
| time to live = 999999 |
+-------------------------------------------------------------------------+
| resource data length = htons(4) | resource data=inet_addr("31.33.7.44") |
+-------------------------------------------------------------------------+
Yah! That's all for now :))
Here is an analysis:
In the answer QR = 1 because it's an answer :)
AA = 1 because the name server has authority in its domain
RA = 1 because recursion is available
Good =) I hope you understood that cause you will need it for the following
events.
--[2.0]-- DNS ID hack/spoof
Now it's time to explain clearly what DNS ID hacking/spoofing is.
Like I explained before, the only way for the DNS daemon to recognize
the different questions/answers is the ID flag in the packet. Look at this
example:
ns.bibi.com;53 ----->[?www.heike.com] ------> ns.heike.com:53
So you only have to spoof the ip of ns.heike.com and answer your false
information before ns.heike.com to ns.bibi.com!
ns.bibi.com <------- . . . . . . . . . . . ns.heike.com
|
|<--[IP for www.heike.com is 1.2.3.4]<-- hum.roxor.com
But in practice you have to guess the good ID :) If you are on a LAN, you
can sniff to get this ID and answer before the name server (it's easy on a
Local Network :)
If you want to do this remotely you don't have a lot a choices, you only
have 4 basics methods:
1.) Randomly test all the possible values of the ID flag. You must answer
before the ns ! (ns.heike.com in this example). This method is obsolete
unless you want to know the ID .. or any other favorable condition to
its prediction.
2.) Send some DNS requests (200 or 300) in order to increase the chances
of falling on the good ID.
3.) Flood the DNS in order to avoid its work. The name server will crash
and show the following error!
>> Oct 06 05:18:12 ADM named[1913]: db_free: DB_F_ACTIVE set - ABORT
at this time named daemon is out of order :)
4.) Or you can use the vulnerability in BIND discovered by SNI (Secure
Networks, Inc.) with ID prediction (we will discuss this in a bit).
##################### Windows ID Vulnerability ###########################
I found a heavy vulnerability in Windows 95 (I haven't tested it on
WinNT), lets imagine my little friend that's on Windows 95.
Windows ID's are extremely easy to predict because it's "1" by default :)))
and "2" for the second question (if they are 2 questions at the same time).
######################## BIND Vulnerability ##############################
There is a vulnerability in BIND (discovered by SNI as stated earlier).
In fact, DNS IS are easily predictable, you only have to sniff a DNS in
order to do what you want. Let me explain...
The DNS uses a random ID at the beginning but it only increase this ID for
next questions ... =)))
It's easy to exploit this vulnerability.
Here is the way:
1. Be able to sniff easily the messages that comes to a random DNS (ex.
ns.dede.com for this sample).
2. You ask NS.victim.com to resolve (random).dede.com. NS.victim.com will
ask to ns.dede.com to resolve (random).dede.com
ns.victim.com ---> [?(rand).dede.com ID = 444] ---> ns.dede.com
3. Now you have the ID of the message from NS.victim.com, now you know what
ID area you'll have to use. (ID = 444 in this sample).
4. You then make your resolution request. ex. www.microsoft.com to
NS.victim.com
(you) ---> [?www.microsoft.com] ---> ns.victim.com
ns.victim.com --> [?www.microsoft.com ID = 446 ] --> ns.microsoft.com
5. Flood the name server ns.victim.com with the ID (444) you already have and
then you increase this one.
ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 444] --> ns.victim.com
ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 445] --> ns.victim.com
ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 446] --> ns.victim.com
ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 447] --> ns.victim.com
ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 448] --> ns.victim.com
ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 449] --> ns.victim.com
(now you know that DNS IDs are predictable, and they only increase. You
flood ns.victim.com with spoofed answers with the ID 444+ ;)
*** ADMsnOOfID does this.
There is another way to exploit this vulnerability without a root on
any DNS
The mechanism is very simple. Here is the explaination
We send to ns.victim.com a resolution request for *.provnet.fr
(you) ----------[?(random).provnet.fr] -------> ns.victim.com
Then, ns.victim.com asks ns1.provnet.fr to resolve (random).provnet.fr.
There is nothing new here, but the interesting part begins here.
From this point you begin to flood ns.victim.com with spoofed answers
(with ns1.provnet.fr IP) with ids from 100 to 110...
(spoof) ----[(random).provnet.fr is 1.2.3.4 ID=100] --> ns.victim.com
(spoof) ----[(random).provnet.fr is 1.2.3.4 ID=101] --> ns.victim.com
(spoof) ----[(random).provnet.fr is 1.2.3.4 ID=102] --> ns.victim.com
(spoof) ----[(random).provnet.fr is 1.2.3.4 ID=103] --> ns.victim.com
.....
After that, we ask ns.victim.com if (random).provnet.fr has an IP.
If ns.victim.com give us an IP for (random).provnet.fr then we have
found the correct ID :) Otherwise we have to repeat this attack until we
find the ID. It's a bit long but it's effective. And nothing forbides you
to do this with friends ;)
This is how ADMnOg00d works ;)
-------------------------------
##########################################################################
Here you will find 5 programs
ADMkillDNS - very simple DNS spoofer
ADMsniffID - sniff a LAN and reply false DNS answers before the NS
ADMsnOOfID - a DNS ID spoofer (you'll need to be root on a NS)
ADMnOg00d - a DNS ID predictor (no need to be root on a NS)
ADNdnsfuckr - a very simple denial of service attack to disable DNS
Have fun!! :)
Note: You can find source and binaries of this progs at
ftp.janova.org/pub/ADM. I'm going to make a little HOWTO soon, which would
be on janova. You need to install libpcap on your machine before any
compilation of the ADMID proggies :)
ADM Crew.
resume here
<the question part>
+------------------------------------------------------------------------+
| name of the question = [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0] |
+------------------------------------------------------------------------+
| type of question = htons(1) | type of query=htons(1) |
+---------------------------------+--------------------------------------+
here is for the question.
now let's stare the answer of ns.heike.com
ns.heike.com:53 -->[IP of www.heike.com is 31.33.7.44] --> ns.bibi.com:53
+---------------------------------+---------------------------------------+
| ID = 1999 | QR=1 opcode=0 RD=1 AA =1 RA=1 |
+---------------------------------+---------------------------------------+
| numbers of questions = htons(1) | numbers of answers = htons(1) |
+---------------------------------+---------------------------------------+
| number of RR authoritative = 0 | number of supplementary RR = 0 |
+---------------------------------+---------------------------------------+
+-------------------------------------------------------------------------+
| name of the question = [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0] |
+-------------------------------------------------------------------------+
| type of question = htons(1) | type of query = htons(1) |
+-------------------------------------------------------------------------+
+-------------------------------------------------------------------------+
| name of the domain = [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0] |
+-------------------------------------------------------------------------+
| type = htons(1) | class = htons(1) |
+-------------------------------------------------------------------------+
| time to live = 999999 |
+-------------------------------------------------------------------------+
| resource data length = htons(4) | resource data=inet_addr("31.33.7.44") |
+-------------------------------------------------------------------------+
Yah! That's all for now :))
Here is an analysis:
In the answer QR = 1 because it's an answer :)
AA = 1 because the name server has authority in its domain
RA = 1 because recursion is available
Good =) I hope you understood that cause you will need it for the following
events.
--[2.0]-- DNS ID hack/spoof
Now it's time to explain clearly what DNS ID hacking/spoofing is.
Like I explained before, the only way for the DNS daemon to recognize
the different questions/answers is the ID flag in the packet. Look at this
example:
ns.bibi.com;53 ----->[?www.heike.com] ------> ns.heike.com:53
So you only have to spoof the ip of ns.heike.com and answer your false
information before ns.heike.com to ns.bibi.com!
ns.bibi.com <------- . . . . . . . . . . . ns.heike.com
|
|<--[IP for www.heike.com is 1.2.3.4]<-- hum.roxor.com
But in practice you have to guess the good ID :) If you are on a LAN, you
can sniff to get this ID and answer before the name server (it's easy on a
Local Network :)
If you want to do this remotely you don't have a lot a choices, you only
have 4 basics methods:
1.) Randomly test all the possible values of the ID flag. You must answer
before the ns ! (ns.heike.com in this example). This method is obsolete
unless you want to know the ID .. or any other favorable condition to
its prediction.
2.) Send some DNS requests (200 or 300) in order to increase the chances
of falling on the good ID.
3.) Flood the DNS in order to avoid its work. The name server will crash
and show the following error!
>> Oct 06 05:18:12 ADM named[1913]: db_free: DB_F_ACTIVE set - ABORT
at this time named daemon is out of order :)
4.) Or you can use the vulnerability in BIND discovered by SNI (Secure
Networks, Inc.) with ID prediction (we will discuss this in a bit).
##################### Windows ID Vulnerability ###########################
I found a heavy vulnerability in Windows 95 (I haven't tested it on
WinNT), lets imagine my little friend that's on Windows 95.
Windows ID's are extremely easy to predict because it's "1" by default :)))
and "2" for the second question (if they are 2 questions at the same time).
######################## BIND Vulnerability ##############################
There is a vulnerability in BIND (discovered by SNI as stated earlier).
In fact, DNS IS are easily predictable, you only have to sniff a DNS in
order to do what you want. Let me explain...
The DNS uses a random ID at the beginning but it only increase this ID for
next questions ... =)))
It's easy to exploit this vulnerability.
Here is the way:
1. Be able to sniff easily the messages that comes to a random DNS (ex.
ns.dede.com for this sample).
2. You ask NS.victim.com to resolve (random).dede.com. NS.victim.com will
ask to ns.dede.com to resolve (random).dede.com
ns.victim.com ---> [?(rand).dede.com ID = 444] ---> ns.dede.com
3. Now you have the ID of the message from NS.victim.com, now you know what
ID area you'll have to use. (ID = 444 in this sample).
4. You then make your resolution request. ex. www.microsoft.com to
NS.victim.com
(you) ---> [?www.microsoft.com] ---> ns.victim.com
ns.victim.com --> [?www.microsoft.com ID = 446 ] --> ns.microsoft.com
5. Flood the name server ns.victim.com with the ID (444) you already have and
then you increase this one.
ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 444] --> ns.victim.com
ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 445] --> ns.victim.com
ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 446] --> ns.victim.com
ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 447] --> ns.victim.com
ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 448] --> ns.victim.com
ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 449] --> ns.victim.com
(now you know that DNS IDs are predictable, and they only increase. You
flood ns.victim.com with spoofed answers with the ID 444+ ;)
*** ADMsnOOfID does this.
There is another way to exploit this vulnerability without a root on
any DNS
The mechanism is very simple. Here is the explaination
We send to ns.victim.com a resolution request for *.provnet.fr
(you) ----------[?(random).provnet.fr] -------> ns.victim.com
Then, ns.victim.com asks ns1.provnet.fr to resolve (random).provnet.fr.
There is nothing new here, but the interesting part begins here.
From this point you begin to flood ns.victim.com with spoofed answers
(with ns1.provnet.fr IP) with ids from 100 to 110...
(spoof) ----[(random).provnet.fr is 1.2.3.4 ID=100] --> ns.victim.com
(spoof) ----[(random).provnet.fr is 1.2.3.4 ID=101] --> ns.victim.com
(spoof) ----[(random).provnet.fr is 1.2.3.4 ID=102] --> ns.victim.com
(spoof) ----[(random).provnet.fr is 1.2.3.4 ID=103] --> ns.victim.com
.....
After that, we ask ns.victim.com if (random).provnet.fr has an IP.
If ns.victim.com give us an IP for (random).provnet.fr then we have
found the correct ID :) Otherwise we have to repeat this attack until we
find the ID. It's a bit long but it's effective. And nothing forbides you
to do this with friends ;)
This is how ADMnOg00d works ;)
-------------------------------
##########################################################################
Here you will find 5 programs
ADMkillDNS - very simple DNS spoofer
ADMsniffID - sniff a LAN and reply false DNS answers before the NS
ADMsnOOfID - a DNS ID spoofer (you'll need to be root on a NS)
ADMnOg00d - a DNS ID predictor (no need to be root on a NS)
ADNdnsfuckr - a very simple denial of service attack to disable DNS
Have fun!! :)
Note: You can find source and binaries of this progs at
ftp.janova.org/pub/ADM. I'm going to make a little HOWTO soon, which would
be on janova. You need to install libpcap on your machine before any
compilation of the ADMID proggies :)
ADM Crew.
0 comments:
Post a Comment
mobile here