HOW IT WORKS
● DNS CACHE POISONING
● IP FILTERING
● URL FILTERING
● PACKET FILTERING
● TCP CONNECTION RESET
THE ATTACK IN PRACTICE
● REDIRECT THE USER TO A WEBSITE OR SERVER UNDER THE ATTACKER'S CONTROL
● SEND MALICIOUS CONTENT (E.G. WORMS, VIRUSES), PRETENDING IT IS WHAT THE USER ASKED FOR
A SHORT OVERVIEW ON DNS
[Diagram: Client → Caching DNS Server → authoritative DNS servers on the Internet (e.g. dns.microsoft.com, dns.hacker.com)]
Resolver: gethostbyname(www.microsoft.com)
Server: www.microsoft.com is 1.2.3.4
A SIMPLE ATTACK – SENDING ADDITIONAL RESOURCE RECORDS
Client → Server (the attacker's own server, dns.hacker.com): gethostbyname(www.hacker.com)
Server → Client: www.hacker.com is 1.2.3.4, and www.microsoft.com is 5.5.5.5
Resulting DNS cache: www.hacker.com = 1.2.3.4, www.microsoft.com = 5.5.5.5
AN EVEN EASIER ATTACK – JUST LYING
Client → Server: gethostbyname(www.microsoft.com)
Server → Client: www.microsoft.com is 6.6.6.6
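The two attacks above in wire-format bytes, as an added example that is not part of the original slides. It builds the forged reply from the "additional resource records" slide and the plain lie from the "just lying" slide, then feeds each to two toy caches: one that believes every record it receives (the behaviour the slides attack) and one that applies a bailiwick check, i.e. only keeps records for names under the zone the answering server is responsible for. Names and addresses are the slides' own; the packets are constructed in the block and never sent.

```python
"""Added example, not from the original slides: forged DNS replies as raw bytes,
fed to a trusting cache and to a bailiwick-checking cache."""
import struct

A_RECORD, IN_CLASS = 1, 1


def encode_name(name):
    """Wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, off):
    """Read a name at msg[off:], following RFC 1035 compression pointers."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def a_rr(name, ip, ttl=3600):
    """One A resource record: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    rdata = bytes(int(octet) for octet in ip.split("."))
    return encode_name(name) + struct.pack("!HHIH", A_RECORD, IN_CLASS, ttl, len(rdata)) + rdata


def build_response(txid, qname, answers, additional=()):
    """Standard response (flags 0x8180: QR, RD, RA) with one question and A records."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, len(additional))
    question = encode_name(qname) + struct.pack("!HH", A_RECORD, IN_CLASS)
    rrs = b"".join(a_rr(n, ip) for n, ip in list(answers) + list(additional))
    return header + question + rrs


def parse_response(msg):
    """Return (txid, qname, [(section, name, ip), ...]) for the A records in msg."""
    txid, _flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4                                   # skip QTYPE and QCLASS
    records = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata, off = msg[off:off + rdlen], off + rdlen
            if rtype == A_RECORD and rdlen == 4:
                records.append((section, name, ".".join(str(b) for b in rdata)))
    return txid, qname, records


def in_bailiwick(name, zone):
    """True if name is the zone itself or lies below it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def naive_cache(msg):
    """The slides' assumption: every record in the reply is cached as truth."""
    return {name: ip for _section, name, ip in parse_response(msg)[2]}


def bailiwick_cache(msg, zone):
    """Cache only records the answering server is entitled to speak for (its zone)."""
    return {name: ip for _s, name, ip in parse_response(msg)[2] if in_bailiwick(name, zone)}


# "Additional resource records": dns.hacker.com answers for www.hacker.com and
# slips in a record for www.microsoft.com.
FORGED = build_response(0x1234, "www.hacker.com",
                        answers=[("www.hacker.com", "1.2.3.4")],
                        additional=[("www.microsoft.com", "5.5.5.5")])
# "Just lying": the server that was asked simply returns a false answer.
LYING = build_response(0x1235, "www.microsoft.com",
                       answers=[("www.microsoft.com", "6.6.6.6")])
```

The bailiwick check discards the smuggled www.microsoft.com record from the first reply, but it does nothing against the second: when the server being asked is the one lying, nothing in the message format lets the cache tell a lie from the truth, which is exactly the point the "The Problem" slide makes.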
THE PROBLEM
• DNS IS NOT A SECURE PROTOCOL
• EVERY HOST ON THE INTERNET CAN CLAIM THAT IT IS AN AUTHORITY FOR RESOLVING QUERIES
• EVEN IF A DNS SERVER IS AUTHORITATIVE FOR DOMAIN A, IT DOES NOT MEAN IT CAN BE TRUSTED TO GIVE TRUE ANSWERS FOR DOMAIN B
• ALL ANSWERS ARE ASSUMED TO BE TRUE
QUERY ID
• EACH DNS QUERY CONTAINS AN ID
• A RESPONSE CONTAINS THE MATCHING QUERY ID
• THE ID IS GENERATED BY A PRNG
• IN MOST PAST IMPLEMENTATIONS THE ID WAS GENERATED BY A WEAK PRNG FUNCTION.
PRNG ATTACK
Client → Caching server: gethostbyname(www.microsoft.com)
Caching server: "I don't know… I better ask somebody else" → forwards gethostbyname(www.microsoft.com) to the authoritative server
Attacker → Caching server (spoofed reply carrying a predicted query ID): www.microsoft.com is 6.6.6.6
Authoritative server → Caching server: www.microsoft.com is 1.2.3.4
First answer wins!
PRNG ATTACK (CONT)
• IN OLDER SYSTEMS IT WAS POSSIBLE TO PREDICT THE NEXT PRNG NUMBER BY OBSERVING ONLY THE LAST NUMBER GENERATED.
• IN NEWER SYSTEMS IT IS POSSIBLE TO PREDICT THE NEXT NUMBER WITH SUCCESS PROBABILITY OF 0.2 BY OBSERVING THE LAST 5000 NUMBERS.
• MUCH BETTER, BUT STILL NOT PERFECT.
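The race on the two PRNG-attack slides as a small Monte Carlo model, added here and not part of the original slides. The resolver accepts the first response whose query ID matches the outstanding query, and the attacker's spoofed replies arrive before the genuine one. Two ID generators are compared: a predictable one (next = last + 1, standing in for the weak PRNGs the slides mention, where one observed ID reveals the next) and a uniformly random 16-bit one. The attacker learns the resolver's latest ID by making it look up a name the attacker serves (dns.hacker.com on the overview slide). The concrete generators, seeds and guess counts are assumptions for illustration; names and addresses are the slides' own.

```python
"""Added example, not from the original slides: the "first answer wins" race
under a predictable and an unpredictable query-ID generator."""
import random

ID_SPACE = 1 << 16             # the DNS query ID is a 16-bit field
GENUINE, SPOOFED = "1.2.3.4", "6.6.6.6"


class SequentialIds:
    """Weak generator (assumed for illustration): one observed ID reveals the next."""
    def __init__(self, start):
        self.last = start

    def next_id(self):
        self.last = (self.last + 1) % ID_SPACE
        return self.last


class RandomIds:
    """Unpredictable generator: each ID is drawn uniformly from the 16-bit space."""
    def __init__(self, seed):
        self.rng = random.Random(seed)

    def next_id(self):
        return self.rng.randrange(ID_SPACE)


def predict_next(observed, _rng):
    """Attacker strategy against the sequential generator: one exact guess."""
    return [(observed + 1) % ID_SPACE]


def guess_k(k):
    """Attacker strategy against a random generator: k blind guesses per query."""
    return lambda _observed, rng: [rng.randrange(ID_SPACE) for _ in range(k)]


def race(resolver_ids, attacker, trials, seed=1):
    """Fraction of victim lookups that end with the spoofed address cached."""
    rng = random.Random(seed)
    poisoned = 0
    for _ in range(trials):
        observed = resolver_ids.next_id()   # attacker-triggered lookup; the attacker sees this ID
        victim_id = resolver_ids.next_id()  # the lookup of www.microsoft.com that is under attack
        cached = None
        for guess in attacker(observed, rng):   # spoofed replies land first; first match wins
            if guess == victim_id:
                cached = SPOOFED
                break
        if cached is None:
            cached = GENUINE                # no spoof matched, the authoritative answer is accepted
        poisoned += cached == SPOOFED
    return poisoned / trials


def blind_success_probability(k):
    """Chance that at least one of k uniform guesses hits a uniform 16-bit ID."""
    return 1 - (1 - 1 / ID_SPACE) ** k
```

Against the sequential generator one guess per query poisons the cache every time; against the random one, 100 spoofed replies per query succeed in well under one percent of lookups, matching blind_success_probability(100). The model only covers the ID, which is what the slides discuss: it does not model the source port and question matching that resolvers also perform, nor a generator with the 0.2 predictability figure the slide quotes, since that depends on the specific PRNG.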
THE TOOLS AND TECHNIQUES
• DNS POISONING IN THEORY
• WIRESHARK
• SOCKET PROGRAMMING
• C/JAVA/PYTHON
• HOSTS FILE (LOCAL DNS POISONING)
THE CHALLENGE
1. USE WIRESHARK TO ANALYZE HTTP TRAFFIC TO A POPULAR WEBSITE
2. REDIRECT TRAFFIC TO/FROM THAT WEBSITE THROUGH YOUR LOCAL COMPUTER
3. CREATE A PROGRAM TO ROUTE TRAFFIC THROUGH YOUR COMPUTER TO THE WEBSITE IN QUESTION
4. CHANGE THE FORMATTING OF THE HTTP TO ENSURE THE DATA IS ACCESSIBLE
5. CENSOR/CHANGE THE CONTENT AS YOU SEE FIT
[Diagram: Request → your computer → Request to the website; Content ← Censorship]
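Steps 4 and 5 of the challenge, the HTTP rewriting a content-censoring relay needs once traffic is flowing through your computer, as an added example that is not part of the original slides. rewrite_request() asks the site for a body that can be edited (no compression, no chunking, one request per connection, no conditional-request headers that would yield a bodiless 304); rewrite_response() edits HTML bodies by byte replacement and repairs the framing headers so the browser still accepts the message. It assumes plain HTTP rather than TLS and whole messages in memory; the socket relay itself (step 3) is not shown. The sample request, page and censorship rule are constructed here, with www.example.com standing in for the "popular website".

```python
"""Added example, not from the original slides: request/response rewriting for
a content-censoring HTTP relay (steps 4 and 5 of the challenge)."""
import gzip

STRIP_FROM_REQUEST = {b"accept-encoding", b"connection", b"if-none-match", b"if-modified-since"}
STRIP_FROM_RESPONSE = {b"content-length", b"transfer-encoding", b"content-encoding", b"connection"}


def parse_message(raw):
    """Split an HTTP/1.x message into (start line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    start, *lines = head.split(b"\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return start, headers, body


def build_message(start, headers, body):
    return start + b"\r\n" + b"".join(n + b": " + v + b"\r\n" for n, v in headers) + b"\r\n" + body


def header(headers, name):
    """First value of a header, matched case-insensitively; None if absent."""
    return next((v for n, v in headers if n.lower() == name), None)


def dechunk(body):
    """Reassemble a Transfer-Encoding: chunked body into plain bytes."""
    out, pos = b"", 0
    while True:
        line_end = body.index(b"\r\n", pos)
        size = int(body[pos:line_end].split(b";")[0], 16)
        if size == 0:
            return out
        out += body[line_end + 2:line_end + 2 + size]
        pos = line_end + 2 + size + 2            # skip chunk data and its trailing CRLF


def rewrite_request(raw):
    """Step 4: make the upstream reply editable (uncompressed, unchunked, not cached)."""
    start, headers, body = parse_message(raw)
    method, target, _version = start.split(b" ", 2)
    kept = [(n, v) for n, v in headers if n.lower() not in STRIP_FROM_REQUEST]
    kept += [(b"Accept-Encoding", b"identity"), (b"Connection", b"close")]
    # HTTP/1.0 requests do not get chunked responses, so the body is plain bytes.
    return build_message(method + b" " + target + b" HTTP/1.0", kept, body)


def rewrite_response(raw, rules):
    """Step 5: apply (old, new) byte replacements to HTML bodies and fix Content-Length."""
    start, headers, body = parse_message(raw)
    if header(headers, b"transfer-encoding") == b"chunked":
        body = dechunk(body)
    if header(headers, b"content-encoding") == b"gzip":   # server ignored identity; undo it
        body = gzip.decompress(body)
    if (header(headers, b"content-type") or b"").startswith(b"text/html"):
        for old, new in rules:
            body = body.replace(old, new)
    kept = [(n, v) for n, v in headers if n.lower() not in STRIP_FROM_RESPONSE]
    kept += [(b"Content-Length", str(len(body)).encode()), (b"Connection", b"close")]
    return build_message(start, kept, body)


# Constructed sample traffic for an offline run.
SAMPLE_REQUEST = (b"GET /news HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"Accept-Encoding: gzip, deflate\r\nUser-Agent: demo\r\n\r\n")
PAGE = b"<html><body><p>Protest planned for Friday</p></body></html>"
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                   b"Content-Length: " + str(len(PAGE)).encode() + b"\r\n\r\n" + PAGE)
GZIPPED = gzip.compress(PAGE, mtime=0)
SAMPLE_GZIP_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\n"
                        b"Content-Length: " + str(len(GZIPPED)).encode() + b"\r\n\r\n" + GZIPPED)
CENSOR_RULES = [(b"Protest planned for Friday", b"Nothing to see here")]
```

The Content-Length repair is the part most often forgotten: after editing the body the original length no longer matches, and a browser will either truncate the page or wait for bytes that never come. Stripping Content-Encoding after decompressing matters for the same reason.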