DNS spoofing


DNS spoofing is a form of man-in-the-middle attack in which the attacker impersonates a domain name server in order to feed a host false DNS information. For example, when a user tries to browse to www.bankofamerica.com, the attacker answers that its address is XXX.XX.XX.XX, while the real www.bankofamerica.com actually lives at YYY.YY.YY.YY. The user only ever sees the attacker's home page, not the site they wanted, and that fake page is typically used to steal online banking login credentials and account information. DNS spoofing does not really "hack" the other site at all; it is pure impersonation, a trick. The whole process is quite simple to carry out, and below we look at how a DNS spoofing attack is performed and how to defend against it.

  Normal DNS Communication

The Domain Name System (DNS) protocol, defined in RFC 1034/1035, is considered one of the most important protocols in use on the Internet. When you type a URL into your browser (e.g. http://www.google.com), the browser sends a DNS request to a DNS server to find the IP address that corresponds to that name. This is necessary because the routers and other devices that make up the Internet do not understand google.com; they only understand IP addresses such as 74.125.95.103.

A DNS server itself stores a database of IP-address-to-DNS-name mappings, called resource records; it serves these records to clients and exchanges them with other DNS servers. The DNS server architecture of an enterprise, and of the Internet as a whole, is fairly involved, and there are whole books devoted to it. This article does not cover the different DNS architectures or every type of DNS communication; it only introduces the basic DNS exchange, shown in Figure 1.

Figure 1: DNS queries and responses

DNS operates in a query/response format. When a client wants to resolve a DNS name to an IP address, it sends a query to a DNS server, and the server sends back the corresponding response. From the client's point of view only two packets are seen: the query and the response.

Figure 2: DNS query and response packets

Things get more complicated when DNS recursion is taken into account. Because the Internet's DNS is hierarchical, DNS servers must be able to talk to each other in order to answer the queries their clients send. Our internal DNS server may know the name-to-address mappings for servers on the local LAN, but it cannot be expected to know the mappings for every network in the world. This is where recursion comes into play: the DNS server sends a query to another DNS server on behalf of the client, so that the DNS server itself becomes a client, as shown in Figure 3.

Figure 3: DNS queries and responses with recursion

  DNS spoofing

There are several ways to perform DNS spoofing; here we use a technique called DNS ID spoofing.

Every DNS request sent across the Internet carries a unique identification number whose purpose is to pair each query with its response. This means that if the attacking computer can intercept a DNS query sent by the target device, it only has to send back a forged packet carrying the same identification number, and the target computer will accept the contents of that packet as the answer to its query.

The whole operation is completed in two steps with a single, simple tool. First, we ARP-cache-poison the target device so that its traffic is re-routed through the attacking host, which lets us intercept its DNS queries; then we send the spoofed responses. The aim is to make users on the target network visit a malicious web site we set up instead of the site they were trying to reach, as shown in Figure 4.

Figure 4: DNS spoofing using the DNS ID spoofing method

Several different tools can be used to carry out a DNS spoofing attack; we chose Ettercap, which comes in both Windows and Linux versions and can be downloaded from its web site. If you browse that site for a moment you will find that Ettercap has many functions beyond DNS spoofing and can be used for many forms of man-in-the-middle attack.

If you install Ettercap on Windows you will find that it includes a very capable graphical user interface, but for DNS spoofing we only need the command-line interface.

Some configuration is required before running Ettercap. At its core Ettercap is a packet sniffer; the different attacks are carried out by different plug-ins. The dns_spoof plug-in is the one used in this article, so we need to edit the configuration file associated with it. On Windows the file is C:\Program Files (x86)\EttercapNG\share\etter.dns; on Linux it is /usr/share/ettercap/etter.dns. The file is very simple and contains the DNS records you want to spoof. In our case we want every user who tries to open yahoo.com to be directed to a host on the local network, so we add a few entries, as shown in Figure 5.

Figure 5: Adding fraudulent DNS records to etter.dns

These entries tell the dns_spoof plug-in that whenever it sees a DNS query for yahoo.com or www.yahoo.com, it should respond with the IP address 172.16.16.100. In practice, 172.16.16.100 would be running some kind of web server software to show the fake site to users.

Once the file has been edited and saved, we can launch the attack with a single command string that uses the following options:

-T - use the text interface

-q - run in quiet mode, so that captured packets are not printed to the screen

-P dns_spoof - load the dns_spoof plug-in

-M arp - launch a man-in-the-middle ARP poisoning attack to intercept packets between hosts

// // - target the whole network

Putting it all together, the final command string is:

Ettercap.exe -T -q -P dns_spoof -M arp // //

Running this command starts the two-stage attack: first the ARP cache poisoning of the network devices, then the sending of forged DNS query responses.

Figure 6: Ettercap actively searching for DNS queries

Once this is running, any user who tries to open www.yahoo.com is redirected to our malicious web site.

Figure 7: The result of DNS spoofing as seen by the user

How to defend against DNS spoofing attacks

DNS spoofing attacks are difficult to defend against because most of them are essentially passive. Under normal circumstances you never know that your DNS has been spoofed unless you are specifically looking for it; you simply open a page and see something different from what you expected. In many targeted attacks, users do not realise that they have entered their online banking details at the wrong URL until the bank calls to ask about a large purchase made on the account. That said, there are several things that help in preventing or detecting this type of attack:

Protect internal devices: attacks like this are mostly launched from inside the network. If your network devices are secured against your own internal network, it is much harder for a compromised host to mount a spoofing attack against them.

Do not rely on DNS: on highly sensitive and secure systems, where you usually do not browse the web anyway, it is best not to use DNS at all. If you have software that depends on host names to run, you can specify the names manually in the device's hosts file.

Use an intrusion detection system: when properly deployed and configured, an intrusion detection system can detect most forms of ARP cache poisoning and DNS spoofing attacks.

Use DNSSEC: DNSSEC is a better alternative to plain DNS; it uses digitally signed DNS records to ensure the validity of query responses. DNSSEC is not yet widely deployed, but it is recognised as the future direction of DNS; indeed, the US Department of Defense has required all MIL and GOV domains to begin using DNSSEC.
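As an added example (not part of the original article or of Ettercap), the following Python script implements the detection idea behind the intrusion detection advice above, building on the transaction-ID pairing described earlier: it parses DNS responses and raises an alert when one client receives two responses with the same transaction ID and query name but different A records, which is the footprint a forged reply leaves when the legitimate answer also arrives. The client address 172.16.16.20 and the "real" address 203.0.113.10 are constructed sample values; 172.16.16.100 is the spoofed address from Figure 5.

```python
import struct

def parse_name(msg, off):
    """Decode a DNS name at off, following compression pointers (RFC 1035, 4.1.4)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # pointer: jump, but remember where to resume
            end = off + 2 if end is None else end
            off = struct.unpack('!H', msg[off:off + 2])[0] & 0x3FFF
        elif length == 0:
            return '.'.join(labels), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + length].decode('ascii'))
            off += 1 + length

def parse_dns(msg):
    """Return transaction ID, QR flag, question name and A-record answers of one DNS message."""
    txid, flags, qd, an, _, _ = struct.unpack('!6H', msg[:12])
    off, qname, answers = 12, None, []
    for _ in range(qd):
        qname, off = parse_name(msg, off)
        off += 4                                   # skip QTYPE and QCLASS
    for _ in range(an):
        _, off = parse_name(msg, off)
        rtype, _, _, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
        if rtype == 1 and rdlen == 4:              # A record: 4-byte IPv4 rdata
            answers.append('.'.join(str(b) for b in msg[off + 10:off + 14]))
        off += 10 + rdlen
    return {'id': txid, 'response': bool(flags & 0x8000), 'qname': qname, 'answers': answers}

def detect_conflicting_answers(packets):
    """packets: (client_ip, raw_dns). Alert when one client/ID/name receives two different answers."""
    seen, alerts = {}, []
    for client, raw in packets:
        r = parse_dns(raw)
        if not r['response']:                      # queries carry no answers; only pair responses
            continue
        key = (client, r['id'], r['qname'])
        if key in seen and seen[key] != r['answers']:
            alerts.append((client, r['qname'], seen[key], r['answers']))
        seen.setdefault(key, r['answers'])         # keep the first answer seen for this key
    return alerts

HDR = struct.pack('!6H', 0x1a2b, 0x8180, 1, 1, 0, 0)             # ID, flags (QR=1, RD, RA), 1 Q, 1 A
QUESTION = b'\x03www\x05yahoo\x03com\x00' + struct.pack('!HH', 1, 1)
def a_record(ip):                                  # owner name is a pointer to the question at offset 12
    return b'\xc0\x0c' + struct.pack('!HHIH', 1, 1, 300, 4) + bytes(map(int, ip.split('.')))
SAMPLE = [('172.16.16.20', HDR + QUESTION + a_record('172.16.16.100')),   # constructed: forged reply first
          ('172.16.16.20', HDR + QUESTION + a_record('203.0.113.10'))]    # constructed: real reply second
```

On real traffic the same logic would be fed from a packet capture on the resolver's uplink or a span port, keyed by the client address and UDP port in addition to the transaction ID.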

Summary

In terms of both technical sophistication and malicious intent, DNS spoofing is a very lethal form of man-in-the-middle attack. With it an attacker can steal login credentials using phishing techniques, install malicious software, or cause a denial of service. In the next article we will look at the "pass the hash" attack and see how it is used to log on to Windows computers without needing the account credentials.


Origin www.cnblogs.com/P201721440032/p/12111073.html