miyapi's Monologue

Getting started with blogging. A diary written at leisure by miyapi, who likes computers, movies, and a good drink...

Continued: DNS is apparently in serious trouble

2008-08-05 01:12:52 | Weblog
It seems an attack tool has been released.
If you haven't applied the patch yet, hurry!

================================================================================
DNS Multiple Race Exploiting Tool

================================================================================

0x00 Introduction
0x01 Features
0x02 Notes
0x03 Installation
0x04 Running the Tool
0x05 Copyright
0x06 Disclaimer
0x07 Credits

0x00 Introduction
-----------------
DNS Multiple Race Exploiting Tool exploits an inherent bug in the implementation
of DNS Cache. The result of this exploitation is cache poisoning/overwriting with
new entries. The exploitation happens by querying a DNS server, that either
supports recursion or is configured with forwarders, for non-existent hostnames
for a target domain. Along with the queries are fake reply/replies with static
Transaction ID(s). Every query will generate another query from the DNS server
with a random TXID. If one of the replies contains this specific TXID, the cache
is poisoned. Because the replies are sent directly after the query, they will
arrive at the DNS server much earlier than the legitimate reply from some Name
Server.

This attack was discovered and announced by Dan Kaminsky of Doxpara Research in
July 2008.


0x01 Features
-------------
A. The tool can attack both unpatched DNS systems as well as patched DNS
systems. Attacking a patched system requires a much longer time than an
unpatched system.

B. DNS Multiple Race Exploiting Tool can launch two modes of attack; one is
against DNS server that supports recursion, and the second mode is against DNS
server configured with forwarder DNS. The attack modes differ in the "flags"
carried in the DNS fake replies. Since a DNS server with forwarder(s) sends a
query with the "recursion desired" bit set, the reply has to have this bit set,
too. Also, the reply has to have the "recursion available" bit set. On the other
hand, a DNS server with recursion sends a query with the recursion bit unset (i.e.
an iterative query), so the reply has to have this bit unset, too.

C. The tool spoofs the source IP address of the queries. This is useful if the
attacker does not want to leave any trace of his IP address on the server.

D. The tool utilizes the CNAME Record Type to inject the false entry. The way the
poisoning is implemented is by sending two answer Resource Records (RRs): One is
a CNAME RR, and the second is an A record. Every fake reply contains something
like:
[1] abdc.example.com is a CNAME of IN Class for www.example.com

[2] www.example.com is an A of IN Class for IP 11.22.33.44

E. The tool sends multiple fake replies with different TXIDs to increase the
probability of hitting the correct TXID. This is useful in reducing the time
needed to generate a "hit". For a server that does not randomize the source port
number, the maximum number of iterations needed is 65546 (an average would be
32768). However, by sending 10 to 15 TXIDs, for example, the probability of
making a "hit" is higher in a shorter time; an average of ~3000 iterations is
needed.


0x02 Notes
-----------
[*] There is a sleeping time between sending the Query and the Replies. The
currently configured value of this time is 100 Milliseconds. This is important
because during the test, I found that if the reply is sent directly along with the
query, the fake reply would arrive at the server because the server sends its
own query and the fake reply would eventually be ignored.

[*] There is another sleeping time between every iteration (query+replies).
This "time" is meant to control the amount of packets per second. Currently,
this "time" is 100 Milliseconds.




0x03 Running the Tool
----------------------
The command syntax is:

The options are:

-t <target> The target DNS server to poison (required)
-n <nameserver> The Name Server used to impersonate (required)
-s <spoofed_ip> A spoofed client IP address (optional)
-p <port> Source port address used by target to send queries
(required)
-y <type> Type of the attack (optional; default 1)
0 for Patched Systems
1 for Unpatched Systems
-m <mode> Attack mode (optional; default 0)
0 Attacking DNS Servers that perform recursive queries
1 Attacking DNS servers configured with forwarders
-x <no_txids> Number of Transaction IDs to use (optional; default 15)


0x05 Copyright
---------------
The tool is released under the GPL license. Check COPYING file for more info.


0x06 Disclaimer
----------------
The tool is made for legal research purposes, such as permitted penetration
testing or ethical hacking.
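The Features and Notes sections above describe the race the tool runs: a burst of forged replies carrying guessed TXIDs, with the RD/RA flags chosen to match the resolver's own upstream query. The following Python snippet is an added example for the defender's side, not part of the quoted README or the tool: it mirrors the checks a resolver applies before caching a reply (destination port, TXID, QR bit, and the RD bit echoing the query), and flags a burst of rejected replies for one outstanding query as a likely poisoning attempt. The packet layout is the 12-byte DNS header only; the pending query, port number 40011 and the TXIDs are constructed sample values.

```python
import struct
from dataclasses import dataclass

QR, RD, RA = 1 << 15, 1 << 8, 1 << 7   # DNS header flag bits

@dataclass
class Pending:
    """One outstanding upstream query held by the resolver (constructed)."""
    txid: int
    port: int     # UDP source port the resolver used; static on unpatched servers
    rd: bool      # recursion-desired bit the query carried (unset for iterative)

def dns_header(txid, flags, qd=1, an=0):
    """Build a 12-byte DNS header; body omitted since only the header is checked."""
    return struct.pack(">HHHHHH", txid, flags, qd, an, 0, 0)

def accept_response(pending, dst_port, pkt):
    """Return True only if the reply matches the pending query on every field."""
    txid, flags = struct.unpack(">HH", pkt[:4])
    if dst_port != pending.port:           # port guess fails once ports are randomized
        return False
    if txid != pending.txid:               # the TXID race the README describes
        return False
    if not flags & QR:                     # must be a response, not a query
        return False
    if bool(flags & RD) != pending.rd:     # RD must echo the query (mode 0 vs mode 1)
        return False
    return True

def triage(pending, traffic, threshold=5):
    """Count accepted/rejected replies; many rejects for one query means a race."""
    accepted = rejected = 0
    for dst_port, pkt in traffic:
        if accept_response(pending, dst_port, pkt):
            accepted += 1
        else:
            rejected += 1
    return {"accepted": accepted, "rejected": rejected, "alert": rejected >= threshold}

# Constructed scenario: resolver waits for TXID 0x9C3A on static port 40011 (RD unset).
PENDING = Pending(txid=0x9C3A, port=40011, rd=False)
# A burst of 15 forged replies with static TXIDs 0..14, two answer RRs each (CNAME + A).
FORGED = [(40011, dns_header(t, QR | RA, an=2)) for t in range(15)]
# The single legitimate reply from the real name server.
LEGIT = [(40011, dns_header(0x9C3A, QR, an=1))]

if __name__ == "__main__":
    print(triage(PENDING, FORGED + LEGIT))   # prints accepted 1, rejected 15, alert True
```

On a patched server the port check alone would reject the same burst, which is why the README notes that patched systems take far longer to attack.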