Hello all , here is a tool to exploit domain name server, poisoning the cache in order to redirect a dns to another.
Infos:
DNS Multiple Race Exploiter: DNS Cache Poisoner/Overwriter
Abstract
DNS Multiple Race Exploiter is a tool that exploits an inherent flaw in the DNS Server Cache. By sending many queries to a DNS server along with fake replies, an attacker can successfuly writes a fake new entry in the DNS cache. Also, this type of attack can overwrite an existing entry. For example, if the DNS server's cache already has www.example.com => 1.2.3.4, the attack can overwrite it with www.example.com => 4.3.2.1. The attack is made easy since the majority of DNS servers does not randomize the UDP source port number. Patched DNS servers randomize the UDP source port number, however, that will not eliminate the flaw; it will only increase the time required to poison the cache. Poisoning unpatched systems would take a period seconds, however, poisoning patched systems would take a period of hours. DNS Multiple Race Exploiter is made to attack both patched and upatched systems.
The attack has been discovered by Dan Kaminsky, and announced by him in July 2008.
DNS Multiple Race Exploiting tool has the following features:
[A] The tool can attack both unpatched DNS systems as well as patched DNS systems. Attacking a patched system requires a much longer time than an unpatched system.
[B] The tool can launch two modes of attack; one is against DNS server that supports recursion, and the second mode is against DNS
server configured with forwarder DNS. The attack modes differ in the "flags" carried in the DNS fake replies. Since a DNS with server forwarder(s) sends a query with the "recursion desired" bit set, the reply has to have this bit set, too. Also, the reply has to have the "recursion available" bit set. On the other hand, a DNS server with recursion sends query with the recursion bit unset (i.e. iteration query), the reply has to have this bit unset, too.
[C] The tool spoofs the source IP address of the queries. This is useful if the attacker does not want leave any trace of his IP address on the server.
[D] The tool utilizes CNAME Record Type to inject the false entry. The way the poisoning is implemented is by sending two answer Resource Records (RRs): One is a CNAME RR, and the second is an A record. Every fake reply contains something like:
[1] abdc.example.com is a CNAME of IN Class for www.example.com
[2] www.example.com is an A of IN Class for IP 11.22.33.44
[E] The tool sends multiple fake replies with different TXIDs to increase the probability of hitting the correct TXID. This is useful in reducing the time needed to generate a "hit". For a server that does not randomize the source port number, the maximum number of iterations needed is 65546 (an average would 32768). However, by sending 10 to 15 TXIDs, for example, the probability of
making a "hit" is higher in a shorter time; an average of ~3000 iterations are needed.
DNS Multiple Race Exploiter -- version 1.0: dns_mre-v1.0.tar.gz
TODO: (in the next realse)
1- Automatic finding of Name Server IPs of the target domain. This only works if the attacked DNS server supports recursion. For DNS server configured with forwarder, the user (attack/pentester) has to manually find the forwarder IP.
2- Randomized TTL values in all replies.
3- A better algorithm to attack "patched" systems; that is, poisoning a patched system in the shortest possible time.
the tool:
**Hidden Content: To see this hidden content your post count must be 15 or greater.**
Reply With Quote
