SlideShare a Scribd company logo

DNS Cache White Paper

Ryan Ellingson
Ryan Ellingson

1. The document discusses DNS cache poisoning using a man-in-the-middle attack. It provides details on setting up the attack using Kali Linux, Windows Server 2008, and Windows 7. It clones the Facebook website and poisons the DNS cache so traffic is redirected to the fake site. 2. Testing confirms the attack was successful when pinging the fake Facebook site returns the IP of the Kali machine for both Windows systems. The document also proposes short and long-term solutions to prevent DNS cache poisoning attacks, such as disabling open recursive name servers and implementing DNSSEC. 3. In conclusion, the document notes that while DNS cache poisoning is easy to setup, protection requires more effort but is still important for network

1 of 28
Downloaded 16 times
DNS Cache Poisoning Using Man-in-the-middle attack Ryan Ellingson Herzing University 3/23/15
1 Table of Contents I. Executive Summary............................................................................................... 2 II. Project Planning .................................................................................................... 3 Network Diagram Technical Planning Linux Client Specifications Windows Server Specifications Windows Client Specifications III. Implementation..................................................................................................... 5 Installation of Kali Linux Installation of Windows Server 2008 Installation of Windows 7 Cloning http://www.facebook.com Editing Configuration Files Using Ettercap IV. DNS Cache Poisoning (with MITM) Plan Testing ............................................10 V. Preventing DNS Cache Poisoning (with MITM Attack) ..................................................................................................................12 VI. Conclusion............................................................................................................13 VII. Appendix...............................................................................................................14
Executive Summary DNS Cache Poisoning is posing an imminent threat to open internet networks. It can be set up in only a matter of minutes, and utilized in such a way that information such as accounts, emails, and passwords can be compromised with minimal work. Creating some policies against this could just help save any business that relies on the use of their internet network for a source of income, or for any business that cares about the safety and integrity of their network as a whole. *DNS Cache Poisoning is illegal. This paper is for educational purposes only. Do not try this on anyone’s network.*
DNS CACHE POISONING - MARCH 2015 3 Project Planning For this project, the planning is relatively simple. A simple understanding of DNS Cache Poisoning and Man-in-the-Middle attacks are necessary. DNS Cache Poisoning - computer hacking attack, whereby data is introduced into a DNS name server's cache database, causing the name server to return an incorrect IP address, diverting traffic to another computer. Man-in-the-Middle - a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them. This project is manageable on both a large-scale network, a small-scale network, or for testing purposes on virtual machines without any notable issues. Network Diagram Figure 1 Network Diagram
DNS CACHE POISONING - MARCH 2015 4 Technical Planning The following specifications were used as part of the technical planning of the project entities. For this project, make a Kali Linux machine, Windows (7) client, 1 Windows Server (2008) client, and a router. Linux Client Specifications Operating System Kali Linux Memory 1 GB Hard Disk 15 GB Network Cards 1 NIC Figure 2 Linux Client Specifications Windows Server Specifications Operating System Windows Server 2008 Memory 2 GB Hard Disk 60 GB Network Cards 1 NIC Figure 3 Server Specifications Windows Client Specifications Operating System Windows 7 Memory 2 GB Hard Disk 20 GB Network Cards 1 NIC Figure 3 Windows Client Specifications
DNS CACHE POISONING - MARCH 2015 5 Implementation Implementation (for the purpose of this project) was done on VMware Workstation 10.0.1. Depending on the network, the time that implementation will take may vary. Installation of Kali Linux When installing Kali Linux, follow all the prompts and use all the default options. Once fully installed, configure the IP Address, Network Mask, and Gateway. (Letting it get an IP via DHCP is alright too) Next, ping 8.8.8.8. If 8.8.8.8 cannot be reached, make sure to go back and check the configurations again. Installation of Windows Server 2008 Install Windows Server 2008 like normal. Set a user and root password. Make sure to write them down so you will not forget them. Be sure to set up the DNS server role on the server. This will be the DNS Server that the Windows 7 Machine will use. Installation of Windows 7 Install Windows 7 like normal. Set a user and password. Make sure to write them down so you will not forget it. Be sure to point the DNS towards the Windows Server 2008 Machine. Cloning http://www.facebook.com Open the terminal. Type “setoolkit”. This starts the process for cloning Facebook. Figure 4 Setoolkit
DNS CACHE POISONING - MARCH 2015 6 Next, enter “1” for Social –Engineering Attacks. Second, enter “2” for Website Attack Vectors. Third, enter “3” for Credential Harvester Attack Method. Fourth, enter “2” for Site Cloner. After everything is entered, find out what the IP address of the Kali Linux Machine is by typing “ifconfig” into another terminal. Enter this IP address into the prompt that comes after selecting Site Cloner. Figure 5 Entering in IP Address Once the IP address of the Kali Linux Machine has been entered, type the web address of the website being cloned. In this case, http://www.facebook.com is being used. At last, there will be a prompt for starting the Apache Server for the cloned site to be run on. Simply type “y” and the Apache Server will be started. Figure 6 Running Apache Server
DNS CACHE POISONING - MARCH 2015 7 Editing Configuration Files Open the terminal and enter “leafpad /etc/ettercap/etter.conf”. This will open the etter.conf file that needs to be edited. Near the top of the document, there will be two lines that say “ec_uid = 65534” and “ec_gid = 65534”. Change the numbers to “0” and save the document. Figure 7 Editing etter.conf file Next, change directories to /etc/ettercap by typing “cd /etc/ettercap” into the terminal. Type “ls” to see the content of the directory. Locate the etter.dns file by typing “locate etter.dns”. This is a good way to double check that the etter.dns file is in the correct directory. Change the permissions on the file by typing “chmod 777 /etc/ettercap/etter.dns” into the terminal, and then open the document by typing “leafpad /etc/ettercap/etter.dns”.
DNS CACHE POISONING - MARCH 2015 8 Figure 8 Editing etter.dns file Scroll down to where the document shows Microsoft.com along with some IP addresses (as shown in figure 6). Replace the words “Microsoft” with “Facebook”. Replace the IP address to the right of the URL with the IP address of the Kali Linux Machine. Save the document. Using Ettercap Open the program “Ettercap”. At the top of the program, click “Sniff” > “Unified sniffing…” > “OK”. Second, click “Hosts” > “Scan for hosts”. This will check the network for other machines available on the network. Third, click “Hosts” > “Host List” to see all the available targets. Add the router to Target 1 and the DNS server to Target 2. Fourth, click “Mitm” > “Arp poisoning…” and check the box for “Sniff remote connections. Press “OK”. Fifth, click “Plugins” > “Manage the plugins” and double click “dns_spoof”. Lastly, click “Start” > “Start sniffing”.
DNS CACHE POISONING - MARCH 2015 9 Figure 9 Start sniffing network
DNS CACHE POISONING - MARCH 2015 10 DNS Cache Poisoning (with MITM) Plan Testing Windows Server 2008 On the Windows Server 2008 Machine, open the web browser and go to http://www.facebook.com. This should come up with the cloned website made in previous steps. To make sure that it is, open the command prompt and type “ping facebook.com”. If the IP address matches the IP address of the Kali Linux machine, the attack was successful. Figure 10 Ping response from cloned website to Windows Server 2008 Machine Also, to be sure that the Kali Linux Machine has picked up on this, go back to Ettercap and check to see if anything was spoofed. Figure 11 Ettercap spoof confirmation Windows 7 Go to the Windows 7 Machine. Make sure the DNS is pointed towards the DNS server. Open up any browser and go to http://www.facebook.com. If the cloned website/Kali Linux IP address was saved into the DNS Server’s cache, this should take you to the very same cloned website that the Windows Server 2008 went to earlier. Again, to find out if the attack was successful, open the command prompt and type “ping facebook.com”. If the IP address matches that of the Kali Linux Machine, the attack was successful.
DNS CACHE POISONING - MARCH 2015 11 Figure 12 Ping response from cloned website to Windows 7 Machine Also be sure to check back in the Ettercap to see if yet another machine has been spoofed. Figure 13 Ettercap spoof confirmation
DNS CACHE POISONING - MARCH 2015 12 Preventing DNS Cache Poisoning (with MITM Attack) Short-term solutions 1. Maximize the amount of randomness a. Most implementations use randomized transaction numbers. There was a risk with it years ago, but has been fixed since. b. Most implementations do not randomize the port numbers. Most always use the same port number. c. The patches that have been released in the last few months work by randomizing the source port for the recursive server. 2. Disable open recursive name servers a. The attack is not effective if the attacker cannot send question packets to the name server. b. If a recursive name server must be run, limit access to only the computers that need it. Long-term solutions 1. Introduce security to the DNS a. The DNS is insecure. Upgrade the DNS for security. b. DNSSEC is the current answer to this problem.
DNS CACHE POISONING - MARCH 2015 13 Conclusion To conclude, DNS Cache Poisoning (with MITM Attack) is fairly simple and quick to set up. Protecting against it is not nearly as simple, but it has to be something that has to be looked at if a network’s integrity is necessary in the business (which it most likely is). References Wilson, C. (2014, October). Assistance Cann, J. (2014, October). Assistance https://www.youtube.com/watch?v=4k760wQ9rhI http://moinkhans.blogspot.com/2013/05/social-engineering-toolkit-kali-linux.html https://www.iana.org/about/presentations/davies-viareggio-entropyvuln-081002.pdf
DNS CACHE POISONING - MARCH 2015 14 Appendix Figure 14 Selecting Social-Engineering Attacks Figure 15 Selecting Website Attack Vectors
DNS CACHE POISONING - MARCH 2015 15 Figure 16 Selecting Credential Harvester Attack Method Figure 17 Selecting Site Cloner
DNS CACHE POISONING - MARCH 2015 16 Figure 18 Finding IP address of Kali Linux Machine Figure 19 Input IP address into setools prompt
DNS CACHE POISONING - MARCH 2015 17 Figure 20 Input web address into setools prompt Figure 21 Starting Apache Server
DNS CACHE POISONING - MARCH 2015 18 Figure 22 Editing /etc/ettercap/etter.conf file Figure 23 Before editing document
DNS CACHE POISONING - MARCH 2015 19 Figure 24 After editing document Figure 25 Change permission to etter.dns
DNS CACHE POISONING - MARCH 2015 20 Figure 26 Opening /.etter/ettercap/etter.dns Figure 27 Before making changes
DNS CACHE POISONING - MARCH 2015 21 Figure 28 After making changes Figure 29 Opening ettercap
DNS CACHE POISONING - MARCH 2015 22 Figure 30 Choosing the interface Figure 31 Opeinging host list
DNS CACHE POISONING - MARCH 2015 23 Figure 32 Selecting router for Target 1 Figure 33 Selecting Windows Server 2008 for Target 2
DNS CACHE POISONING - MARCH 2015 24 Figure 34 Selecting dns spoof in Plugins Figure 35 Selecting MITM Attack
DNS CACHE POISONING - MARCH 2015 25 Figure 36 Starting Sniffing Figure 37 Going to Facebook on Windows Server 2008
DNS CACHE POISONING - MARCH 2015 26 Figure 38 Spoof Windows Server 2008 in Ettercap Figure 39 Ping Facebook on Windows Server 2008 Figure 40 Spoof Facebook from cache of Windows Server 2008 on Windows 7 Machine
DNS CACHE POISONING - MARCH 2015 27 Figure 41 Checking Ettercap to see if Windows 7 Machine was impacted Figure 42 Pinging Facebook from Windows 7 Machine
Ad

Recommended

Grey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache PoisoningGrey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache Poisoning
Christopher Grayson
 
DNS Cache Poisoning
DNS Cache PoisoningDNS Cache Poisoning
DNS Cache Poisoning
Christiaan Ottow
 
Cloudstone - Sharpening Your Weapons Through Big Data
Cloudstone - Sharpening Your Weapons Through Big DataCloudstone - Sharpening Your Weapons Through Big Data
Cloudstone - Sharpening Your Weapons Through Big Data
Christopher Grayson
 
Windows 2012 and DNSSEC
Windows 2012 and DNSSECWindows 2012 and DNSSEC
Windows 2012 and DNSSEC
Men and Mice
 
DNS Security
DNS SecurityDNS Security
DNS Security
johnmcclure00
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
APNIC
 
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAILDNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
Utah Networxs Consultoria e Treinamento
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPS
Alex Mayrhofer
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSec
AFRINIC
 
Dns security
Dns securityDns security
Dns security
Dhaval Kapil
 
Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time
Bangladesh Network Operators Group
 
DNS DDoS Attack and Risk
DNS DDoS Attack and RiskDNS DDoS Attack and Risk
DNS DDoS Attack and Risk
Sukbum Hong
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and security
Michael Earls
 
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
DTM Security
 
CNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS SecurityCNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS Security
Sam Bowne
 
Dnssec
DnssecDnssec
Dnssec
guest3131f85
 
Domain Name System (DNS)
Domain Name System (DNS)Domain Name System (DNS)
Domain Name System (DNS)
Venkatesh Jambulingam
 
CNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and ArchitectureCNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and Architecture
Sam Bowne
 
CNIT 40: 3: DNS vulnerabilities
CNIT 40: 3: DNS vulnerabilitiesCNIT 40: 3: DNS vulnerabilities
CNIT 40: 3: DNS vulnerabilities
Sam Bowne
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows Networks
Men and Mice
 
DNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamDNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul Islam
MyNOG
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
APNIC
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
Sam Bowne
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local Networks
Men and Mice
 
IPv6 Threat Presentation
IPv6 Threat PresentationIPv6 Threat Presentation
IPv6 Threat Presentation
johnmcclure00
 
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Dan York
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Men and Mice
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
Sam Bowne
 
Microsoft Lync Server 2010 Installation
Microsoft Lync Server 2010 InstallationMicrosoft Lync Server 2010 Installation
Microsoft Lync Server 2010 Installation
Shahab Al Yamin Chawdhury
 
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docxLab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
pauline234567
 
Ad

More Related Content

What's hot (20)

Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSec
AFRINIC
 
Dns security
Dns securityDns security
Dns security
Dhaval Kapil
 
Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time
Bangladesh Network Operators Group
 
DNS DDoS Attack and Risk
DNS DDoS Attack and RiskDNS DDoS Attack and Risk
DNS DDoS Attack and Risk
Sukbum Hong
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and security
Michael Earls
 
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
DTM Security
 
CNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS SecurityCNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS Security
Sam Bowne
 
Dnssec
DnssecDnssec
Dnssec
guest3131f85
 
Domain Name System (DNS)
Domain Name System (DNS)Domain Name System (DNS)
Domain Name System (DNS)
Venkatesh Jambulingam
 
CNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and ArchitectureCNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and Architecture
Sam Bowne
 
CNIT 40: 3: DNS vulnerabilities
CNIT 40: 3: DNS vulnerabilitiesCNIT 40: 3: DNS vulnerabilities
CNIT 40: 3: DNS vulnerabilities
Sam Bowne
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows Networks
Men and Mice
 
DNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamDNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul Islam
MyNOG
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
APNIC
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
Sam Bowne
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local Networks
Men and Mice
 
IPv6 Threat Presentation
IPv6 Threat PresentationIPv6 Threat Presentation
IPv6 Threat Presentation
johnmcclure00
 
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Dan York
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Men and Mice
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
Sam Bowne
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSec
AFRINIC
 
Dns security
Dns securityDns security
Dns security
Dhaval Kapil
 
Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time
Bangladesh Network Operators Group
 
DNS DDoS Attack and Risk
DNS DDoS Attack and RiskDNS DDoS Attack and Risk
DNS DDoS Attack and Risk
Sukbum Hong
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and security
Michael Earls
 
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
DTM Security
 
CNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS SecurityCNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS Security
Sam Bowne
 
Dnssec
DnssecDnssec
Dnssec
guest3131f85
 
Domain Name System (DNS)
Domain Name System (DNS)Domain Name System (DNS)
Domain Name System (DNS)
Venkatesh Jambulingam
 
CNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and ArchitectureCNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and Architecture
Sam Bowne
 
CNIT 40: 3: DNS vulnerabilities
CNIT 40: 3: DNS vulnerabilitiesCNIT 40: 3: DNS vulnerabilities
CNIT 40: 3: DNS vulnerabilities
Sam Bowne
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows Networks
Men and Mice
 
DNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamDNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul Islam
MyNOG
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
APNIC
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
Sam Bowne
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local Networks
Men and Mice
 
IPv6 Threat Presentation
IPv6 Threat PresentationIPv6 Threat Presentation
IPv6 Threat Presentation
johnmcclure00
 
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Dan York
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Men and Mice
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
Sam Bowne
 

Similar to DNS Cache White Paper (20)

Microsoft Lync Server 2010 Installation
Microsoft Lync Server 2010 InstallationMicrosoft Lync Server 2010 Installation
Microsoft Lync Server 2010 Installation
Shahab Al Yamin Chawdhury
 
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docxLab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
pauline234567
 
Blockchain - Hyperledger Fabric v1.0 Running on LinuxONE, see it in action!
Blockchain - Hyperledger Fabric v1.0 Running on LinuxONE, see it in action!Blockchain - Hyperledger Fabric v1.0 Running on LinuxONE, see it in action!
Blockchain - Hyperledger Fabric v1.0 Running on LinuxONE, see it in action!
Anderson Bassani
 
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutionsCloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
Yevgeniy Brikman
 
[Bind DNS + Zimbra + SpamAssassin] Antispam Installation Guide
[Bind DNS + Zimbra + SpamAssassin] Antispam Installation Guide[Bind DNS + Zimbra + SpamAssassin] Antispam Installation Guide
[Bind DNS + Zimbra + SpamAssassin] Antispam Installation Guide
Mạnh Nguyễn Văn
 
Handson1 6 federp
Handson1 6 federpHandson1 6 federp
Handson1 6 federp
federpmatc
 
Client Server Live Hosting Documentation
Client Server Live Hosting Documentation Client Server Live Hosting Documentation
Client Server Live Hosting Documentation
Khwaja Yunus Ali Medical University
 
27.2.12 lab interpret http and dns data to isolate threat actor
27.2.12 lab interpret http and dns data to isolate threat actor27.2.12 lab interpret http and dns data to isolate threat actor
27.2.12 lab interpret http and dns data to isolate threat actor
Freddy Buenaño
 
software Documentation Certificate in department of computer
software Documentation Certificate in department of computersoftware Documentation Certificate in department of computer
software Documentation Certificate in department of computer
shriyanshrauthan833
 
Tutorial CentOS 5 untuk Webhosting
Tutorial CentOS 5 untuk WebhostingTutorial CentOS 5 untuk Webhosting
Tutorial CentOS 5 untuk Webhosting
Beni Krisbiantoro
 
Part 4 Scripting and Virtualization (due Week 7)Objectives1. .docx
Part 4 Scripting and Virtualization (due Week 7)Objectives1. .docxPart 4 Scripting and Virtualization (due Week 7)Objectives1. .docx
Part 4 Scripting and Virtualization (due Week 7)Objectives1. .docx
karlhennesey
 
Devry gsp 215 week 7 i lab networking and a tiny web server new
Devry gsp 215 week 7 i lab networking and a tiny web server newDevry gsp 215 week 7 i lab networking and a tiny web server new
Devry gsp 215 week 7 i lab networking and a tiny web server new
williamethan912
 
Resilience Testing
Resilience Testing Resilience Testing
Resilience Testing
Ran Levy
 
Final opensource record 2019
Final opensource record 2019Final opensource record 2019
Final opensource record 2019
Karthik Sekhar
 
DNS Cache Poisoning
DNS Cache PoisoningDNS Cache Poisoning
DNS Cache Poisoning
Kourosh Sajjadi
 
Smiley033
Smiley033Smiley033
Smiley033
subhajitmondalglb
 
Research Assignment For Active Directory
Research Assignment For Active DirectoryResearch Assignment For Active Directory
Research Assignment For Active Directory
Jessica Myers
 
Project Pt1
Project Pt1Project Pt1
Project Pt1
Emmanuel McCain
 
Squid proxy-configuration-guide
Squid proxy-configuration-guideSquid proxy-configuration-guide
Squid proxy-configuration-guide
jasembo
 
Install nagios
Install nagiosInstall nagios
Install nagios
hassandb
 
Microsoft Lync Server 2010 Installation
Microsoft Lync Server 2010 InstallationMicrosoft Lync Server 2010 Installation
Microsoft Lync Server 2010 Installation
Shahab Al Yamin Chawdhury
 
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docxLab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
pauline234567
 
Blockchain - Hyperledger Fabric v1.0 Running on LinuxONE, see it in action!
Blockchain - Hyperledger Fabric v1.0 Running on LinuxONE, see it in action!Blockchain - Hyperledger Fabric v1.0 Running on LinuxONE, see it in action!
Blockchain - Hyperledger Fabric v1.0 Running on LinuxONE, see it in action!
Anderson Bassani
 
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutionsCloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
Yevgeniy Brikman
 
[Bind DNS + Zimbra + SpamAssassin] Antispam Installation Guide
[Bind DNS + Zimbra + SpamAssassin] Antispam Installation Guide[Bind DNS + Zimbra + SpamAssassin] Antispam Installation Guide
[Bind DNS + Zimbra + SpamAssassin] Antispam Installation Guide
Mạnh Nguyễn Văn
 
Handson1 6 federp
Handson1 6 federpHandson1 6 federp
Handson1 6 federp
federpmatc
 
Client Server Live Hosting Documentation
Client Server Live Hosting Documentation Client Server Live Hosting Documentation
Client Server Live Hosting Documentation
Khwaja Yunus Ali Medical University
 
27.2.12 lab interpret http and dns data to isolate threat actor
27.2.12 lab interpret http and dns data to isolate threat actor27.2.12 lab interpret http and dns data to isolate threat actor
27.2.12 lab interpret http and dns data to isolate threat actor
Freddy Buenaño
 
software Documentation Certificate in department of computer
software Documentation Certificate in department of computersoftware Documentation Certificate in department of computer
software Documentation Certificate in department of computer
shriyanshrauthan833
 
Tutorial CentOS 5 untuk Webhosting
Tutorial CentOS 5 untuk WebhostingTutorial CentOS 5 untuk Webhosting
Tutorial CentOS 5 untuk Webhosting
Beni Krisbiantoro
 
Part 4 Scripting and Virtualization (due Week 7)Objectives1. .docx
Part 4 Scripting and Virtualization (due Week 7)Objectives1. .docxPart 4 Scripting and Virtualization (due Week 7)Objectives1. .docx
Part 4 Scripting and Virtualization (due Week 7)Objectives1. .docx
karlhennesey
 
Devry gsp 215 week 7 i lab networking and a tiny web server new
Devry gsp 215 week 7 i lab networking and a tiny web server newDevry gsp 215 week 7 i lab networking and a tiny web server new
Devry gsp 215 week 7 i lab networking and a tiny web server new
williamethan912
 
Resilience Testing
Resilience Testing Resilience Testing
Resilience Testing
Ran Levy
 
Final opensource record 2019
Final opensource record 2019Final opensource record 2019
Final opensource record 2019
Karthik Sekhar
 
DNS Cache Poisoning
DNS Cache PoisoningDNS Cache Poisoning
DNS Cache Poisoning
Kourosh Sajjadi
 
Smiley033
Smiley033Smiley033
Smiley033
subhajitmondalglb
 
Research Assignment For Active Directory
Research Assignment For Active DirectoryResearch Assignment For Active Directory
Research Assignment For Active Directory
Jessica Myers
 
Project Pt1
Project Pt1Project Pt1
Project Pt1
Emmanuel McCain
 
Squid proxy-configuration-guide
Squid proxy-configuration-guideSquid proxy-configuration-guide
Squid proxy-configuration-guide
jasembo
 
Install nagios
Install nagiosInstall nagios
Install nagios
hassandb
 
Ad

DNS Cache White Paper

  • 1. DNS Cache Poisoning Using Man-in-the-middle attack Ryan Ellingson Herzing University 3/23/15
  • 2. 1 Table of Contents I. Executive Summary............................................................................................... 2 II. Project Planning .................................................................................................... 3 Network Diagram Technical Planning Linux Client Specifications Windows Server Specifications Windows Client Specifications III. Implementation..................................................................................................... 5 Installation of Kali Linux Installation of Windows Server 2008 Installation of Windows 7 Cloning http://www.facebook.com Editing Configuration Files Using Ettercap IV. DNS Cache Poisoning (with MITM) Plan Testing ............................................10 V. Preventing DNS Cache Poisoning (with MITM Attack) ..................................................................................................................12 VI. Conclusion............................................................................................................13 VII. Appendix...............................................................................................................14
  • 3. Executive Summary DNS Cache Poisoning is posing an imminent threat to open internet networks. It can be set up in only a matter of minutes, and utilized in such a way that information such as accounts, emails, and passwords can be compromised with minimal work. Creating some policies against this could just help save any business that relies on the use of their internet network for a source of income, or for any business that cares about the safety and integrity of their network as a whole. *DNS Cache Poisoning is illegal. This paper is for educational purposes only. Do not try this on anyone’s network.*
  • 4. DNS CACHE POISONING - MARCH 2015 3 Project Planning For this project, the planning is relatively simple. A simple understanding of DNS Cache Poisoning and Man-in-the-Middle attacks are necessary. DNS Cache Poisoning - computer hacking attack, whereby data is introduced into a DNS name server's cache database, causing the name server to return an incorrect IP address, diverting traffic to another computer. Man-in-the-Middle - a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them. This project is manageable on both a large-scale network, a small-scale network, or for testing purposes on virtual machines without any notable issues. Network Diagram Figure 1 Network Diagram
  • 5. DNS CACHE POISONING - MARCH 2015 4 Technical Planning The following specifications were used as part of the technical planning of the project entities. For this project, make a Kali Linux machine, Windows (7) client, 1 Windows Server (2008) client, and a router. Linux Client Specifications Operating System Kali Linux Memory 1 GB Hard Disk 15 GB Network Cards 1 NIC Figure 2 Linux Client Specifications Windows Server Specifications Operating System Windows Server 2008 Memory 2 GB Hard Disk 60 GB Network Cards 1 NIC Figure 3 Server Specifications Windows Client Specifications Operating System Windows 7 Memory 2 GB Hard Disk 20 GB Network Cards 1 NIC Figure 3 Windows Client Specifications
  • 6. DNS CACHE POISONING - MARCH 2015 5 Implementation Implementation (for the purpose of this project) was done on VMware Workstation 10.0.1. Depending on the network, the time that implementation will take may vary. Installation of Kali Linux When installing Kali Linux, follow all the prompts and use all the default options. Once fully installed, configure the IP Address, Network Mask, and Gateway. (Letting it get an IP via DHCP is alright too) Next, ping 8.8.8.8. If 8.8.8.8 cannot be reached, make sure to go back and check the configurations again. Installation of Windows Server 2008 Install Windows Server 2008 like normal. Set a user and root password. Make sure to write them down so you will not forget them. Be sure to set up the DNS server role on the server. This will be the DNS Server that the Windows 7 Machine will use. Installation of Windows 7 Install Windows 7 like normal. Set a user and password. Make sure to write them down so you will not forget it. Be sure to point the DNS towards the Windows Server 2008 Machine. Cloning http://www.facebook.com Open the terminal. Type “setoolkit”. This starts the process for cloning Facebook. Figure 4 Setoolkit
  • 7. DNS CACHE POISONING - MARCH 2015 6 Next, enter “1” for Social –Engineering Attacks. Second, enter “2” for Website Attack Vectors. Third, enter “3” for Credential Harvester Attack Method. Fourth, enter “2” for Site Cloner. After everything is entered, find out what the IP address of the Kali Linux Machine is by typing “ifconfig” into another terminal. Enter this IP address into the prompt that comes after selecting Site Cloner. Figure 5 Entering in IP Address Once the IP address of the Kali Linux Machine has been entered, type the web address of the website being cloned. In this case, http://www.facebook.com is being used. At last, there will be a prompt for starting the Apache Server for the cloned site to be run on. Simply type “y” and the Apache Server will be started. Figure 6 Running Apache Server
  • 8. DNS CACHE POISONING - MARCH 2015 7 Editing Configuration Files Open the terminal and enter “leafpad /etc/ettercap/etter.conf”. This will open the etter.conf file that needs to be edited. Near the top of the document, there will be two lines that say “ec_uid = 65534” and “ec_gid = 65534”. Change the numbers to “0” and save the document. Figure 7 Editing etter.conf file Next, change directories to /etc/ettercap by typing “cd /etc/ettercap” into the terminal. Type “ls” to see the content of the directory. Locate the etter.dns file by typing “locate etter.dns”. This is a good way to double check that the etter.dns file is in the correct directory. Change the permissions on the file by typing “chmod 777 /etc/ettercap/etter.dns” into the terminal, and then open the document by typing “leafpad /etc/ettercap/etter.dns”.
  • 9. DNS CACHE POISONING - MARCH 2015 8 Figure 8 Editing etter.dns file Scroll down to where the document shows Microsoft.com along with some IP addresses (as shown in figure 6). Replace the words “Microsoft” with “Facebook”. Replace the IP address to the right of the URL with the IP address of the Kali Linux Machine. Save the document. Using Ettercap Open the program “Ettercap”. At the top of the program, click “Sniff” > “Unified sniffing…” > “OK”. Second, click “Hosts” > “Scan for hosts”. This will check the network for other machines available on the network. Third, click “Hosts” > “Host List” to see all the available targets. Add the router to Target 1 and the DNS server to Target 2. Fourth, click “Mitm” > “Arp poisoning…” and check the box for “Sniff remote connections. Press “OK”. Fifth, click “Plugins” > “Manage the plugins” and double click “dns_spoof”. Lastly, click “Start” > “Start sniffing”.
  • 10. DNS CACHE POISONING - MARCH 2015 9 Figure 9 Start sniffing network
  • 11. DNS CACHE POISONING - MARCH 2015 10 DNS Cache Poisoning (with MITM) Plan Testing Windows Server 2008 On the Windows Server 2008 Machine, open the web browser and go to http://www.facebook.com. This should come up with the cloned website made in previous steps. To make sure that it is, open the command prompt and type “ping facebook.com”. If the IP address matches the IP address of the Kali Linux machine, the attack was successful. Figure 10 Ping response from cloned website to Windows Server 2008 Machine Also, to be sure that the Kali Linux Machine has picked up on this, go back to Ettercap and check to see if anything was spoofed. Figure 11 Ettercap spoof confirmation Windows 7 Go to the Windows 7 Machine. Make sure the DNS is pointed towards the DNS server. Open up any browser and go to http://www.facebook.com. If the cloned website/Kali Linux IP address was saved into the DNS Server’s cache, this should take you to the very same cloned website that the Windows Server 2008 went to earlier. Again, to find out if the attack was successful, open the command prompt and type “ping facebook.com”. If the IP address matches that of the Kali Linux Machine, the attack was successful.
  • 12. DNS CACHE POISONING - MARCH 2015 11 Figure 12 Ping response from cloned website to Windows 7 Machine Also be sure to check back in the Ettercap to see if yet another machine has been spoofed. Figure 13 Ettercap spoof confirmation
  • 13. DNS CACHE POISONING - MARCH 2015 12 Preventing DNS Cache Poisoning (with MITM Attack) Short-term solutions 1. Maximize the amount of randomness a. Most implementations use randomized transaction numbers. There was a risk with it years ago, but has been fixed since. b. Most implementations do not randomize the port numbers. Most always use the same port number. c. The patches that have been released in the last few months work by randomizing the source port for the recursive server. 2. Disable open recursive name servers a. The attack is not effective if the attacker cannot send question packets to the name server. b. If a recursive name server must be run, limit access to only the computers that need it. Long-term solutions 1. Introduce security to the DNS a. The DNS is insecure. Upgrade the DNS for security. b. DNSSEC is the current answer to this problem.
  • 14. DNS CACHE POISONING - MARCH 2015 13 Conclusion To conclude, DNS Cache Poisoning (with MITM Attack) is fairly simple and quick to set up. Protecting against it is not nearly as simple, but it has to be something that has to be looked at if a network’s integrity is necessary in the business (which it most likely is). References Wilson, C. (2014, October). Assistance Cann, J. (2014, October). Assistance https://www.youtube.com/watch?v=4k760wQ9rhI http://moinkhans.blogspot.com/2013/05/social-engineering-toolkit-kali-linux.html https://www.iana.org/about/presentations/davies-viareggio-entropyvuln-081002.pdf
  • 15. DNS CACHE POISONING - MARCH 2015 14 Appendix Figure 14 Selecting Social-Engineering Attacks Figure 15 Selecting Website Attack Vectors
  • 16. DNS CACHE POISONING - MARCH 2015 15 Figure 16 Selecting Credential Harvester Attack Method Figure 17 Selecting Site Cloner
  • 17. DNS CACHE POISONING - MARCH 2015 16 Figure 18 Finding IP address of Kali Linux Machine Figure 19 Input IP address into setools prompt
  • 18. DNS CACHE POISONING - MARCH 2015 17 Figure 20 Input web address into setools prompt Figure 21 Starting Apache Server
  • 19. DNS CACHE POISONING - MARCH 2015 18 Figure 22 Editing /etc/ettercap/etter.conf file Figure 23 Before editing document
  • 20. DNS CACHE POISONING - MARCH 2015 19 Figure 24 After editing document Figure 25 Change permission to etter.dns
  • 21. DNS CACHE POISONING - MARCH 2015 20 Figure 26 Opening /.etter/ettercap/etter.dns Figure 27 Before making changes
  • 22. DNS CACHE POISONING - MARCH 2015 21 Figure 28 After making changes Figure 29 Opening ettercap
  • 23. DNS CACHE POISONING - MARCH 2015 22 Figure 30 Choosing the interface Figure 31 Opeinging host list
  • 24. DNS CACHE POISONING - MARCH 2015 23 Figure 32 Selecting router for Target 1 Figure 33 Selecting Windows Server 2008 for Target 2
  • 25. DNS CACHE POISONING - MARCH 2015 24 Figure 34 Selecting dns spoof in Plugins Figure 35 Selecting MITM Attack
  • 26. DNS CACHE POISONING - MARCH 2015 25 Figure 36 Starting Sniffing Figure 37 Going to Facebook on Windows Server 2008
  • 27. DNS CACHE POISONING - MARCH 2015 26 Figure 38 Spoof Windows Server 2008 in Ettercap Figure 39 Ping Facebook on Windows Server 2008 Figure 40 Spoof Facebook from cache of Windows Server 2008 on Windows 7 Machine
  • 28. DNS CACHE POISONING - MARCH 2015 27 Figure 41 Checking Ettercap to see if Windows 7 Machine was impacted Figure 42 Pinging Facebook from Windows 7 Machine