How dns id spoofing works in Windows

In this article, the relevant program T-DNS to support any host within the LAN to initiate dns id spoofing attacks, so that any website accessed by it is directed to a custom WEB server, such as your personal homepage. You can download this software from SafeChina.
Download link: http://www.safechina.net/download/click.php? Type = original site & id = 1038791088>

A Domain Name System (DNS) is a distributed database used for TCP/IP applications. It provides conversion information between host names and IP addresses. Generally, network users communicate with the DNS server through UDP protocol, while the server listens on a specific 53 port and returns the information required by the user.

1. DNS data structure
DNS datagram:
Typedef struct dns
{
Unsigned short id;
// ID, through which the client can match the DNS request with the response;
Unsigned short flags;
// Flag: [QR | opcode | AA | TC | RD | RA | zero | rcode]
Unsigned short quests;
// Number of questions;
Unsigned short answers;
// Number of resource records;
Unsigned short author;
// Number of authorized resource records;
Unsigned short addition;
// Number of additional resource records;
} DNS, * PDNS;
In the 16-Bit Flag, the QR Code determines whether the query is a query/response message. The opcode identifies the query type, the AA determines whether the answer is an authorized answer, and the TC determines whether the query can be truncated, RD determines whether a recursive query is expected. RA determines whether a recursive query is available. zero must be 0, and rcode is the return code segment.

DNS query datagram:
Typedef struct query
{
Unsinged char * name;
// Query the domain name, which is a string between 0 and 63;
Unsigned short type;
// Query type. There are about 20 different types.
Unsigned short classes;
// Query class, usually Class A queries both IP addresses.
} QUERY, * PQUERY;

DNS response datagram:
Typedef struct response
{
Unsigned short name;
// Query the Domain Name
Unsigned short type;
// Query type
Unsigned short classes;
// Type code
Unsigned int ttl;
// Survival time
Unsigned short length;
// Resource Data Length
Unsigned int addr;
// Resource data
} RESPONSE, * PRESPONSE;

Ii. How dns id spoofing works in windows
We can see that the id (id) in the DNS datagram header is used to match the response and request datagram. Now let's take a look at the whole process of domain name resolution. The client first sends a domain name query datagram to the DNS server with a specific identifier, and then sends the domain name response datagram to the client with the same ID number after the DNS Server query. At this time, the client will compare the ID of the received DNS response datagram with the query datagram ID sent by itself. If yes, the client will receive the desired datagram and discard it if no match exists.

If the DNS server can send response data packets to the client in advance, the IP address corresponding to the domain name in the DNS cache of the client is our custom IP address, at the same time, the client is also carried to the website we want. There is only one condition, that is, The DSN response datagram with the ID that we send will arrive at the client before the response datagram sent by the DNS server. Clearly shows the dns id spoofing process:

Client <-- response -- | ...... DNS Server
| <-- [A. B. c = 112.112.112.112] -- Your Computer

So far, I think we all know the essence of DNS ID spoofing. How can we achieve this? There are two cases:
1. the local host and DNS server, both the local host and the client host are not in the same LAN. The methods are as follows: a large number of DNS response data packets are randomly sent to the client host, with a low hit rate; it is too rude to initiate a Denial-of-Service attack to the DNS server. The BIND vulnerability has a narrow scope of use.
2. the local host is at least in the same LAN as the DNS server or one of the client hosts: We can use ARP spoofing to achieve reliable and stable dns id spoofing, we will discuss this situation in detail below.

First, the foundation of dns id spoofing is ARP spoofing, that is, spoofing the gateway and client host (or the gateway and DNS server) in the LAN at the same time, or spoof the DNS server and client host ). We send ARP response datagram to the Gateway in the name of the client, but change the source MAC address to the MAC address of our host. At the same time, the gateway sends the ARP response datagram to the client host, change the source MAC address to the MAC address of our host. In this case, the MAC address of the gateway client is the MAC address of our host. The client also considers the MAC address of the gateway as the MAC address of our host. Because the data transmitted in the LAN is based on the MAC address, the data flow between the gateway and the client must first pass through the local host. For more information, see detailed description of calling the WinPCap driver to write Arp multi-function tools.

When you monitor the data reports between the gateway and the client host, if you find the DNS query datagram sent by the client (the destination port is 53 ), then, we can send the self-constructed DNS response datagram to the client in advance. Note: We must extract the ID information of the DNS query datagram sent by a client, because the client uses it for matching authentication. This is a DNS vulnerability that we can exploit. In this way, the client will first receive the DNS response datagram we sent and access our custom website. Although the client will also receive the Response Message from the DNS server, it is too late, haha.

Iii. Core code analysis
The main program creates two threads, one thread for real-time ARP spoofing, And the other thread for listening to received data packets. If the current Domain Name Service queries data packets, then, send the custom DSN response datagram to the client immediately. Test environment: Windows2000 + VC6.0 + Winpcap_3.0_alpha, Registry: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParametersIPEnableRouter = 0x1.
1. sniff thread:
PacketSetHwFilter (lpadapter, NDIS_PACKET_TYPE_PROMISCUOUS );
// Set the NIC to the hybrid mode
PacketSetBuff (lpadapter, 500*1024 );
// Set the kernel cache of the network adapter;
PacketSetReadTimeout (lpadapter, 1 );
// Set the wait time;
PacketReceivePacket (lpadapter, lppacketr, TRUE );
// Receives network datagram;
Checksum (USHORT *) temp, sizeof (PSD) + sizeof (UDPHDR) + sizeof (DNS) + ulen + sizeof (QUERY) + sizeof (RESPONSE ));
// Calculate the checksum;
PacketInitPacket (lppackets, sendbuf, sizeof (ETHDR) + sizeof (IPHDR) + sizeof (UDPHDR) + sizeof (DNS) + ulen + 4 + sizeof (RESPONSE ));
// Initialize a _ PACKET structure and send a DNS response datagram;

2. arpspoof thread;
PacketInitPacket (lppackets, sendbuf, sizeof (eth) + sizeof (arp ));
// Initialize the ARP response datagram;
PacketSendPacket (lpadapter, lppackets, TRUE );
// Send the response datagram of ARP spoofing;

3. getmac () function
GetAdaptersInfo (padapterinfo, & adapterinfosize );
// Obtain the network adapter attributes;
SendARP (destip, 0, pulmac, & ullen );
// Send ARP request datagram, the MAC address of the previous network host;

4. main () function
PacketGetAdapterNames (char *) adaptername, & adapterlength );
// Obtain the network adapter list and description of the local host;
Lpadapter = PacketOpenAdapter (adapterlist [open-1]);
// Open the specified network adapter;
CreateThread (NULL, 0, sniff, NULL, 0, & threadrid );
CreateThread (NULL, 0, arpspoof, NULL, 0, & threadsid );
// Create two threads;
WaitForMultipleObjects (2, thread, FALSE, INFINITE );
// Wait for the end of a thread;

Iv. Summary and postscript
Network security in the LAN is a noteworthy issue. It is often prone to various spoofing attacks. This is determined by the attributes of the LAN-network sharing. Dns id spoofing described in this article is Based on ARP spoofing. If it is deployed on a wide area network, it is troublesome. However, there are some exceptions: If the proxy server is used in IE, spoofing cannot be performed because the client does not perform domain name requests locally. If you are not visiting the website homepage, it is a subdirectory file, so that you do not find the relevant file on the custom website, login ended in failure. If you are unfortunately cheated, disable the local connection first, and then enable the local connection to clear the DNS cache.

V. Source Code

# Include
# Include
# Include

# Define ETH_IP 0x0800
# Define ETH_ARP 0x0806
# Define ARP_REQUEST & nbs