Author Topic: DNS Amplification, please enlighten me  (Read 3233 times)


Offline youpi

  • Serf
  • *
  • Posts: 20
  • Cookies: -6
DNS Amplification, please enlighten me
« on: January 17, 2014, 04:56:21 pm »
So I'm pretty sure I've found recursive DNS servers, because Nmap and a reliable website say so.

That being said, I would like to be able to verify that myself.

I've been using things like dig +notcp -t ANY @rec-server irc.efnet.org, for example, but I'm only getting a 400-byte response when the website says people get 4000 bytes back. (http://www.watchguard.com/infocenter/editorial/41649.asp)


Please enlighten me.

EDIT: Just read they're using large TXT records.

Anyway, is there a way to see if the server is vuln with dig?
DNS amplification isn't much use without a compromised DNS server with a large TXT record, is it? When resolving things like irc.efnet.org for example

-- Use the modify button fool!!
« Last Edit: January 17, 2014, 09:55:51 pm by lucid »

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
Re: DNS Amplification, please enlighten me
« Reply #1 on: January 17, 2014, 09:38:17 pm »
http://www.watchguard.com/infocenter/editorial/41649.asp

It doesn't have to be a TXT record, and you don't have to compromise the amplification server(s). If you have already compromised the server, you could just as well use a UDP flooder script of some sort.

The thing is, you find one or more DNS servers and try to find the largest response possible, then spoof packets (posing as your target) so that the response is sent to your target. This means a request of maybe 70 bytes can reflect as much as 4000 bytes back, depending on how large a response you are able to craft/find.

Example-wise: I can request googl.com (approx 69 bytes) and get 5 IPs back (approx 149 bytes). That's a 215% amplification, not a great one, but you get the idea. And because of the way UDP works, in this case there is no handshake or connection state required, and that's why this attack works.
« Last Edit: January 17, 2014, 09:44:09 pm by ande »
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

Offline bluechill

  • Cybermancer
  • Royal Highness
  • ****
  • Posts: 682
  • Cookies: 344
  • I am the existence in these walls
Re: DNS Amplification, please enlighten me
« Reply #2 on: January 17, 2014, 11:23:29 pm »
If you really want to do amplification, use standard time servers. You can get kilobytes back for bytes. Over 80x amplification, whereas DNS is only 1.5-4
I have dreamed a dream, but now that dream has gone from me.  In its place now exists my own reality, a reality which I have created for myself by myself.

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
Re: DNS Amplification, please enlighten me
« Reply #3 on: January 18, 2014, 12:19:45 am »
Quote from: bluechill
If you really want to do amplification, use standard time servers. You can get kilobytes back for bytes. Over 80x amplification, whereas DNS is only 1.5-4

(No research done beforehand:) Do standard time servers use UDP without any kind of handshake or connection state? Also, I am pretty sure you can get better amplification than 1.5-4 with DNS. If I remember correctly there was some exploit/bug/feature that allowed you to dump all public records on a DNS server and send megabytes back.
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

Offline vezzy

  • Royal Highness
  • ****
  • Posts: 771
  • Cookies: 172
Quote from: Dippy hippy
Just brushing though. I will be semi active mainly came to find a HQ botnet, like THOR or just any p2p botnet

Offline youpi

  • Serf
  • *
  • Posts: 20
  • Cookies: -6
Re: DNS Amplification, please enlighten me
« Reply #5 on: January 19, 2014, 12:15:04 am »
Thanks for this, I will read up on it.


Does anyone have a PoC script to send spoofed NTP requests?
« Last Edit: January 19, 2014, 12:30:34 am by youpi »

Offline youpi

  • Serf
  • *
  • Posts: 20
  • Cookies: -6
Re: DNS Amplification, please enlighten me
« Reply #6 on: January 25, 2014, 07:47:19 am »
OK, so as no one would wipe my ass, I did my little research.


UDP is on top of IP.
And NTP should be on top of UDP, which is on top of IP.


I'll be using raw sockets to forge raw UDP packets with a spoofed address.
So I'll create a struct with all the UDP shit we need to take care of, checksum, tos, the lot of it. I captured the packet using tcpdump and Wireshark.
I've got everything figured out concerning this.


Now I understand that when you send a raw UDP packet you're basically sending a string, which is a pointer to an array of chars, and you can send UDP packets like "ABC", whatever.


I also understand and have read that NTP is a protocol on its own, so I have to create the packet using a struct, and here it will be the monlist message, which is a request message (set the bit) bla bla. Just shit I have to respect as it's the RFC but don't give a fuck about.




NOW THE QUESTION:
How do I encapsulate the thing to send it through my spoofed UDP raw socket?
The only way I see is sending it in place of the *buffer, but yeah, it seems a bit weird and I actually don't know how I'll convert it. (Just cast the struct to the expected input?)


Please enlighten me, smartasses. (lawl)


#include <netinet/ip.h>   /* struct iphdr */
#include <netinet/udp.h>  /* struct udphdr */
struct iphdr *ip = (struct iphdr *)packet;                                 /* IP header at the start of the raw buffer */
struct udphdr *udp = (struct udphdr *)((char *)ip + sizeof(struct iphdr)); /* UDP header right after it (char *, not void *, for the arithmetic) */

This is done to encapsulate UDP in IP.
So I just do something similar?
Still need to look up what's included for the headers and shit.

Wow, so much work, please tell me if I'm headed in the right direction.
« Last Edit: January 25, 2014, 07:53:39 am by youpi »
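Added example, not code from the post above or from any reply: it answers the "cast the struct onto the buffer" question by laying an IPv4 header, a UDP header and the 48-byte NTP header of RFC 5905 over one byte array, each struct starting where the previous one ends, and then filling in the two checksums (the UDP one also covers a pseudo-header of the IP addresses, which is the part people usually get wrong). The header structs are written out here instead of taken from <netinet/ip.h> so their sizes are visible; the field names follow Linux's struct iphdr and struct udphdr. The mode-7 monlist body the post mentions is not shown; a standard mode-3 client request is used, which sits at the same offset. Nothing is sent: putting the result on the wire takes a raw socket with IP_HDRINCL, and the 192.0.2.x / 198.51.100.x addresses and all function names are assumptions for the example.

```c
/* ntp_encap.c: IP | UDP | NTP laid over a single buffer, with checksums.
 * Added example for this thread, not code from any post.  Builds only. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

#define NTP_PORT 123

/* Same layout as Linux's struct iphdr / struct udphdr; fields are network order. */
struct ip4_hdr {
    uint8_t  vhl;                  /* version (4) << 4 | header length in words (5) */
    uint8_t  tos;
    uint16_t tot_len, id, frag_off;
    uint8_t  ttl, protocol;
    uint16_t check;
    uint32_t saddr, daddr;
} __attribute__((packed));

struct udp_hdr { uint16_t source, dest, len, check; } __attribute__((packed));

/* Pseudo-header prepended to the UDP segment when computing its checksum (RFC 768). */
struct udp_pseudo { uint32_t s, d; uint8_t zero, proto; uint16_t len; } __attribute__((packed));

/* 48-byte NTP header, RFC 5905 section 7.3.  A mode 7 "private" request such
 * as monlist has a different body but starts at the same offset. */
struct ntp_packet {
    uint8_t  li_vn_mode;           /* leap (2 bits) | version (3) | mode (3) */
    uint8_t  stratum, poll, precision;
    uint32_t root_delay, root_dispersion, ref_id;
    uint32_t ref_ts[2], orig_ts[2], recv_ts[2], xmit_ts[2];
} __attribute__((packed));

/* RFC 1071 one's-complement sum, shared by the IP and UDP checksums */
static uint32_t csum_add(uint32_t sum, const void *data, size_t len)
{
    const uint8_t *p = data;
    for (; len > 1; len -= 2, p += 2) sum += (uint32_t)(p[0] << 8 | p[1]);
    if (len) sum += (uint32_t)p[0] << 8;
    return sum;
}
static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
static uint32_t udp_pseudo_sum(const struct ip4_hdr *ip, uint16_t udp_len_be)
{
    struct udp_pseudo ph = { ip->saddr, ip->daddr, 0, IPPROTO_UDP, udp_len_be };
    return csum_add(0, &ph, sizeof ph);
}

/* Fill buf with IP|UDP|NTP from src_ip:src_port to dst_ip:123.  Returns the
 * total length, or 0 if buf is too small or an address does not parse. */
size_t build_ntp_request(uint8_t *buf, size_t cap, const char *src_ip,
                         uint16_t src_port, const char *dst_ip)
{
    const size_t iplen = sizeof(struct ip4_hdr), udplen = sizeof(struct udp_hdr);
    const size_t total = iplen + udplen + sizeof(struct ntp_packet);
    struct in_addr s, d;
    if (cap < total) return 0;
    if (inet_pton(AF_INET, src_ip, &s) != 1 || inet_pton(AF_INET, dst_ip, &d) != 1) return 0;
    memset(buf, 0, total);

    /* The overlay: each header struct is cast onto the buffer right after the previous one. */
    struct ip4_hdr    *ip  = (struct ip4_hdr *)buf;
    struct udp_hdr    *udp = (struct udp_hdr *)(buf + iplen);
    struct ntp_packet *ntp = (struct ntp_packet *)(buf + iplen + udplen);

    ntp->li_vn_mode = (0 << 6) | (4 << 3) | 3;  /* LI 0, NTPv4, mode 3 = client */

    udp->source = htons(src_port);
    udp->dest   = htons(NTP_PORT);
    udp->len    = htons((uint16_t)(total - iplen));   /* header + payload */

    ip->vhl = 0x45;  ip->tot_len = htons((uint16_t)total);  ip->id = htons(0x4242);
    ip->ttl = 64;    ip->protocol = IPPROTO_UDP;
    ip->saddr = s.s_addr;  ip->daddr = d.s_addr;        /* saddr is whatever the caller chose */
    ip->check = htons(csum_fold(csum_add(0, ip, iplen)));

    uint32_t sum = csum_add(udp_pseudo_sum(ip, udp->len), udp, total - iplen);
    udp->check = htons(csum_fold(sum));
    if (udp->check == 0) udp->check = 0xffff;   /* RFC 768: a zero field means "no checksum" */
    return total;
}

/* Recompute both checksums over a finished packet; 1 if both verify. */
int verify_checksums(const uint8_t *buf, size_t len)
{
    const struct ip4_hdr *ip = (const struct ip4_hdr *)buf;
    if (len < sizeof *ip || csum_fold(csum_add(0, ip, sizeof *ip)) != 0) return 0;
    const struct udp_hdr *udp = (const struct udp_hdr *)(buf + sizeof *ip);
    size_t ulen = ntohs(udp->len);
    if (sizeof *ip + ulen > len) return 0;
    return csum_fold(csum_add(udp_pseudo_sum(ip, udp->len), udp, ulen)) == 0;
}

static uint8_t g_pkt[128];

/* Stand-alone demo: one packet from 192.0.2.10:40000 to 198.51.100.1:123 (test addresses). */
size_t demo_ntp_packet(void)
{
    return build_ntp_request(g_pkt, sizeof g_pkt, "192.0.2.10", 40000, "198.51.100.1");
}

int main(void)
{
    size_t n = demo_ntp_packet();
    printf("%zu bytes: IP[0..19] UDP[20..27] NTP[28..%zu], checksums %s\n",
           n, n - 1, verify_checksums(g_pkt, n) ? "ok" : "BAD");
    return 0;
}
```

The buffer handed to sendto() on an IP_HDRINCL raw socket is exactly g_pkt, which is why the three structs never get copied: the "conversion" the post asks about is the pointer cast, and the struct's field assignments write straight into the bytes that go on the wire.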

Offline RedBullAddicted

  • Moderator
  • Sir
  • *
  • Posts: 519
  • Cookies: 189
Re: DNS Amplification, please enlighten me
« Reply #7 on: January 25, 2014, 08:50:35 am »
Hi youpi,

I am not very good at C, so I can't help you with that. For the packet frames and the message types you can have a look at a sample capture from here: http://wiki.wireshark.org/SampleCaptures (search for NTP_sync.pcap). For your attack you don't need to write a full NTP implementation. Just define the message types you need. Here you have the structure of an NTP packet: http://www.meinbergglobal.com/english/info/ntp-packet.htm
Maybe a little sample helps? http://www.prismmodelchecker.org/qprover/casestudies/ntpclient_probity/ntpclient/ntpclient.c
Here is another useful explanation: http://www.eecis.udel.edu/~mills/ntp/html/warp.html and if you want to go hardcore, this is the right link for you.. lol: http://tools.ietf.org/html/rfc5905

Anyways.. I would go ahead and capture the NTP packet you want to create with Wireshark and then try to rebuild that packet. If you want to take an easier approach, you should have a look at python/scapy. This will give you the possibility to create your attack pretty fast :) http://fossies.org/dox/scapy-2.2.0/classscapy_1_1layers_1_1ntp_1_1NTP.html

Have fun :P
Deep into that darkness peering, long I stood there, wondering, fearing, doubting, dreaming dreams no mortal ever dared to dream before. - Edgar Allan Poe

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
Re: DNS Amplification, please enlighten me
« Reply #8 on: January 25, 2014, 07:26:18 pm »
Take a look at the pcap library. It allows for IP spoofing and a lot of IP and TCP/UDP stuff is already taken care of for you, such as structures and checksums.
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

Offline b0whunter

  • Serf
  • *
  • Posts: 41
  • Cookies: 11
  • The finest sword plunged into salt water will rust
Re: DNS Amplification, please enlighten me
« Reply #9 on: January 26, 2014, 12:20:21 am »

[edit] Thanks to rba for the awesome formatting job. It's quite the task on my mobile browser, but send me your PayPal donation link and we'll sort it out :) [/edit]
python/scapy is great... take a look:


About Scapy

What is Scapy
Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining techniques (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, ...), etc.

What makes scapy different from most other networking tools
First, with most other tools, you won't build something the author did not imagine. These tools have been built for a specific goal and can't deviate much from it. For example, an ARP cache poisoning program won't let you use double 802.1q encapsulation. Or try to find a program that can send, say, an ICMP packet with padding (I said padding, not payload, see?). In fact, each time you have a new need, you have to build a new tool.

http://www.secdev.org/projects/scapy/


A nice example of its use can be found here: http://www.blackhatlibrary.net/Python#Scapy

Perhaps the fastest way to do it would be to capture the packet you need with Wireshark, use hexedit to modify it and then file2cable to send it.
STAFF NOTE: Please format your posts and use the modify Button instead of double posting. Not going to do it for you all the time.
« Last Edit: January 26, 2014, 03:51:26 pm by b0whunter »
“Engage people with what they expect; it is what they are able to discern and confirms their projections. It settles them into predictable patterns of response, occupying their minds while you wait for the extraordinary moment — that which they cannot anticipate.”
― Sun Tzu, The Art of War

Offline Cr4t3r

  • NULL
  • Posts: 4
  • Cookies: -3
Re: DNS Amplification, please enlighten me
« Reply #10 on: February 11, 2014, 06:21:34 pm »
You can verify here or just do that:
Code: [Select]
$ dig +short porttest.dns-oarc.net TXT
porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"x.x.x.x is GREAT: 26 queries in 5.1 seconds from 26 ports with std dev 18219"