Fugitif
25.10.2008, 17:03
DNS Multiple Race Exploiter: DNS Cache Poisoner/Overwriter
DNS Multiple Race Exploiter is a tool that exploits an inherent flaw in the DNS Server Cache. By sending many queries to a DNS server along with fake replies, an attacker can successfuly writes a fake new entry in the DNS cache. Also, this type of attack can overwrite an existing entry. For example, if the DNS server's cache already has www.example.com => 1.2.3.4, the attack can overwrite it with www.example.com => 4.3.2.1. The attack is made easy since the majority of DNS servers does not randomize the UDP source port number. Patched DNS servers randomize the UDP source port number, however, that will not eliminate the flaw; it will only increase the time required to poison the cache. Poisoning unpatched systems would take a period seconds, however, poisoning patched systems would take a period of hours. DNS Multiple Race Exploiter is made to attack both patched and upatched systems..
DNS Multiple Race Exploiting tool has the following features:
[A]The tool can attack both unpatched DNS systems as well as patched DNS systems. Attacking a patched system requires a much longer time than an unpatched system.
[B]The tool can launch two modes of attack; one is against DNS server that supports recursion, and the second mode is against DNS
server configured with forwarder DNS. The attack modes differ in the "flags" carried in the DNS fake replies. Since a DNS with server forwarder(s) sends a query with the "recursion desired" bit set, the reply has to have this bit set, too. Also, the reply has to have the "recursion available" bit set. On the other hand, a DNS server with recursion sends query with the recursion bit unset (i.e. iteration query), the reply has to have this bit unset, too.
[C] The tool spoofs the source IP address of the queries. This is useful if the attacker does not want leave any trace of his IP address on the server.
[D] The tool utilizes CNAME Record Type to inject the false entry. The way the poisoning is implemented is by sending two answer Resource Records (RRs): One is a CNAME RR, and the second is an A record. Every fake reply contains something like:
[1] abdc.example.com is a CNAME of IN Class for www.example.com
[2] www.example.com is an A of IN Class for IP 11.22.33.44
[E]The tool sends multiple fake replies with different TXIDs to increase the probability of hitting the correct TXID. This is useful in reducing the time needed to generate a "hit". For a server that does not randomize the source port number, the maximum number of iterations needed is 65546 (an average would 32768). However, by sending 10 to 15 TXIDs, for example, the probability of
making a "hit" is higher in a shorter time; an average of ~3000 iterations are needed.
Download:
DNS Multiple Race Exploiter -- version 1.0
http://www.securebits.org/tools/dns_mre-v1.0.tar.gz
DNS Multiple Race Exploiter is a tool that exploits an inherent flaw in the DNS Server Cache. By sending many queries to a DNS server along with fake replies, an attacker can successfuly writes a fake new entry in the DNS cache. Also, this type of attack can overwrite an existing entry. For example, if the DNS server's cache already has www.example.com => 1.2.3.4, the attack can overwrite it with www.example.com => 4.3.2.1. The attack is made easy since the majority of DNS servers does not randomize the UDP source port number. Patched DNS servers randomize the UDP source port number, however, that will not eliminate the flaw; it will only increase the time required to poison the cache. Poisoning unpatched systems would take a period seconds, however, poisoning patched systems would take a period of hours. DNS Multiple Race Exploiter is made to attack both patched and upatched systems..
DNS Multiple Race Exploiting tool has the following features:
[A]The tool can attack both unpatched DNS systems as well as patched DNS systems. Attacking a patched system requires a much longer time than an unpatched system.
[B]The tool can launch two modes of attack; one is against DNS server that supports recursion, and the second mode is against DNS
server configured with forwarder DNS. The attack modes differ in the "flags" carried in the DNS fake replies. Since a DNS with server forwarder(s) sends a query with the "recursion desired" bit set, the reply has to have this bit set, too. Also, the reply has to have the "recursion available" bit set. On the other hand, a DNS server with recursion sends query with the recursion bit unset (i.e. iteration query), the reply has to have this bit unset, too.
[C] The tool spoofs the source IP address of the queries. This is useful if the attacker does not want leave any trace of his IP address on the server.
[D] The tool utilizes CNAME Record Type to inject the false entry. The way the poisoning is implemented is by sending two answer Resource Records (RRs): One is a CNAME RR, and the second is an A record. Every fake reply contains something like:
[1] abdc.example.com is a CNAME of IN Class for www.example.com
[2] www.example.com is an A of IN Class for IP 11.22.33.44
[E]The tool sends multiple fake replies with different TXIDs to increase the probability of hitting the correct TXID. This is useful in reducing the time needed to generate a "hit". For a server that does not randomize the source port number, the maximum number of iterations needed is 65546 (an average would 32768). However, by sending 10 to 15 TXIDs, for example, the probability of
making a "hit" is higher in a shorter time; an average of ~3000 iterations are needed.
Download:
DNS Multiple Race Exploiter -- version 1.0
http://www.securebits.org/tools/dns_mre-v1.0.tar.gz