Lab 2: SSL Security Attack

June 17, 2008

Hyun Jin Kim


Objective

• Configure DNS such that https://www.paypal.com gets resolved to our own IP address, the “attack” server
  – PayPal uses the SSL protocol.

Normal DNS Query Processing

[Diagram: the client asks the DNS Server for www.paypal.com, receives 64.4.241.33, and connects to PayPal’s Server.]

Attacking DNS Request

[Diagram: the query for www.paypal.com passes a Filter on the way to the DNS Server; the client receives 128.222.11.3 and connects to the Fake PayPal Server instead of the PayPal Server.]

What We Will Do

• Write a program that injects a spoofed DNS Response when the source queries the IP address of www.paypal.com

• C programming
• A basic code skeleton is provided.
• The attacker’s fake server is also provided.

Libraries

• Libpcap
  – To capture DNS requests
  – /usr/include/pcap.h

• Libnet
  – To inject fake DNS replies
  – /usr/include/libnet.h

Procedures

• Set up for packet sniffing
• Grab packets
• Check if packets are DNS queries
• If the query is for www.paypal.com, inject a spoofed DNS response back
• The web browser will be directed to the attacker’s fake PayPal website!

Step 1: Packet Sniffing Setup

• Find the network interface for sniffing
  – device = pcap_lookupdev(errbuf);
  – eth0 in our case

• Set up for sniffing
  – capdev = set_cap_dev(device, filter);
  – filter specifies properties of DNS requests:
    – UDP packets
    – Destination port = 53

Step 2: Grab a DNS Query Packet

• Grab a packet (first fill-in)
  – packet = (u_char *) pcap_next(capdev, &pcap_hdr);

• Check if the packet is a DNS query, i.e., destination port = 53?

• Check if the DNS query is for www.paypal.com

Step 3: Create Spoofed DNS Response

• Create a new DNS Response with Attacker’s IP address

• Send it back to the source
  – void spoof_dns(char *device)
    – Open a raw socket
    – Start creating the header for the spoofed response

Step 3: Create Spoofed DNS Response

• Header Construction
  – Build DNS Header (fill in)

    dns = libnet_build_dnsv4(LIBNET_DNS_H,              /* header size */
                             ntohs(spoofpacket.dns_id), /* dns id */
                             0x8100,                    /* control flags (QR, RD) */
                             1,                         /* number of questions */
                             1,                         /* number of answer RR's */
                             0,                         /* number of authority RR's */
                             0,                         /* number of additional RR's */
                             spoofpacket.payload,       /* payload */
                             spoofpacket.payload_size,  /* payload length */
                             handler,                   /* libnet handler */
                             0);                        /* ptag */

  – Build UDP Header
  – Build IP Header
  – Calculate Checksum (fill in)
    – libnet_toggle_checksum(handler, udp, 1);
    – libnet_toggle_checksum(handler, ip, 1);


Step 4: Inject DNS Response

• Inject the packet (fill in)
  – inject_size = libnet_write(handler);

• Destroy the packet (fill in)
  – libnet_destroy(handler);
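The slides build the injected reply; the defender’s counterpart is to recognise it on the wire. The example below is added here and is not part of the lab code: it parses DNS reply payloads and flags the two symptoms the lab produces, a reply that does not come from the queried resolver, and two replies to one transaction ID carrying different A records (the injected answer and the genuine one both arrive). The resolver address 10.0.0.53, the transaction ID and the captured replies are constructed; the answer addresses and the 0x8100 flags are the ones on the slides.

```python
import socket, struct
def build_a_response(txid, qname, ip, flags=0x8100, ttl=300):
    # Constructed sample reply: header, one question, one A record whose name points back at the question.
    qname_wire = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    hdr = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return hdr + qname_wire + struct.pack("!HH", 1, 1) + answer       # QTYPE=A, QCLASS=IN

def read_name(pkt, off):
    # Returns (name, next_offset); follows a 0xC0 compression pointer when one is present.
    labels = []
    while True:
        n = pkt[off]
        if n & 0xC0:
            ptr = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            return ".".join(labels + [read_name(pkt, ptr)[0]]), off + 2
        if n == 0:
            return ".".join(labels), off + 1
        labels.append(pkt[off + 1:off + 1 + n].decode()); off += n + 1

def parse_response(pkt):
    txid, flags, _qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", pkt, 0)
    qname, off = read_name(pkt, 12)
    off, answers = off + 4, []                                        # skip QTYPE + QCLASS
    for _ in range(an):
        _name, off = read_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off); off += 10
        if rtype == 1:
            answers.append(socket.inet_ntoa(pkt[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "qr": bool(flags & 0x8000), "qname": qname.lower(), "answers": answers}

def detect_spoofing(query_id, qname, resolver_ip, responses):
    alerts, answer_sets = [], set()
    for src, raw in responses:                                        # (source_ip, dns_payload) pairs
        r = parse_response(raw)
        if not r["qr"] or r["id"] != query_id or r["qname"] != qname.lower():
            continue                                                  # not a reply to this query
        if src != resolver_ip:
            alerts.append(f"reply from {src}, not from the queried resolver {resolver_ip}")
        answer_sets.add(tuple(r["answers"]))
    if len(answer_sets) > 1:                                          # genuine and injected replies both arrived
        alerts.append(f"conflicting A answers for {qname}: {sorted(answer_sets)}")
    return alerts

QUERY_ID, QNAME, RESOLVER = 0x1A2B, "www.paypal.com", "10.0.0.53"
WIRE = [  # constructed capture: the injected reply races the resolver's real one; both carry the resolver's address
    ("10.0.0.53", build_a_response(QUERY_ID, QNAME, "128.222.11.3")),               # injected, flags 0x8100 as on the slide
    ("10.0.0.53", build_a_response(QUERY_ID, QNAME, "64.4.241.33", flags=0x8180)),  # genuine answer (RA set)
]
```

Running detect_spoofing(QUERY_ID, QNAME, RESOLVER, WIRE) yields one alert naming both 128.222.11.3 and 64.4.241.33; a stub resolver that keeps the genuine answer only after the TTL has expired would see the same conflict, which is why the browser’s certificate check remains the last line of defence.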

Test

• Compile
  – Type make

• Run
  – Type ./sslattack

• Open a web browser
• Type http://www.naver.com
  – No attack

• Type https://www.paypal.com
  – Certificate warning sign

Certificate


Spoofed paypal.com


Actual paypal.com