ADVANCED DNS HIJACKING TUTORIAL BY Eboz

Its not made by me. I am just sharing it.Eboz is a turkish hacker. Even he pwned pakisani's google, ebay and many sites.

ADVANCED DNS HIJACKING GUIDE
|=-----------------------------------------------------------------------=|
| =------------------= [Still hayattayız, and we are still going to 0wn.-------=]
|=-----------------------------------------------------------------------=|
| =-------------------= [Gaza our greetings!-----------------= |
|=-----------------------------------------------------------------------=|
by eboz
eb0z [at] hotmail.com

-[1]-the DNS Hijacking Presentation


Bismillah.
Hello people Hacking DNS address (or Spoofing), you may be wondering what it is.
DNS ID Hacking hacking/phishing is not the normal way, like jizz
or any-erect. This method is based on the DNS protocol security.
More brutal, the DNS ID Hacking/parody is very effective, very strong
It is because there is no generation (even if DNS escapes rampage
WinNT!).

-[1.1]-the DNS protocol mechanism description

In the first step, you need to know how it works for DNS. I will outline only
This Protocol is one of the most important facts. To do this, we will follow
Request for a DNS packet path from A to Z!

1: the client sends a request (bla.bibi.com) resolution
"Www.heike.com". To resolve the name, bla.bibi.com for "dns.bibi.com"
DNS. Let's take a look at the following image. ''

/ --------------------------------- \
| 111.1.2.123 = bla.bibi.com |
| 111.1.2.222 = dns.bibi.com |
| Format: |
| IP_ADDR > IP_ADDR: PORT-PORT |
| Ex: |
| 111.1.2.123: 2999-> 111.1.2.222: 53 |
\ --------------------------------- /
...
gethosbyname ("www.heike.com");
...

[Bla.bibi.com] [dns.bibi.com]
111.1.2.123: 1999---> [? Www.heike.com]------> 111.1.2.222: 53

Here is the source port when you see our name resolution request in 1999
port 53 for dns.

[Note: always on the DNS port 53]

Now dns.bibi.com, bla.bibi.com took the resolution request
dns.bibi.com let's see, you will have to resolve the name.

[Dns.bibi.com] [ns.internic.net]
111.1.2.222: 53 pm--------> [dns? Www.heike.com]----> 198.41.0.4: 53

dns.bibi.com asks for the root name server for the address of who ns.internic.net
www.heike.com, and it does not exist, and if it sends a demand for
'. com ' domain has the name server authority.

[Note: you can ask for this request in its cache because Internic]

[Ns.internic.net] [ns.bibi.com]
198.41.0.4: 53------> [ns for.com 144.44.44.4]------> 111.1.2.222: 53

Here you can see the ns.bibi.com (which ns.internic.net answered
The DNS domain name of this authority over bibi.com) Server
for.com IP 144.44.44.4 and [let's call it ns.for.com]. Now our
ns.bibi.com, www.heike.com, and will ask for the address of the ns.for.com
but this one does not have to forward DNS requests and
heike.com has the authority to heike.com.

[Ns.bibi.com] [ns.for.com]
111.1.2.222: 53 pm------> [? Www.heike.com]-----> 144.44.44.4: 53

the answer from ns.for.com

[Ns.for.com] [ns.bibi.com]
144.44.44.4: 53 pm------> [heike.com ns for the 31.33.7.4]---> 144.44.44.4: 53

Now on a "heike.com" which IP address field has the right to know
We ask what the www IP machine [we'll call ns.heike.com]
[Www.heike.com after].

[Ns.bibi.com] [ns.heike.com]
111.1.2.222: 53-----> [? Www.heike.com]----> 31.33.7.4: 53

And now we can at least have our answer!

[Ns.heike.com] [ns.bibi.com]
31.33.7.4: 53 pm-------> [www.heike.com = 31.33.7.44]----> 111.1.2.222: 53

We have the answer, please let our customer bla.bibi.com.

[Ns.bibi.com] [bla.bibi.com]
111.1.2.222: 53 pm-------> [www.heike.com = 31.33.7.44]----> 111.1.2.123: 1999

Hehe now I bla.bibi.com www.heike.com knows the computer IP

So. .. Now we want to imagine a machine name for most of his
IP, a way to continue to do so will be a little different
Must be converted to IP, because:

example:
will be in-addr.ARPA arpa 100.20.40.3 3.40.20.100.

Watch Out! This method is only for IP resolution request (reverse DNS)

So we www.heike.com 31.33.7.44 let's look at the most practical when the IP (as between
After an understandable translation or "44.7.33.31." in-addr.arpa "
By the DNS format).

...
gethostbyaddr ("31.33.7.44");
...

[Bla.bibi.com] [ns.bibi.com]
111.1.2.123: 2600-----> [? 44.7.33.31. the in-addr.ARPA]-----> 111.1.2.222: 53

We sent our request to ns.bibi.com

[Ns.bibi.com] [ns.internic.net]
111.1.2.222: 53-----> [? 44.7.33.31. the in-addr.ARPA]------> 198.41.0.4: 53

We will send you a name server IP ns.internic.net has the authority
' 31. ' in-addr.arpa.

[Ns.internic.net] [ns.bibi.com]
198.41.0.4: 53-> [31. in-addr.ARPA DNS 144.44.44.4]-> 111.1.2.222: 53

Now I will ask you the same question ns.bibi.com 144.44.44.4 in the DNS.

[Ns.bibi.com] [ns.for.com]
111.1.2.222: 53-----> [? 44.7.33.31. the in-addr.ARPA]------> 144.44.44.4: 53

and so on ...
In fact the name is almost the same that was used for the mechanism
the resolution.

I hope you figured out how DNS works in communications. Now let's study the DNS
messages format.

-[2]-the DNS packet

A DNS message format here:
+ --------------------------- + ----------------

| Identity (the famous | flag |
+ --------------------------- + --------------------- ------ +
| Questions numbers | the answer to the numbers |
+ --------------------------- + --------------------- ------ +
| RR authorization number | the number of additional RR |
+ --------------------------- + --------------------- ------ +
| |
\ \
\ QUESTIONS \
| |
+ ------------------------------------------------- ------ +
| |
\ \
\\ ANSWER
| |
+ ------------------------------------------------- ------ +
| |
\ \
No matter the pages etc.
| |
+ ------------------------------------------------- ------ +

-[1.3]-the structure of DNS packets.

__ID__

ID name to identify each, since the exchanges between allows DNS package
servers port 53 port 53, and the more I can have more than one
Request at a time, so the identity is the only way to get to know the different DNS
requests. Well talk to you later about it.

__flags__

The flags field is divided into several sections:

4 bit 3 bit (always 0)
| |
| |
[QR | opcode | AA | TC | RD | RA | zero | RCODE]
|
| | __ | __ | __ | | ______ 4 bit
| | _ 1 bit
|
1 bit

QR-Bit = 0, this package is a question that comes from the QR =
otherwise have an answer.

opcode = a normal request for a reserve value, from 1 to 0,
and 2 for a status request (we do not need to know all of these modes).

It is equal to 1 MM = says that the name server
An authoritative answer.

No matter the TC =

If this flag is set to 1, for example, RD = means "Recursion",
bla.bibi.com, to resolve the name when the flag ns.bibi.com
This tells the DNS to accept the request.

If set to 1, which means that the existing RA = this recursion.
This bit is set to 1 if the name server response
Supports iteration.

Here are three zero Zero = ...

RCODE = this includes error messages returned for DNS requests
is 0, no error "," 3 "name error" means

2 the following flags no matter for us.

DNS QUESTION:

Here's a DNS question format is as follows:

+ ------------------------------------------------- ---------------------- +
| Question name |
+ ------------------------------------------------- ---------------------- +
| Question type | query type |
+ -------------------------------- + ---------------- ---------------------- +

The nature of the problem.

example:
www.heike.com [| w | w | w | 5 | h | e | I | c | E | 3 | c | It | m | 0 3]
Has the same thing to an IP address

44.33.88.123. the in-addr.ARPA arpa will:
[2 | 3 | 4 | 2 | 3 | 4 | 2 | 3 | 4 | 5 | 1 | 2 | 3 | 4 | I | n |-| a | d | d | r | 4 | a | r | p | a | 0]
[Note]: have A compression format, but we will not use it.

question type:

Most of the time values that you will use here are:
[Note]: (!) There are more than 20 types of different values, and I'm sick of
writing up)

the value of name
A | 1 | IP address (IP to name resolution)
PTR | 12 | Pointer (the name of an IP analysis)

Query type:

According to the type of the values in the same
(If it is true I do not know, but not to be able to target the DNS protocol,
From A to Z, to do this, you need to look at the RFC and 35 from 33 to 37
The goal here is to put into practice a global!)

DNS REPLY:

I have a format that we call our answers to the RR. but we don't mind

Here is a reply in the form (a, RR)

+ ------------------------------------------------- ----------------------- +
| Domain name |
+ ------------------------------------------------- ----------------------- +
| Type | class |
+ ---------------------------------- + -------------- ----------------------- +
| TTL (time-to-live) |
+ ------------------------------------------------- ----------------------- +
| Source data length ||
| ---------------------------- + |
| Source data |
+ ------------------------------------------------- ------------------------

domain name:

Name of the domain the following source reports:
Domain name for this section are stored in the same way in question;
www.heike.com resolution request, the flag will be the "domain name"
contains [3 | w | w | w | 5 | h | e | I | c | E | 3 | c | It | m | 0]

type:

Type the question section "query type" more of the same flag
package.

class:
Class flag is equal to 1 for Internet data.

: live time
This flag tells the life time of the information into seconds
name the server cache.

the length of the source data:
The length of the source data from the source data length, for example, is 4
the source of the data, the data length of 4 bytes.

source data:
here for example I put the IP (at least in our case)

Will present a small example that describes it better:

Here's what ns.heike.com asks for is ns.bibi.com
www.heike.com of address

ns.bibi.com: 53 pm---ns.heike.com >----> [www.heike.com?]: 53 (Phear Heike

+ --------------------------------- + --------------- ----------------------- +
| ID = 1999 | QR = 1 opcode = 0 RD = 1 |
+ --------------------------------- + --------------- ----------------------- +
| Questions numbers = htons (1) | answer = 0 numbers |
+ --------------------------------- + --------------- ----------------------- +

| The number of authorized RR = 0 | the number of additional RR = 0 |
+ --------------------------------- + --------------- ----------------------- +
< the question part >
+ ------------------------------------------------- ----------------------- +
| Question name = [3 | w | w | w | 5 | h | e | I | c | E | 3 | c | It | m | 0] |
+ ------------------------------------------------- ----------------------- +
| Question type = htons (1) | query type = htons (1) |
+ --------------------------------- + --------------- ----------------------- +

Here is the question.

Now I'm looking at the most ns.heike.com and let the answer

ns.heike.com: 53 pm-> [31.33.7.44 www.heike.com is IP]-> ns.bibi.com: 53

+ --------------------------------- + --------------- ------------------------ +
| ID = 1999 | QR = 1 opcode = 0 RD = 1 a = 1, R = 1 |
+ --------------------------------- + --------------- ------------------------ +
| Questions numbers = htons (1) | number of answers = htons (1) |
+ --------------------------------- + --------------- ------------------------ +
| The number of authorized RR = 0 | the number of additional RR = 0 |
+ --------------------------------- + --------------- ------------------------ +
+ ------------------------------------------------- ------------------------ +
| Question name = [3 | w | w | w | 5 | h | e | I | c | E | 3 | c | It | m | 0] |
+ ------------------------------------------------- ------------------------ +
| Question type = htons (1) | query type = htons (1) |
+ ------------------------------------------------- ------------------------ +
+ ------------------------------------------------- ------------------------ +
| Domain name = [3 | w | w | w | 5 | h | e | I | c | E | 3 | c | It | m | 0] |
+ ------------------------------------------------- ------------------------ +
| Type = htons (1) | class = htons (1) |
+ ------------------------------------------------- ------------------------ +
| = 999999 time live |
+ ------------------------------------------------- ------------------------ +
| Source data length = htons (4) | source data = inet_addr ("31.33.7.44") |
+ ------------------------------------------------- ------------------------ +

Yah! All of this for now)

Here's an analysis:
The answer is an answer to this because QR = 1
AA = 1 has the authority, because their domain name server
RA = 1 because the replica is available

Good I hope you will need the following for reasons not understood
events.

-[2.0]-the DNS ID Hacking/parody

What is DNS ID Hacking/phishing now is clearly the time has come to explain.
I recognize the DNS daemon as explained earlier, the only way
different questions/answers the package ID of the flag. Look at this
example:

[www.heike.com]; ns.bibi.com > 53-----------> ns.heike.com: 53

So you just have to give the wrong answer to the ip between parody and ns.heike.com
ns.bibi.com ns.heike.com for information before!

ns.bibi.com <-------........... ns.heike.com
|
| [Www.heike.com IP is 1.2.3.4] < <--hum.roxor.com

If you're on a LAN, but in practice you have to guess a good ID,
The name server can listen to answer before this identity, and (this is easy
Local Area Network

If you want to do this, you do not have a lot of options, remote only
There are four basic methods:

1. the identity flag of all possible values of the random test). You must answer
ns! (In this example, ns.heike.com). This method is now obsolete
If I'd want to know. or any other suitable condition
his prediction.

2.) to increase the chances of some DNS requests (200 or 300)
Falls upon a good ID.

3). to prevent paint the DNS. The name server to crash
and does not show the following error!

> > Oct 06 05: 26: 02 ADM named [1913]: db_free: DB_F_ACTIVE set-ABORT
At this time the order of the named daemon

4.) or are discovered by using the vulnerability in BIND SNI (Secure
ID estimate (we will discuss this a bit) with Networks, Inc.)

# # # # # # # # # # # # # # # # # # # # # Windows Güvenlik ID # # # # # # # # # # # # # # # # # # # # # # # # # # #

(I have not tested on Windows 95, a severe vulnerability found
WinNT), Windows 95 lets you imagine my little friend.
Because Windows Live ID "1" by default)) is extremely easy to guess
the second question to "2" (question 2 at the same time).

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # Güvenlik UYMASINI # # # # # #

A vulnerability in BIND (SNI, discovered by the previously mentioned).
In fact, only one DNS DNS is easily predictable, you have to sniff
In order to do what you want. Let Me Explain ...

DNS was originally a random ID use it to increase but only used
The next questions ...)

It is easy to exploit this vulnerability.
Here is the way:

1. comes from a random DNS messages Easily (e.g. can be sniff
For this example, ns.dede.com).

2. you ask for NS.victim.com to solve the (random). Dede.com. NS.victim.com will be
(random) seek to solve ns.dede.com. dede.com

ns.victim.com---> [? (rand). dede.com ID = 444]---> ns.dede.com

3. now you know, what's the message ID from NS.victim.com
You have to use the CustomerID field. (ID in this example = 444).

4. then do the resolve request. ex. to www.microsoft.com
NS.victim.com

(You)---> [? Www.microsoft.com]---> ns.victim.com

ns.victim.com-> [www.microsoft.com, ID = 446?]-> ns.microsoft.com

5. paint the name of the server with ID ns.victim.com (444) already exists and
then this one.

ns.microsoft.com-> [www.microsoft.com = 1.1.1.1 ID = 444]-> ns.victim.com
ns.microsoft.com-> [www.microsoft.com = 1.1.1.1 ID = 445]-> ns.victim.com
ns.microsoft.com-> [www.microsoft.com = 1.1.1.1 ID = 446]-> ns.victim.com
ns.microsoft.com-> [www.microsoft.com = 1.1.1.1 ID = 447]-> ns.victim.com
ns.microsoft.com-> [www.microsoft.com = 1.1.1.1 ID = 448]-> ns.victim.com
ns.microsoft.com-> [www.microsoft.com = 1.1.1.1 ID = 449]-> ns.victim.com

(Now I know, and they are just predictable DNS IDs. You
ID 444 ns.victim.com + torrent with fake answers with

** * ADMsnOOfID.

Without a stem, there is another way to exploit this vulnerability
any DNS

The mechanism is very simple. Here is a description of

We send a resolution request to ns.victim.com. Provnet. fr

(Siz) ---------- [? (Random). Provnet. fr]-------> ns.victim.com

Then, ns.victim.com (random) to solve ns1. provnet. fr. Provnet. fr.
There is nothing new here, but the interesting part starts here.

From that point on, fake ns.victim.com start flooding with answers
(Ns1. provnet. fr IP) 100 110 IDs.

(Parody)-[. (Random) provnet fr ns.victim.com > ID = 100]-1.2.3.4
(Parody)-[. (Random) provnet fr ns.victim.com > ID = 101]-1.2.3.4
(Parody)-[. (Random) provnet fr ns.victim.com > ID = 103]-1.2.3.4
(Parody)-[. (Random) provnet fr ns.victim.com > ID = 103]-1.2.3.4
.....

After that, we ns.victim.com if (random). Provnet. fr IP.

Ns.victim.com in us (random). Provnet. we have an IP for that time fr
I found the correct ID, otherwise we have to repeat this attack until the
to find his identity. A little long, but it works. And nothing forbides
do it with your friends

How does this ADMnOg00d

-------------------------------

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

./EOF
by Eboz
#KriptekS
#kongash0
#flowturkz

Follow: http://hackthedevil.blogspot.com/2013/06/advanced-dns-hijacking-tutorial-by-eboz.html