Pharming (Word) - ECE Users Pages

Pharming
Group Number:
Member Names:
Date Assigned:
Date Due:
Last Edited:
Lab Authors:
Goal: For decades, pharming has been one of the techniques attackers use to redirect users to a malicious site. This lab illustrates its effectiveness by giving students the opportunity to explore how changing the hosts file and a DNS entry redirects users' internet traffic.
Summary of the lab:
The first part of the lab deals with the hosts file. It begins by discussing the usefulness of the hosts file, then has an exercise that demonstrates how the hosts file can be used for pharming. The second part of the lab is mainly about DNS. It first informs the students of the role of DNS on the internet, then has an exercise in poisoning a DNS entry so that users are sent to a destination of the attacker's choice. In the third section the students use Ethereal to monitor DNS traffic. This section also concludes with the countermeasure for the DNS poisoning problem.
Equipment:
In Section 1 the students use a Windows XP virtual machine to edit the hosts file so that it points to the local webserver or the webserver in the lab. In Section 2 the students use the Red Hat 4.0 WS physical machine and the local DNS server. In Section 3 the students use the Red Hat 4.0 WS physical machine.
Background and Theory:
Before the Domain Name System (DNS) was invented, the hosts file was used to perform host name to IP address translation. As the internet grew, the hosts file became harder to manage, and DNS became the solution. Today there are 13 DNS root servers around the world. Below the root sit the top-level domains, such as edu, org, gov and com. The naming space is then delegated down to organizations. For example, Georgia Institute of Technology is responsible for the gatech.edu domain. Each organization may delegate the management of its domain further down into sub-domains.
Section 1: Host File Configuration
Open the Windows XP Pro virtual machine. If it fails to open, close it and restart the virtual machine service with:
service vmware restart
Open the hosts file in C:\WINDOWS\system32\drivers\etc. Add a line at the bottom of the file that points google.com and www.google.com to the webserver in our mininet, 57.35.6.207, which hosts the College of Computing website.
Now open Mozilla and go to google.com. You should get the Georgia Tech website instead of a page-not-found page.
Question 1.1: What is the hosts entry that maps google.com to our webserver?
Take a screenshot of google.com mapping to our webserver on the Windows XP virtual machine. Screenshot #1.
Section 2: DNS Poisoning
In this section we will poison the DNS server. To do so, we need to be familiar with the DNS forwarding technique. When an application requests the translation of a hostname to an IP address, it talks to the resolver, the DNS client, which contacts its closest DNS server. If that DNS server has the answer, it sends the result back to the resolver. If not, it contacts the next DNS server in turn. If no server has a record for the name, the host does not exist on the internet. This recursive technique is how the hostname is translated to the IP address.
For this section we will be using Linux Workstation 4.0. Linux can be configured to act as a DNS client, so we now set up the Red Hat 4.0 WS as a resolver.
1. First, go to /etc/resolv.conf and add this line:
nameserver 57.35.7.254
This points our nameserver at baddnsisp.
2. Next, we need to set up the Red Hat 4.0 WS machine to contact the DNS server first instead of the hosts file. If nothing is found in DNS, the resolver then checks for the translation in the hosts file. Add this line to /etc/nsswitch.conf:
hosts: dns files
3. Then make sure that /etc/hosts contains the following line:
127.0.0.1 localhost.localdomain localhost
Now we need to restart the network service because we changed the /etc/nsswitch.conf file:
/etc/rc.d/init.d/network restart
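The three files edited in Section 1 and in steps 1 to 3 above (the hosts file, /etc/resolv.conf and /etc/nsswitch.conf) are also where a defender looks for evidence of pharming. The following Python script is an added example, not part of the lab hand-out: it parses constructed copies of those files, as they would look after the steps above, and reports entries that deviate from an assumed baseline. The trusted nameserver address 57.35.7.1, the list of names that must never be pinned, and the expected lookup order are placeholders chosen for the illustration, not values from the lab.

```python
"""Audit of the name-resolution files this lab changes (added example).

Parses copies of /etc/hosts, /etc/resolv.conf and /etc/nsswitch.conf and
reports: public names pinned to an address in hosts, nameservers that are not
on an allow list, and a 'hosts:' lookup order that differs from the expected
one.  All file contents and baseline values below are constructed for the
illustration; they were not captured from the lab machines.
"""
import ipaddress

# Constructed samples: how the files look after Section 1 (hosts) and after
# steps 1 and 2 of Section 2 (resolv.conf, nsswitch.conf) have been applied.
HOSTS_SAMPLE = """\
# hosts file after Section 1
127.0.0.1   localhost.localdomain localhost
57.35.6.207 google.com www.google.com
"""
RESOLV_SAMPLE = """\
search badisp.mininet
nameserver 57.35.7.254
"""
NSSWITCH_SAMPLE = """\
passwd:  files
hosts:   dns files
"""

# Assumed baseline (placeholders, not lab values): the resolvers an
# administrator expects clients to use, names that must never be pinned in
# the hosts file, and the lookup order shipped by default.
TRUSTED_NAMESERVERS = {"57.35.7.1"}
NAMES_NEVER_PINNED = {"google.com", "www.google.com"}
EXPECTED_HOSTS_ORDER = ["files", "dns"]


def parse_hosts(text):
    """Return [(ip, [names, ...]), ...], skipping comments and blank lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # not an address: a stricter auditor would report it
        entries.append((ip, fields[1:]))
    return entries


def parse_resolv(text):
    """Return the nameserver addresses listed in resolv.conf, in order."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def parse_nsswitch_hosts(text):
    """Return the lookup sources for the 'hosts' database, in order."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] == "hosts:":
            return fields[1:]
    return []


def audit(hosts_text, resolv_text, nsswitch_text):
    """Return a list of findings; an empty list means nothing deviates."""
    findings = []
    for ip, names in parse_hosts(hosts_text):
        if ipaddress.ip_address(ip).is_loopback:
            continue  # localhost entries are expected
        for name in sorted(NAMES_NEVER_PINNED.intersection(names)):
            findings.append(f"hosts pins {name} to {ip}")
    for server in parse_resolv(resolv_text):
        if server not in TRUSTED_NAMESERVERS:
            findings.append(f"resolv.conf uses untrusted nameserver {server}")
    order = parse_nsswitch_hosts(nsswitch_text)
    if order != EXPECTED_HOSTS_ORDER:
        findings.append("nsswitch.conf hosts order is '%s', expected '%s'"
                        % (" ".join(order), " ".join(EXPECTED_HOSTS_ORDER)))
    return findings


if __name__ == "__main__":
    for finding in audit(HOSTS_SAMPLE, RESOLV_SAMPLE, NSSWITCH_SAMPLE):
        print(finding)
```

Run against the samples, the script lists four findings: the two pinned Google names, the untrusted nameserver 57.35.7.254, and the changed lookup order. Against a clean set of files it returns an empty list; on a real host the same functions would be fed the contents of the actual files and the baseline would come from the site's configuration management.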
Our task now is to poison the DNS server. The goal is to point www.mit_xx.edu to the main page of our mininet's badISP webserver (the College of Computing web page).
The domain name server is responsible for managing the zones within its area. Therefore, in order to manage the mit.edu zone, we need to create a fake mit.edu zone for our DNS server to use.
In this step we will be using baddnsisp, which is the DNS server for the mininet network's badisp zone. baddnsisp can be reached on terminal S2 of the KVM switch on the rack.
Go to the /var/named folder of baddnsisp, the DNS server, and look at some of the existing zone files. After you are familiar with the files, create the file mit_xx.edu.zone, where xx is your group number; if your group number is 7, your zone file is mit_07.edu.zone. It is easiest to copy one of the working zone files and rename it. Then modify the copy so that www.mit_xx.edu points to our badisp webserver, 57.35.6.207. Next we need named.conf to reference our mit_xx.edu.zone.
To do this you need to be familiar with named.conf. Add a zone that points to mit_xx.edu.zone.
After you are done with all of this, restart the DNS server:
/etc/rc.d/init.d/named restart
Now go back to the WS 4.0 and browse to www.mit_xx.edu. If you did everything correctly, it should point to our mininet badisp web server (the College of Computing website).
Take a screenshot of mit_xx.edu.zone. Screenshot #2.
Take a screenshot of the part of named.conf where you added the zone. Screenshot #3.
Take a screenshot of the webpage www.mit_xx.edu. Screenshot #4.
Now go to the terminal and type dig www.mit_xx.edu. You should see that the DNS server we are using is 57.35.7.254.
Take a screenshot of the dig result. Screenshot #5.
Section 3: DNS Traffic
The browser caches lookups, so before you start this section close all browsers that are currently open. In this section you will be using the Red Hat 4.0 WS physical machine. Open Ethereal and start capturing DNS traffic. Open Mozilla and go to www.mit_xx.edu.
Highlight a DNS packet and take Screenshot #6.
Question 3.1: Choose a DNS query or a DNS response message from the Ethereal capture and explain what each field means.
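To answer Question 3.1 it helps to decode a DNS message by hand rather than only reading Ethereal's dissection. The following Python parser is an added example, not part of the lab: it decodes the header, question and answer sections of a constructed DNS response for www.mit_07.edu (group 7's name from Section 2, resolved to the badisp webserver 57.35.6.207) following the RFC 1035 wire format, including name compression, and then compares the returned address against an expected one so that a poisoned answer stands out. The message bytes and the expected address 192.0.2.10 are constructed for the illustration, not captured in the lab.

```python
"""Minimal DNS message decoder (added example, not part of the lab).

Decodes the header, question and answer sections of a DNS message as laid out
in RFC 1035 section 4.1, including compressed names, and flags A records
whose address is not the one expected for that name.  The response below was
constructed by hand for the illustration; it was not captured with Ethereal.
"""
import struct

# Constructed response: ID 0x1234, standard query response, one question
# for www.mit_07.edu A IN, one answer A record 57.35.6.207 with TTL 3600.
SAMPLE_RESPONSE = bytes.fromhex(
    "1234"                        # ID: copied from the query so the client can match them
    "8180"                        # flags: QR=1 Opcode=0 AA=0 TC=0 RD=1 RA=1 Z=0 RCODE=0
    "0001" "0001" "0000" "0000"   # QDCOUNT=1 ANCOUNT=1 NSCOUNT=0 ARCOUNT=0
    "03777777" "066d69745f3037"   # labels "www", "mit_07"
    "03656475" "00"               # label "edu", then the root (zero length)
    "0001" "0001"                 # QTYPE=A, QCLASS=IN
    "c00c"                        # answer NAME: pointer to offset 12 (the question name)
    "0001" "0001"                 # TYPE=A, CLASS=IN
    "00000e10"                    # TTL=3600 seconds
    "0004"                        # RDLENGTH=4
    "392306cf"                    # RDATA=57.35.6.207
)


def read_name(msg, offset):
    """Decode a domain name at offset; return (name, offset after the name).

    A label byte with its top two bits set is a pointer to an earlier name
    (RFC 1035 4.1.4); the remaining labels are read there and the caller
    continues just after the two pointer bytes.
    """
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            hops += 1
            if hops > 16:  # refuse pointer loops in malformed messages
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_header(msg):
    """Split the 12-byte header into the fields Ethereal shows."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,                       # matches a response to its query
        "qr": flags >> 15 & 1,             # 0 = query, 1 = response
        "opcode": flags >> 11 & 0xF,       # 0 = standard query
        "aa": flags >> 10 & 1,             # authoritative answer
        "tc": flags >> 9 & 1,              # message truncated
        "rd": flags >> 8 & 1,              # recursion desired (set by client)
        "ra": flags >> 7 & 1,              # recursion available (set by server)
        "rcode": flags & 0xF,              # 0 = no error, 3 = name does not exist
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def parse_message(msg):
    """Return the header, question list and answer list of a DNS message."""
    header = parse_header(msg)
    offset, questions, answers = 12, [], []
    for _ in range(header["qdcount"]):
        name, offset = read_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append({"name": name, "type": qtype, "class": qclass})
    for _ in range(header["ancount"]):
        name, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        record = {"name": name, "type": rtype, "class": rclass, "ttl": ttl}
        if rtype == 1 and rdlen == 4:      # A record: four octets of IPv4 address
            record["address"] = ".".join(str(b) for b in rdata)
        else:
            record["rdata"] = rdata.hex()
        answers.append(record)
    return {"header": header, "questions": questions, "answers": answers}


def unexpected_answers(parsed, expected):
    """Return A-record answers whose address is not in expected[name]."""
    return [a for a in parsed["answers"]
            if "address" in a and a["address"] not in expected.get(a["name"], set())]


if __name__ == "__main__":
    decoded = parse_message(SAMPLE_RESPONSE)
    print(decoded)
    # 192.0.2.10 is a placeholder for the address the name should resolve to.
    print(unexpected_answers(decoded, {"www.mit_07.edu": {"192.0.2.10"}}))
```

The header fields are the ones to explain for Question 3.1: the ID ties a response to its query, QR distinguishes query from response, RD and RA describe whether recursion was requested and offered, and RCODE reports errors such as a non-existent name; the question section repeats what was asked, and each answer resource record carries the name, type, class, TTL and the address itself. Comparing the decoded address with the one the name is known to have is the detection the Countermeasure section refers to.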
Countermeasure:
There is no countermeasure for hosts file and DNS poisoning. Once attackers have gotten into your computer to change the hosts file, or into your DNS server to poison an entry, there is no way to prevent their actions. You will still be able to detect the change, but you will not be able to prevent it.
*****************************Very Important****************************
Once you are done with the lab, go to the named.conf file and take out the zone that you added in Section 2. Also go to the /var/named/ folder and erase the mit_xx.edu.zone file that you created.
Afterwards, restart the named server:
/etc/rc.d/init.d/named restart
************************************************************************
Answer Sheet
Section 1: Host File Configuration
Question 1.1: What is the hosts entry that maps google.com to our webserver?
Take a screenshot of google.com mapping to our webserver on the Windows XP virtual machine. Screenshot #1.
Section 2: DNS Poisoning
Take a screenshot of mit_xx.edu.zone. Screenshot #2.
Take a screenshot of the part of named.conf where you added the zone. Screenshot #3.
Take a screenshot of the webpage www.mit_xx.edu. Screenshot #4.
Take a screenshot of the dig result. Screenshot #5.
Section 3: DNS Traffic
Highlight a DNS packet and take Screenshot #6.
Question 3.1: Choose a DNS query or a DNS response message from the Ethereal capture and explain what each field means.
Time Spent on this Lab:
How much time did it take you to read the lab, do the lab, and answer the questions?
Lab Addition: Please provide suggestions for the lab and future enhancements.