added scripts and zodiac

Peter Baumann 2013-06-04 14:33:16 +02:00
commit 9bbbc17676
49 changed files with 9254 additions and 0 deletions

dns/zodiac/doc/ChangeLog (normal file, 284 lines)

@ -0,0 +1,284 @@
0.4.9 (20000518) - noah williamsson <tm@ns2.crw.se>, scut
- added usage and mini help (zodiac -h)
- compatible with FreeBSD now, other BSD's should work aswell
0.4.8 (20000518) - noah williamsson <tm@ns2.crw.se>
- changed Makefile to enable Open- and FreeBSD systems to compile
zodiac with the pthread libary (-pthread)
- fixed make clean in Makefile
- fixed missing include file in dns-spoof-int.c
- fixed include order in network.c
- removed netinet/ip.h include file from io-udp.c, it is unneeded
and causes errors when compiling under FreeBSD
- removed const qualifiers from m_print* functions
- include fix in packet.c
- include fix in sniff.c
0.4.7 (20000428) - scut
- fixed missing header definition in packet.h (pq_destroy)
- fixed small c stylistic errors
0.4.6 (19991220) - scut
- added command line option "-q" for quite mode (won't print out
packets in long form, use two times to avoid printing packets
at all)
0.4.5 (19991130) - scut, smiler
- added relay option to spoof proxy (whoever will need it ?), with
reencryption support *woaw* :)
- fixed some minor things in the spoof proxy
- fixed dns-build.c, was not synced
0.4.4 (19991129) - scut
- fixed broken daemon mode in spoof proxy
- added help option to spoof proxy
- fixed some minor things in error handling stuff in spoof proxy
0.4.3 (19991129) - smiler, scut
- added ptr and a+ptr id spoofing
- added id spoofing for windows nameservers
- changed dns_build_ptr a bit
- fixed menu_idspoof
- improved id spoofing (spoof_dnsid)
- removed gui-config.*, they are not needed anymore because of
the different spoofing interface
- tested dns id spoofing, works el8ly gr8 :-]
0.4.2 (19991129) - scut
- fixed minor descriptive bug in usage of zsp
0.4.1 (19991128) - scut
- added "set" command to set spoof proxy and show mode
0.4.0 (19991127) - scut
- added encryption support
- added spoof proxy option
- fixed minor bugs in udp routines (length handling on encrypted
frames were sometimes invalid, causing some extra bytes being
sent)
- fixed a severe bug in the dns id queue routines, where own
datagrams were added as legal id's
- improved makefiles a bit
0.3.12 (19991107) - smiler, scut
- several small additions to the spoofing interface
- begun a spoof proxy to split the spoofing from the sniffing =)
it is in the src/zsp/ directory :)
- hey, we broke the 7000 lines barrier, currently at 7373 lines =)
0.3.11 (19991104) - smiler
- beefed up the OO spoofing interface a lot, although the code is
still inactive it will provide a comfortable spoofing interface
0.3.10 (19991104) - scut
- fixed a minor bug in dns-tag.c, where we squashed some references
0.3.9 (19991103) - scut
- hey welcome random to team teso :-D
- added "did i send that packet that i just see"-checking to avoid
confusing filter rules we keep a list of packets we send ourself
for 5 seconds and shield incoming packets that match them from
the dns queue comparing routines (dq_match called from dns.c)
- the "test spoof" function works very properly now (thanks to the
checking routines above
- fixed some minor bugs
0.3.8 (19991101) - smiler, scut
- added "test spoof" function (see "help"), that will test whether
you can ip spoof from your current ip :-) (nice, ehh ? ;)
- improved id spoofing even further
- fixed some minor bugs in dnsq.c
0.3.7 (19991101) - scut
- linted the sources a bit and got rid of some unneccesary include
files :-)
- tweaked the random hostname generation routine a bit (hostnames
of 50 characters aren't so common, ehh ? ;)
- easified the id_* interface
0.3.6 (19991029) - smiler
- worked out dns id spoofing, working for type a entries, yeah :-)
- we're at > 6000 lines now, btw =)
0.3.5 (19991028) - scut
- made zodiac libnet 1.0 compliant (pff... how many times will this
interface change ? think once, think well)
0.3.4 (19991028) - smiler
- some small bugs squashed, oh yeah =)
0.3.3 (19991028) - smiler, scut
- added a better generic query interface
- added a "ns version <ip>" command line ehm... command :-D
0.3.2 (19991026) - smiler
- added a generic dns query handler to ease high-level dns coding
- improved packet parsing routines
0.3.1 (19991025) - smiler, scut
- fixed an ugly bug in dnsq.c, which was pure c'ish bug (yea, face it
guys, c sux ;-)
- fixed minor things within dns-tools.c
0.3.0 (19991014) - smiler, scut
- fixed some broken things in dns.c, the dns routines can be considered
quite good now :]
0.2.31 (19991008) - smiler, scut
- changed the way the local ip is detected from the device, being more
portable now
- minor fixes
0.2.30 (19990927) - smiler
- fixed dns spoofing routines that got broken in 0.2.29, works perfectly
now :)
0.2.29 (19990926) - smiler
- fixed threading bugs (broken cancelation)
- improved dns query and spoofing routines to work with proxy dns servers
too
0.2.28 (19990924) - smiler
- fixed randomization order
0.2.27 (19990923) - smiler
- fixed spoof_query function
- fixed reentrancy
0.2.26 (19990920) - smiler
- added IP ID randomization within the dns-build routines
0.2.25 (19990919) - smiler
- added support for various link layer types (ppp, eth, ...)
0.2.24 (19990914) - smiler
- fixed another byte order bug in dns-tools.c
0.2.23 (19990914) - smiler
- the switch from own definitions to nameser.h ones caused further
problems at byte order conversions within the dns build routines,
jielding them unuseable, fixed.
0.2.22 (19990914) - scut
- general tidy-up
0.2.21 (19990913) - scut, smiler
- fixed wrong network/host-byte-order in dns_packet_send
(found by smiler)
- fixed correct ip/udp/dns segmentation, using ip header length
instead of fixed ip minimum header length
- added correct error handling on non superuser privileges
0.2.20 (19990913) - scut, smiler
- use of PUTSHORT and GETSHORT now within the dns packet processing,
to preserve endianess and be more compatible in general
(suggested by smiler)
- used arpa/nameser.h instead of own dns definitions
(suggested by smiler)
- switched from own header definitions to the one libnet supplies
(suggested by smiler)
- replaced dns_build_domain with an optimized version from smiler
- cleaned up packet.c to reuse it's own code
- beefed up sources at whole, shorting some unnecessary parts
- minor changes within the Makefile, to be more portable
0.2.19 (19990912) - scut
- fixed minor bugs within dnsq.c
0.2.18 (19990907)
- fixed segfaulting bug in sniffing routines, where an error value
wasn't checked appropiatly (possible failure of pcap_open)
0.2.17 (19990907)
- added type txt encoding in dns-build.c
- fixed missing mutex unlocking within dq_filter_uninstall, which
caused only the first filter set working
0.2.16 (19990805)
- added passive threading for spoofing functions
- finished jizz and local spoof
- added rudimentary id spoof function
- added console, with prompt and multilevel input
0.2.15 (19990731)
- fixed windows id detection for only one-packet situations, where
zodiac didn't detected windows id's
0.2.14 (19990727)
- added dt_bind_version routine (not yet finished)
- added dns-tools.c subset
- cleaned dns_packet_send a bit
0.2.13 (19990718)
- extended dns_jizz spoof with the logs from foxfire
- fixed minor bugs in dns-build.c
0.2.12 (19990718)
- added dns_build_random, m_random
- extended dns_build_* for more comfortability
- analyzed jizz logs from foxfire
- started rewrote of spoof_jizz, to be tested
- simplified configset structure
0.2.11 (19990714)
- rewrote local dns spoof function from scratch
- fixed serious bug in dns_build_q
0.2.10 (19990714)
- modified dns_build_* to accept always char hostname/ip addresses,
that will be converted according to type values (new: dns_build_ptr)
- modified dns_build_* functions to accept plaintext char parameters
for all kind of dns labels/rdata/*, to make it more comfortable to
create packets
- code cleanup within dns*.c
- minor updates in packet.c
- minor bugfixes, especially in dns*.c
0.2.9
- modified packet dump to dump the whole ip packet
- cleaned up, improved and testing the local spoof routines
- tested virtual dns queue routines, working perfectly :)
- proofread great parts of the code, to ensure quality
0.2.8
- improved/rewritten dns packet construction routines
- researched on dns flags acceptance
- ran first successful local dns spoof, error response problem though
0.2.7
- first local dns spoof testing
- wrote many company routines for dns packet creation
- successfully tested dns packet filter
- started with local spoof routine
0.2.6
- fixed small bugs within all dns*.c files
- added network primitives (network.c)
- extended packet filter routines, added select like waiting methods
- fixed minor bugs in dns queue
- hopefully fixed this weird timeval bug in dnsid.c, _GNU_SOURCE doesn't
seem to be reliable (most likely it is fixed, but it was difficult to
reproduce, though)
- improved sequential prediction
0.2.5beta
- added windows dns resolver library detection
- fixed some minor bugs, code cleanups within dns*.c
0.2.5alpha
- fixed a id queue bug in dnsid.c
- started with a comfortable dns packet filter (dnsq.h)
0.2.4
- implemented rdata decoding
- fixed all bugs detected
0.2.3
- added decompression, recursive, rewrote large parts of the dns
routines
0.2.2
- added/fixed real dns packet decoder
- fixed dozends of segfaults
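Review bot: the ChangeLog is the only place in this commit that identifies which upstream version is being imported (0.4.9, 20000518, at the top of the file), and entries from 0.2.18 downwards carry no author while 0.2.9 and below carry no date, so the snapshot's provenance is incomplete; consider stating the imported version and its origin (team teso, per the README in this same commit) in the commit message so the archive can be traced without reading this file. The typos in the hunk ("quite mode" for "quiet mode" under 0.4.6, "aswell", "libary", "jielding", "appropiatly") are part of the imported historical text and can stay as-is.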

dns/zodiac/doc/INSTALL (normal file, 124 lines)

@ -0,0 +1,124 @@
INSTALLATION INSTRUCTIONS
for
zodiac - advanced dns spoofer
(not finished yet !)
0. INTRODUCTION
this document describes how to install zodiac on unix based systems.
zodiac is a low level analyzation and spoof tool for the dns protocol.
zodiac has been compiled successfully on following systems:
linux 2.0.x with libc5, gcc and the linuxthread thread library
linux 2.2.x with glibc, egcs
linux 2.3.x with glibc, egcs
freebsd 4.0-stable
...
if you managed to compile zodiac without any modifications on another
system, please tell us. for our email address refer to the readme file.
1. COMPILATION - REQUIREMENTS
zodiac is provided at source code level, under a certain license. you have
to compile it before you can use it. to compile it successfully you need
to have following libraries installed.
libncurses >= 4.0 http://www.freshmeat.net/
libnet >= 0.99 http://www.packetfactory.net/libnet/
libpcap >= 0.4 ftp://ftp.ee.lbl.gov/
thread library = POSIX http://www.freshmeat.net/
(libpthread)
the thread library has to conform to the POSIX IPC standard. you won't
have any difficulties if you use a libc6 system, for libc5 linux systems
i recommend the linuxthreads library. if you use more exotic systems,
like bsd or irix or aix, there is still a way to compile zodiac by using
a usermode thread library such as the excellent GNU Pth (portable threads)
library, which is available from freshmeat also.
the pcap library is a platform independant packet capturing library, that
is used by many network programs. don't miss to install the man pages and
the header files also (make install won't do, read the Makefile of
the libpcap package)
libnet is a low level, platform independant packet construction library
that is used by many programs to comfortably create raw packets. read the
included README file in the libnet package for further instructions how
to install this library. thanks to route for this piece, but the asn1
stuff in it is useless ;)
libncurses is a very portable terminal library that is used within zodiac
to provide a text based graphical user interface. the ability of ncurses
to provide virtual terminal windows is used to split the screen into sub-
windows. libncurses should compile well on any platform, but in most cases
you don't have to install it, it ships with almost any unix operating
system.
you also need a working c library, networking support and a ansi-c conform
c compiler (gcc/egcs recommended).
2. COMPILATION - LET'S GO
first, a point on portability. zodiac was developed on linux only systems.
we (scut, especially smiler) tried up to be as portable as possible, but
this haven't been tested on any big endian or bsd system yet, so we
encourage any user support.
/* FOR THE FINAL VERSION ONLY
since zodiac takes advantage of the GNU autoconf/automake packages, you
normaly just have to start the configure script:
./configure
if it fails, please resolv the problem and run it again. after having
created a Makefile from the Makefile.in, run the make program:
*/
make
if it fails to compile successfully on your system try to resolve the
problem and tell me why it failed and how you solved it.
don't come crying that it doesn't compile, just come smiling with a patch
or a description ;)
/* NOT YET FINISHED
after compilation there will be a "zodiac" binary in the current di-
rectory. if you are the system administrator of the unix system and you
want to have the program installed system wide you may also want to run:
make install
if it's your local hack-shellbox you may want to set the binary suid by
doing an
make sinstall
*/
3. USAGE
you are not required to have superuser privileges to compile zodiac, but
you are required superuser privileges to use it. if you don't know what
this means, please get informed about the whole topic, and then carefully
ask your system administrator to get kicked out of your cs course =).
4. CONTACT
for powerusers, who did a porting patchfile to let zodiac run on a plat-
form it didn't run before, here is our contact address to send the file
to:
scut@nb.in-berlin.de, subject: "zodiac: (<version>) patch - <description"
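Review bot: the block marked "NOT YET FINISHED" still documents a "make sinstall" target that sets the zodiac binary suid, and section 3 confirms the tool needs superuser privileges to run; a setuid-root binary that sniffs and injects raw packets gives every local account on that host root-equivalent network access, so for an archived copy this step should be marked as not to be followed, and the two /* ... */ blocks, which read oddly as C comments inside a plain-text INSTALL, could be dropped or rewritten as plain notes. The dependency URLs (freshmeat.net, packetfactory.net, ftp.ee.lbl.gov) date from the 2000-era release and should not be relied on for obtaining libncurses, libnet or libpcap today.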

dns/zodiac/doc/README (normal file, 148 lines)

@ -0,0 +1,148 @@
zodiac - advanced dns spoofer
readme file
0. content
compilation ...................................................... 1
features and description ......................................... 2
overview of weak points in the domain name service ............... 3
spoofing descriptions ............................................ 4
hints for effective spoofing ..................................... 5
about ............................................................ 6
greetings ........................................................ 7
legal stuff / disclaimer ......................................... 8
1. compilation
read "INSTALL"
2. features and description
basic features include:
DONE - sniffing of dns datagrams on an ethernet device
DONE - decoding of all types of dns packets, including safe decompression
? - nice display and gui
DONE - always interactive in all situations
DONE - threaded and flexible design
advanced features include:
DONE? - local dns spoof
- jizz dns spoof, exploiting a weakness in some named's implementations
- determines jizz-weakness, id-prediction and resolver type remotely
- id spoofing, exploiting a weakness in the dns protocol itself
- implements some advanced dns denial of service attacks, including
flood, label compression and unres attack, advanced dns smurf
3. overview of weak points in the domain name service
- connectionless, udp based, independent protocol
the dns protocol can utilize tcp and udp as transportation protocols.
however, nearly all domain name servers use udp, because it has two
great advantages over tcp: it has little overhead and it doesn't need
time to establish a connection, it can just send data directly.
this is one of the reasons why the dns protocol is attackable, because
it uses a stateless protocol to deliver it's data, and extends this with
just some weak state variables inside the dns header.
stateless protocols can be spoofed easily, this is true for udp also. so
the spoof-security has to be guaranteed by the protocol on top of it, in
this case the dns protocol.
- broad usage, compatibility over security
since the dns protocol is very popular it has to be compatible with as
much servers as possible. the dns standard is written down in two
technical documents, the so called rfc's, for dns it is rfc 1034 and
1035.
a dns server often has to handle hundrets of requests from hundrets of
different machines at the same time, to understand them they have to fit
the format defined in the rfc's, any violation may render the request
to be dropped. this makes it nearly impossible to extend the dns protocol
within the tight borders given by the rfc.
- old, ineffective
the dns protocol we use today has been established 1987. at this time
the internet was not as popular as today, and although there has been
incidents in which protocol security has been compromised there was no
real sense of security when the protocol was designed.
therefore the protocol is functional and obviously working but is
lacking any security implementation. the dns id was never intended to be
used for security, just to sort the answers of the remote dns server
more quickly (the same applies to the isn of a tcp connection, they were
never intended to stop ip/tcp spoofing).
also dns turned out to be a quite ineffective protocol in large net-
works. there are estimations that 20% of all internet traffic are dns
traffic. dns caching is used to avoid too much traffic, therefore
exposing another way to compromise dns security.
also the dns protocol is centralized, which means there are more
important computers than others in dns design, therefore it's clearly
obvious which computers are subject to attacks (those that cache for
many computers).
4. spoofing descriptions
not yet
5. hints for effective spoofing
not yet
6. about
the program has been written by members of team teso and smiler.
a helpful patch has been submitted by noah williamsson <tm@ns2.crw.se>.
the vulnerabilities the program exploits have been discovered by other
persons, the adm crew deserves credit for the dns id spoofing technique.
the dozends of mindful people from the bugtraq mailing list that messed
with dns also deserve credits :)
7. greetings
(from scut)
in alphabetical order :-D
acpizer, avoozl, axhate, blackb, blow, bigblue, crestor, davy, domnar,
edi, focht, foxfire, fungus, garry, hendy, hoopy, js, kafka, lorian,
mindtrip, moc, overhead, oxigen, packwahn, plasmoid, random, route,
smiler, spy, tb303, tis, toniq, typo, vax, waterloo, wildandi, wilkins,
yks, yodler, zap.
special greetings to
smiler, :-)
the adm crew, for finding the id vulnerability, but lack a good coding
style ;-)
foxfire, for giving me some nice packet dumps to play with
oxigen, for giving me some hints about dns spoofing
rfc1035, for giving me any information about any dns packet
ken williams, for just being so cool B-)
8. legal stuff / disclaimer
know what you do before you do it, be able to face it's consequences.
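Review bot: sections 4 and 5 ("spoofing descriptions", "hints for effective spoofing") are empty placeholders ("not yet"), and the feature list marks "nice display and gui" with "?" and "local dns spoof" with "DONE?", so the README does not state what the imported code actually does; as an archived snapshot it should carry a line noting that the documentation was unfinished as of the last upstream version recorded in the ChangeLog. The statement in section 3 that "20% of all internet traffic are dns traffic" is an unsourced estimate and should be labelled as such or dropped.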

dns/zodiac/doc/ToDo (normal file, 17 lines)

@ -0,0 +1,17 @@
short time:
- implement all TY_* for dns_build_rr
- jizz dns spoof
global goals:
- first release
- gui cleanup, docs
- dns denial of service attacks
- tool functions: finding nameserver, getting info about it (HWARE)
- implement SOA rdata decoding + rest of rdata-types
- implement dns packet compression within dns_packet_send ()
- verbosity levels
done:
- gui
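Review bot: the ToDo contradicts the other two documents in this commit: "jizz dns spoof" is listed under "short time" here although the ChangeLog entry for 0.2.16 records "finished jizz and local spoof", and "gui" is listed under "done" although the README marks "nice display and gui" with "?". Since the file is imported as-is, either reconcile the three files or add a line stating that the ToDo reflects an earlier state than the 0.4.9 ChangeLog.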