zodiac - advanced dns spoofer
readme file

0. content

   1. compilation
   2. features and description
   3. overview of weak points in the domain name service
   4. spoofing descriptions
   5. hints for effective spoofing
   6. about
   7. greetings
   8. legal stuff / disclaimer

1. compilation

read "INSTALL".

2. features and description

basic features include:

DONE  - sniffing of dns datagrams on an ethernet device
DONE  - decoding of all types of dns packets, including safe decompression
        of compressed names
?     - nice display and gui
DONE  - always interactive in all situations
DONE  - threaded and flexible design

advanced features include:

DONE? - local dns spoof
      - jizz dns spoof, exploiting a weakness in some named implementations
      - remote determination of jizz-weakness, id predictability and
        resolver type
      - id spoofing, exploiting a weakness in the dns protocol itself
      - some advanced dns denial of service attacks, including flood,
        label compression and unres attack, and advanced dns smurf

3. overview of weak points in the domain name service

- connectionless, udp based, independent protocol

  the dns protocol can run over both tcp and udp. however, nearly all name
  servers use udp for ordinary queries (tcp is used for zone transfers and
  for answers too large for a single udp datagram), because udp has two big
  advantages over tcp: little overhead and no connection setup, the data can
  be sent directly. this is one of the reasons the dns protocol is
  attackable: it delivers its data over a stateless transport and adds only
  a weak state variable of its own, the 16 bit id in the dns header (plus
  the udp source port the resolver happened to pick). stateless protocols
  can be spoofed easily, and this is true for udp as well.
  so spoofing protection has to be provided by the protocol on top of it,
  in this case dns itself.

- broad usage, compatibility over security

  since dns is so widely used it has to be compatible with as many servers
  as possible. the dns standard is written down in two technical documents,
  the so called rfcs, for dns these are rfc 1034 and rfc 1035. a dns server
  often has to handle hundreds of requests from hundreds of different
  machines at the same time; to be understood, the requests have to fit the
  format defined in the rfcs, and any violation may cause a request to be
  dropped. this makes it nearly impossible to extend the dns protocol within
  the tight borders set by the rfcs.

- old, inefficient

  the dns protocol we use today was established in 1987 (rfc 1034 and 1035
  date from november 1987). at that time the internet was far less popular
  than today, and although there had already been incidents in which
  protocol security was compromised, there was no real sense of security
  when the protocol was designed. therefore the protocol is functional and
  obviously working, but lacks any security mechanism. the dns id was never
  intended to be used for security, just to let a resolver match answers to
  its outstanding queries quickly (the same applies to the isn of a tcp
  connection: it was never intended to stop ip/tcp spoofing). a 16 bit id
  leaves an attacker only 65536 values to guess, and a resolver that picks
  its ids predictably (sequentially, for example) leaves far fewer.

  dns also turned out to be a quite inefficient protocol in large networks.
  there are estimates that 20% of all internet traffic is dns traffic. dns
  caching is used to avoid too much traffic, and therefore exposes another
  way to compromise dns security: a forged record that makes it into a cache
  is served to every client of that cache until its ttl expires. the dns
  design is also hierarchical and relies on a few central servers, which
  means some computers are more important than others, so it is obvious
  which computers are worth attacking (those that cache for many clients).

4. spoofing descriptions

not yet.

5. hints for effective spoofing

not yet.

6. about

the program has been written by members of team teso and smiler. a helpful
patch has been submitted by noah williamsson.
the vulnerabilities the program exploits have been discovered by other
people; the adm crew deserves credit for the dns id spoofing technique. the
dozens of mindful people from the bugtraq mailing list that messed with dns
also deserve credit :)

7. greetings

(from scut) in alphabetical order :-D

acpizer, avoozl, axhate, blackb, blow, bigblue, crestor, davy, domnar, edi,
focht, foxfire, fungus, garry, hendy, hoopy, js, kafka, lorian, mindtrip,
moc, overhead, oxigen, packwahn, plasmoid, random, route, smiler, spy, tb303,
tis, toniq, typo, vax, waterloo, wildandi, wilkins, yks, yodler, zap.

special greetings to

smiler, :-)
the adm crew, for finding the id vulnerability, but lacking a good coding
style ;-)
foxfire, for giving me some nice packet dumps to play with
oxigen, for giving me some hints about dns spoofing
rfc1035, for giving me any information about any dns packet
ken williams, for just being so cool B-)

8. legal stuff / disclaimer

know what you do before you do it, and be able to face its consequences.
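appendix: worked example for section 3

the following python code is an added example for this readme edit; it is
not part of zodiac and not team teso's code. it is a minimal dns message
codec that makes the two points of section 3 concrete: the only per-query
state a resolver keeps is the 16 bit id and the question it sent, so a forged
udp answer carrying the right id is accepted without any further check, and
name decompression has to be bounded or a crafted packet with a compression
pointer that points back into its own name will hang a naive decoder (the
"label compression" denial of service listed in section 2). the hostnames and
the address 192.0.2.1 are constructed sample data (rfc 5737 documentation
range), and `resolver_accepts` models the acceptance rule of a classic
resolver; it is an assumption of this example, not a description of any
particular named.

```python
"""added example for section 3 of the zodiac readme (not zodiac code): a tiny
dns codec showing that a resolver only checks the 16 bit id and the question
before believing a udp answer, and how bounded name decompression rejects a
looping compression pointer. sample names/addresses are constructed."""
import struct

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """'www.example.com' -> length-prefixed labels plus a terminating zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """decode a possibly compressed name at msg[offset]; returns (name, end).
    a pointer must point strictly before the start of the name being decoded,
    so every hop moves backwards and a self-referencing name raises."""
    start, labels = offset, []
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                    # pointer: 11xxxxxx xxxxxxxx
            if offset + 2 > len(msg):
                raise ValueError("truncated pointer")
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if ptr >= start:
                raise ValueError("compression pointer loop")
            tail, _ = decode_name(msg, ptr)
            return ".".join(labels + ([tail] if tail else [])), offset + 2
        if length & 0xC0:
            raise ValueError("reserved label type")
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if offset + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def unpack_at(fmt, msg, offset):
    """struct.unpack with a bounds check so short packets raise ValueError."""
    size = struct.calcsize(fmt)
    if offset + size > len(msg):
        raise ValueError("truncated message")
    return struct.unpack(fmt, msg[offset:offset + size]), offset + size


def build_query(txid, qname):
    """standard recursive query with one question (rfc 1035 section 4.1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_answer(txid, qname, ip, ttl=300):
    """response with one A record; its owner name is the usual pointer to
    offset 12, where the question name starts."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rdata = bytes(int(o) for o in ip.split("."))
    return header + question + b"\xC0\x0C" + struct.pack(
        "!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata


def parse(msg):
    """parse header, question section and answer section into a dict."""
    (txid, flags, qd, an, _ns, _ar), offset = unpack_at("!HHHHHH", msg, 0)
    questions, answers = [], []
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        (qtype, qclass), offset = unpack_at("!HH", msg, offset)
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        (rtype, _rclass, ttl, rdlen), offset = unpack_at("!HHIH", msg, offset)
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if len(rdata) != rdlen:
            raise ValueError("truncated rdata")
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "flags": flags, "questions": questions, "answers": answers}


def resolver_accepts(query, response):
    """assumed model of a classic resolver: qr bit set, same id, same question.
    nothing else is authenticated, so whoever guesses the id is believed."""
    q, r = parse(query), parse(response)
    return bool(r["flags"] & 0x8000) and q["id"] == r["id"] and q["questions"] == r["questions"]


def looping_name_message():
    """constructed malformed query: name 'abc' followed by a pointer back to
    offset 12, its own start. a naive decoder never returns from this."""
    header = struct.pack("!HHHHHH", 1, 0x0100, 1, 0, 0, 0)
    return header + b"\x03abc\xC0\x0C" + struct.pack("!HH", QTYPE_A, QCLASS_IN)
```

usage: `resolver_accepts(build_query(0x1234, "www.example.com"),
build_answer(0x1234, "www.example.com", "192.0.2.1"))` is true for any sender
that hits the id, which is why the attacker's burst of forged answers only
needs to cover the id space (65536 distinct guesses in the worst case, far
fewer against a sequential id) before the real answer arrives. `parse` on
`looping_name_message()` raises instead of spinning, because the pointer
target (12) is not strictly before the start of the name being decoded. note
that a modern resolver additionally randomizes the id and the udp source port
(rfc 5452), which widens the space an attacker has to guess but does not
change the acceptance rule shown here.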