Lab 2: SSL Security Attack June 17, 2008 Hyun Jin Kim

Lab 2: SSL Security Attack

June 17, 2008

Hyun Jin Kim

Objective

• Configure DNS such that https://www.paypal.com gets resolved to our own IP address of the “attack” server– Paypal uses SSL protocol.

Normal DNS Query Processing

www.paypal.com

64.4.241.33

DNS Server

Paypal’s Server

Attacking DNS Request

www.paypal.com

128.222.11.3

DNS Server

Paypal ServerFake Paypal Server

Filter

What We Will Do

• Write a program that injects a spoofed DNS Response when the source queries the IP address of www.paypal.com

• C programming• Basic skeleton of codes are provided.• Attacker’s fake server is also provided.

Libraries

• Libpcap– To capture DNS requests– /usr/include/pcap.h

• Libnet– To inject fake DNS replies– /usr/include/libnet.h

Procedures

• Setup for packet sniffing• Grab packets• Check if packets are DNS queries• If the query is for www.paypal.com, inject a

spoofed DNS response back• Web browser will direct to attacker’s fake

paypal website!

Step 1: Packet Sniffing Setup

• Find the network interface for sniffing– device = pcap_lookupdev(errbuf);• eth0 in our case

• Set up for sniffing– capdev = set_cap_dev(device, filter);• filter specifies some properties of DNS Requests

– UDP packets– Destination port = 53

Step 2: Grab a DNS Query Packet

• Grab a packet (first fill-in)– packet = (u_char *) pcap_next(capdev, &pcap_hdr);

• Check if the packet is a DNS Query– i.e., Destination port = 53?

• Check if the DNS Query is for www.paypal.com

Step 3: Create Spoofed DNS Response

• Create a new DNS Response with Attacker’s IP address

• Send it back to the source• void spoof_dns(char *device)– Open a raw socket– Start creating the header for the spoofed

response

Step 3: Create Spoofed DNS Response

• Header Construction– Build DNS Header (fill in)– dns = libnet_build_dnsv4(LIBNET_DNS_H, /* header size */

ntohs(spoofpacket.dns_id), /* dns id */ 0x8100, /* control flags (QR,AA,RD,*/

1, /* number of questions */ 1, /* number of answer RR's */

0, /* number of authority RR's*/ 0, /* number of additional RR's*/ spoofpacket.payload, /* payload */ spoofpacket.payload_size, /* payload length */ handler, /* libnet handler */

0); /* ptag */

– Build UDP Header

– Build IP Header

– Calculate Checksum (fill in)• libnet_toggle_checksum(handler, udp, 1);• libnet_toggle_checksum(handler, ip, 1);

Step 4: Inject DNS Response

• Inject the packet (fill in)– inject_size = libnet_write(handler);

• Destroy the packet (fill in)– libnet_destroy (handler);

• Compile– Type make

• Run– Type ./sslattack

• Open a web browser• Type http://www.naver.com– No attack

• Type https://www.paypal.com– Certificate Warning Sign

Certificate

Spoofed paypal.com

Actual paypal.com

Lab 2: SSL Security Attack June 17, 2008 Hyun Jin Kim

Documents

Kim Hyun-Jin Hafs

Analysis and Improvement for Impact Assessment of ... Diffusion by Marine Development Projects Jin-Hyun Jeong, Dae-Ho Tac, Jae-Hyun Lim, and Dae-In Lee Marine Environmental Impact

Welcome to the 16 th Joint Meeting of Coronary ... · Chair : Jin-yeong Han, victor serebruany Panel : Byung Jin Kim, sang min Park, Deuk-young nah, Hyun-sook Kim, Jae Kean ryu, il

A Computerized In-Hospital Alert System for Thrombolysis ... · Kim, Hye Jin Kim, Seo Hyun Kim, Yong-Jae Kim, Sun Uck Kwon, Byung-Chul Lee, Jun Hong Hye-Yeon Choi, Sang Won Han, Myoung-Jin

Three-dimensional structure of the orbicularis retaining ligament: … · 2019. 9. 4. · Jehoon O, Hyun-Jin K won, You-Jin Choi, Tae-Hyeon Cho & Hun-Mu Yang The orbicularis retaining

, Sung Ho Kim , Jin Hyun Jeong and Man Yong Shinblue.for.msu.edu/meeting/proc2/Yim_Kim_Jeong_Shin.pdf · Jong Su Yim1, Sung Ho Kim2, Jin Hyun Jeong2 and Man Yong Shin1 1 Department

Acute Pyelonephritis: Clinical Characteristics and the Role of the Surgical Treatment Dong-Gi Lee, Seung Hyun Jeon, Choong-Hyun Lee, Sun-Ju Lee, Jin Il

AFM-19: Program at Glance - Functional Materials€¦ · Antony Ananth, Hyeon-Jin Seo, Rak Hyun Jeong, Jin-Hyo Boo* Department of Chemistry, Sungkyunkwan University, Suwon 16419,

ProgramandAbstracts - eksideksid.com/pds/files/20______________________.pdf · ProgramandAbstracts 2010.4.2 ... Jeong-Hyun Shin2, SunA Yoon 3, Sang-Joo Park3, ... Tae Kyun Kim, Jin

Lightweight Source Authentication and Path Validationxia/resources/Documents/tiff… · · 2016-04-17Lightweight Source Authentication and Path Validation Tiffany Hyun-Jin Kim CyLab,

MATCHUP vs. ANGELS Dodgers: Angels: T-2 All-Time …losangeles.dodgers.mlb.com/documents/5/4/6/239289546/Dodgers_Daily...FOREVER HYUN: Dodger southpaw Hyun-Jin Ryu will take the

An Analysis of P3P Deployment Hyun Jin Kim Sensitive Information in a Wired World November 11, 2003

Eun Ju Ha 1 , Jung Hwan Baek 1 , Jeong Hyun Lee 1 , Jin Young Sung 2 ,

Hyun Jin Kim July 23, 2009 - Industrial Design Centre

Overview on i2 Five.Two SCM Solution Suite Hyun-Woong Jin Global Customer Solution Management i2 Technologies Hyun-Woong Jin Global Customer Solution Management

LOS ANGELES DODGERS (42-26) vs. Cincinnati Reds …cincinnati.reds.mlb.com/.../Dodgers_Daily_Notes_6.17.17_4w0d2hnj.pdf · today’s starter at cincinnati: lhp hyun-jin ryu (2-6,

100 Jin Hyun Kirn Abraham Moles' Definition von Musik …musicweb.hmt-hannover.de/kopiez/Kopiez(2015)lntonationstoleranz im... · Das »Jump-Desaster« von Van Halen Das Ereignis

Interrupted speech perception Su-Hyun Jin, Ph.D. University of Texas & Peggy B. Nelson, Ph.D. University of Minnesota

Record Mondiali, Europei e Nazionali(Park Sung Hyun, Yun Mi Jin, Yun Ok Hee) 70m Round (3x72 Arr.) Corea Mag, 14 Medellin, Col 2032 (Chang Hye Jin, Joo Hyun Jung, Lee Tuk Young) 24

· 2017-06-16 · DUOLAC KOSCAP 2015 Health Care LG collection 2016 KBO "SWEBS" KBS Dreamcon Hyun-Jin MD.ReviS ,THE .ANSWEœOF SECURITY RMC, 1