Thursday, December 25, 2008
Mount NTFS partition in Linux
(Of course replacing the /dev/sda1 with your partition specifics.)
Monday, September 1, 2008
DNS cache poisoning
An attacker is running his own domain (attacker.net) with his own hacked DNS server (ns.attacker.net). Note that it is called a hacked DNS server because the attacker customized the records in his own DNS server; for instance, one record could be www.cnn.com=81.81.81.81
1) The attacker sends a request to the user's DNS server asking it to resolve www.attacker.net
2) The user's DNS server does not know this machine's IP address, since it doesn't belong to its domain, so it needs to ask the responsible name server.
3) The hacked DNS server replies to the user's DNS server and, at the same time, gives it all his records (including his record for www.cnn.com)
Note: this process is called a zone transfer.
4) The DNS server is now "poisoned".
The attacker got his IP, but who cares: his goal was not to get the IP address of his web server but to force a zone transfer and leave your DNS server poisoned for as long as the cache is not cleared or updated.
5) Now if the user asks his DNS server for the IP address of www.cnn.com, it will give him 172.50.50.50, where the attacker runs his own web server. Or, even simpler, the attacker could just run a bouncer forwarding all packets to the real web site and vice versa, so you would see the real web site, but all the user's traffic would be passing through the attacker's web site.
This is one of the ways cache poisoning works.
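The defence against the extra records in step 3 is a bailiwick check: a resolver caches only records whose names fall inside the zone it asked about. The sketch below is an added example, not code from the original post; the record layout, function names and the 192.0.2.x addresses are assumptions, and the reply is constructed.

```python
from collections import namedtuple

# name = owner name the record claims to describe
Record = namedtuple("Record", "name rtype value")

def normalize(name):
    """Lower-case and drop the trailing root dot so names compare equal."""
    return name.rstrip(".").lower()

def in_bailiwick(name, zone):
    """True if `name` is the zone itself or a subdomain of it."""
    name, zone = normalize(name), normalize(zone)
    # Match on a label boundary: "notattacker.net" is NOT inside "attacker.net".
    return zone == "" or name == zone or name.endswith("." + zone)

def filter_response(zone, records):
    """Split a reply from `zone`'s name server into (accepted, rejected)."""
    accepted, rejected = [], []
    for rec in records:
        (accepted if in_bailiwick(rec.name, zone) else rejected).append(rec)
    return accepted, rejected

def cache_reply(cache, zone, records):
    """Cache only in-bailiwick records; return the ones that were dropped."""
    accepted, rejected = filter_response(zone, records)
    for rec in accepted:
        cache[(normalize(rec.name), rec.rtype)] = rec.value
    return rejected

# Constructed reply from ns.attacker.net to a query for www.attacker.net.
RESPONSE = [
    Record("www.attacker.net", "A", "192.0.2.10"),      # the real answer
    Record("NS.Attacker.NET.", "A", "192.0.2.53"),      # in zone, odd case/dot
    Record("www.cnn.com", "A", "81.81.81.81"),          # injected record from the post
    Record("www.notattacker.net", "A", "192.0.2.66"),   # suffix look-alike
]

if __name__ == "__main__":
    cache = {}
    for rec in cache_reply(cache, "attacker.net", RESPONSE):
        print("dropped out-of-bailiwick record:", rec.name, rec.value)
    print("cached:", sorted(cache))
```

With this check in place the www.cnn.com record never reaches the cache, so step 5 returns the genuine address.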
Saturday, July 26, 2008
DNS SPOOFING

Before discussing what DNS spoofing is, let me first explain what DNS is and why it is important.
DNS (Domain Name Service) is a service that gives you the IP address of a named domain. Let me explain it in more detail with an example.
Whenever we type a URL or website name into the browser, the browser doesn't know what this URL or website name is. It only understands IP addresses: it can only send requests to, or get responses from, an IP address. So what does the browser do to resolve a name into an IP address? It sends a request to the nearest DNS server to resolve the name into an IP address. It is then the job of the DNS server to find the correct IP address for that domain name and return it to the browser.
For example, you're in your web browser and wish to search for something on www.google.com. Without thinking about it, you just enter this URL in your address bar and press Enter.
Now, what's happening behind the scenes? Basically, your browser sends a request to a DNS server to get the matching IP address for www.google.com, then the DNS server tells your browser the IP address of Google, so that your browser can connect to CNN's IP address and display the content of the main page.
Here comes the concept of DNS spoofing.
What if, after entering the URL, you get a page containing a message like 'yahoo is more efficient than google'?
You would be amazed that Google is saying Yahoo is better, given that they are in the same business. To check, you type the IP address of Google instead of the name (you can get the IP address of a domain name by simply pinging that domain).
If, as soon as you type the IP address and press Enter, you see the original Google website, you can be sure that your DNS server, whose duty was to resolve the name into an IP address, has been spoofed.
In the above picture, the DNS server has first been compromised by an attacker, who has replaced the entry for bank.com with another IP address. So whenever a user types bank.com into his browser, the browser will take him to the fake website.
Wednesday, July 23, 2008
How MAC SPOOFING is done(Linux)
ifconfig
For example:
ifconfig eth0 down                          # disable the interface
ifconfig eth0 hw ether 02:75:73:A3:B1:80    # change the MAC
ifconfig eth0 up                            # enable it again
Please note that there are a number of other classes besides 'ether'. Check the man page for ifconfig for more detail.
In the next posts, maybe I will discuss DNS spoofing.
Sunday, July 20, 2008
How MAC SPOOFING is done
Before starting to spoof the MAC, run ipconfig/all from the command line and see which network interfaces are present in the system, along with their descriptions. Note the actual MAC ID so you can verify whether it has been changed or not.
1. Open Start -> Run -> regedit
2. go to HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
3. There are various subfolders under it. Browse through all the folders and look at the DriverDesc key value. If it is similar to the interface you have, look for another key called NetworkAddress. If it is not present, create it with the data type REG_SZ and provide the new MAC ID as its value.
4. Reset the network adapter for which the MAC has been changed.
5. Verify whether the MAC has been changed by running ipconfig/all again.
Most probably you have successfully changed your MAC.
How is it done in Linux? Next post.
MAC Spoofing
MAC spoofing is a kind of attack in which the attacker replaces the MAC of his machine with another MAC that belongs to some other user.
This attack is particularly useful in organizations (usually universities) where a user's MAC is registered in order to surf the internet. In that case, whenever a user requests an internet connection from his ISP, it is first checked whether the incoming request has a valid/registered MAC or not. If it is registered, the user is permitted to access the internet.
Now, if an attacker somehow knows what the valid MACs for this network are, he could spoof one and would be able to connect to the network.
How is MAC spoofing done on Windows and Linux? It will be discussed in the next post.
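On a network that admits users by registered MAC, a copied address shows up as the same MAC on two switch ports at nearly the same time. The following is an added detection sketch, not code from the original post; the event format, port names, time window and sample MACs (other than 02:75:73:A3:B1:80 from the Linux post) are constructed assumptions.

```python
import re

def normalize_mac(mac):
    """Canonical form aa:bb:cc:dd:ee:ff for any common separator style."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """Bit 0x02 of the first octet marks an address not assigned by a vendor.
    A copied vendor MAC will not set it, so this is only a secondary hint."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

def find_port_conflicts(events, window=300):
    """Return (mac, old_port, new_port, ts) whenever one MAC appears on a
    different switch port within `window` seconds of its last sighting."""
    last_seen = {}   # mac -> (timestamp, port)
    alerts = []
    for ts, port, mac in sorted(events):
        mac = normalize_mac(mac)
        prev = last_seen.get(mac)
        if prev and prev[1] != port and ts - prev[0] <= window:
            alerts.append((mac, prev[1], port, ts))
        last_seen[mac] = (ts, port)
    return alerts

# Constructed switch events: (unix-style timestamp, port, MAC as logged).
EVENTS = [
    (1000, "Gi0/1", "00:1A:2B:3C:4D:5E"),   # registered user at their desk
    (1060, "Gi0/7", "00-1a-2b-3c-4d-5e"),   # same MAC elsewhere a minute later
    (1100, "Gi0/1", "00:1A:2B:3C:4D:5E"),   # original host still talking
    (1200, "Gi0/3", "00:1A:2B:AA:BB:CC"),   # second user
    (9000, "Gi0/4", "00:1A:2B:AA:BB:CC"),   # moved rooms hours later: no alert
]

if __name__ == "__main__":
    for mac, old, new, ts in find_port_conflicts(EVENTS):
        print(f"t={ts}: {mac} moved {old} -> {new} inside the window")
    print(is_locally_administered("02:75:73:A3:B1:80"))
```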
Saturday, July 19, 2008
What is Web Spoofing
Why can't these attacks be stopped by firewalls and antivirus software as well?
As mentioned earlier, it is a 'class' of attacks. Various kinds of spoofing attacks are possible, for example:
1. DNS Spoofing
2. IP Spoofing
3. MAC spoofing
4. Caller ID spoofing
5. ARP spoofing
6. Email spoofing etc
I will post details of each kind of spoofing attack in the next posts.