Forged DNS attack via DHCP service

Foreword

Hello everyone. In this chapter I will explain how a rogue DHCP service can hand out a forged DNS server, how that attack works, and how a phishing website is then used to capture the login username and password.

Principle of attack

The victim host is handed a forged DNS server by DHCP, its domain name resolution is hijacked, and its information is leaked.

Network topology

Windows Server 2008 R2 hacker server: 192.168.90.1

Windows Server 2008 R2 victim host: 192.168.90.2 (obtained automatically via DHCP)

If possible, put a switch between the two machines.

Hacker server requirements: DHCP server role, DNS server role

Let's stop talking nonsense and get started!

Practical drill

1. Hacker server configuration

1. Set fixed IP and DNS

First, our hacker server needs a manually configured IP address:

Check the result of the setting:

ipconfig /all

Confirm that both the IPv4 address and the DNS server are 192.168.90.1; the settings are complete.

2. Install DHCP server

Start - Server Manager - Roles - Add Roles - check DHCP Server

Next, Next, and select the IP address you just set:

Next step, and here comes the key point!

1. Specify the parent domain as "test.com"

2. The preferred DNS server address is the server's own IP address "192.168.90.1"

Next, choose that WINS is not required, then Next:

Add a DHCP scope named "test.com". Because our server already occupies the .1 address, the starting IP address is "192.168.90.2" and the ending IP address is "192.168.90.254".

After confirming, click Next, disable DHCPv6 stateless mode, and click Next.

The installation is complete; the remaining configuration comes later. Because the parent domain test.com does not actually exist, the wizard may report an error after installation, which can simply be ignored.

3. DHCP server configuration

After the DHCP service is installed, start the victim host so that it obtains an IP address from the DHCP server.

Start - Run - cmd - OK

Enter ipconfig /release to release the old IP address, then enter ipconfig /renew to obtain a new one.

ipconfig /release
ipconfig /renew

Enter ipconfig /all to show all network information.

ipconfig /all

You can see that the DNS address is "192.168.90.1", assigned by the DHCP server. From now on, every website the victim host visits is resolved by the hacker server, so the hacker can build a phishing website on it that imitates the site the victim logs into, capture the login password, and carry out further operations from there.

Switch back to the hacker server and install the DNS service.

4. Install DNS resolution service

1. Server Manager - Roles - Add Roles, check DNS Server, click Next, and install it.

The installation completes as shown below:

5. Create a new zone

Roles - DNS Server - DNS - WIN-XXX - right-click "Forward Lookup Zones" and create a new zone.

Click Next, choose Primary zone, Next:

The zone name is "test.com"

Next, create a zone file, keep the file name unchanged, Next:

Select "Do not allow dynamic updates" and click Next.

Confirm to finish adding the zone.

6. Create a new host

Forward Lookup Zones - test.com - right-click - New Host (A or AAAA)

The name is "www", the IP address points to "192.168.90.1", click Add Host.

Host creation is complete. (It does not matter if no pop-up window appears, as long as the record was created.)

Switch to the victim host and run "nslookup www.test.com" in cmd to see which host the name currently resolves to.

Simulating the victim host being hijacked when surfing the Internet

Assume www.test.com is a bank website; the DNS record for that name now points to the hacker server.

Okay, there is still something wrong with my environment; I still don't know how to handle the virtual machine environment.

When I practised outside, I used the py-b7 system, which had an independent physical machine environment. When I came back and used my own computer, something went wrong. Alas, it was difficult to deal with.

In this way, when the victim host's browser opens www.test.com, a login page appears. After the victim host's administrator enters the account and password, an error message says the login failed, and the entered data is sent back to the hacker server: in the www directory on the C drive you will find a login.txt file that records the account name and password the administrator typed into the phishing website the hacker built.

Summary: the malicious DNS server assigned by the malicious DHCP server resolves "www.test.com" to a malicious IP address.

Defense

To prevent a forged DHCP server, the switch needs to be hardened with DHCP snooping: the uplink port facing the legitimate DHCP server is configured as Trusted and all other ports as Untrusted. In addition:

Run the dhcp server detect command under the interface to locate the DHCP impostor.
Run the dhcp snooping check dhcp-rate enable command in the interface or VLAN view to enable DHCP packet rate limiting, then run the dhcp snooping check dhcp-rate <rate> command to set the rate limit.
Run the dhcp snooping max-user-number <max-user-number> command in the interface or VLAN view to set the maximum number of entries in the binding table. Then run the dhcp snooping check dhcp-chaddr enable command to enable checking whether the source MAC address in the Ethernet frame header of a DHCP Request matches the CHADDR field in the DHCP payload.
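Added example, not part of the original post: a small Python checker that does in software what the walkthrough shows the victim receiving and what the switch commands above enforce. It parses raw DHCP packets, flags OFFER/ACK messages whose server identifier or DNS option (the "192.168.90.1" the victim saw in ipconfig /all) is not the trusted server, and performs the dhcp-chaddr comparison between a frame's source MAC and the CHADDR field. The trusted server 192.168.90.254 and the victim MAC are assumptions, and the sample packets are constructed.

```python
OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 6, 53, 54, 255
MAGIC = b"\x63\x82\x53\x63"
TRUSTED = {"192.168.90.254"}   # assumed legitimate DHCP/DNS server; not stated in the post

def parse_dhcp(payload):
    """Return (chaddr, {option_code: raw_value}) from a raw BOOTP/DHCP UDP payload."""
    if payload[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == 0:              # pad option: single byte, no length
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return payload[28:34], opts          # chaddr: 16 bytes at offset 28, 6 used for Ethernet

def ips(raw):
    return [".".join(map(str, raw[k:k + 4])) for k in range(0, len(raw), 4)]

def check_offer(payload):
    """Flag OFFER(2)/ACK(5) messages whose server id or DNS list is not trusted."""
    _, opts = parse_dhcp(payload)
    if opts.get(OPT_MSG_TYPE) not in (b"\x02", b"\x05"):
        return []
    findings = []
    server = ips(opts.get(OPT_SERVER_ID, b""))
    if not server or not set(server) <= TRUSTED:
        findings.append(f"untrusted DHCP server id {server}")
    dns = ips(opts.get(OPT_DNS, b""))
    if not set(dns) <= TRUSTED:
        findings.append(f"untrusted DNS servers handed out {dns}")
    return findings

def check_chaddr(src_mac, payload):
    # dhcp-chaddr check: the frame's source MAC must equal the CHADDR field
    return parse_dhcp(payload)[0] == src_mac

def build(msg_type, chaddr, opts):
    """Construct a minimal DHCP payload (sample data for the checks above)."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = (2 if msg_type in (2, 5) else 1), 1, 6   # op, htype, hlen
    hdr[28:34] = chaddr
    body = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in opts.items():
        body += bytes([code, len(value)]) + value
    return bytes(hdr) + MAGIC + body + bytes([OPT_END])

VICTIM_MAC = bytes.fromhex("0050560a0b0c")     # constructed sample MAC
ROGUE = bytes([192, 168, 90, 1])               # the post's hacker server as server id and DNS
ROGUE_OFFER = build(2, VICTIM_MAC, {OPT_SERVER_ID: ROGUE, OPT_DNS: ROGUE})
```

Feed check_offer the UDP payload of captured DHCP packets (ports 67/68) and check_chaddr the same payload together with the Ethernet source MAC of the frame; a non-empty finding list or a False chaddr result is what the switch would otherwise have dropped.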

Okay, this chapter ends here. Since the computer room has no equipment or platform, and you cannot record or take photos during training outside (that is how people make a living, but I am thick-skinned), I will try my best to make it more detailed when I have the opportunity later. The big guys can also give me some advice, such as where to build an open source platform, etc. Thank you for your support!