Network ghostwriting | network ghostwriting – lab

Task1: We prepare three VMs: user (10.0.2.6), attacker (10.0.2.7), and server (10.0.2.8). On the user machine, we add the nameserver 10.0.2.8. Then we use the dig command to check, and we can see that the SERVER becomes 10.0.2.

Then, we follow the instructions to set up the server.

Now, on the user machine, we run ping sfu.ca

and in Wireshark, we can see the detailed DNS query process: the user machine queries the DNS server to get the IP, then it sends ICMP data packets. Also, when we run ping sfu.ca again without flushing the cache, we can see the query time is significantly reduced. This is because the info is stored in the DNS server after the first query.

Then, we run dig www.example.com, and we can see it shows the information we just configured on the server machine.

and in Wireshark, we can see the user machine sends a query to the DNS server and then gets the response back.

Task2: First, we flush the DNS cache to make sure it won't check the info stored in the cache.

Then, on the attacker machine, we use netwox 105 to sniff the network and spoof the DNS response. To do it, we first check the parameter usage of netwox 105 by running netwox 105 help2. Then, we make up a spoofing command:

sudo netwox 105 -h "www.example.net" -H 192.168.0.5 -a "ns.example.net" -A 192.168.0.6 -f "src host 10.0.2.8" -s raw

On the user machine, we open Wireshark and run dig www.example.net; we can see the response is replaced with the spoofed one.

We can see the user machine sends a query to the DNS server, followed by the DNS server's recursive queries. Then, the server gets the spoofed response and replies to the user machine.

Now, we don't flush the cache and run dig www.example.net on the user machine again; we can see the DNS server directly responds with the stored data rather than doing the recursion.

Task3: Here is the spoofing code with scapy. Running this code enables the attacker to sniff the network and capture DNS packets that are udp with destination port 53. When the user sends a query for the domain name www.helix-project.org, it sends back a spoofed response with ns1.cmpt783.org as the name server.

After running the script on the attacker machine, we run dig www.helix-project.org on the user machine, and we can see it shows the spoofed information.

In the DNS server cache, we can see that ns1.cmpt783.org is the authority.

In Wireshark, we can see the user machine sends a query to the DNS server, and the DNS server sends queries recursively to the attacker-controlled nameserver. Then the DNS server sends a packet back to the user machine as the response.

Now, we test digging another hostname in the same domain: we run dig mail.helix-project.org on the user machine, and we can see the answer is also the spoofed one.

In Wireshark, we can see it is similar to the above; the user machine finally gets the spoofed response.

Then, we run ping mail.helix-project.org. We can see we get 100% packet loss; this is because the host 10.0.0.8 is not in the local network.

In Wireshark, we can see the user machine sends a query to the DNS server and gets the response with the IP address of the name server. Then, the user machine keeps trying to send packets to 10.0.0.8 but doesn't get a response.
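A detection-side counterpart to Tasks 2 and 3, as an added example that is not part of the original report: a sniff-and-spoof reply does not stop the genuine reply, which normally still arrives, so the querying host sees two responses for the same port and transaction ID carrying different records. The record layout, the `find_conflicts` name and the sample values (including the 203.0.113.x addresses) are constructed for illustration; in practice the fields would be extracted from a capture taken at the DNS server.

```python
from collections import defaultdict
from typing import NamedTuple

class DnsResponse(NamedTuple):
    ts: float              # capture time in seconds
    resolver: str          # destination IP: the host that sent the query
    dport: int             # destination UDP port (the query's source port)
    txid: int              # DNS transaction ID
    qname: str
    answers: frozenset     # (type, rdata) pairs from the answer section
    authority: frozenset   # (type, rdata) pairs from the authority section

def find_conflicts(responses, window=2.0):
    """Flag queries that received two responses carrying different records."""
    seen = defaultdict(list)
    findings = []
    for r in sorted(responses, key=lambda x: x.ts):
        # A reply is accepted only if it matches the open query on all of these.
        key = (r.resolver, r.dport, r.txid, r.qname.lower().rstrip("."))
        for prev in seen[key]:
            same = (prev.answers, prev.authority) == (r.answers, r.authority)
            if r.ts - prev.ts <= window and not same:
                findings.append({"qname": key[3], "txid": r.txid,
                                 "first": prev, "second": r,
                                 "gap": round(r.ts - prev.ts, 3)})
                break
        seen[key].append(r)
    return findings

# Constructed sample: responses arriving at the DNS server 10.0.2.8.
A = lambda ip: frozenset({("A", ip)})
NS = lambda name: frozenset({("NS", name)})
SAMPLE = [
    # First reply uses the values from the Task 2 netwox command.
    DnsResponse(1.000, "10.0.2.8", 33333, 0x1A2B, "www.example.net.",
                A("192.168.0.5"), NS("ns.example.net")),
    # Second reply to the same query, different data (constructed address).
    DnsResponse(1.045, "10.0.2.8", 33333, 0x1A2B, "www.example.net",
                A("203.0.113.10"), frozenset()),
    # Identical retransmission of another answer: must not be flagged.
    DnsResponse(2.000, "10.0.2.8", 40000, 0x0C0D, "sfu.ca", A("203.0.113.20"), frozenset()),
    DnsResponse(2.010, "10.0.2.8", 40000, 0x0C0D, "sfu.ca", A("203.0.113.20"), frozenset()),
]

if __name__ == "__main__":
    for f in find_conflicts(SAMPLE):
        print(f"conflicting replies for {f['qname']} txid={f['txid']:#06x} gap={f['gap']}s")
```

The reply that arrives first is the one the resolver caches, so a finding here is also a prompt to inspect and flush the cached records for that name.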