
DNS Spoofing attacks. Writing a plugin for Microsoft DNS Server to protect against IDN spoofing. What is DNS spoofing?

The tactic of passing yourself off as someone else in order to gain access to confidential data or bank accounts is used successfully not only by criminals in the real world, but also by their counterparts in cyberspace. This practice is called spoofing: a collective category that includes IP spoofing (sending packets to computers from the IP address of a trusted source), email spoofing (forging message headers to mask the true sender) and DNS spoofing (altering DNS server records so that a domain name resolves to the attacker's IP address).

How does the spoofing work?

Spoofing is the technique of impersonating another party in order to deceive a network or a specific user into trusting the source of information. For example, through email spoofing attackers can mislead a user about the authenticity of the sender and obtain confidential data. Or they may forge IP and DNS traffic to deceive the user's network and redirect it to fraudulent sites that masquerade as real ones, as a result of which the user's computer is infected.

How to recognize spoofing?

Email spoofing is the easiest to recognise, because its immediate target is the user. Any e-mail message that asks the user for personal information may be a spoofing attempt, especially if credentials are requested. Remember that no reputable private or state organisation requests personal data in this way. Check the sender's address to make sure it is legitimate. However, the user almost never notices that he has become a victim of IP or DNS spoofing, although the habit of paying close attention to details and to changes in the usual behaviour of a site can be extremely helpful. If the site or its behaviour raises the slightest doubt, it is better to abandon the planned operation and keep your data and money safe.

How to eliminate spoofing?

Spoofing consists in disguising the true source, so it is not easy to "eliminate". You can protect yourself only by following common sense and observing the basic rules of safe behaviour online, for example never sending your personal data by e-mail, even if the sender's reputation is beyond doubt.

How to prevent spoofing
  • Do not respond to messages in which you are asked to send your personal data or credentials.
  • Carefully check the sender's address.
  • Pay attention to odd behaviour or differences in the details of websites you usually visit.
Protecting yourself from spoofing

On the one hand, protection may be summed up as following the basic principles of safe work on the Internet. However, you can do much more for your own security. First of all, you can entrust the protection of your PC and the data stored on it to a powerful antivirus solution, for example one developed by Avast, which reliably protects against fraudulent sites and blocks viruses trying to penetrate your network.

DNS Spoofing (DNS substitution)

The DNS (Domain Name System) converts a domain name (for example, www.test.com) into its IP address (for example, 192.168.0.1) and vice versa. This attack uses the technique of sending forged DNS responses to the victim. The attack is based on two main methods.

DNS ID Spoofing

The DNS protocol packet header contains an identification field used to match queries with responses. The goal of DNS ID spoofing is to deliver a forged response to the DNS request before the real DNS server responds. To do this, the query identifier must be predicted. Locally this is done simply by listening to network traffic. Remotely, however, the task is much harder. There are various methods:

    checking all possible values of the identification field. This is not very practical, since the total number of possible values is 65535 (the field is 16 bits wide);

    sending several hundred DNS requests in the correct order. Obviously, this method is not very reliable;

    finding a server that generates predictable identifiers (for example, incrementing by 1). This type of vulnerability is inherent in some versions of BIND and in Windows 9x systems.

In any case, the forged response must arrive before the real DNS server's response. This can be achieved, for example, by a denial-of-service attack against that server.

For a successful attack, the attacker must control a DNS server (ns.attaquant.com) that is authoritative for the attaquant.com zone. The target DNS server (ns.cible.com) is assumed to generate predictable identifiers (incrementing by 1 each time).

The attack requires four steps:

As a result, the cache of the target DNS server will contain the mapping the attacker wants, and subsequent clients asking for the address of www.spoofed.com will be given the address of the attacker's machine. A copy of the site can be hosted there, through which the attacker can steal confidential information.

DNS Cache Poisoning

A DNS server uses a cache to store the results of previous queries for some time. This avoids repeatedly querying the authoritative servers of the relevant domains. The second variant of the DNS spoofing attack targets the DNS server's cache. Here is an example:

We use the same data as in the previous example. Here are the key points of this attack variant:

    send a request to the DNS server of the cible.com domain to resolve the name www.attaquant.com;

    the target DNS server forwards the request to resolve www.attaquant.com to the attacker's DNS server;

IDN spoofing is the generation of domain names "similar" to a chosen one, usually used to make a user follow a link to a malicious resource. Let us consider a more specific variant of the attack.

Imagine that the attacked company owns the domain organization.org and uses an internal resource portal.organization.org. The attacker's goal is to obtain a user's credentials, and to this end he sends a link by e-mail or through the messenger used in the company.

Having received such a message, you may very well not notice that the link leads somewhere wrong. After following the link, a login and password are requested, and the victim, thinking this is the internal resource, enters the credentials of his account. The attacker's chances are especially high if he has already penetrated the perimeter, compromised some employee's system, and is now after system administrator privileges.

There is no absolutely "foolproof" protection here, but you can try to intercept this attack at the name resolution stage, through the DNS request.

For protection we will need to remember the names seen in intercepted DNS requests. The company uses its internal resources constantly, so we will quickly see enough queries for portal.organization.org. As soon as we encounter a name "similar" to one seen earlier, we can replace the DNS response, returning an error instead of the attacker's IP address.
What algorithms can define "similar"?

  • UTS #39 Confusable Detection (http://www.unicode.org/reports/tr39/#Confusable_Detection). Unicode is not only a huge table of characters but also a set of standards and recommendations. UTS #39 defines an algorithm for normalising a Unicode string in which strings that differ only by homoglyphs (for example, Cyrillic "а" and Latin "a") are reduced to the same form.
  • Words are still recognised when their inner letters are permuted. organization.org and orgainzation.org are easily confused.
  • Replacing the top-level domain. The top-level label usually carries no meaning, and an employee seeing "organization" may ignore the difference between .org and .net, although exceptions are possible.
Most likely the corporate server will not be BIND, which is the standard rather for web hosters and providers, but Microsoft DNS Server, owing to the ubiquity of Active Directory. The first problem I ran into when writing a filter for Microsoft DNS Server was that I found no built-in mechanism for filtering DNS queries. This problem can be solved in different ways; I chose DLL injection and an IAT hook on the socket APIs.

Understanding the technique requires some knowledge of the PE format, which you can read up on elsewhere. An executable file consists of headers, a section table and the sections themselves. A section is a block of data that the loader must map into memory at a relative virtual address (RVA); all resources, code and other data are contained inside sections. The header also holds links (RVAs) to a number of tables the application needs; two of them, the import table and the export table, matter for this article. The import table lists the functions the application needs that are located in other files. The export table is the "reverse" table: it lists the functions exported from this file or, in the case of export forwarding, the file name and function name to which the dependency should be resolved.

The DLL injection will be done without the usual CreateRemoteThread machinery. I decided to use PE export forwarding, a long-known technique: to get loaded into the desired process, a DLL is created in the directory of the EXE file with a name equal to any DLL from the EXE's import table (the main thing is not to pick a KnownDLL, which are listed in the registry under HKEY_LOCAL_MACHINE\SYSTEM\...). The created DLL copies the export table of the target DLL, but instead of a pointer to the code of each exported function it records an RVA to a forwarder string of the form "endpoint!sendto". Microsoft DNS Server itself is implemented as a service (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS) whose binary is %SystemRoot%\System32\dns.exe.

The final algorithm for injecting into the DNS server is:

  • Create a directory %SystemRoot%\System32\dnsflt (any other will do; it does not have to be inside System32).
  • Copy %SystemRoot%\System32\dnsapi.dll there: it is a DLL from which dns.exe imports something; any other non-KnownDLL could be chosen instead.
  • Rename the copied DLL to endpoint.dll; this name will be used in the forwarder string.
  • Take our injected DLL, add the correct export table to it, and copy it into %SystemRoot%\System32\dnsflt under the name of the DLL it stands in for.
  • In the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS, change ImagePath to the new binary location %SystemRoot%\System32\dnsflt\dns.exe.
  • Create a symlink %SystemRoot%\System32\dnsflt\dns.exe pointing to %SystemRoot%\System32\dns.exe.
What is the last step for? Windows has a built-in firewall, and by default on Windows Server only the application %SystemRoot%\System32\dns.exe is allowed to listen on port 53. If you try to run it from another directory, it gets no network access. Why did I copy dnsapi.dll at all? To minimise the impact on the whole system and not touch the original dnsapi.dll. It turns out that if you can create a symlink to an application, you obtain its network rights. By default only administrators may create symlinks, but it is worth knowing that by granting a user the right to create symlinks you give him the means to bypass the built-in firewall.

Once loaded inside the process, from DllMain you can create a thread and set up the hook. In the simplest case our DNS service tells the client the IP address for a name by sending a UDP packet from port 53 through the sendto function from ws2_32.dll. The standard allows TCP port 53 to be used if the answer is too large, and obviously intercepting sendto is useless in that case. However, the TCP case can be handled in the same way, only with more effort. For now I will describe the simplest case, UDP. So, we know that the code in dns.exe imports the sendto function from ws2_32.dll and uses it to reply to a DNS request. There are many ways to intercept a function. The classic one is splicing: the first instructions of sendto are replaced with a JMP to your own function, and when it finishes, the previously saved sendto instructions are executed and the rest of sendto runs. Splicing works even if sendto is called through GetProcAddress rather than through the import table; but if the import table is used, an IAT hook is simpler than splicing. To do this, find the import table in the loaded dns.exe image. The table has a somewhat confusing structure, and for the details you will have to consult the PE format description.

The main point is that while loading the image the system writes the address of the start of sendto into the import table. This means that in order to intercept the sendto call, you just need to replace the address of the original sendto in the import table with the address of your own function.

So, we have set up the hook and started receiving data. The sendto prototype looks like this:

```c
int sendto(_In_ SOCKET s, _In_ const char *buf, _In_ int len, _In_ int flags,
           _In_ const struct sockaddr *to, _In_ int tolen);
```

If s is a socket bound to port 53, then buf points to the DNS response of size len. The format itself is described in RFC 1035; I will briefly describe what you need to do to get to the data of interest.

The message format is described in the standard as follows:

From the header we need: the message type, the error code and the number of entries in each section. The header itself looks like this:

```c
#include <stdint.h>

// Bit-field order below assumes an x86 compiler allocating bit-fields LSB-first
// (rd is the low bit of the first flags byte); the 16-bit counts arrive in
// network byte order and must go through ntohs() before use.
struct dns_header {
    uint16_t id;          // identification number
    uint8_t  rd : 1;      // recursion desired
    uint8_t  tc : 1;      // truncated message
    uint8_t  aa : 1;      // authoritative answer
    uint8_t  opcode : 4;  // purpose of message
    uint8_t  qr : 1;      // query/response flag
    uint8_t  rcode : 4;   // response code
    uint8_t  cd : 1;      // checking disabled
    uint8_t  ad : 1;      // authenticated data
    uint8_t  z : 1;       // reserved
    uint8_t  ra : 1;      // recursion available
    uint16_t q_count;     // number of question entries
    uint16_t ans_count;   // number of answer entries
    uint16_t auth_count;  // number of authority entries
    uint16_t add_count;   // number of resource entries
};
```
The Question section has to be parsed in order to get to the Answer section. It consists of as many blocks as indicated in the header (q_count). Each block consists of a name, a type and a class. The name is encoded as a sequence of labels, each starting with a byte holding the label length; the sequence ends with a label of zero length. For example, the name homedomain2008.ru looks like this:

The Answer section consists of blocks made up of a name, type, class, TTL and additional data (RDATA); the IP address is contained in the additional data. Another difficulty arises when parsing the name. Apparently to reduce the message size, instead of a label length you may find a pointer to another area of the message. It is encoded as follows: if the two most significant bits of the length byte are 11, then the next byte, together with the low bits of the length byte, must be interpreted as an offset in bytes from the beginning of the message, and parsing of the name must continue from that offset.
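An added example (not code from the original article) of the parsing described above, written in Python rather than inside the sendto hook: it walks the header, the Question and the Answer sections of a response, follows compression pointers with a backwards-only and hop-count check so a malformed message cannot loop the parser, and extracts the A-record addresses a filter would inspect before letting the reply out. The sample message is constructed here for the demo (portal.organization.org resolving to the documentation address 192.0.2.10).

```python
import struct


def encode_name(name):
    """Encode a dotted name as RFC 1035 length-prefixed labels ending with a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")          # IDN labels are already punycoded (xn--...) on the wire
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def read_name(msg, offset, hops=0):
    """Decode a name at `offset`, following compression pointers.
    Returns (name, offset just past the name as written at the original position)."""
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past the end of the message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # two high bits 11: compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[offset + 1]
            # RFC 1035 pointers refer to a prior occurrence; a forward pointer or a long
            # pointer chain is malformed and would otherwise let a crafted reply loop us
            if target >= offset or hops > 16:
                raise ValueError("bad compression pointer")
            tail, _ = read_name(msg, target, hops + 1)
            if tail:
                labels.append(tail)
            return ".".join(labels), offset + 2
        if length & 0xC0:
            raise ValueError("reserved label type 0x%02x" % length)
        offset += 1
        if length == 0:                                 # root label: end of name
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length


def parse_response(msg):
    """Parse header, Question and Answer sections; returns (header, questions, answers)."""
    if len(msg) < 12:
        raise ValueError("message shorter than the DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    header = {
        "id": ident, "qr": (flags >> 15) & 1, "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1, "tc": (flags >> 9) & 1, "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1, "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }
    off = 12
    questions = []
    for _ in range(qd):
        name, off = read_name(msg, off)
        if off + 4 > len(msg):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated resource record")
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated RDATA")
        if rtype == 1 and rdlen == 4:                   # A record: dotted quad
            value = ".".join(str(b) for b in rdata)
        elif rtype == 5:                                # CNAME: a (possibly compressed) name
            value, _ = read_name(msg, off)
        else:
            value = rdata
        off += rdlen
        answers.append((name, rtype, rclass, ttl, value))
    return header, questions, answers


def build_sample_response():
    """Constructed sample: the reply the server would send for 'portal.organization.org A'."""
    header = struct.pack("!6H", 0x1234, 0x8580, 1, 1, 0, 0)   # QR=1 AA=1 RD=1 RA=1 rcode=0
    question = encode_name("portal.organization.org") + struct.pack("!HH", 1, 1)
    # owner name of the answer is a pointer (0xC00C) back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    return header + question + answer


SAMPLE_RESPONSE = build_sample_response()


def answered_addresses(msg):
    """(name, address) pairs a filter inside sendto() would judge before releasing the reply."""
    header, _, answers = parse_response(msg)
    if not header["qr"]:                                # queries carry no answers worth checking
        return []
    return [(name, value) for name, rtype, _, _, value in answers if rtype == 1]
```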

So, we have intercepted the desired API and parsed the DNS response; now we need to decide whether to let this answer through or return an error. For each name from the answer that is not yet present in the database, we have to check whether it is "suspicious" or not.
We will consider "suspicious" those names for which the result of the Skeleton function from Unicode Technical Standard #39 coincides with the result for any name from the database, or those that differ from a known name only by a permutation of inner letters. To implement the checks we will keep two tables. The first consists of the Skeleton results for all names in the database; into the second we write the strings obtained from the database entries by removing the first and last character of each label other than the top-level one and then sorting the remaining characters of each label. Now, if a new name is found in either of the two tables, we consider it suspicious.

The purpose of the Skeleton function is to determine the similarity of two strings; to this end the characters of each string are normalised. For example, XLœ is converted to XLoe, and so by comparing the function's results you can determine the similarity of Unicode strings.
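An added example (not the article's GitHub code) of the two-table check just described: a Skeleton built from a small constructed subset of the UTS #39 confusable table, the "drop first and last letter, sort the rest" key, the top-level label ignored in both keys so that a swapped TLD is caught, and punycode labels decoded so that wire-format IDN names compare against the Unicode names users see. The confusable subset and the sample names are assumptions for the demo.

```python
import unicodedata

# Constructed subset of the UTS #39 confusable table (assumption: enough for the demo; the
# real confusables.txt at unicode.org/reports/tr39 maps thousands of code points).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i",      # Cyrillic letters that look Latin
    "\u0153": "oe", "\u00e6": "ae", "\u0131": "i",    # ligatures and dotless i
    "0": "o", "1": "l",                               # digit/letter confusion
}


def skeleton(text):
    """UTS #39 skeleton(X): NFD, map every code point to its prototype, NFD again.
    Lower-cased first, since DNS names are case-insensitive."""
    decomposed = unicodedata.normalize("NFD", text.lower())
    return unicodedata.normalize("NFD", "".join(CONFUSABLES.get(ch, ch) for ch in decomposed))


def to_unicode(name):
    """Turn wire-format IDN labels (xn--...) back into Unicode so look-alikes can be compared."""
    labels = []
    for label in name.split("."):
        if label.lower().startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass                      # malformed label: keep it as-is, it is still compared
        labels.append(label)
    return ".".join(labels)


def body_labels(name):
    """All labels except the top-level one, which the text treats as carrying no meaning."""
    labels = name.rstrip(".").split(".")
    return labels[:-1] if len(labels) > 1 else labels


def skeleton_key(name):
    """First table: Skeleton of every label below the TLD."""
    return ".".join(skeleton(label) for label in body_labels(name))


def shuffle_key(name):
    """Second table: drop the first and last letter of each label, sort the rest."""
    return ".".join("".join(sorted(label[1:-1])) for label in body_labels(name))


class SimilarNameDetector:
    """Remembers names seen in earlier (trusted) queries and flags later names that imitate them."""

    def __init__(self):
        self.known = set()
        self.by_skeleton = {}
        self.by_shuffle = {}

    def learn(self, name):
        n = to_unicode(name).lower().rstrip(".")
        self.known.add(n)
        self.by_skeleton.setdefault(skeleton_key(n), n)
        self.by_shuffle.setdefault(shuffle_key(n), n)

    def lookalike_of(self, name):
        """Return the known name that `name` imitates, or None if it is already known or unrelated."""
        n = to_unicode(name).lower().rstrip(".")
        if n in self.known:
            return None
        return self.by_skeleton.get(skeleton_key(n)) or self.by_shuffle.get(shuffle_key(n))
```

In the filter, a non-None result from lookalike_of() for a name in the Answer section is the signal to send an error response instead of the resolved address.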

An example implementation of what is described above can be found on GitHub.
Obviously, the solution described cannot provide real protection in practice, because in addition to small technical problems with the hook there is a big problem with detecting "similar" names. It would be nice to handle:

  • Combinations of permutations and homoglyphs.
  • Adding or replacing characters not covered by Skeleton.
  • UTS #39 is not limited to Skeleton; you can also restrict the mixing of scripts within one label.
  • The Japanese full-width dot and other label separators.
  • As well as pretty things like

DNS cache poisoning, or DNS spoofing, is a type of cyberattack in which vulnerabilities in a DNS server are exploited to redirect traffic from legitimate servers to fake ones.

How DNS cache poisoning or DNS spoofing works

The code that poisons the DNS cache is often found in URLs sent in spam messages. In these messages attackers try to scare users and thereby force them to follow the attached link, which in turn infects their computer. Banners and images, both in e-mail and on dubious sites, can also redirect users to this code. Once infected, computers redirect users to fake sites imitating the original web pages, exposing them to such risks as infection with spyware, keyloggers or worms.

Risks

DNS cache poisoning creates various risks, starting with data theft. Sites of banks and popular online stores are easily replaced, which means that any password, credit card or personal information can be compromised. And if the sites of IT security vendors are replaced, the user's computer can be exposed to additional risks, such as infection with viruses or Trojans, since the security software will not receive legitimate updates. Finally, DNS cache poisoning is very hard to remove, as cleaning the infected server does not rid the computer of the problem, and cleaning the computers connected to the compromised server leads to their re-infection. If necessary, users can resolve the problem by flushing their DNS cache.

To prevent DNS cache poisoning, users should not follow unknown links and should regularly check their computer for malware. Always do this with a program installed on your computer, not an online version, which can also be replaced.

Spoofing is a rather interesting attack method that many information security professionals overlook. And in vain, very much in vain. From this article you will understand how deceptive this many-faced world can be. Don't believe your eyes!

Warning

All information is provided solely for informational purposes. Neither the editors nor the author are responsible for any possible harm caused by the materials of this article.

Intro

Often I hear from colleagues that spoofing as an attack vector is not even worth considering. However, I dare assure you: if spoofing methods are carefully thought out, they can be used for a great deal. And the scale and results of such attacks are sometimes catastrophic. After all, having deceived your eyes once, I will deceive you again. The most important argument that spoofing attacks represent a real danger is that no one, professionals included, is immune. It should be noted here that spoofing by itself gives nothing: to carry out a real attack, post-exploitation is required. In most cases the goal of post-exploitation is the standard set: taking control, escalating privileges, mass distribution of malware and, as a result, theft of personal data and digital keys of banking systems with subsequent money laundering. In this article I want, first, to describe what spoofing methods exist at all and, second, to tell in detail about some modern approaches. Naturally, all information is provided only to help you protect against this kind of attack.

Past and present of spoofing

Initially the term "spoofing" was used in network security to mean a successful falsification of certain data in order to gain unauthorised access to a network resource. Over time the term came to be used in other areas of information security, although most so-called old-school specialists to this day use the word "spoofing" only to designate a type of network attack.

First IDN clones

An attack using IDN homographs was first described in 2001 by Evgeniy Gabrilovich and Alex Gontmakher from the Technion, Israel Institute of Technology. The first known case of a successful attack using this method was presented in 2005 at the ShmooCon hacker conference. Hackers managed to register the domain paypal.com (xn--pypal-4ve.com in Punycode), where the first letter "a" is Cyrillic. Thanks to a publication on Slashdot.org, public attention was drawn to the problem, after which both browsers and the administrators of many top-level domains developed and implemented countermeasures.

So, when the network was only being born, most of the efforts of programmers and developers were aimed at optimising the algorithms of network protocols. Security was not as critical as it is today and, as often happens, it received very little attention. As a result we have banal and fundamental errors in network protocols that persist to this day despite all kinds of patches (because no patch can fix a logical error in a protocol). Total changes are needed here, which the network in its current form simply would not survive. For example, in the article "Attacks on DNS: yesterday, today, tomorrow" (][ #5 2012) I described the disastrous consequences of fundamental vulnerabilities in DNS: the use of UDP (which, unlike TCP/IP, is unsafe, since it has no built-in mechanism to prevent spoofing) and the local cache.

Vectors

Depending on the purpose and tasks, spoofing vectors can be divided into local and network directions; these are what we consider in this article. With a local vector the attacked object is most often the OS installed on the victim's computer, as well as certain applications, which often require additional analysis depending on the situation. Objects of attack with a network vector, on the contrary, are more abstract. The main ones are the components of information systems represented by both local and global networks. Let us consider the main types of spoofing.

  1. TCP/IP and UDP spoofing - attacks at the transport level. Due to fundamental flaws in the TCP and UDP transport protocols, the following types of attack are possible:
    • IP Spoofing - the idea is to substitute the IP address by changing the Source field in the IP packet header. It is used to substitute the attacker's address, for example in order to direct the response packet to the desired address;
    • ARP Spoofing - an attack technique in Ethernet networks that allows traffic between hosts to be intercepted. Based on the use of the ARP protocol;
    • DNS Cache Poisoning - poisoning the cache of a DNS server;
    • NetBIOS/NBNS Spoofing - based on the peculiarities of name resolution of local machines inside Microsoft networks.
  2. Referrer Spoofing - substitution of the Referer.
  3. Poisoning of File-Sharing Networks - phishing in file-sharing networks.
  4. Caller ID Spoofing - substitution of the caller's phone number in VoIP networks.
  5. Email Address Spoofing - substitution of the sender's e-mail address.
  6. GPS Spoofing - substitution of packets from a satellite in order to confuse a GPS device.
  7. Voice Mail Spoofing - substitution of voicemail numbers in order to phish the victim's passwords.
  8. SMS Spoofing - a spoofing method based on substituting the SMS sender's number.

The latest developments in spoofing

The most common techniques are already quite old and hackneyed. The global network is literally bursting with information about possible variations of their use and protection against them. Today we will look at a few of the newest spoofing methods, whose use is only gaining momentum, starting from local vectors and ending with network ones. So, everything in order.

Flamer and the scandalous spoofing of Microsoft certificates

Microsoft Security Advisory (2718704): Unauthorized Digital Certificates Could Allow Spoofing. A rather interesting thing was found in samples of the sensational spy bot Flamer: reverse engineering of this malware's components revealed a section of code responsible for carrying out a spoofing attack. Imitating the issuance of genuine certificates of large companies, the bot conducted a MITM attack aimed at intercepting personal data of corporate network users and sending it to the operators' server. This spoofing incident received Security Advisory 2718704 with a High severity rating.

Spoofing in the OS

1. Extension Spoofing - file extension spoofing

A technique that saw the light thanks to the work of the Chinese information security researcher Zhitao Zhou. Its essence is to use the 0x202E (RLO) control character in a file name, which changes the order of the characters when the name is displayed in Windows Explorer (explorer.exe). An example of this simple technique:

Super Music Uploaded by 3 PM.SCR

The file 3 PM.SCR is nothing but an executable that implements certain functions (a Trojan. - Ed.). If the 0x202E control character is inserted in front of "3 pm.scr" in the file name (see Fig. 1), then the order of the characters after it is reversed and the file name is displayed in Windows Explorer differently:

Super Music uploaded by rcs.mp3

To change the file icon, use any resource editor (Restorator, Resource Hacker). This technique is aimed at a careless user who can take this file for a song and open it with a double-click, thereby running the malware. Unfortunately, this technique does not work in Explorer-like programs that support Unicode. The following Visual Basic .NET code renames a file, inserting the 0x202E control character in front of its extension:

```vbnet
' Renames File so that the spoofed Extension is what a bidi-naive viewer shows,
' e.g. "3pm.scr" with Extension "mp3"; assumes the real extension is three letters
Public Sub U_202E(File As String, Extension As String)
    Dim D As Integer = File.Length - 4            ' position of the "." before the real extension
    Dim U As Char = ChrW(&H202E)                  ' U+202E RIGHT-TO-LEFT OVERRIDE
    Dim T As Char() = Extension.ToCharArray()
    Array.Reverse(T)                              ' spoofed extension is stored reversed
    Dim Dest As String = File.Substring(0, D) & U & New String(T) & File.Substring(D)
    System.IO.File.Move(File, Dest)
End Sub
```

2. File Name Spoofing - file name cloning

This technique was presented by the Japanese researcher Yosuke Hasegawa at the Security-Momiji conference. It is based on the use of zero-width characters, which do not affect the display of the file name (see Fig. 2). All characters of this category are listed below:

  • U+200B (Zero Width Space)
  • U+200C (Zero Width Non-Joiner)
  • U+200D (Zero Width Joiner)
  • U+FEFF (Zero Width No-Break Space)
  • U+202A (Left-to-Right Embedding)

In addition, Unicode characters can be used to forge the names of existing files. Modern malware often uses this technique. Samples of malware using such attacks have come within my field of view. For example, the malware TrojanDropper:Win32/Vundo.L (used for phishing the sites vk.com, vkontakte.ru, *.odnoklassniki.ru) employs this technique.


The file %SystemRoot%\System32\drivers\etc\hosts was copied to a "clone" file whose name contains the Cyrillic letter "о" (0x043e) in place of the Latin one, after which the original hosts file was given the hidden attribute and its contents were overwritten with the following records:

    92.38.66.111 odnoklassniki.ru
    92.38.66.111 vk.com
    92.38.66.111 vkontakte.ru
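An added example (not code from the article) of what a defender can check for in file names against the two tricks above and the hosts-file clone: presence of bidi override and zero-width characters, mixing of scripts in one name, the extension that is actually stored versus the name a bidi-naive viewer draws, and whether a name is a clone of a protected system file name. The one-RLO rendering model and the clone heuristic are simplifications assumed for the demo.

```python
import unicodedata

# Unicode bidi overrides/embeddings/isolates and zero-width characters
BIDI_CONTROLS = {0x202A, 0x202B, 0x202C, 0x202D, 0x202E, 0x2066, 0x2067, 0x2068, 0x2069}
ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF}
INVISIBLE = BIDI_CONTROLS | ZERO_WIDTH


def displayed_name(name):
    """Approximate what a bidi-naive viewer shows: text after a U+202E override is drawn reversed.
    Simplification: only the first RLO is honoured; real renderers run the full bidi algorithm."""
    i = name.find("\u202e")
    if i < 0:
        return name
    return name[:i] + name[i + 1:][::-1]


def scripts_in(name):
    """Scripts of the letters in the name, taken from the first word of each code point's name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in name if ch.isalpha()}


def stored_form(name):
    """The name with invisible control characters removed: what the filesystem actually matches on."""
    return "".join(ch for ch in name if ord(ch) not in INVISIBLE)


def inspect_filename(name):
    """Findings a defender cares about: hidden controls, mixed scripts and the real extension."""
    findings = []
    if any(ord(ch) in BIDI_CONTROLS for ch in name):
        findings.append("bidi-control")
    if any(ord(ch) in ZERO_WIDTH for ch in name):
        findings.append("zero-width")
    if len(scripts_in(name)) > 1:
        findings.append("mixed-script")
    # the extension that decides how Windows opens the file is in the stored name, not the rendered one
    stored = stored_form(name)
    real_ext = stored.rsplit(".", 1)[1].lower() if "." in stored else ""
    return {"findings": findings, "real_ext": real_ext, "displayed": displayed_name(name)}


def is_clone_of(name, protected):
    """True if `name` looks like the protected system file name but is a different string,
    e.g. hosts with a Cyrillic o, or hosts plus a zero-width character."""
    if name == protected:
        return False
    stored = stored_form(name)
    if stored == protected:
        return True                      # same visible text, padded with invisible characters
    if len(stored) != len(protected):
        return False
    # heuristic: every difference is a non-ASCII letter standing in for an ASCII one
    return all(a == b or (a.isalpha() and ord(a) > 127 and b.isascii())
               for a, b in zip(stored, protected))
```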


Spoofing in web browsers

1. Status Bar / Link Spoofing

The principle of this attack lies in dynamically substituting the address of a hyperlink. For example, the victim hovers the mouse over the link, and the status bar shows the address the link leads to. After the click, a cunning piece of JavaScript replaces the destination address on the fly. A researcher I know, under the nick Iamjuza, studied this technique and developed a PoC for it, but his development was not universal and worked only in specific browsers. After a similar study I obtained better results and managed to make this spoofing technique work for all browser engines. The proof of concept is published on the 1337day.com resource. The technical implementation looks like this:

  • Method this.href = "…"
  • Method location.replace("…")
  • Method location.assign("…")
  • Method window.location.assign("…")
  • Method window.location.replace("…")
  • Method window.location.href = "…"

The HTML code shown performs dynamic substitution of the displayed address (www.google.com) with the address of the ][ site by various methods, all based on the JavaScript onclick="" event.

2. URL Bar Spoofing - substitution of the link in the browser's address bar

At first glance this seems impossible, but believe me, it is just a matter of developing the spoofing further. Consider the CVE-2011-1452 vulnerability, an address bar spoof in Google Chrome up to version 11.0.0.696.57:

Click Me.

  • a new window (spoofing.php) is opened and assigned to the variable "a";
  • after 4500 milliseconds (4.5 seconds), via window.setTimeout, a step back in the navigation history is performed by a.history.back() on the variable "a";
  • after 5000 milliseconds the variable "a" is given a new location, spoofing.php in the same directory.

This causes the address bar to be overwritten with the new URL in the context of the first, "parent" page.

The next vulnerability is CVE-2010-4045 (Opera <= 10.62):

Proof of Concept - Opera location bar spoofing


When you click the button, which is represented by an image, the page is automatically reloaded (location.reload()), and at that moment the address bar can be overwritten in the context of the current tab.

Some payment / bank website included here.
  1. Start PoC. Click the button to run the PoC.



After pressing the "Demo" button, the variable myWindow is assigned the result of a function that opens the apple.com site in a window of 200×100, which corresponds to the size of the Safari extension area on mobile devices. Next, myWindow writes additional HTML (JavaScript/VB/etc.) code with document.write(). The final step is to give Safari's focus to the myWindow object.

There is nothing complicated about spoofing the browser's address bar; the only thing is to apply the spoofing correctly where it is needed ;-).

3. Source Code Spoofing - substitution of the page contents and source code

Exploitation relies on the control character already known to us, 0x202E (RLO). The method was discovered by the Virginia Tech student John Kurlak. To demonstrate the technique he used the JavaScript history.replaceState() function, which allows the page address in the address bar to be changed dynamically. Proof of concept (source.html):

Source

Can you view my source from Chrome?

The contents of the second file, source.html[%20%2e]: You can, but not that easily...

The essence of the method is to substitute the page's source with the help of the RLO control character at the end of the file name (see Fig. 4). When you try to view the source of the source.html page, you get the contents of the second file, source.html%20%2e. A rather interesting and exotic spoofing pattern, with a very strange profit, as it may seem at first glance. What is most interesting is that this trick allows the source code of a page to be "hidden", masking it not only in the address context but also in the context of the host name.


4. IDN Clones - a technique based on the visual similarity of domain names

There is no innovation here; the technique has been practised since the very beginning of DNS, but it was the introduction of IDN (Internationalized Domain Names) that made it possible to create almost indistinguishable "clones" of domain names. The technical implementation of the phishing attack looks like this:

  1. A domain name is registered that looks as similar as possible to the attacked domain. Typically this exploits the similarity of letters and digits in some fonts (the letter l and the digit 1, the letter O and the digit 0) and the similarity of letter combinations (rn and m, cl and d).
  2. A copy of the original site is placed on the created "clone".
  3. Links to the phishing domain are spread (spam mail, spam in social networks, through popular services such as Twitter, iframes, dorways).
  4. Profit :).

The main difference of this attack, based on the similarity of domain names, from other types of phishing using fake web pages is that it does not require interfering with the operation of network protocols: from a technical point of view the spoofed domain is legitimate.

Protection against IDN attacks began to be implemented in mid-2005, when domain registrars adopted agreements limiting the ability to register arbitrary IDN domains. Thus the international .org domain restricts the permitted characters to one or another subset of the extended Latin alphabet. But thanks to some unscrupulous registrars and a bit of spoofing, even today there is every opportunity to register a phishing domain.

The most radical protection against the homograph threat would be to refuse to decode IDN entirely when displaying names. Then the spoofed name would always begin with "xn--" and end in an unreadable sequence of characters, which would sharply distinguish it from the original. Unfortunately, this option negates almost all the advantages of IDN.

The main client-side protection against IDN spoofing is the browser's status bar. When you hover the cursor over a link, the status bar shows the Punycode equivalent of the IDN domain, which immediately suggests possible phishing. But this is not a panacea: everything can be hidden if you apply a mix of tricks ;-). See my universal exploit for all browser engines.

Conclusion

Spoofing has always been in demand, because it is the basis and guarantee of successful attacks in many directions. I hope you have drawn the right conclusions. Be careful on the Internet.