Re: Dynamic DNS "Spoofing" & IRC

From: Markus Kovero (muikku_at_muikkuverkko.net)
Date: 05/02/03

    Date: Fri, 2 May 2003 18:26:24 +0300 (EEST)
    To: Intel Nop <0x90@invisiblenet.net>


    We have in Darkmyst ( http://www.darkmyst.org ) this thing called hostname
    verification or something:

    21:36 [nla] !xx.xx.xx.darkmyst.org *** Notice -- IP# Mismatch:
    24.xxx.177.xxx != wv-xxx-ubr-b-xxx-196-xxx-130.charterwv.net[82b19f18]

    Don't know exactly how it works, probably kills users with fake hostnames.
    We're using some kind of modified darkhex ircd atm and we're coding a new one
    which is in beta-stage now.

    cheers and happy "vappu"-holidays; Markus Kovero

    On Thu, 1 May 2003, Intel Nop wrote:

    > This is a trivial "feature/flaw" I've been holding onto for a bit, and it's
    > probably commonly known, but I haven't seen it posted anywhere, more of a
    > neat little thing in taking advantage of IRC and its treatment of dyndns
    > within DNS if reverse lookup is possible.
    >
    > IRC (Internet Relay Chat) servers, being a common ground for chat, have some
    > annoyances such as the username@ipaddress or username@domainname; some
    > people don't like that etc., since they have to use a bouncer to avoid
    > showing their own ip address or hostname to other users if they want to
    > maintain some sort of privacy.
    >
    > Well here's a pseudo-privacy trick that can be reasonably easy to perform
    > given one has control of a dns server that performs reverse and forward
    > lookups, support for dyndns scripts, and a domain-name registered to you.
    > You can optionally use a bouncer if you want.
    >
    > In my example, I will use the host name spooftest.domain.com, a port
    > forwarding tool, a zoneedit account with my dyndns script that forward
    > resolves, and a friend's server (he/she runs an isp) that allows me to
    > have a PTR record to the ip address "10.1.1.1" (<-- this is a private
    > address for demo purposes) on his server as spooftest.domain.com
    >
    > Step 1) I have the zoneedit script set up to tell it that my dyndns address
    > for spooftest.domain.com is 10.1.1.1, which it updates immediately, and the
    > 10.1.1.1 server has a PTR record for 10.1.1.1 as spooftest.domain.com (thus
    > allowing reverse and forward lookup of spooftest.domain.com)
    > My portforward (say we're using datapipe.c on the 10.1.1.1 box)
    > settings are datapipe 10.1.1.1 6667 irc.whateverserver.net 6667
    >
    > Step 2) Log into irc server on your local machine by doing a /server
    > spooftest.domain.com 6667, make sure the irc server has resolved you as
    > username@spooftest.domain.com
    >
    > Step 3) Run your dyndns script for zoneedit to assign your ip address as
    > whatever ip you want (in this case I'll use 127.0.0.1), then wait about a
    > minute before joining a channel.
    >
    > By this time, your dyndns should have updated and changed your ip address to
    > 127.0.0.1, and irc servers don't re-check after you've connected (so anyone
    > resolving your hostname will come up with 127.0.0.1).
    >
    > I don't know if this is categorized as a flaw in dns or irc, or just merely
    > exploiting a feature, and this is a rather trivial trick (surely can't be
    > original and I apologize if it's been posted before).
    >
    > A fix I think would have ircd recheck after a certain amount of time for
    > resolving properties of their dns, and I was going to say dnssec, but I
    > can't really see that fixing the problem unless ircd re-checks as well
    > there.
    >
    > This "feature/flaw" could probably apply to other application protocols as
    > well that do not recheck dns properties, but I haven't taken the time to
    > come up with other practical uses for it.
    >
    > This has been tested on most ircd server versions and all so far are victims
    > of this "hack".
    >
    > 0x90
    > www.invisiblenet.net
    >

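The two defensive ideas in this thread are the Darkmyst-style "IP# Mismatch" check (the reverse-lookup hostname is only trusted if a forward lookup of that name yields the connecting IP) and the original poster's suggested fix of re-checking DNS some time after connect so a later dynamic-DNS update is noticed. The following is an added example written for this page; it is not code from Darkmyst, darkhex, or any ircd. The resolver is injected as two callables so it runs offline against a constructed zone (the names `ZONE_A`, `ZONE_PTR`, `HostVerifier`, the 60-second recheck interval and the nick `nla` are all assumptions made for the demo); in a real server the callables would wrap `socket.gethostbyaddr` and `socket.getaddrinfo`.

```python
"""Forward-confirmed reverse DNS (FCrDNS) with periodic re-verification.

Added example, not code from any ircd. Models the mismatch notice quoted
above and the periodic re-check proposed in the original post.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

ForwardLookup = Callable[[str], List[str]]      # hostname -> A records
ReverseLookup = Callable[[str], Optional[str]]  # ip -> PTR name or None


def fcrdns(ip: str, forward: ForwardLookup, reverse: ReverseLookup) -> str:
    """Return the hostname to display for `ip`.

    The PTR name is accepted only if a forward lookup of that name contains
    `ip`; otherwise the bare IP is shown, which is what a mismatch notice like
    the one quoted above amounts to.
    """
    name = reverse(ip)
    if name is None or ip not in forward(name):
        return ip
    return name


@dataclass
class Session:
    ip: str
    display_host: str
    last_check: float


@dataclass
class HostVerifier:
    forward: ForwardLookup
    reverse: ReverseLookup
    recheck_interval: float = 600.0  # seconds; assumed value, tune per server
    sessions: Dict[str, Session] = field(default_factory=dict)

    def on_connect(self, nick: str, ip: str, now: float) -> str:
        """Resolve the hostname once at connect time, as ircds already do."""
        host = fcrdns(ip, self.forward, self.reverse)
        self.sessions[nick] = Session(ip, host, now)
        return host

    def tick(self, now: float) -> List[str]:
        """Re-verify sessions whose interval has elapsed.

        Returns the nicks whose displayed hostname no longer forward-confirms,
        i.e. whose DNS changed after connect (the gap the thread describes);
        those sessions fall back to showing the bare IP.
        """
        changed = []
        for nick, s in self.sessions.items():
            if now - s.last_check < self.recheck_interval:
                continue
            s.last_check = now
            if s.display_host == s.ip:
                continue  # already shown as bare IP; nothing to revoke
            if s.ip not in self.forward(s.display_host):
                s.display_host = s.ip
                changed.append(nick)
        return changed


def demo() -> dict:
    """Walk through the thread's scenario against constructed zone data."""
    zone_a: Dict[str, List[str]] = {"spooftest.domain.com": ["10.1.1.1"]}
    zone_ptr: Dict[str, str] = {"10.1.1.1": "spooftest.domain.com"}

    def forward(name: str) -> List[str]:
        return zone_a.get(name, [])

    def reverse(ip: str) -> Optional[str]:
        return zone_ptr.get(ip)

    v = HostVerifier(forward, reverse, recheck_interval=60.0)

    # Step 2 of the original post: forward and reverse agree, name is shown.
    at_connect = v.on_connect("nla", "10.1.1.1", now=0.0)

    # Step 3: the dynamic-DNS A record is repointed after connect.
    zone_a["spooftest.domain.com"] = ["127.0.0.1"]
    before_interval = v.tick(now=30.0)  # too early, nothing re-checked
    after_interval = v.tick(now=61.0)   # re-check notices the mismatch

    return {
        "at_connect": at_connect,
        "before_interval": before_interval,
        "after_interval": after_interval,
        "final_host": v.sessions["nla"].display_host,
    }


if __name__ == "__main__":
    print(demo())
```

Without the `tick` re-check the session keeps showing `spooftest.domain.com` indefinitely, which is exactly the behaviour the original post relies on; with it, the name is revoked at the next interval and the bare IP is shown instead.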