Re: Dynamic DNS "Spoofing" & IRC

From: Markus Kovero (muikku_at_muikkuverkko.net)
Date: 05/02/03

  • Next message: c4: "Re: Dynamic DNS "Spoofing" & IRC"
    Date: Fri, 2 May 2003 18:26:24 +0300 (EEST)
    To: Intel Nop <0x90@invisiblenet.net>
    
    

    We have in Darkmyst ( http://www.darkmyst.org ) this thing called hostname
    verification or something:

    21:36 [nla] !xx.xx.xx.darkmyst.org *** Notice -- IP# Mismatch:
    24.xxx.177.xxx != wv-xxx-ubr-b-xxx-196-xxx-130.charterwv.net[82b19f18]

    Don't know exactly how it works; it probably kills the user with a fake hostname.
    We're using some kind of modified darkhex ircd atm, and we're coding a new one
    which is in beta stage now.

    cheers and happy "vappu"-holidays; Markus Kovero

    On Thu, 1 May 2003, Intel Nop wrote:

    > This is a trivial "feature/flaw" I've been holding onto for a bit, and it's
    > probably commonly known, but I haven't seen it posted anywhere; it's more of a
    > neat little thing in taking advantage of IRC and its treatment of dyndns
    > within DNS if reverse lookup is possible.
    >
    > IRC (Internet Relay Chat) servers, being a common ground for chat, have some
    > annoyances such as the username@ipaddress or username@domainname; some
    > people don't like that etc., since they have to use a bouncer to avoid
    > showing their own IP address or hostname to other users if they want to
    > maintain some sort of privacy.
    >
    > Well, here's a pseudo-privacy trick that is reasonably easy to perform
    > given one has control of a DNS server that performs reverse and forward
    > lookups, support for dyndns scripts, and a domain name registered to you.
    > You can optionally use a bouncer if you want.
    >
    > In my example, I will use the host name spooftest.domain.com, a port
    > forwarding tool, a zoneedit account with my dyndns script that forward
    > resolves, and a friend's server (he/she runs an ISP) that allows me to
    > have a PTR record for the IP address "10.1.1.1" (<-- this is a private
    > address for demo purposes) on his server as spooftest.domain.com.
    >
    > Step 1) I have the zoneedit script set up to tell it that my dyndns address
    > for spooftest.domain.com is 10.1.1.1, which it updates immediately, and the
    > 10.1.1.1 server has a PTR record for 10.1.1.1 as spooftest.domain.com (thus
    > allowing reverse and forward lookup of spooftest.domain.com).
    > My port forward (say we're using datapipe.c on the 10.1.1.1 box)
    > settings are: datapipe 10.1.1.1 6667 irc.whateverserver.net 6667
    >
    > Step 2) Log into the IRC server on your local machine by doing a /server
    > spooftest.domain.com 6667; make sure the IRC server has resolved you as
    > username@spooftest.domain.com.
    >
    > Step 3) Run your dyndns script for zoneedit to assign your IP address as
    > whatever IP you want (in this case I'll use 127.0.0.1), then wait about a
    > minute before joining a channel.
    >
    > By this time, your dyndns should have updated and changed your IP address to
    > 127.0.0.1, and IRC servers don't re-check after you've connected (so anyone
    > resolving your hostname will come up with 127.0.0.1).
    >
    > I don't know if this is categorized as a flaw in DNS or IRC, or just merely
    > exploiting a feature, and this is a rather trivial trick (surely it can't be
    > original, and I apologize if it's been posted before).
    >
    > A fix, I think, would be to have ircd re-check the resolving properties of
    > their DNS after a certain amount of time, and I was going to say DNSSEC, but I
    > can't really see that fixing the problem unless ircd re-checks there as
    > well.
    >
    > This "feature/flaw" could probably apply to other application protocols as
    > well that do not re-check DNS properties, but I haven't taken the time to
    > come up with other practical uses for it.
    >
    > This has been tested on most ircd server versions, and all so far fall victim
    > to this "hack".
    >
    > 0x90
    > www.invisiblenet.net
    >
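To make the exchange concrete, here is an added example (not code from Darkmyst, darkhex or any other ircd, and not from either poster) that models the connect-time check the "IP# Mismatch" notice above implies, namely forward-confirmed reverse DNS, together with the post-connect re-check that the quoted post proposes as a fix. The resolver is an in-memory table with constructed records; 10.1.1.1 and spooftest.domain.com are the quoted post's own demo values, and the 203.0.113.x addresses are placeholders. It also shows why a connect-time check alone does not stop the trick: at the moment of connecting, the PTR and the A record agree, so the name verifies; only a later re-check sees the repointed A record.

```python
import ipaddress


class FakeResolver:
    """Dictionary-backed stand-in for DNS. The records are constructed for this
    example; a real ircd would call its resolver library instead."""

    def __init__(self, ptr, a):
        self.ptr = dict(ptr)                         # ip -> PTR hostname
        self.a = {h: set(v) for h, v in a.items()}   # hostname -> A record ips

    def reverse(self, ip):
        return self.ptr.get(ip)

    def forward(self, host):
        return set(self.a.get(host, ()))

    def dyndns_update(self, host, ip):
        """Models the zoneedit dyndns script: rewrite the A record at will."""
        self.a[host] = {ip}


def verify_hostname(resolver, ip):
    """Forward-confirmed reverse DNS as an ircd would do it at connect time.

    Returns (host_to_display, notice). The PTR name is accepted only if it
    forward-resolves back to the connecting IP; otherwise the bare IP is shown
    and a notice in the style of the Darkmyst line above is produced.
    """
    ipaddress.ip_address(ip)              # reject junk before touching the table
    host = resolver.reverse(ip)
    if host is None:
        return ip, None                   # no PTR: plain IP, nothing to verify
    forward_ips = resolver.forward(host)
    if ip not in forward_ips:
        seen = ", ".join(sorted(forward_ips)) or "no A record"
        return ip, f"*** Notice -- IP# Mismatch: {ip} != {host}[{seen}]"
    return host, None


class Session:
    """One connected client. The hostname is computed once at connect, which is
    exactly what the quoted trick relies on; recheck() is the proposed fix."""

    def __init__(self, resolver, ip):
        self.ip = ip
        self.shown_host, self.connect_notice = verify_hostname(resolver, ip)

    def recheck(self, resolver):
        """Re-run the verification after connect (the fix the quoted post asks for)."""
        self.shown_host, notice = verify_hostname(resolver, self.ip)
        return notice


def dyndns_scenario():
    """Replay steps 1-3 of the quoted post against the toy ircd.

    10.1.1.1 is the post's own demo address (the datapipe box) and
    spooftest.domain.com its hostname. Returns what the server displays at
    each stage.
    """
    dns = FakeResolver(ptr={"10.1.1.1": "spooftest.domain.com"},
                       a={"spooftest.domain.com": {"10.1.1.1"}})
    # Steps 1+2: PTR and A agree, so the connect-time check passes.
    client = Session(dns, "10.1.1.1")
    at_connect = client.shown_host
    # Step 3: the dyndns script repoints the A record after connect.
    dns.dyndns_update("spooftest.domain.com", "127.0.0.1")
    after_update = client.shown_host      # unchanged: nothing re-resolves
    notice = client.recheck(dns)          # the fix: periodic re-verification
    return {
        "at_connect": at_connect,
        "connect_notice": client.connect_notice,
        "after_update_no_recheck": after_update,
        "recheck_notice": notice,
        "after_recheck": client.shown_host,
    }


def genuine_mismatch():
    """A PTR that never forward-confirms (constructed RFC 5737 addresses): the
    case the connect-time check alone already catches."""
    dns = FakeResolver(ptr={"203.0.113.5": "cable-5.example.net"},
                       a={"cable-5.example.net": {"203.0.113.6"}})
    return verify_hostname(dns, "203.0.113.5")


if __name__ == "__main__":
    for stage, value in dyndns_scenario().items():
        print(f"{stage}: {value}")
    print(genuine_mismatch())
```

Running it shows the displayed hostname staying at spooftest.domain.com after the A record moves to 127.0.0.1, until recheck() runs and falls back to the bare 10.1.1.1 with a mismatch notice; the re-check interval is the knob an ircd would have to choose, since a long interval leaves the same window the quoted post describes.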