Thursday, March 29, 2018

libpcap - Dump DNS header and message(18)


I promised a classmate a year or two ago that I would publish this, and then kept forgetting XD.

The most basic job of DNS (Domain Name System) is to look up information about a domain or an IP. The record types this parser can currently handle are: A, NS, CNAME, SOA, PTR, MX, TXT, AAAA, LOC and SRV.

There are two key points in parsing DNS: a domain name is not stored as a plain string. For the details, see chapter 15.2 of DNS and BIND, 5th Edition (O'Reilly Media).

Briefly:

First, the storage format:
Suppose the domain is "www.facebook.com". In the packet it is represented as "\x03www\x08facebook\x03com\x00": each label is preceded by one byte giving the length of the string that follows it.

Second, compression:
In a response packet the same domain may appear several times. If the top two bits of the length byte described above are both set (0xc0), the byte that follows is an offset, counted from the start of the DNS message, giving the position where the rest of the domain name is stored.

If you know a little about DNS, you will know that each label is at most 63 bytes long, which is exactly the range left in eight bits after the two bits used to signal compression are taken away.

Still, I have to say that this example is only practice. There is a ready-made library (libresolv) for parsing DNS headers; for a tool you will actually use in the field, use existing code and don't reinvent the wheel.
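As an added example (not the post's code, and not libresolv), here is a name decoder in C that handles both points above, the length-prefixed labels and the 0xc0 pointers, with the checks a parser that sees arbitrary packets needs: the pointer offset actually spans 14 bits (the low 6 bits of the 0xc0 byte plus the next byte), a pointer must point backwards, and a hop cap stops a pointer loop from hanging the sniffer. The sample message is constructed for the demo, not captured.

```c
#include <stdint.h>
#include <string.h>

/* Decode the name at msg[off] into dotted form in out. msg/len is the whole
 * DNS message because compression offsets count from its start. Returns the
 * bytes the name occupies at off (2 for a bare pointer), or -1 on malformed
 * data: truncation, label > 63, forward/self pointer, loop, out too small. */
int dns_name_decode(const uint8_t *msg, size_t len, size_t off,
                    char *out, size_t outlen)
{
    size_t pos = off, outpos = 0, consumed = 0;
    int jumped = 0, hops = 0;
    for (;;) {
        if (pos >= len) return -1;
        uint8_t c = msg[pos];
        if ((c & 0xc0) == 0xc0) {             /* compression pointer */
            if (pos + 1 >= len) return -1;
            size_t ptr = ((size_t)(c & 0x3f) << 8) | msg[pos + 1]; /* 14 bits */
            if (!jumped) consumed = pos + 2 - off;
            jumped = 1;
            /* backward only (RFC 1035); the hop cap still ends crafted loops */
            if (ptr >= pos || ++hops > 64) return -1;
            pos = ptr;
            continue;
        }
        if (c & 0xc0) return -1;               /* 0x40/0x80 are reserved */
        if (c == 0) {                          /* root label ends the name */
            if (!jumped) consumed = pos + 1 - off;
            if (outpos == 0) { if (outlen < 2) return -1; out[outpos++] = '.'; }
            out[outpos] = '\0';
            return (int)consumed;
        }
        if (pos + 1 + c > len || outpos + c + 1 >= outlen) return -1;
        if (outpos) out[outpos++] = '.';
        memcpy(out + outpos, msg + pos + 1, c);
        outpos += c;
        pos += 1 + c;
    }
}

/* Constructed sample (not a capture): zero header; www.facebook.com at 12; pointers */
const uint8_t sample_msg[] = {
    0,0, 0,0, 0,0, 0,0, 0,0, 0,0,
    3,'w','w','w', 8,'f','a','c','e','b','o','o','k', 3,'c','o','m', 0,
    0xc0, 0x0c,                    /* offset 30: pointer to offset 12 */
    4,'m','a','i','l', 0xc0, 0x10, /* offset 32: "mail" + pointer to 16 */
    0xc0, 0x27,                    /* offset 39: pointer to itself */
    1,'a', 0xc0, 0x29,             /* offset 41: label, then pointer to 41 */
};
char name_buf[256];                /* output buffer used by the checks below */
```

The empty (root) name decodes to "." rather than the "<root>" shown in the dumps; the self-pointer at offset 39 and the label/pointer loop at 41 are both rejected.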

Output (Type A):
192.168.1.10(54884) -> 8.8.8.8(53)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:      633| Flags:            0x0100|
+-------------------------+-------------------------+
| Questions:             1| Answer:                0|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: www.google.com
    Type: A
    Class: IN



8.8.8.8(53) -> 192.168.1.10(54884)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:      633| Flags:            0x8180|
+-------------------------+-------------------------+
| Questions:             1| Answer:                1|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: www.google.com
    Type: A
    Class: IN


Answers:
    Name: www.google.com
    Type: A
    Class: IN
    TTL: 160
    Data Length: 4
    Address: 216.58.200.36


Output (Type NS):
192.168.1.10(49693) -> 8.8.8.8(53)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:    29648| Flags:            0x0100|
+-------------------------+-------------------------+
| Questions:             1| Answer:                0|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: isc.org
    Type: NS
    Class: IN



8.8.8.8(53) -> 192.168.1.10(49693)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:    29648| Flags:            0x8180|
+-------------------------+-------------------------+
| Questions:             1| Answer:                4|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: isc.org
    Type: NS
    Class: IN


Answers:
    Name: isc.org
    Type: NS
    Class: IN
    TTL: 4601
    Data Length: 13
    Name Server: ord.sns-pb.isc.org

    Name: isc.org
    Type: NS
    Class: IN
    TTL: 4601
    Data Length: 7
    Name Server: sfba.sns-pb.isc.org

    Name: isc.org
    Type: NS
    Class: IN
    TTL: 4601
    Data Length: 25
    Name Server: ns.isc.afilias-nst.info

    Name: isc.org
    Type: NS
    Class: IN
    TTL: 4601
    Data Length: 6
    Name Server: ams.sns-pb.isc.org

Output (Type CNAME):
192.168.1.10(49923) -> 8.8.8.8(53)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:    62928| Flags:            0x0100|
+-------------------------+-------------------------+
| Questions:             1| Answer:                0|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: 5-edge-chat.facebook.com
    Type: A
    Class: IN



8.8.8.8(53) -> 192.168.1.10(49923)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:    62928| Flags:            0x8180|
+-------------------------+-------------------------+
| Questions:             1| Answer:                2|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: 5-edge-chat.facebook.com
    Type: A
    Class: IN


Answers:
    Name: 5-edge-chat.facebook.com
    Type: CNAME
    Class: IN
    TTL: 1834
    Data Length: 12
    CNAME: star.c10r.facebook.com

    Name: star.c10r.facebook.com
    Type: A
    Class: IN
    TTL: 16
    Data Length: 4
    Address: 157.240.15.16

Output (Type SOA):
192.168.1.10(55659) -> 8.8.8.8(53)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:    43230| Flags:            0x0100|
+-------------------------+-------------------------+
| Questions:             1| Answer:                0|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: www.google.com
    Type: SOA
    Class: IN



8.8.8.8(53) -> 192.168.1.10(55659)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:    43230| Flags:            0x8180|
+-------------------------+-------------------------+
| Questions:             1| Answer:                0|
+-------------------------+-------------------------+
| Authority:             1| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: www.google.com
    Type: SOA
    Class: IN


Authority:
    Name: google.com
    Type: SOA
    Class: IN
    TTL: 59
    Data Length: 38
    Primary Name Server: ns1.google.com
    Responsible Authority's Mailbox: dns-admin.google.com
    Serial Number: 190759656
    Refresh Interval: 900
    Retry Interval: 900
    Expire Time: 1800
    Minimum TTL: 60

Output (Type PTR):
192.168.1.10(52005) -> 8.8.8.8(53)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:     8319| Flags:            0x0100|
+-------------------------+-------------------------+
| Questions:             1| Answer:                0|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: 8.8.8.8.in-addr.arpa
    Type: PTR
    Class: IN



8.8.8.8(53) -> 192.168.1.10(52005)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:     8319| Flags:            0x8180|
+-------------------------+-------------------------+
| Questions:             1| Answer:                1|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: 8.8.8.8.in-addr.arpa
    Type: PTR
    Class: IN


Answers:
    Name: 8.8.8.8.in-addr.arpa
    Type: PTR
    Class: IN
    TTL: 21599
    Data Length: 32
    Name: google-public-dns-a.google.com

    

192.168.1.10(54936) -> 8.8.8.8(53)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:    54369| Flags:            0x0100|
+-------------------------+-------------------------+
| Questions:             1| Answer:                0|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: 3.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.0.c.0.8.0.0.4.0.0.8.6.4.0.4.2.ip6.arpa
    Type: PTR
    Class: IN



8.8.8.8(53) -> 192.168.1.10(54936)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:    54369| Flags:            0x8180|
+-------------------------+-------------------------+
| Questions:             1| Answer:                1|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: 3.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.0.c.0.8.0.0.4.0.0.8.6.4.0.4.2.ip6.arpa
    Type: PTR
    Class: IN


Answers:
    Name: 3.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.0.c.0.8.0.0.4.0.0.8.6.4.0.4.2.ip6.arpa
    Type: PTR
    Class: IN
    TTL: 21599
    Data Length: 21
    Name: tj-in-x63.1e100.net

Output (Type MX):
192.168.1.10(64457) -> 8.8.8.8(53)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:    13466| Flags:            0x0100|
+-------------------------+-------------------------+
| Questions:             1| Answer:                0|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: google.com
    Type: MX
    Class: IN



8.8.8.8(53) -> 192.168.1.10(64457)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:    13466| Flags:            0x8180|
+-------------------------+-------------------------+
| Questions:             1| Answer:                5|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: google.com
    Type: MX
    Class: IN


Answers:
    Name: google.com
    Type: MX
    Class: IN
    TTL: 599
    Data Length: 17
    Preference: 40
    Mail Exchange: alt3.aspmx.l.google.com

    Name: google.com
    Type: MX
    Class: IN
    TTL: 599
    Data Length: 9
    Preference: 20
    Mail Exchange: alt1.aspmx.l.google.com

    Name: google.com
    Type: MX
    Class: IN
    TTL: 599
    Data Length: 9
    Preference: 50
    Mail Exchange: alt4.aspmx.l.google.com

    Name: google.com
    Type: MX
    Class: IN
    TTL: 599
    Data Length: 9
    Preference: 30
    Mail Exchange: alt2.aspmx.l.google.com

    Name: google.com
    Type: MX
    Class: IN
    TTL: 599
    Data Length: 4
    Preference: 10
    Mail Exchange: aspmx.l.google.com

Output (Type TXT):
192.168.1.10(64292) -> 8.8.8.8(53)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:    15584| Flags:            0x0100|
+-------------------------+-------------------------+
| Questions:             1| Answer:                0|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: google.com
    Type: TXT
    Class: IN



8.8.8.8(53) -> 192.168.1.10(64292)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:    15584| Flags:            0x8180|
+-------------------------+-------------------------+
| Questions:             1| Answer:                2|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: google.com
    Type: TXT
    Class: IN


Answers:
    Name: google.com
    Type: TXT
    Class: IN
    TTL: 3599
    Data Length: 36
    TXT Length: 35
    TXT: v=spf1 include:_spf.google.com ~all

    Name: google.com
    Type: TXT
    Class: IN
    TTL: 299
    Data Length: 46
    TXT Length: 45
    TXT: docusign=05958488-4752-4ef2-95eb-aa7ba8a3bd0e

Output (Type AAAA):
192.168.1.10(51732) -> 8.8.8.8(53)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:     7567| Flags:            0x0100|
+-------------------------+-------------------------+
| Questions:             1| Answer:                0|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: www.google.com
    Type: AAAA
    Class: IN



8.8.8.8(53) -> 192.168.1.10(51732)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:     7567| Flags:            0x8180|
+-------------------------+-------------------------+
| Questions:             1| Answer:                1|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: www.google.com
    Type: AAAA
    Class: IN


Answers:
    Name: www.google.com
    Type: AAAA
    Class: IN
    TTL: 146
    Data Length: 16
    Address: 2404:6800:4012::2004


Output (Type LOC):
192.168.1.10(55335) -> 8.8.8.8(53)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:    31301| Flags:            0x0100|
+-------------------------+-------------------------+
| Questions:             1| Answer:                0|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: local
    Type: SOA
    Class: IN



8.8.8.8(53) -> 192.168.1.10(55335)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:    31301| Flags:            0x8183|
+-------------------------+-------------------------+
| Questions:             1| Answer:                0|
+-------------------------+-------------------------+
| Authority:             1| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: local
    Type: SOA
    Class: IN


Authority:
    Name: <root>
    Type: SOA
    Class: IN
    TTL: 12825
    Data Length: 64
    Primary Name Server: a.root-servers.net
    Responsible Authority's Mailbox: nstld.verisign-grs.com
    Serial Number: 2018032701
    Refresh Interval: 1800
    Retry Interval: 900
    Expire Time: 604800
    Minimum TTL: 86400

Output (Type SRV):
192.168.1.10(56361) -> 8.8.8.8(53)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:      567| Flags:            0x0100|
+-------------------------+-------------------------+
| Questions:             1| Answer:                0|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: _http._tcp.mxtoolbox.com
    Type: SRV
    Class: IN



8.8.8.8(53) -> 192.168.1.10(56361)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:      567| Flags:            0x8180|
+-------------------------+-------------------------+
| Questions:             1| Answer:                1|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: _http._tcp.mxtoolbox.com
    Type: SRV
    Class: IN


Answers:
    Service: _http
    Protocol: _tcp
    Name: mxtoolbox.com
    Type: SRV
    Class: IN
    TTL: 3599
    Data Length: 21
    Priority: 10
    Weight: 100
    Port: 80
    Target: mxtoolbox.com


Source code on Github



Wednesday, March 28, 2018

libpcap - Dump wol frame and datagram(17)


WOL (Wake-on-LAN) is a network wake-up packet. Most NICs today can receive WOL packets in a low-power state while the machine is shut down, and as soon as one arrives the computer can be powered on.

It is normally a layer 2 protocol with EtherType 0x0842; WOL can also be carried over UDP across a WAN.
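As an added example (not the post's dump-wol code), here is a C parser for the magic packet laid out in the dump below: a 6-byte 0xff sync stream, 16 copies of the target MAC, then an optional 4- or 6-byte SecureOn password. It checks that all 16 copies agree instead of trusting the first one, and rejects trailing bytes of any other length. The demo frame is constructed from the addresses in the output, not captured.

```c
#include <stdint.h>
#include <string.h>

struct wol_magic {
    uint8_t target[6];      /* MAC to wake, repeated 16 times in the frame */
    uint8_t password[6];    /* SecureOn password, if any */
    int password_len;       /* 0, 4 or 6 */
};

/* Parse a magic packet payload: 6 x 0xff sync stream, 16 copies of the
 * target MAC, optional 4- or 6-byte password. Returns 0, or -1 if the
 * payload is short, the sync or a copy is wrong, or odd bytes trail it. */
int wol_parse_magic(const uint8_t *p, size_t len, struct wol_magic *out)
{
    static const uint8_t sync[6] = {0xff,0xff,0xff,0xff,0xff,0xff};
    if (len < 102 || memcmp(p, sync, 6) != 0) return -1;
    memcpy(out->target, p + 6, 6);
    for (int i = 1; i < 16; i++)            /* every copy must equal the first */
        if (memcmp(p + 6 + i * 6, out->target, 6) != 0) return -1;
    size_t rest = len - 102;
    if (rest != 0 && rest != 4 && rest != 6) return -1;
    memset(out->password, 0, 6);
    memcpy(out->password, p + 102, rest);
    out->password_len = (int)rest;
    return 0;
}

/* Parse a raw Ethernet frame as libpcap hands it over: EtherType 0x0842
 * at bytes 12-13, then the magic packet as payload. */
int wol_parse_frame(const uint8_t *f, size_t len, struct wol_magic *out)
{
    if (len < 14 || ((f[12] << 8) | f[13]) != 0x0842) return -1;
    return wol_parse_magic(f + 14, len - 14, out);
}

/* Demo on a constructed frame (not a capture) built from the MACs in the
 * post's dump, with pw_len zero bytes of password and optionally one
 * corrupted MAC copy. Returns the parsed password length, -1 if the
 * parser rejects the frame, -2 if the target MAC came out wrong. */
int wol_demo(int pw_len, int corrupt)
{
    static const uint8_t target[6] = {0xa0,0xd7,0x95,0xb7,0x22,0x2f};
    static const uint8_t src[6]    = {0x6c,0x40,0x08,0xbc,0xae,0x98};
    uint8_t f[128]; struct wol_magic m;
    memset(f, 0xff, 6); memcpy(f + 6, src, 6);  /* dst broadcast, src */
    f[12] = 0x08; f[13] = 0x42; memset(f + 14, 0xff, 6); /* type, sync */
    for (int i = 0; i < 16; i++) memcpy(f + 20 + i * 6, target, 6);
    memset(f + 116, 0, 6);                       /* password bytes */
    if (corrupt) f[20 + 5 * 6] ^= 1;             /* break the 6th copy */
    if (wol_parse_frame(f, 116 + pw_len, &m) != 0) return -1;
    return memcmp(m.target, target, 6) == 0 ? m.password_len : -2;
}
```

The UDP variant carries the same 102-byte body (plus password) as the datagram payload, so wol_parse_magic applies to it unchanged once the IP/UDP headers are stripped.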

Output:
libpcap % ./dump-wol 
Sniffing: en0
6c:40:08:bc:ae:98 -> ff:ff:ff:ff:ff:ff
+-------------------------+-------------------------+-------------------------+
| Sync stream:                                                    ffffffffffff|
+-------------------------+-------------------------+-------------------------+
| MAC Address:                                               a0:d7:95:b7:22:2f|
+-------------------------+-------------------------+-------------------------+
| Password:                                                  00:00:00:00:00:00|
+-------------------------+-------------------------+-------------------------+


Source code on Github

Re: Setting up an L2TP/IPsec VPN on CentOS


For some of the settings and IP addresses, refer to: Setting up an L2TP/IPsec VPN on CentOS


Lately I have been working from home, connected to the office over VPN most of the time, and I ran into two problems.

  1. The subnet at home happens to be the same as the office subnet, so I cannot reach the office devices.
  2. After the VPN connects, it drops after about five minutes without traffic.

For the first problem: suppose the home subnet is 192.168.1.0/24, the office subnet is the same, and the VPN assigns 172.30.10.0/24. If you want to reach a device on the office side, say "192.168.1.150", the routing table sends you to the local "192.168.1.150" instead. The fix is simple: add a route.

The previous post set the default gateway to "172.30.10.1"; the command:
$ sudo route add -host 192.168.1.150 172.30.10.1

This adds one entry so that packets for 192.168.1.150 are sent to 172.30.10.1, which forwards them to the other side.


For the second problem, a quick google with the keyword "keep alive" gave the answer: add "keep_alive = 30s" to the file "/etc/strongswan/strongswan.conf".

[root@vpn ~]# cat /etc/strongswan/strongswan.conf 
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
 load_modular = yes
 plugins {
  include strongswan.d/charon/*.conf
 }
 keep_alive = 30s
}

Remember to restart the services.
[root@vpn ~]# service strongswan restart
[root@vpn ~]# service xl2tpd restart

A bit of small talk


Work has lately been sometimes very busy and sometimes very idle, and when it is idle I think about updating the blog, but every time I think about it I give up.

Every time I write a post I get extremely fussy about how this part and that part should look (Virgo disease); a single post takes a lot of effort and is super tiring.

So I am changing the way I run this: from now on it will probably be mostly notes, with the occasional tutorial, or otherwise just random writing.