Re: [SLUG] Using packit with DNS

From: Jason Copenhaver (jcopenha@typedef.org)
Date: Sun Apr 11 2004 - 21:32:10 EDT


Yeah... It looks like the hex feature was just added and they still have
some bugs to work out. I think it has a problem because those 0x00's
are treated as NULLs, which I think are prematurely terminating the
payload string it is using.

Jason

On Sun, 2004-04-11 at 19:03, Kwan Lowe wrote:
> I'm having a bear of a time trying to do something that seems simple.
> There's a program called 'packit' that allows you to craft custom
> TCP/UDP packets. You can specify a payload and most of the IP header
> pieces. What I'm trying to do (at first) is mimic a standard A query
> from packit. Next, I want to create packets bigger than 512 bytes.
>
> Here's the command I'm using:
>
> packit -t UDP -T 64 -s 10.1.1.100 -S 32767 \
> -d 10.1.1.1 -V 4 --D 53 -p \
> '0x DE AD 01 00 00 01 00 00 \
> 00 00 00 00 03 41 42 43 \
> 03 31 32 33 00 00 01 00 \
> 01'
>
> Above hex corresponds to:
> 0x DEAD - Transaction ID
> 01 00 - Query type (Query or response), various DNS flags
> 00 01 - number of queries
> 00 00
> 00 00
> 00 00 - Number of answers, similar stuff
> 03 41 42 43 03 31 32 33 00 - the query (03 represents length)
> 00 01 00 01 - Type of response desired
>
> The payload above corresponds (or should correspond) with a standard
> query for host ABC.123. I.e., I request a single recursive query,
> setting all other DNS flags to 0. However, it looks like bytes are being
> skipped over. On the bottom you can see that it thinks I'm making 833
> queries when I'm asking for just one.
>
> Here's an Ethereal log of the packet:
>
> Domain Name System (query)
> Transaction ID: 0xdead
> Flags: 0x0101 (Standard query)
> 0... .... .... .... = Response: Message is a query
> .000 0... .... .... = Opcode: Standard query (0)
> .... ..0. .... .... = Truncated: Message is not truncated
> .... ...1 .... .... = Recursion desired: Do query recursively
> .... .... .0.. .... = Z: reserved (0)
> .... .... ...0 .... = Non-authenticated data OK:
> Non-authenticated data is unacceptable
> Questions: 833
> Answer RRs: 16963
> Authority RRs: 817
> Additional RRs: 12851
> Queries
> [Malformed Packet: DNS]
>
> I've gone so far as to capture a valid query (using nslookup) and just
> copied over the dump but it still seems to skip the zeros and push the
> actual query into the header area.
>
> Any ideas what I'm doing wrong? Anyone know of another tool that will
> allow this to be done?
>
> Thanks,
> Kwan
>

-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:30:46 EDT