
Disclaimer: This article is the blogger's original work and follows the CC 4.0 BY-SA license; when reproducing it, please attach the original source link and this statement.
This link: https://blog.csdn.net/weixin_44047795/article/details/102653570

Reflections on a QQ classmate-group scam: DNS domain-name spoofing


Hello everyone! I'm J'adore, working in the penetration-testing direction. I want to record the bits and pieces of my learning process by writing blog posts. I previously opened a WeChat public account, but that circle felt too small, so I have come to CSDN, hoping to meet more friends working in the security industry. This is my first time writing an article of my own on CSDN; if there are mistakes, please forgive me and point them out. Many thanks!
Today's article is a bit rough in its wording; I hope the heavyweights will bear with me.

0x00 Cause of the incident

At 13:16 on October 6 I was lying in bed. I had been sick the day before and felt a little better, but was still listless and could not sleep, so I opened QQ, which I had not used for two days, and found that in the association's QQ group, silent for a long time, a classmate had posted a link to a party notice for group members, as follows:
I assumed it was an event the association had organized and did not pay much attention, but seven minutes later
this immediately put me on guard, so I started digging into the reason behind it.

0x01 Investigation and Analysis

First, a word about DNS domain-name spoofing. In plain terms, the attacker causes a site's domain name to resolve to an IP address under the attacker's control. The victim sees only the domain name, never the IP, so the attacker can stand up a phishing login page behind the legitimate name; the victim has no way to tell it is fake, enters a username, password and other sensitive data, and the leaked information feeds the attacker's next step. (The login page in this incident was served over plain HTTP; against an HTTPS site a spoofed resolution alone still fails certificate validation unless the victim clicks through the browser warning.)
The incident discussed here was not actually DNS spoofing; I extended it in that direction afterwards. After resolving the IP address I could see that the attacker had merely altered page content to hook victims, a simple technique that exploits the fact that the real page does not show up when the URL is opened in mobile QQ, as shown
I opened the Tencent Docs URL and found that it really was Tencent's official site, but the content inside was actually a QR code, as shown
Then I did a little analysis to find its IP address, as shown
Then I opened the site and found
So that was it; at this point the picture was clear. I went on to dig up information on this IP address to see whether anything useful turned up, and found it was hosted on Tencent Cloud, as shown
Looking up other sites on the same IP and the whois record gave nothing but Tencent Cloud, so the trail ended there.
Next I opened the real QQ Mail page for comparison and found several differences, as shown
Fake vs. real screenshots (two pairs, omitted):
1. The site icon at the top left of the address bar: missing on the fake page, present on the real one
2. Login status: the fake page has none, the real one does
3. The browser's security warning differs: on the fake page it says outright that login information entered on this page may be leaked, while on the real page it only says some images are insecure
4. On the fake page, clicking "forgot password" does nothing, whereas on the real page it triggers an event that navigates to the password-recovery URL
So the attacker did put some effort into polishing it, but slips are unavoidable. Next I typed an arbitrary account and password into the fake site, as shown
After clicking login the page flickered briefly and then redirected to the real site, as shown
The site runs on nginx and quietly submits the victim's username and password to 2018.php
The capture below is the proof: the username and password are sent to 2018.php in plaintext

POST /2018.php HTTP/1.1
Host: 1*******9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 35
Connection: close
Referer: http://1********9/
Cookie: PHPSESSID=0000000000000000000000
Upgrade-Insecure-Requests: 1

user=1040898286&pass=123456789&submit=
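The four visual differences listed above and the plaintext POST just shown can be turned into a mechanical check. The following Python is an added example, not code from the original post or from any of the sites involved: it parses a login page's markup and flags a password form that posts over plain HTTP or to another origin, and a "forgot password" link with no real destination; it then pulls the submitted fields out of a captured request, which is exactly what the harvester receives. The page markup, the host name phish.example and the field values are constructed stand-ins, not the real phishing site's content.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urljoin, urlsplit


class LoginPageAuditor(HTMLParser):
    """Collect forms (action, method, fields) and links (href, text) from a page."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.forms: List[dict] = []
        self.links: List[list] = []
        self._form = None
        self._link = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": urljoin(self.page_url, a.get("action") or ""),
                          "method": (a.get("method") or "get").lower(), "fields": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["fields"].append((a.get("name"), (a.get("type") or "text").lower()))
        elif tag == "a":
            self._link = [a.get("href"), ""]
            self.links.append(self._link)

    def handle_data(self, data):
        if self._link is not None:
            self._link[1] += data

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "a":
            self._link = None


# href values that navigate nowhere: the fake page's "forgot password" did nothing.
_DEAD_HREF = re.compile(r"^(?:#|javascript:\s*void\(0\)\s*;?|javascript:\s*;?)?$", re.I)


def audit_login_page(html: str, page_url: str) -> List[str]:
    """Heuristic findings for a login page; an empty list means nothing odd."""
    p = LoginPageAuditor(page_url)
    p.feed(html)
    findings = []
    page_host = urlsplit(page_url).netloc
    for f in p.forms:
        if not any(t == "password" for _, t in f["fields"]):
            continue                      # only forms that take a password matter
        target = urlsplit(f["action"])
        if target.scheme != "https":
            findings.append(f"password form posts over {target.scheme} to {f['action']}")
        if target.netloc != page_host:
            findings.append(f"password form leaves page origin for {target.netloc}")
    for href, text in p.links:
        label = text.strip()
        if ("password" in label.lower() or "密码" in label) and _DEAD_HREF.match((href or "").strip()):
            findings.append(f"link {label!r} has no real destination ({href!r})")
    return findings


def form_fields_from_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a captured HTTP request into its request line and the decoded
    urlencoded body fields, i.e. what 2018.php receives in the clear."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    return request_line, {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


# Constructed samples standing in for the cloned page and the captured POST above.
# phish.example and the credentials are placeholders, not the real site's data.
FAKE_PAGE_URL = "http://phish.example/"
FAKE_PAGE_HTML = """
<html><body>
<form method="post" action="2018.php">
  <input name="user"><input name="pass" type="password">
  <input type="submit" name="submit" value="login">
</form>
<a href="javascript:void(0)">forgot password</a>
</body></html>
"""
SAMPLE_REQUEST = (
    "POST /2018.php HTTP/1.1\r\n"
    "Host: phish.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 36\r\n"
    "\r\n"
    "user=1234567890&pass=hunter2&submit="
)

if __name__ == "__main__":
    for finding in audit_login_page(FAKE_PAGE_HTML, FAKE_PAGE_URL):
        print("finding:", finding)
    print(form_fields_from_request(SAMPLE_REQUEST))
```

Running it on the constructed fake page yields two findings (the form posts over http, and the "forgot password" link is dead), while a page whose form posts to https on its own origin and whose recovery link has a real href yields none; the request parser shows the account and password sitting in the body with no protection at all.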

Based on this, I reported the site

0x02 Reproducing the attack flow experimentally

Next I ran a small experiment of my own to reproduce the attack flow above and round it out: hijacking the domain m.mail.qq.com and combining it with ARP poisoning for a man-in-the-middle attack.
Tools used:
Kali Linux, Windows XP, ettercap, setoolkit
Attacker IP: [10.10.10.128]
Victim IP: [10.10.10.129]
Scan the hosts; the victim IP [10.10.10.129] is found
Select the target and start ARP spoofing
Back on the victim host, the spoof has succeeded
Start the DNS spoofing. Before spoofing, first check that the real site is reachable; as shown below it is, and note that the IP here is [59.37.96.184], which will change after spoofing
Perform the domain spoofing
Hijack successful: m.mail.qq.com now maps to the attacker's IP, and pinging the domain returns [10.10.10.128]
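The DNS spoofing described at the start of 0x01 and the ping check just above can be done from the victim's side with a short script. The following Python is an added example, not code from the original post or from ettercap: it parses the A record out of a DNS reply (a forged reply is constructed inline as a sample), flags answers that are LAN addresses or fall outside the network the name is known to live in, and spots the ARP-poisoning signature of two IPs sharing one MAC in the victim's `arp -a` output. The expected network 59.37.96.0/24 is derived from the IP observed above and is an assumption; the gateway address 10.10.10.2 and the MAC addresses in the sample ARP table are also assumptions.

```python
import ipaddress
import re
import struct
from typing import Dict, List, Tuple


def _encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_reply(txid: int, qname: str, ip: str, ttl: int = 60) -> bytes:
    """Constructed sample only: a DNS reply with one A record, shaped like the
    forged answer a spoofing tool races in (QR and AA set, txid copied)."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)   # QR|AA, qd=1, an=1
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)    # type A, class IN
    rdata = ipaddress.IPv4Address(ip).packed
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Read a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        if length == 0:
            if not jumped:
                end = off + 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), end


def parse_a_records(msg: bytes) -> Dict[str, List[str]]:
    """Map each answered name to the IPv4 addresses the reply claims for it."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                         # qtype + qclass
    records: Dict[str, List[str]] = {}
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.setdefault(name, []).append(str(ipaddress.IPv4Address(rdata)))
    return records


# The page saw m.mail.qq.com at 59.37.96.184 before spoofing; treating that /24
# as the expected network is an assumption made for this example.
EXPECTED_NETS = ["59.37.96.0/24"]


def hijacked_answers(ips: List[str], expected_nets: List[str]) -> List[str]:
    """Answers that are private/LAN addresses or lie outside the expected
    networks. A public mail host resolving to 10.10.10.128 is a hijack sign."""
    nets = [ipaddress.ip_network(n) for n in expected_nets]
    return [ip for ip in ips
            if ipaddress.ip_address(ip).is_private
            or not any(ipaddress.ip_address(ip) in n for n in nets)]


# Data rows of Windows `arp -a` (the victim here is Windows XP); colon-separated
# MACs from Linux `arp -n` are accepted as well.
_ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\b", re.I)


def shared_macs(arp_output: str) -> Dict[str, List[str]]:
    """MACs claimed by more than one IP. After ettercap's ARP poisoning the
    gateway entry carries the attacker's MAC, so the two IPs collide."""
    by_mac: Dict[str, List[str]] = {}
    for line in arp_output.splitlines():
        m = _ARP_ROW.match(line)
        if m:
            by_mac.setdefault(m.group(2).lower().replace(":", "-"), []).append(m.group(1))
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


# Constructed sample of the victim's ARP table once poisoned; the gateway
# address 10.10.10.2 and both MACs are assumptions, not from the page.
SAMPLE_ARP = """\
Interface: 10.10.10.129 --- 0x2
  Internet Address      Physical Address      Type
  10.10.10.2            00-0c-29-11-22-33     dynamic
  10.10.10.128          00-0c-29-11-22-33     dynamic
"""

if __name__ == "__main__":
    answers = parse_a_records(build_a_reply(0x1234, "m.mail.qq.com", "10.10.10.128"))
    print("answers:", answers)
    print("hijacked:", {n: hijacked_answers(ips, EXPECTED_NETS) for n, ips in answers.items()})
    print("shared MACs:", shared_macs(SAMPLE_ARP))
```

On a real host you would feed `parse_a_records` the bytes of a reply captured from UDP/53 and `shared_macs` the output of `arp -a`; the private-address test catches the hijack in this experiment regardless of which network the real mail host lives in, while the expected-network test catches a spoof to a public address the attacker rents.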
Now use setoolkit for the social-engineering side: clone the login page and use whatever means you can to lure the victim into logging in; the case above used a QR code
At this point the victim opens the site and logs in. Because m.mail.qq.com has been hijacked to 10.10.10.128, the page served is the forged one. For lack of time I only used the built-in page generator instead of building the page myself; apologies
On the attacker's side the victim's login has already been sniffed
Due to limited time I did not write the password-capture code here; it is really just a simple PHP form handler that takes the account and password the victim entered and saves them to a specified location
At this point the victim's account and password are in hand; if logins are not restricted, the QQ account can be logged into at will and all sorts of malicious actions carried out.
Defense methods:
1. Do not click unknown links in an untrusted environment
2. Protect QQ accounts and any account tied to financial assets with a phone verification code at login, and enable dynamic (one-time) passwords
3. Learn about network security and read more security books. In the Internet age information leaks are everywhere, and the "human" factor is the main one, so raising security awareness is urgent.
4. Every server operator should carefully review the sites they bring online; where fraud or other illegal activity is found, report it and shut it down promptly.

0x03 Final result

The next day I received a reply from Tencent: it had notified its partners to block the site and synchronize the block.

0x04 Closing words

Hee hee, article finished. If there are shortcomings, I hope the big brothers will point them out. The road to security is long; keep at it~
