Hacking at its best with DNS

I received a tweet yesterday from @gravax, who was the Epic Hack of the Day, so just check this out, which is pretty cool:

tracert -h 99 216.81.59.173

You get back

12  * * *

13  episode.iv (206.214.251.1)  155.693 ms  161.675 ms  163.572 ms

14  a.new.hope (206.214.251.6)  180.764 ms  171.357 ms  162.435 ms

15  it.is.a.period.of.civil.war (206.214.251.9)  164.476 ms  167.635 ms  155.173 ms

16  rebel.spaceships (206.214.251.14)  170.381 ms  159.131 ms  163.331 ms

17  striking.from.a.hidden.base (206.214.251.17)  155.447 ms  168.457 ms  161.968 ms

18  have.won.their.first.victory (206.214.251.22)  170.991 ms  163.975 ms  156.780 ms

19  against.the.evil.galactic.empire (206.214.251.25)  157.577 ms  161.265 ms  164.181 ms

20  during.the.battle (206.214.251.30)  174.856 ms  166.470 ms  192.210 ms

21  rebel.spies.managed (206.214.251.33)  158.729 ms  172.967 ms  167.352 ms

22  to.steal.secret.plans (206.214.251.38)  168.628 ms  158.817 ms  186.524 ms

23  to.the.empires.ultimate.weapon (206.214.251.41)  158.969 ms  155.680 ms  173.059 ms

24  the.death.star (206.214.251.46)  160.173 ms  179.227 ms  158.865 ms

25  an.armored.space.station (206.214.251.49)  154.652 ms  165.593 ms  159.269 ms

26  with.enough.power.to (206.214.251.54)  165.290 ms  170.299 ms  170.502 ms

27  destroy.an.entire.planet (206.214.251.57)  159.706 ms  163.257 ms  159.500 ms

28  pursued.by.the.empires (206.214.251.62)  159.571 ms  160.371 ms  163.285 ms

29  sinister.agents (206.214.251.65)  173.527 ms  170.109 ms  160.567 ms

30  princess.leia.races.home (206.214.251.70)  158.904 ms  178.839 ms  182.604 ms

31  aboard.her.starship (206.214.251.73)  168.096 ms  158.851 ms  160.790 ms

32  custodian.of.the.stolen.plans (206.214.251.78)  162.274 ms  171.099 ms  231.641 ms

33  that.can.save.her (206.214.251.81)  168.688 ms  167.075 ms  169.212 ms

34  people.and.restore (206.214.251.86)  160.793 ms  157.587 ms  161.663 ms

35  freedom.to.the.galaxy (206.214.251.89)  178.962 ms  154.471 ms  160.194 ms

36  0-------------------0 (206.214.251.94)  159.720 ms  157.607 ms  165.869 ms

37  0------------------0 (206.214.251.97)  161.146 ms  174.066 ms  161.739 ms

38  0-----------------0 (206.214.251.102)  166.029 ms  164.294 ms  160.558 ms

39  0----------------0 (206.214.251.105)  190.757 ms  166.709 ms  186.424 ms

40  0---------------0 (206.214.251.110)  157.325 ms  158.420 ms  181.166 ms

41  0--------------0 (206.214.251.113)  160.496 ms  158.207 ms  160.479 ms

42  0-------------0 (206.214.251.118)  161.534 ms  168.666 ms  157.581 ms

43  0------------0 (206.214.251.121)  157.866 ms  159.754 ms  167.938 ms

44  0-----------0 (206.214.251.126)  163.660 ms  179.243 ms  163.206 ms

45  0----------0 (206.214.251.129)  168.475 ms  163.112 ms  158.493 ms

46  0---------0 (206.214.251.134)  157.329 ms  158.661 ms  161.612 ms

47  0--------0 (206.214.251.137)  161.833 ms  164.059 ms  166.384 ms

48  0-------0 (206.214.251.142)  169.368 ms  182.151 ms  161.276 ms

49  0------0 (206.214.251.145)  172.806 ms  159.547 ms  169.672 ms

50  0-----0 (206.214.251.150)  165.376 ms  156.775 ms  169.386 ms

51  0----0 (206.214.251.153)  157.625 ms  163.558 ms  162.880 ms

52  0---0 (206.214.251.158)  179.708 ms  167.693 ms  159.625 ms

53  0--0 (206.214.251.161)  158.662 ms  163.736 ms  170.034 ms

54  0-0 (206.214.251.166)  160.455 ms  162.898 ms  172.839 ms

55  00 (206.214.251.169)  171.892 ms  181.111 ms  157.887 ms

56  * i (206.214.251.174)  165.980 ms  173.152 ms

57  by.ryan.werber (206.214.251.177)  166.216 ms  160.726 ms  165.419 ms

58  when.ccies.get.bored (206.214.251.182)  175.014 ms  180.888 ms  159.231 ms

59  ccie.38168 (206.214.251.185)  164.865 ms  166.514 ms  183.855 ms

60  fin (216.81.59.173)  169.747 ms  165.412 ms  165.241 ms

 
How did Ryan Werber do it?

Star Wars Traceroute

“Bored in the blizzard in Boston; I was inspired by my IRC friend ‘Plazma’ constantly making fun of my reverse DNS of scrye.net. I came up with this pretty neat hack.
 
It is accomplished using many VRFs on (2) Cisco 1841s. For those less technical, VRFs are essentially private routing tables similar to a VPN. When a packet destined to 216.81.59.173 (AKA obiwan.scrye.net) hits my main gateway, I forward it onto the first VRF on the “ASIDE” router on 206.214.254.1. That router then has a specific route for 216.81.59.173 to 206.214.254.6, which resides on a different VRF on the “BSIDE” router. It then has a similar setup which points it at 206.214.254.9 which lives in another VPN on “ASIDE” router. All packets are returned using a default route pointing at the global routing table. This was by design so the packets’ TTL expiration did not have to return fully through the VRF Maze. I am a consultant to Epik Networks who let me use the Reverse DNS for an unused /24, and I used PowerDNS to update all of the entries through MySQL. This took about 30 minutes to figure out how to do it, and about 90 minutes to implement. All VRFs and DNS were generated by a PHP script. Disclaimer: I am not a very elegant programmer. I can do whatever I need to. I think very linearly and do not plan very well. Below is the code I used to generate the VRFs.”
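The hop addresses in the output above advance one /30-sized block per hop and alternate between the first and second host address, which matches the ASIDE/BSIDE ping-pong described in the quote; the names shown are simply the PTR records published for those addresses by whoever holds the reverse zone. The Python below is an added illustration, not Ryan Werber's PHP generator: it parses a few hop lines copied from this page and derives, for each hop, the link, the router side and the PTR record behind the name. The /30 link size, the first-host-is-ASIDE rule and the zone-file rendering are assumptions inferred from the address spacing.

```python
import ipaddress
import re

# Hop lines copied from the traceroute output on this page (excerpt).
SAMPLE = """\
12  * * *
13  episode.iv (206.214.251.1)  155.693 ms  161.675 ms  163.572 ms
14  a.new.hope (206.214.251.6)  180.764 ms  171.357 ms  162.435 ms
15  it.is.a.period.of.civil.war (206.214.251.9)  164.476 ms  167.635 ms  155.173 ms
16  rebel.spaceships (206.214.251.14)  170.381 ms  159.131 ms  163.331 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")

def parse_hops(text):
    """Return (hop_number, ptr_name, IPv4Address) for every hop that answered."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m[1]), m[2], ipaddress.ip_address(m[3])))
    return hops

def describe(hops):
    """Map each hop to its assumed /30 link, router side and PTR record."""
    rows = []
    for num, name, ip in hops:
        # Assumption: each VRF-to-VRF link is a /30; ASIDE holds the first
        # host address and BSIDE the second, as the .1/.6/.9 sequence suggests.
        link = ipaddress.ip_network(f"{ip}/30", strict=False)
        side = "ASIDE" if ip == link.network_address + 1 else "BSIDE"
        rows.append({"hop": num, "link": str(link), "router": side,
                     "ptr": f"{ip.reverse_pointer}. IN PTR {name}."})
    return rows

def is_pingpong(rows):
    """True if hops alternate routers and advance one /30 per hop."""
    nets = [int(ipaddress.ip_network(r["link"]).network_address) for r in rows]
    steps_ok = all(b - a == 4 for a, b in zip(nets, nets[1:]))
    alternates = all(x["router"] != y["router"] for x, y in zip(rows, rows[1:]))
    return steps_ok and alternates

if __name__ == "__main__":
    rows = describe(parse_hops(SAMPLE))
    for r in rows:
        print(f'{r["hop"]:>3}  {r["router"]}  {r["link"]:<19} {r["ptr"]}')
    print("ping-pong pattern:", is_pingpong(rows))
```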