temat funbox 3 arp spoof DNSów - kontekst + 5 pytań w Modemy i routery

funbox 3 arp spoof DNSów - kontekst + 5 pytań

Edward39 — Mon, 23 Sep 2019 13:56:09 GMT

Wpinam kabel, włączam funbox 3 czekam aż się światełka "wyszumią" i robię dig wp.pl

Pierwszy pakiet ARP jaki dostaje po włączeniu funbox3 jest dość dziwny:

[ 1360.945636] ARP-IN: IN=enp2s0 OUT= ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACsrc=$$$FUNBOX-MAC IPsrc=1.1.1.1 MACDST=00:00:00:00:00:00 IPDST=$$$LAPTOP-IP

co produkuje dziwny wpis w tablicy ARP:

ip neigh
1.1.1.1 dev enp2s0 lladdr $$$FUNBOX-MAC STALE
192.168.1.1 dev enp2s0 lladdr $$$FUNBOX-MAC PERMANENT

o ile 192.168.1.1 to poprostu brama to ten 1.1.1.1 wskazujący na funbox dziwi

DNS ustawiony na sztywno w /etc/resolv.conf na 1.1.1.1

zrzut tcpdump

    1   0.000000  192.168.1.1 → 224.0.0.1    IGMPv2 62 Membership Query, general
    2   5.728997  192.168.1.1 → 224.0.0.251  MDNS 134 Standard query 0x0000 ANY 1.1.168.192.in-addr.arpa, "QM" question ANY FUNBOX.local, "QM" question A 192.168.1.1 PTR FUNBOX.local
    3   5.980501  192.168.1.1 → 224.0.0.251  MDNS 134 Standard query 0x0000 ANY 1.1.168.192.in-addr.arpa, "QM" question ANY FUNBOX.local, "QM" question A 192.168.1.1 PTR FUNBOX.local
    4   6.232990  192.168.1.1 → 224.0.0.251  MDNS 134 Standard query 0x0000 ANY 1.1.168.192.in-addr.arpa, "QM" question ANY FUNBOX.local, "QM" question A 192.168.1.1 PTR FUNBOX.local
    5   6.436293  192.168.1.1 → 224.0.0.251  MDNS 122 Standard query response 0x0000 PTR, cache flush FUNBOX.local A, cache flush 192.168.1.1
    6   6.598948  192.168.1.1 → 224.0.0.251  MDNS 306 Standard query 0x0000 ANY SSW on FUNBOX._ssw._tcp.local, "QM" question ANY FUNBOX._http._tcp.local, "QM" question ANY SSW on FUNBOX._mqtt._tcp.local, "QM" question SRV 0 0 80 FUNBOX.lo
cal TXT SRV 0 0 8883 FUNBOX.local TXT SRV 0 0 8883 FUNBOX.local TXT
    7   6.852670  192.168.1.1 → 224.0.0.251  MDNS 306 Standard query 0x0000 ANY SSW on FUNBOX._ssw._tcp.local, "QM" question ANY FUNBOX._http._tcp.local, "QM" question ANY SSW on FUNBOX._mqtt._tcp.local, "QM" question SRV 0 0 80 FUNBOX.lo
cal TXT SRV 0 0 8883 FUNBOX.local TXT SRV 0 0 8883 FUNBOX.local TXT
    8   7.110923  192.168.1.1 → 224.0.0.251  MDNS 306 Standard query 0x0000 ANY SSW on FUNBOX._ssw._tcp.local, "QM" question ANY FUNBOX._http._tcp.local, "QM" question ANY SSW on FUNBOX._mqtt._tcp.local, "QM" question SRV 0 0 80 FUNBOX.lo
cal TXT SRV 0 0 8883 FUNBOX.local TXT SRV 0 0 8883 FUNBOX.local TXT
    9   7.310284  192.168.1.1 → 224.0.0.251  MDNS 411 Standard query response 0x0000 TXT, cache flush PTR FUNBOX._http._tcp.local SRV, cache flush 0 0 80 FUNBOX.local A, cache flush 192.168.1.1 TXT, cache flush PTR _http._tcp.local PTR SS
W on FUNBOX._mqtt._tcp.local SRV, cache flush 0 0 8883 FUNBOX.local TXT, cache flush PTR _mqtt._tcp.local PTR SSW on FUNBOX._ssw._tcp.local SRV, cache flush 0 0 8883 FUNBOX.local PTR _ssw._tcp.local
   10   7.539011  192.168.1.1 → 224.0.0.251  MDNS 106 Standard query response 0x0000 PTR, cache flush FUNBOX.local
   11   8.383806  192.168.1.1 → 224.0.0.251  MDNS 154 Standard query 0x0000 PTR _services._dns-sd._udp.local, "QM" question PTR _http._tcp.local PTR _mqtt._tcp.local PTR _ssw._tcp.local
   12   8.411707  192.168.1.1 → 224.0.0.251  MDNS 411 Standard query response 0x0000 TXT, cache flush PTR FUNBOX._http._tcp.local SRV, cache flush 0 0 80 FUNBOX.local A, cache flush 192.168.1.1 TXT, cache flush PTR _http._tcp.local PTR SS
W on FUNBOX._mqtt._tcp.local SRV, cache flush 0 0 8883 FUNBOX.local TXT, cache flush PTR _mqtt._tcp.local PTR SSW on FUNBOX._ssw._tcp.local SRV, cache flush 0 0 8883 FUNBOX.local PTR _ssw._tcp.local
   13   8.908595  192.168.1.1 → 224.0.0.251  MDNS 178 Standard query 0x0000 PTR _ssw._tcp.local, "QM" question PTR _http._tcp.local, "QM" question PTR _mqtt._tcp.local, "QM" question PTR SSW on FUNBOX._mqtt._tcp.local PTR FUNBOX._http._tc
p.local PTR SSW on FUNBOX._ssw._tcp.local
   14   9.386788  192.168.1.1 → 224.0.0.251  MDNS 154 Standard query 0x0000 PTR _services._dns-sd._udp.local, "QM" question PTR _http._tcp.local PTR _mqtt._tcp.local PTR _ssw._tcp.local
   15   9.640978  192.168.1.1 → 224.0.0.251  MDNS 122 Standard query response 0x0000 A, cache flush 192.168.1.1 PTR, cache flush FUNBOX.local
   16   9.913424  192.168.1.1 → 224.0.0.251  MDNS 178 Standard query 0x0000 PTR _ssw._tcp.local, "QM" question PTR _http._tcp.local, "QM" question PTR _mqtt._tcp.local, "QM" question PTR SSW on FUNBOX._mqtt._tcp.local PTR FUNBOX._http._tc
p.local PTR SSW on FUNBOX._ssw._tcp.local
   17  10.514839  192.168.1.1 → 224.0.0.251  MDNS 411 Standard query response 0x0000 TXT, cache flush PTR FUNBOX._http._tcp.local SRV, cache flush 0 0 80 FUNBOX.local A, cache flush 192.168.1.1 TXT, cache flush PTR _http._tcp.local PTR SS
W on FUNBOX._mqtt._tcp.local SRV, cache flush 0 0 8883 FUNBOX.local TXT, cache flush PTR _mqtt._tcp.local PTR SSW on FUNBOX._ssw._tcp.local SRV, cache flush 0 0 8883 FUNBOX.local PTR _ssw._tcp.local
   18  11.389989  192.168.1.1 → 224.0.0.251  MDNS 154 Standard query 0x0000 PTR _services._dns-sd._udp.local, "QM" question PTR _http._tcp.local PTR _mqtt._tcp.local PTR _ssw._tcp.local
   19  11.916866  192.168.1.1 → 224.0.0.251  MDNS 178 Standard query 0x0000 PTR _ssw._tcp.local, "QM" question PTR _http._tcp.local, "QM" question PTR _mqtt._tcp.local, "QM" question PTR SSW on FUNBOX._mqtt._tcp.local PTR FUNBOX._http._tc
p.local PTR SSW on FUNBOX._ssw._tcp.local
   20  14.839840 $$$FUNBOX-MAC6 → ff02::1      ICMPv6 120 Echo (ping) request id=0x0337, seq=0, hop limit=255
   21  15.013392 $$$FUNBOX-MAC6 → ff02::1      ICMPv6 120 Echo (ping) request id=0x0337, seq=0, hop limit=255
   22  15.391889  192.168.1.1 → 224.0.0.251  MDNS 154 Standard query 0x0000 PTR _services._dns-sd._udp.local, "QM" question PTR _http._tcp.local PTR _mqtt._tcp.local PTR _ssw._tcp.local
   23  15.918667  192.168.1.1 → 224.0.0.251  MDNS 178 Standard query 0x0000 PTR _ssw._tcp.local, "QM" question PTR _http._tcp.local, "QM" question PTR _mqtt._tcp.local, "QM" question PTR SSW on FUNBOX._mqtt._tcp.local PTR FUNBOX._http._tc
p.local PTR SSW on FUNBOX._ssw._tcp.local
   24  16.155735 Sagemcom_$$$FUNBOX-MAC →              HomePlug AV 62 CM_BRG_INFO.REQ (Get Bridge Informations Request)
   25  23.404119  192.168.1.1 → 224.0.0.251  MDNS 130 Standard query 0x0000 PTR _services._dns-sd._udp.local, "QM" question PTR _http._tcp.local, "QM" question PTR _mqtt._tcp.local, "QM" question PTR _ssw._tcp.local, "QM" question
   26  23.495853  192.168.1.1 → 224.0.0.251  MDNS 411 Standard query response 0x0000 PTR SSW on FUNBOX._ssw._tcp.local TXT, cache flush SRV, cache flush 0 0 8883 FUNBOX.local A, cache flush 192.168.1.1 PTR _http._tcp.local PTR _ssw._tcp.l
ocal PTR _mqtt._tcp.local PTR FUNBOX._http._tcp.local TXT, cache flush SRV, cache flush 0 0 80 FUNBOX.local PTR SSW on FUNBOX._mqtt._tcp.local TXT, cache flush SRV, cache flush 0 0 8883 FUNBOX.local
   27  30.465268 $$$FUNBOX-MAC6 → ff02::1      ICMPv6 120 Echo (ping) request id=0x0337, seq=0, hop limit=255
   28  31.251226  192.168.1.1 → 224.0.0.1    IGMPv2 62 Membership Query, general
   29  31.513090 Sagemcom_$$$FUNBOX-MAC →              HomePlug AV 62 CM_BRG_INFO.REQ (Get Bridge Informations Request)
   30  35.429796 $$$LAPTOP-IP → 1.1.1.1      DNS 90 Standard query 0x06da A wp.pl OPT
   31  35.453171 Sagemcom_$$$FUNBOX-MAC →              ARP 62 Who has $$$LAPTOP-IP? Tell 1.1.1.1
   32  35.453242 $$$LAPTOP-MAC →              ARP 44 $$$LAPTOP-IP is at $$$LAPTOP-MAC
   33  35.454073      1.1.1.1 → $$$LAPTOP-IP DNS 94 Standard query response 0x06da A wp.pl A 212.77.98.9 OPT
   34  35.528628 Sagemcom_$$$FUNBOX-MAC →              ARP 62 Who has $$$LAPTOP-IP? Tell 192.168.1.1
   35  35.528674 $$$LAPTOP-MAC →              ARP 44 $$$LAPTOP-IP is at $$$LAPTOP-MAC
   36  35.528679 Sagemcom_$$$FUNBOX-MAC →              ARP 62 Who has $$$LAPTOP-IP? Tell 192.168.1.1
   37  35.528693 $$$LAPTOP-MAC →              ARP 44 $$$LAPTOP-IP is at $$$LAPTOP-MAC
   38  35.548427 Sagemcom_$$$FUNBOX-MAC →              ARP 62 Who has $$$LAPTOP-IP? Tell 192.168.1.1
   39  35.548467 $$$LAPTOP-MAC →              ARP 44 $$$LAPTOP-IP is at $$$LAPTOP-MAC
   40  38.264464  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB FUNBOX<20>
   41  38.264537  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB FUNBOX<03>
   42  38.264573  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB FUNBOX<00>
   43  38.264604  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB WORKGROUP<00>
   44  38.264634  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB WORKGROUP<1e>
   45  38.265874  192.168.1.1 → 192.168.1.255 BROWSER 251 Host Announcement FUNBOX, Workstation, Server, Print Queue Server, Xenix Server, NT Workstation, NT Server, Potential Browser, DFS server
   46  39.440035  192.168.1.1 → 224.0.0.251  MDNS 249 Standard query 0x0000 PTR _http._tcp.local, "QM" question PTR _services._dns-sd._udp.local, "QM" question PTR _ssw._tcp.local, "QM" question PTR _mqtt._tcp.local, "QM" question PTR SSW
 on FUNBOX._mqtt._tcp.local PTR SSW on FUNBOX._ssw._tcp.local PTR _http._tcp.local PTR _ssw._tcp.local PTR _mqtt._tcp.local PTR FUNBOX._http._tcp.local
   47  40.281303  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB FUNBOX<20>
   48  40.281383  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB FUNBOX<03>
   49  40.281418  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB FUNBOX<00>
   50  40.281425  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB WORKGROUP<00>
   51  40.281431  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB WORKGROUP<1e>
   52  40.281437  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB FUNBOX<20>
   53  40.281701  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB FUNBOX<03>
   54  40.281715  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB FUNBOX<00>
   55  40.281721  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB WORKGROUP<00>
   56  40.282281  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB WORKGROUP<1e>
   57  42.296824  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB FUNBOX<20>
   58  42.296866  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB FUNBOX<03>
   59  42.296880  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB FUNBOX<00>
   60  42.296884  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB WORKGROUP<00>
   61  42.297270  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB WORKGROUP<1e>
   62  45.570019 $$$FUNBOX-MAC6 → ff02::1      ICMPv6 120 Echo (ping) request id=0x0337, seq=0, hop limit=255

Ponieważ jedyne co znalazłem o “zaśmiecaniu” tablicy ARP to artykuły z cyklu “jak zmusić moich użytkowników by korzystali z mojego DNS” poczytałem jak zablokować dziwne requesty ARP i zablowałem “tworzenie wpisu”

1.1.1.1 dev enp2s0 lladdr $$$FUNBOX-MAC STALE

Wyłączyłem wszystko ponownie włączyłem komputer jedyna zmiana do poprzedniej operacji to jedna dodatkowa reguła na firewallu blokująca wciskanie kitu przez ARP:

wyniki i pytania pod spodem w reply:

funbox 3 arp spoof DNSów - kontekst + 5 pytań

Edward39 — Mon, 23 Sep 2019 13:56:54 GMT

tablica arp tym razem czysta - tylko funbox

ip neigh                                   
192.168.1.1 dev enp2s0 lladdr $$$FUNBOX-MAC PERMANENT

log protokołu arp w kółko pokazuje próbę wciśnięcia śmiecia do tablicy arp

[  323.046717] ARP-IN: IN=enp2s0 OUT= ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACsrc=$$$FUNBOX-MAC IPsrc=1.1.1.1 MACDST=00:00:00:00:00:00 IPDST=$$$LAPTOP-IP
[  324.048895] ARP-IN: IN=enp2s0 OUT= ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACsrc=$$$FUNBOX-MAC IPsrc=1.1.1.1 MACDST=00:00:00:00:00:00 IPDST=$$$LAPTOP-IP

w routes coś nowego się pokazało

ip route
default via 192.168.1.1 dev enp2s0 
192.168.1.0/24 dev enp2s0 proto kernel scope link src $$$LAPTOP-IP

PYTANIE1:

nie wiem co to za proto kernel na laptopowym IP i skąd to trafiło do tablicy routing-u ?

efekt po blokadzie wpisu arp

dig wp.pl
### timeout ###

dołączam również tcpdump ze wszystkich interfejsów

1   0.000000  192.168.1.1 → 224.0.0.1    IGMPv2 62 Membership Query, general                                                                                                                                                              
    2   5.660224  192.168.1.1 → 224.0.0.251  MDNS 134 Standard query 0x0000 ANY 1.1.168.192.in-addr.arpa, "QM" question ANY FUNBOX.local, "QM" question A 192.168.1.1 PTR FUNBOX.local                                                        
    3   5.911112  192.168.1.1 → 224.0.0.251  MDNS 134 Standard query 0x0000 ANY 1.1.168.192.in-addr.arpa, "QM" question ANY FUNBOX.local, "QM" question A 192.168.1.1 PTR FUNBOX.local                                                        
    4   6.163248  192.168.1.1 → 224.0.0.251  MDNS 134 Standard query 0x0000 ANY 1.1.168.192.in-addr.arpa, "QM" question ANY FUNBOX.local, "QM" question A 192.168.1.1 PTR FUNBOX.local                                                        
    5   6.366578  192.168.1.1 → 224.0.0.251  MDNS 122 Standard query response 0x0000 PTR, cache flush FUNBOX.local A, cache flush 192.168.1.1                                                                                                 
    6   6.537099  192.168.1.1 → 224.0.0.251  MDNS 306 Standard query 0x0000 ANY SSW on FUNBOX._ssw._tcp.local, "QM" question ANY FUNBOX._http._tcp.local, "QM" question ANY SSW on FUNBOX._mqtt._tcp.local, "QM" question SRV 0 0 80 FUNBOX.lo
cal TXT SRV 0 0 8883 FUNBOX.local TXT SRV 0 0 8883 FUNBOX.local TXT                                                                                                                                                                           
    7   6.788287  192.168.1.1 → 224.0.0.251  MDNS 306 Standard query 0x0000 ANY SSW on FUNBOX._ssw._tcp.local, "QM" question ANY FUNBOX._http._tcp.local, "QM" question ANY SSW on FUNBOX._mqtt._tcp.local, "QM" question SRV 0 0 80 FUNBOX.lo
cal TXT SRV 0 0 8883 FUNBOX.local TXT SRV 0 0 8883 FUNBOX.local TXT                                                                                                                                                                           
    8   7.044574  192.168.1.1 → 224.0.0.251  MDNS 306 Standard query 0x0000 ANY SSW on FUNBOX._ssw._tcp.local, "QM" question ANY FUNBOX._http._tcp.local, "QM" question ANY SSW on FUNBOX._mqtt._tcp.local, "QM" question SRV 0 0 80 FUNBOX.lo
cal TXT SRV 0 0 8883 FUNBOX.local TXT SRV 0 0 8883 FUNBOX.local TXT                                                                                                                                                                           
    9   7.243702  192.168.1.1 → 224.0.0.251  MDNS 411 Standard query response 0x0000 TXT, cache flush PTR FUNBOX._http._tcp.local SRV, cache flush 0 0 80 FUNBOX.local A, cache flush 192.168.1.1 TXT, cache flush PTR _http._tcp.local PTR SS
W on FUNBOX._mqtt._tcp.local SRV, cache flush 0 0 8883 FUNBOX.local TXT, cache flush PTR _mqtt._tcp.local PTR SSW on FUNBOX._ssw._tcp.local SRV, cache flush 0 0 8883 FUNBOX.local PTR _ssw._tcp.local                                        
   10   7.488338  192.168.1.1 → 224.0.0.251  MDNS 106 Standard query response 0x0000 PTR, cache flush FUNBOX.local                                                                                                                            
   11   8.365419  192.168.1.1 → 224.0.0.251  MDNS 411 Standard query response 0x0000 TXT, cache flush PTR FUNBOX._http._tcp.local SRV, cache flush 0 0 80 FUNBOX.local A, cache flush 192.168.1.1 TXT, cache flush PTR _http._tcp.local PTR SS
W on FUNBOX._mqtt._tcp.local SRV, cache flush 0 0 8883 FUNBOX.local TXT, cache flush PTR _mqtt._tcp.local PTR SSW on FUNBOX._ssw._tcp.local SRV, cache flush 0 0 8883 FUNBOX.local PTR _ssw._tcp.local                                        
   12   8.614085  192.168.1.1 → 224.0.0.251  MDNS 154 Standard query 0x0000 PTR _services._dns-sd._udp.local, "QM" question PTR _http._tcp.local PTR _mqtt._tcp.local PTR _ssw._tcp.local                                                     
   13   9.091205  192.168.1.1 → 224.0.0.251  MDNS 178 Standard query 0x0000 PTR _ssw._tcp.local, "QM" question PTR _http._tcp.local, "QM" question PTR _mqtt._tcp.local, "QM" question PTR SSW on FUNBOX._mqtt._tcp.local PTR FUNBOX._http._tc
p.local PTR SSW on FUNBOX._ssw._tcp.local                                                                                                                                                                                                     
   14   9.610215  192.168.1.1 → 224.0.0.251  MDNS 122 Standard query response 0x0000 A, cache flush 192.168.1.1 PTR, cache flush FUNBOX.local                                                                                                 
   15   9.615313  192.168.1.1 → 224.0.0.251  MDNS 154 Standard query 0x0000 PTR _services._dns-sd._udp.local, "QM" question PTR _http._tcp.local PTR _mqtt._tcp.local PTR _ssw._tcp.local                                                     
   16  10.095461  192.168.1.1 → 224.0.0.251  MDNS 178 Standard query 0x0000 PTR _ssw._tcp.local, "QM" question PTR _http._tcp.local, "QM" question PTR _mqtt._tcp.local, "QM" question PTR SSW on FUNBOX._mqtt._tcp.local PTR FUNBOX._http._tc
p.local PTR SSW on FUNBOX._ssw._tcp.local                                                                                                                                                                                                     
   17  10.487410  192.168.1.1 → 224.0.0.251  MDNS 411 Standard query response 0x0000 TXT, cache flush PTR FUNBOX._http._tcp.local SRV, cache flush 0 0 80 FUNBOX.local A, cache flush 192.168.1.1 TXT, cache flush PTR _http._tcp.local PTR SS
W on FUNBOX._mqtt._tcp.local SRV, cache flush 0 0 8883 FUNBOX.local TXT, cache flush PTR _mqtt._tcp.local PTR SSW on FUNBOX._ssw._tcp.local SRV, cache flush 0 0 8883 FUNBOX.local PTR _ssw._tcp.local                                        
   18  11.616250  192.168.1.1 → 224.0.0.251  MDNS 154 Standard query 0x0000 PTR _services._dns-sd._udp.local, "QM" question PTR _http._tcp.local PTR _mqtt._tcp.local PTR _ssw._tcp.local                                                     
   19  12.096786  192.168.1.1 → 224.0.0.251  MDNS 178 Standard query 0x0000 PTR _ssw._tcp.local, "QM" question PTR _http._tcp.local, "QM" question PTR _mqtt._tcp.local, "QM" question PTR SSW on FUNBOX._mqtt._tcp.local PTR FUNBOX._http._t$p.local PTR SSW on FUNBOX._ssw._tcp.local
   20  14.812082 $$$FUNBOX-MAC6 → ff02::1      ICMPv6 120 Echo (ping) request id=0x0337, seq=0, hop limit=255                                                                                                                     
   21  15.024519 $$$FUNBOX-MAC6 → ff02::1      ICMPv6 120 Echo (ping) request id=0x0337, seq=0, hop limit=255                                                                                                                     
   22  15.618684  192.168.1.1 → 224.0.0.251  MDNS 154 Standard query 0x0000 PTR _services._dns-sd._udp.local, "QM" question PTR _http._tcp.local PTR _mqtt._tcp.local PTR _ssw._tcp.local                                                    
   23  16.098387  192.168.1.1 → 224.0.0.251  MDNS 178 Standard query 0x0000 PTR _ssw._tcp.local, "QM" question PTR _http._tcp.local, "QM" question PTR _mqtt._tcp.local, "QM" question PTR SSW on FUNBOX._mqtt._tcp.local PTR FUNBOX._http._t$p.local PTR SSW on FUNBOX._ssw._tcp.local
   24  16.186192 Sagemcom_$$$FUNBOX-MAC →              HomePlug AV 62 CM_BRG_INFO.REQ (Get Bridge Informations Request)
   25  23.629564  192.168.1.1 → 224.0.0.251  MDNS 130 Standard query 0x0000 PTR _services._dns-sd._udp.local, "QM" question PTR _http._tcp.local, "QM" question PTR _mqtt._tcp.local, "QM" question PTR _ssw._tcp.local, "QM" question       
   26  23.691788  192.168.1.1 → 224.0.0.251  MDNS 411 Standard query response 0x0000 PTR SSW on FUNBOX._ssw._tcp.local TXT, cache flush SRV, cache flush 0 0 8883 FUNBOX.local A, cache flush 192.168.1.1 PTR _http._tcp.local PTR _ssw._tcp.$ocal PTR _mqtt._tcp.local PTR FUNBOX._http._tcp.local TXT, cache flush SRV, cache flush 0 0 80 FUNBOX.local PTR SSW on FUNBOX._mqtt._tcp.local TXT, cache flush SRV, cache flush 0 0 8883 FUNBOX.local                                       
   27  30.286478 $$$FUNBOX-MAC6 → ff02::1      ICMPv6 120 Echo (ping) request id=0x0337, seq=0, hop limit=255                                                                                                                     
   28  31.251485  192.168.1.1 → 224.0.0.1    IGMPv2 62 Membership Query, general
   29  31.367445 Sagemcom_$$$FUNBOX-MAC →              HomePlug AV 62 CM_BRG_INFO.REQ (Get Bridge Informations Request)
   30  38.270491  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB FUNBOX<20>
   31  38.270563  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB FUNBOX<03>
   32  38.270589  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB FUNBOX<00>
   33  38.270612  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB WORKGROUP<00>
   34  38.270637  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB WORKGROUP<1e>
   35  38.271856  192.168.1.1 → 192.168.1.255 BROWSER 251 Host Announcement FUNBOX, Workstation, Server, Print Queue Server, Xenix Server, NT Workstation, NT Server, Potential Browser, DFS server                                          
   36  39.648805  192.168.1.1 → 224.0.0.251  MDNS 249 Standard query 0x0000 PTR _http._tcp.local, "QM" question PTR _services._dns-sd._udp.local, "QM" question PTR _ssw._tcp.local, "QM" question PTR _mqtt._tcp.local, "QM" question PTR SS$ on FUNBOX._mqtt._tcp.local PTR SSW on FUNBOX._ssw._tcp.local PTR _http._tcp.local PTR _ssw._tcp.local PTR _mqtt._tcp.local PTR FUNBOX._http._tcp.local                                                                                      
   37  40.288556  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB FUNBOX<20>
   38  40.288622  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB FUNBOX<03>
   39  40.288643  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB FUNBOX<00>
   40  40.288647  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB WORKGROUP<00>
   41  40.288651  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB WORKGROUP<1e>
   42  40.289199  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB FUNBOX<20>
   43  40.289217  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB FUNBOX<03>
   44  40.289222  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB FUNBOX<00>
   45  40.289226  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB WORKGROUP<00>
   46  40.290144  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB WORKGROUP<1e>
   47  42.305288  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB FUNBOX<20>
   48  42.305349  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB FUNBOX<03>
   49  42.305370  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB FUNBOX<00>
   50  42.305830  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB WORKGROUP<00>
   51  42.305845  192.168.1.1 → 192.168.1.255 NBNS 112 Registration NB WORKGROUP<1e>
   52  45.501636 $$$FUNBOX-MAC6 → ff02::1      ICMPv6 120 Echo (ping) request id=0x0337, seq=0, hop limit=255
   53  50.064665 $$$LAPTOP-IP → 1.1.1.1      DNS 90 Standard query 0xa614 A wp.pl OPT
   54  50.088547 Sagemcom_$$$FUNBOX-MAC →              ARP 62 Who has $$$LAPTOP-IP? Tell 1.1.1.1
   55  51.090725 Sagemcom_$$$FUNBOX-MAC →              ARP 62 Who has $$$LAPTOP-IP? Tell 1.1.1.1
   56  52.092788 Sagemcom_$$$FUNBOX-MAC →              ARP 62 Who has $$$LAPTOP-IP? Tell 1.1.1.1
   57  55.064341 $$$LAPTOP-IP → 1.1.1.1      DNS 90 Standard query 0xa614 A wp.pl OPT
   58  55.088184 Sagemcom_$$$FUNBOX-MAC →              ARP 62 Who has $$$LAPTOP-IP? Tell 1.1.1.1
   59  56.090463 Sagemcom_$$$FUNBOX-MAC →              ARP 62 Who has $$$LAPTOP-IP? Tell 1.1.1.1
   60  57.092878 Sagemcom_$$$FUNBOX-MAC →              ARP 62 Who has $$$LAPTOP-IP? Tell 1.1.1.1
   61  60.065075 $$$LAPTOP-IP → 1.1.1.1      DNS 90 Standard query 0xa614 A wp.pl OPT
   62  60.088383 Sagemcom_$$$FUNBOX-MAC →              ARP 62 Who has $$$LAPTOP-IP? Tell 1.1.1.1
   63  60.478058 Sagemcom_$$$FUNBOX-MAC →              HomePlug 62 MAC Management
   64  61.090958 Sagemcom_$$$FUNBOX-MAC →              ARP 62 Who has $$$LAPTOP-IP? Tell 1.1.1.1
   65  62.092989 Sagemcom_$$$FUNBOX-MAC →              ARP 62 Who has $$$LAPTOP-IP? Tell 1.1.1.1
   66  71.253346  192.168.1.1 → 224.0.0.1    IGMPv2 62 Membership Query, general

PYTANIE2:

Nie rozumiem sytuaacji z pakietem nr 54 Dlaczego funbox pyta przez ARP kto ma $$$LAPTOP-IP w dodatku kieruje to pytanie do zewnętrznego DNSu a nie do default gw ????

wyciągnąłem pakiet 54 poniżej

54  50.088547 Sagemcom_$$$FUNBOX-MAC →              ARP 62 Who has $$$LAPTOP-IP? Tell 1.1.1.1

dla kontekstu pakiet 53 to nic innego jak

dig wp.pl

dla sprawdzenia czy DNSy trybią

PYTANIE 3:

niestety DNSy nie działają bez “śmieciowego wpisu” w tablicy ARP dlaczego?

PYTANIE 4:

Funbox pyta moje DNSy 1.1.1.1 o adres IP mojego laptopa - lokalne IP 192.168.1.x - czemu nie spyta bramy <-> sam siebie ???

PYTANIE 5:

W dniu instalacji internetu pytałem czy mogę używać dowolnych DNSów - panowie technicy powiedzieli że nie ma w tym zakresie ograniczeń no ale jak się to ma do tego ARPowania przez funbox ?

przeklejka kodu z początku posta

ip neigh
1.1.1.1 dev enp2s0 lladdr $$$FUNBOX-MAC STALE
192.168.1.1 dev enp2s0 lladdr $$$FUNBOX-MAC PERMANENT

funbox 3 arp spoof DNSów - kontekst + 5 pytań

BORAX — Mon, 23 Sep 2019 15:03:04 GMT

@Edward39 Odpowiem tylko na pytanie 5. Oczywiście nie ma w tym zakresie(DNS) ograniczeń, ale mając Funbox 3.0 musisz aplikować w konfiguracji każdego urządzenia adres DNS. Funbox ze względów między innymi bezpieczeństwa nie zezwala na ich zmianę na poziomie routera.

funbox 3 arp spoof DNSów - kontekst + 5 pytań

Edward39 — Mon, 23 Sep 2019 17:52:17 GMT

@BORAX

@BORAXnapisał(-a)
mając Funbox 3.0 musisz aplikować w konfiguracji każdego urządzenia adres DNS. Funbox ze względów między innymi bezpieczeństwa nie zezwala na ich zmianę na poziomie routera

W routerze mam na sztywno to co wszyscy a w linuxie chcialbym docelowo DNS over TLS

W pierwszej chwili nie poszedł TLS zrywał połączenie więc sprawdziłem na prostrzym przypadku ... no i jest grubo

Raz ustawiłem na funbox 3 dns over tls działał tylko przez weekend ale internet chodził nieporównywalnie szybciej niż dziś

To już jest któryś funbox3 z kolei i na tym nie moge za wiele podziałać ... patrz wyżej

funbox 3 arp spoof DNSów - kontekst + 5 pytań

rspl — Tue, 24 Sep 2019 14:02:17 GMT

Odpowiedź na pytanie 1:

Wpis "proto kernel" oznacza że dana trasa została dodana przez jądro Linuksa i jest przez niego zarządzana. W tym przypadku trasa została dodana na podstawie maski podsieci i jest to zupełnie normalne.

Odpowiedź na pytanie nr 2,3,4:

Generalnie problem polega na tym, że z jakiegoś powodu funbox ma na interfejsie LAN przypisany na stałe adres 1.1.1.1 (co swoją drogą nie jest zgodne z RFC, ponieważ a blok adresów 1.1.1.0/24 należy do Cloudflare a nie do Orange). O tym że funbox ma przypisany adres 1.1.1.1 można się przekonać wykonując traceroute do 1.1.1.1.

Ten pakiet:

54  50.088547 Sagemcom_$$$FUNBOX-MAC →              ARP 62 Who has $$$LAPTOP-IP? Tell 1.1.1.1

To nie jest arp poisoning, tylko nic innego jak zapytanie funboxa (który ma adres IP 1.1.1.1) jaki jest adres MAC twojego komputera - to jest konieczne aby funbox miał jak wysłać odpowiedź na zapytanie DNS. Dlatego jeżeli to zablokujesz komunikacja z 1.1.1.1 (czyli funboxem, a nie serwerami Cloudflare) nie będzie możliwa.

Niestety komunikacja z serwerem 1.1.1.1 w przypadku funboxa jest niemożliwa - zawsze będzie ci odpowiadał funbox (czyli jak ustawisz dns na 1.1.1.1 to i tak będziesz używał DNS od Orange).

Na szczęście rozwiązanie tego problemu jest łatwe i można mieć normalnie dostęp do serwerów DNS Cloudflare - wystarczy użyć adresu ich zapasowego serwera: 1.0.0.1 i wszystko będzie działać jak należy.

P.S Ciekawi mnie dlaczego Funbox ma przypisany do LAN adres 1.1.1.1.

Moim taki adres do funboxa został przypisany celowo a nie np. w wyniku błędu oprogramowania, ale po co? Może ktoś z Orange kiedyś zechce się wypowiedzieć na ten temat.

funbox 3 arp spoof DNSów - kontekst + 5 pytań

Edward39 — Wed, 25 Sep 2019 12:50:47 GMT

jest mały progress chociaż u mnie traceroute dla 1.1.1.1 pokazuje droge do cloudflare

próba zestawienia połączenia DNS over TLS kończy się timeeoutem

włączam funbox robię dig wp.pl gdy lampki się wyszumią - tym razem DNS over TLS na 9.9.9.9

1   0.000000  192.168.1.1 → 224.0.0.1    IGMPv2 62 Membership Query, general
2   4.381446    127.0.0.1 → 127.0.0.1    UDP 90 48692 → 48884 Len=46
3   4.381616 $$$LAPTOP-IP → 9.9.9.9      TCP 80 45404 → 853 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=2039067141 TSecr=0 WS=128 TFO=R
4   4.409813      9.9.9.9 → $$$LAPTOP-IP TCP 76 853 → 45404 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 TSval=3959142448 TSecr=2039067141 WS=256
5   4.409891 $$$LAPTOP-IP → 9.9.9.9      TCP 68 45404 → 853 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=2039067170 TSecr=3959142448
6   4.410154 $$$LAPTOP-IP → 9.9.9.9      TLSv1 337 Client Hello
7   4.438175      9.9.9.9 → $$$LAPTOP-IP TCP 68 853 → 45404 [ACK] Seq=1 Ack=270 Win=30208 Len=0 TSval=3959142476 TSecr=2039067170
8   4.438798      9.9.9.9 → $$$LAPTOP-IP TLSv1.3 2964 Server Hello, Change Cipher Spec, Application Data, Application Data
9   4.438842 $$$LAPTOP-IP → 9.9.9.9      TCP 68 45404 → 853 [ACK] Seq=270 Ack=2897 Win=63488 Len=0 TSval=2039067199 TSecr=3959142477
10   4.438849      9.9.9.9 → $$$LAPTOP-IP TLSv1.3 176 Application Data, Application Data
11   4.438869 $$$LAPTOP-IP → 9.9.9.9      TCP 68 45404 → 853 [ACK] Seq=270 Ack=3005 Win=63488 Len=0 TSval=2039067199 TSecr=3959142478
12   4.441657 $$$LAPTOP-IP → 9.9.9.9      TLSv1.3 148 Change Cipher Spec, Application Data
13   4.472296      9.9.9.9 → $$$LAPTOP-IP TLSv1.3 307 Application Data
14   4.472345 $$$LAPTOP-IP → 9.9.9.9      TLSv1.3 220 Application Data
15   4.472687      9.9.9.9 → $$$LAPTOP-IP TLSv1.3 307 Application Data
16   4.502255      9.9.9.9 → $$$LAPTOP-IP TLSv1.3 142 Application Data
17   4.502365 $$$LAPTOP-IP → 9.9.9.9      TCP 68 45404 → 853 [ACK] Seq=502 Ack=3557 Win=64128 Len=0 TSval=2039067262 TSecr=3959142511
18   4.502458 $$$LAPTOP-IP → 9.9.9.9      TLSv1.3 220 Application Data
19   4.533065      9.9.9.9 → $$$LAPTOP-IP TLSv1.3 1231 Application Data
20   4.533122 $$$LAPTOP-IP → 9.9.9.9      TLSv1.3 676 Application Data, Application Data, Application Data, Application Data
21   4.564526      9.9.9.9 → $$$LAPTOP-IP TLSv1.3 1147 Application Data
22   4.565333      9.9.9.9 → $$$LAPTOP-IP TLSv1.3 458 Application Data
23   4.565375 $$$LAPTOP-IP → 9.9.9.9      TCP 68 45404 → 853 [ACK] Seq=1262 Ack=6189 Win=64128 Len=0 TSval=2039067325 TSecr=3959142602
24   4.618445      9.9.9.9 → $$$LAPTOP-IP TLSv1.3 182 Application Data
25   4.620618      9.9.9.9 → $$$LAPTOP-IP TLSv1.3 848 Application Data
26   4.620731 $$$LAPTOP-IP → 9.9.9.9      TCP 68 45404 → 853 [ACK] Seq=1262 Ack=7083 Win=64128 Len=0 TSval=2039067380 TSecr=3959142656
27   7.289015 $$$LAPTOP-IP → 172.217.16.3 TCP 68 46282 → 443 [ACK] Seq=1 Ack=1 Win=501 Len=0 TSval=1480267360 TSecr=2798955943
28   9.382040    127.0.0.1 → 127.0.0.1    UDP 90 48692 → 48884 Len=46
29   9.382274 $$$LAPTOP-IP → 9.9.9.9      TLSv1.3 220 Application Data
30   9.411252      9.9.9.9 → $$$LAPTOP-IP TLSv1.3 142 Application Data
31   9.411460 $$$LAPTOP-IP → 9.9.9.9      TLSv1.3 220 Application Data
32   9.412765 Sagemcom_$$$FUNBOX-MAC →              ARP 62 Who has $$$LAPTOP-IP? Tell 192.168.1.1
33   9.412812 WistronI_$$$LAPTOP-MAC →              ARP 44 $$$LAPTOP-IP is at $$$LAPTOP-MAC
34   9.441008      9.9.9.9 → $$$LAPTOP-IP TLSv1.3 1231 Application Data
35   9.441090 $$$LAPTOP-IP → 9.9.9.9      TLSv1.3 676 Application Data, Application Data, Application Data, Application Data
36   9.470441      9.9.9.9 → $$$LAPTOP-IP TLSv1.3 1147 Application Data
37   9.470509      9.9.9.9 → $$$LAPTOP-IP TLSv1.3 458 Application Data
38   9.470539 $$$LAPTOP-IP → 9.9.9.9      TCP 68 45404 → 853 [ACK] Seq=2174 Ack=9789 Win=64128 Len=0 TSval=2039072230 TSecr=3959147508
39   9.470543      9.9.9.9 → $$$LAPTOP-IP TLSv1.3 182 Application Data
40   9.470549      9.9.9.9 → $$$LAPTOP-IP TLSv1.3 848 Application Data
41   9.470658 $$$LAPTOP-IP → 9.9.9.9      TCP 68 45404 → 853 [ACK] Seq=2174 Ack=10683 Win=64128 Len=0 TSval=2039072230 TSecr=3959147509
42  10.033248 Sagemcom_$$$FUNBOX-MAC →              HomePlug 62 MAC Management
43  14.161557 198.252.206.25 → $$$LAPTOP-IP TLSv1.2 129 Application Data
44  14.382757    127.0.0.1 → 127.0.0.1    UDP 90 48692 → 48884 Len=46
45  14.382977 $$$LAPTOP-IP → 9.9.9.9      TLSv1.3 220 Application Data
46  14.450653      9.9.9.9 → $$$LAPTOP-IP TCP 68 853 → 45404 [ACK] Seq=10683 Ack=2326 Win=38400 Len=0 TSval=3959152489 TSecr=2039077143
47  14.463028      9.9.9.9 → $$$LAPTOP-IP TLSv1.3 142 Application Data
48  14.463205 $$$LAPTOP-IP → 9.9.9.9      TLSv1.3 220 Application Data
49  14.491295      9.9.9.9 → $$$LAPTOP-IP TCP 68 853 → 45404 [ACK] Seq=10757 Ack=2478 Win=39680 Len=0 TSval=3959152529 TSecr=2039077223
50  14.491372 $$$LAPTOP-IP → 9.9.9.9      TLSv1.3 676 Application Data, Application Data, Application Data, Application Data
51  14.491379      9.9.9.9 → $$$LAPTOP-IP TLSv1.3 1231 Application Data
52  14.521243      9.9.9.9 → $$$LAPTOP-IP TLSv1.3 1147 Application Data
53  14.521295 $$$LAPTOP-IP → 9.9.9.9      TCP 68 45404 → 853 [ACK] Seq=3086 Ack=12999 Win=64128 Len=0 TSval=2039077281 TSecr=3959152530
54  14.521298      9.9.9.9 → $$$LAPTOP-IP TLSv1.3 458 Application Data
55  14.521306      9.9.9.9 → $$$LAPTOP-IP TLSv1.3 182 Application Data
56  14.521313      9.9.9.9 → $$$LAPTOP-IP TLSv1.3 848 Application Data
57  14.521409 $$$LAPTOP-IP → 9.9.9.9      TCP 68 45404 → 853 [ACK] Seq=3086 Ack=14283 Win=64128 Len=0 TSval=2039077281 TSecr=3959152560
58  23.673029 $$$LAPTOP-IP → 198.252.206.25 TCP 68 43944 → 443 [ACK] Seq=0 Ack=1 Win=501 Len=0 TSval=1520445039 TSecr=2276464594
59  23.785180 198.252.206.25 → $$$LAPTOP-IP TCP 68 [TCP ****** ACK 43#1] [TCP ACKed unseen segment] 443 → 43944 [ACK] Seq=62 Ack=1 Win=61 Len=0 TSval=2276829079 TSecr=1519849778
60  24.531686 $$$LAPTOP-IP → 9.9.9.9      TLSv1.3 92 Application Data
61  24.531734 $$$LAPTOP-IP → 9.9.9.9      TCP 68 45404 → 853 [FIN, ACK] Seq=3110 Ack=14283 Win=64128 Len=0 TSval=2039087291 TSecr=3959152560
62  24.559861      9.9.9.9 → $$$LAPTOP-IP TLSv1.3 92 Application Data
63  24.559940 $$$LAPTOP-IP → 9.9.9.9      TCP 56 45404 → 853 [RST] Seq=3111 Win=0 Len=0
64  24.559948      9.9.9.9 → $$$LAPTOP-IP TCP 68 853 → 45404 [FIN, ACK] Seq=14307 Ack=3111 Win=40704 Len=0 TSval=3959162598 TSecr=2039087291
65  24.559971 $$$LAPTOP-IP → 9.9.9.9      TCP 56 45404 → 853 [RST] Seq=3111 Win=0 Len=0
66  28.281033 $$$LAPTOP-IP → 46.101.120.188 TCP 68 45404 → 443 [ACK] Seq=1 Ack=1 Win=9136 Len=0 TSval=3040152852 TSecr=3219099768
67  28.311694 46.101.120.188 → $$$LAPTOP-IP TCP 68 [TCP ACKed unseen segment] 443 → 45404 [ACK] Seq=1 Ack=2 Win=692 Len=0 TSval=3219111028 TSecr=3040107838

zauważyłem że porty mimo że są otwarte w regułach wykazywane są jako zamknięte

nmap -p 80,443,22,53,853,9418 $$$ROUTER-PUB-IP
Starting Nmap 7.70 ( https://nmap.org ) at 2019-09-25 14:13 CEST
Nmap scan report for $$$ROUTER-PUB-IP.ipv4.supernova.orange.pl ($$$ROUTER-PUB-IP)
Host is up (0.0016s latency).

PORT     STATE    SERVICE
22/tcp   filtered ssh
53/tcp   filtered domain
80/tcp   open     http
443/tcp  open     https
853/tcp  filtered domain-s
9418/tcp filtered git

Nmap done: 1 IP address (1 host up) scanned in 1.26 seconds
➜  ~ nmap -p 80,443,22,53,853,9418 192.168.1.1
Starting Nmap 7.70 ( https://nmap.org ) at 2019-09-25 14:13 CEST
Nmap scan report for 192.168.1.1
Host is up (0.0013s latency).

PORT     STATE    SERVICE
22/tcp   filtered ssh
53/tcp   filtered domain
80/tcp   open     http
443/tcp  open     https
853/tcp  filtered domain-s
9418/tcp filtered git

Nmap done: 1 IP address (1 host up) scanned in 1.25 seconds

z tego jak wygląda ruch sieciowy wnioskuje że wszytkie porty są otwarte poza 853 nmap mówi co innego

sytuacja bliźniacza do mojego posta "FunBox 3.0 saegem... firewall "odrzuc" ... nie odrzuca"

tyle że teraz jest "akceptuj" wciąż blokuje

poprzednio skończyło się na wymianie urządzenia... co teraz ?