Thread: Another way to perform DNS Spoofing....

  1. #1

    Another way to perform DNS Spoofing....

    Alright.... 2 nights ago I had a hard time falling asleep, so I started to think. My topic was DNS spoofing. I was thinking of all the great times my professor and I had last year in our Net+ class (still have not gotten my Network+... I'm trying to find some cram notes or flash cards or something... might make some). It was great to go to www.microsoft.com and get www.linux.com, and have amazon lead to google, haha.

    We did it using Ettercap with a MITM attack. Took a little while to set up (or at least for me it does). Worked out great!

    But I was thinking, is there another way to do a DNS spoof attack with a little less software and Ethernet traffic (such as MITM)? I've been working with Nemesis, and it got me thinking.

    Let me go back to basics just in case I'm misunderstanding anything.

    When you go to www.google.com, your computer checks with your local DNS server to resolve www.google.com to its static IP (if you have a local DNS server), and when it resolves (if it does) it leads you to www.google.com. If it can't find it on the local DNS, it checks with your ISP's DNS, then goes to the root DNS servers. Then that IP under www.google.com gets cached in Windows for a certain amount of time. Then when you go to www.google.com again, it checks what's cached and pulls up that entry.

    Now, if my logic for that is correct: I went to a website that I KNOW was not cached on my laptop while I was running Wireshark. After the page was fully loaded I looked at Wireshark and it showed 2 DNS packets, a request and an answer. If I'm correct, that should be cached now.

    Now I'm thinking I could use Nemesis and data carving to take a DNS answer packet straight from Wireshark, modify it using hex to a different address, convert it back to binary (a .bin file), and then load up Nemesis and specify the source (my router), the destination (the victim), port 53 (the DNS port) and the payload GoogleDNS.bin, which is, say, the Amazon URL bound to Google's IP. Then I inject it into my network and the victim receives it and caches it? Then when they visit Amazon they go to Google! Spoof complete!

    Now here are the complications:

    I'm running Nemesis on my Linux router via SSH. All I get on Wireshark is a bunch of SSH port 22 gibberish. Will this ruin the GoogleDNS.bin payload? Also, once I modify the Amazon packet from Wireshark, how can I convert the text into a binary file that is recognized as a valid payload packet? Next question: how could I send the payload to all my computers on the network (-D 255.255.255.255)? Lastly, I thought of this all by myself, hence I could be very, very wrong about all of this! Haha.
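    The packet-editing steps described in the post above, as an added example (this is editor-added Python, not the poster's Nemesis workflow or any tool's own code). It builds a constructed DNS answer (hypothetical name www.example.com and hypothetical IPs; nothing here is a real capture), turns a Wireshark-style hex dump back into bytes the way a .bin payload would be made, patches the A record's address in place so the message stays valid, and then shows the check a resolver applies before caching anything: the reply's transaction ID and question section have to match a query that is currently outstanding (the UDP ports must match as well, one layer below this code). That check is why a blindly injected answer is silently dropped, and why Ettercap and dnsspoof sniff the victim's query first and race the real reply instead. The SSH session used to run the injector is unrelated to the payload bytes, which live in their own file. The example sends nothing on the wire.

```python
import socket
import struct

# Constructed sample values for this example (no real capture; hypothetical IPs).
SAMPLE_TXID = 0x1A2B
SAMPLE_NAME = "www.example.com"
SAMPLE_IP = "93.184.216.34"
FORGED_IP = "10.0.0.1"


def from_wireshark_hex(text):
    """Turn a hex dump copied out of Wireshark ('c0 0c 00 01 ...') into raw bytes.
    Write the result with open(path, 'wb') to get the .bin payload file."""
    return bytes.fromhex("".join(text.split()))


def encode_name(name):
    """Dotted hostname -> uncompressed DNS label sequence."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(pkt, offset):
    """Decode a name at offset, following 0xC0xx compression pointers.
    Returns (name, offset just past the name in the original byte stream)."""
    labels, end = [], None
    while True:
        length = pkt[offset]
        if length & 0xC0 == 0xC0:                      # pointer to an earlier name
            pointer = struct.unpack("!H", pkt[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(pkt[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def build_query(txid, name):
    """Standard recursive A query: header (RD=1, QDCOUNT=1) + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_answer(txid, name, ip, ttl=300):
    """Response (QR=1, RD=1, RA=1) echoing the question plus one A record whose
    owner name is a compression pointer to the question name at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + rr


def parse(pkt):
    """Parse the header, question and answer sections of a DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = decode_name(pkt, offset)
        qtype, qclass = struct.unpack("!HH", pkt[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype, qclass))
    for _ in range(an):
        rname, offset = decode_name(pkt, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[offset:offset + 10])
        offset += 10
        answers.append({"name": rname, "type": rtype, "class": rclass, "ttl": ttl,
                        "rdata_offset": offset, "rdata": pkt[offset:offset + rdlen]})
        offset += rdlen
    return {"txid": txid, "flags": flags, "questions": questions, "answers": answers}


def rewrite_a_record(pkt, new_ip):
    """The 'edit the hex' step: overwrite the first A record's 4-byte RDATA in place.
    No lengths, counts or pointers change, so the message stays well-formed."""
    for rr in parse(pkt)["answers"]:
        if rr["type"] == 1 and len(rr["rdata"]) == 4:
            off = rr["rdata_offset"]
            return pkt[:off] + socket.inet_aton(new_ip) + pkt[off + 4:]
    raise ValueError("no A record to rewrite")


def answer_matches_query(query_pkt, answer_pkt):
    """A resolver only accepts a reply (QR=1) whose transaction ID and question
    section match a query it currently has outstanding; anything else is dropped."""
    q, a = parse(query_pkt), parse(answer_pkt)
    return bool(a["flags"] & 0x8000) and q["txid"] == a["txid"] and q["questions"] == a["questions"]


if __name__ == "__main__":
    query = build_query(SAMPLE_TXID, SAMPLE_NAME)
    captured = build_answer(SAMPLE_TXID, SAMPLE_NAME, SAMPLE_IP)   # stands in for the Wireshark capture
    forged = rewrite_a_record(from_wireshark_hex(captured.hex()), FORGED_IP)
    print("forged answer:", forged.hex())
    print("resolves to:", socket.inet_ntoa(parse(forged)["answers"][0]["rdata"]))
    print("accepted for the live query:", answer_matches_query(query, forged))
    replayed = build_answer(0x0001, SAMPLE_NAME, FORGED_IP)        # stale txid: silently dropped
    print("accepted with a stale txid:", answer_matches_query(query, replayed))
```

    Run it as a script to see the patched packet and the two acceptance results; the forged reply passes only because its transaction ID and question were copied from the query in flight, which a replayed old capture cannot guarantee.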

  2. #2 (cybrsnpr)

    I think you have the right idea, but I also think you are really trying to kill a gnat with a small nuclear device! Unless the "chase to create something new" or "do this a different way" is what motivates your interest in the subject. If so, "you go, man!".

    There are tools besides Ettercap which will already do the DNS packet mangling for you. dnsspoof comes to mind immediately. Scapy would do this too (although it is a bit more difficult to set up).

    If you are looking for a "different type" of DNS spoof, look into the WPAD hack. Works against IE only (AFAIK). There are a few papers on it (just Google). It isn't that hard to set up.

  3. #3

    Quote Originally Posted by cybrsnpr:
      I think you have the right idea, but I also think you are really trying to kill a gnat with a small nuclear device! Unless the "chase to create something new" or "do this a different way" is what motivates your interest in the subject. If so, "you go, man!".

      There are tools besides Ettercap which will already do the DNS packet mangling for you. dnsspoof comes to mind immediately. Scapy would do this too (although it is a bit more difficult to set up).

      If you are looking for a "different type" of DNS spoof, look into the WPAD hack. Works against IE only (AFAIK). There are a few papers on it (just Google). It isn't that hard to set up.

    Could I use the part about the gnat and the small nuclear device as my sig, lol? That was great. But I guess I'll look into dnsspoof and Scapy. Maybe I could work with them. But I do want to try this Nemesis idea to see if it would work. I just am wondering if anyone has ever tried that, or if anyone can see difficulties down the road. And thanks for the encouragement. I don't get a lot of that.

  4. #4

    Quote:
      Could I use the part about the gnat and the small nuclear device as my sig

    You certainly can!

    I've just never used Nemesis, so I don't know what it can do. Give it a try, and if it works out, write it up!!! Worst-case scenario, it doesn't work out but you learn a lot of stuff about the tool, packets and networks.

    Good Luck...

  5. #5

    Well, in the past, I've learned a lot of ways of how to make something NOT WORK... then what I have found that does work. Haha.

  6. #6

    Quote:
      I've learned a lot of ways of how to make something NOT WORK

    That's called "narrowing down the possibilities".
