Alright.... 2 nights ago I had a hard time falling asleep so I started to think. My topic was DNS spoofing. I was thinking of all the great times me and my professor had last year in our Net+ class (still have not gotten my Network+... I'm trying to find some cram notes or flash cards or something... might make some). It was great to go to www.microsoft.com and get www.linux.com, and have amazon lead to google haha.

We did it using Ettercap with a MITM attack. Took a little while to set up (or at least for me it does). Worked out great!

But I was thinking, is there another way to do a DNS spoof attack with a little less software and Ethernet traffic (such as MITM)? I've been working with Nemesis, and it got me thinking.

Let me go back to basics just in case I'm misunderstanding anything.

When you go to www.google.com, your computer checks with your local DNS server to resolve www.google.com to its static IP (if you have a local DNS server), and when it resolves (if it does) it leads you to www.google.com. If it can't find it on the local DNS it checks with your ISP's DNS, then goes to the root DNS servers. Then that IP under www.google.com gets cached in Windows for a certain amount of time. Then when you go to www.google.com again it checks what's cached and pulls up that entry.

Now if my logic for that is correct: I went to a website that I KNOW was not cached on my laptop while I was running Wireshark. After the page was fully loaded I looked at Wireshark and it showed 2 DNS packets. A request and an answer? If I'm correct that should be cached now.

Now I'm thinking I could use Nemesis and data carving to take a DNS answer packet straight from Wireshark, modify it using hex to a different address, and convert it back to binary (.bin file). And then I load up Nemesis and specify the source (my router), the destination (the victim), port 53 (DNS port) and the payload GoogleDNS.bin, which is, say, the amazon URL bound to google's IP. Then I inject it into my network and the victim receives it and caches it? Then when they visit Amazon they go to google! Spoof complete!

Now here are the complications:

I'm running Nemesis on my Linux router via SSH. All I get on Wireshark is a bunch of SSH port 22 gibberish. Will this ruin the GoogleDNS.bin payload? Also, once I modify the amazon packet from Wireshark, how can I convert the text into a binary file that is recognized as a valid payload packet? Next question is how could I send the payload to all my computers on the network (-D 255.255.255.255)? Lastly, I thought of this all by myself, hence I could be very, very wrong about all of this! Haha.
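To make the request/answer pair from the Wireshark capture concrete, here is an added example (not the poster's code, and not part of the original thread) that parses raw DNS messages the way a monitoring tool on the router would, and flags the thing this whole idea depends on: an answer arriving with no matching outstanding query. A resolver that accepts such an answer is exactly what the post counts on; a monitor that notices it is the defender's counterpart. The sample capture is constructed by hand (transaction IDs, the 192.168.1.x hosts and the 192.0.2.x documentation addresses are all made up), and the audit keys on client, server, transaction ID, name and type, which is what a resolver should match before trusting a reply.

```python
import struct
import ipaddress


def _read_name(msg, offset):
    """Decode a DNS name at `offset`, following RFC 1035 compression pointers.
    Returns (lower-cased dotted name, offset just past the name field)."""
    labels, jumped, end, seen = [], False, None, set()
    while True:
        if offset in seen:  # a pointer that loops back is malformed
            raise ValueError("compression pointer loop")
        seen.add(offset)
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # 2-byte pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2  # the field ends after the first pointer
            jumped, offset = True, pointer
            continue
        if length == 0:  # root label terminates the name
            offset += 1
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), (end if jumped else offset)


def parse_message(msg):
    """Parse the header, question section and answer section of a DNS message."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, offset = _read_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record: render as dotted quad
            rdata = str(ipaddress.IPv4Address(rdata))
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def audit_dns_stream(packets):
    """packets: iterable of (src_ip, dst_ip, dns_payload) in capture order.
    Returns alert strings for every answer that no pending query accounts for."""
    pending, alerts = set(), []
    for src, dst, payload in packets:
        m = parse_message(payload)
        for qname, qtype in m["questions"]:
            if not m["is_response"]:
                pending.add((src, dst, m["id"], qname, qtype))
                continue
            key = (dst, src, m["id"], qname, qtype)  # client, server, ...
            if key in pending:
                pending.discard(key)  # one answer per question; a second one is unsolicited
            else:
                alerts.append("unsolicited DNS answer from %s to %s: txid 0x%04x %s/%d -> %r"
                              % (src, dst, m["id"], qname, qtype, m["answers"]))
    return alerts


# Constructed sample traffic (not a real capture). Client 192.168.1.50 asks the
# router 192.168.1.1 for www.example.com; the router answers; then an answer for
# a name nobody asked about shows up with an unrelated transaction ID.
QUERY = (b"\x1a\x2b\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
         b"\x03www\x07example\x03com\x00\x00\x01\x00\x01")
RESPONSE = (b"\x1a\x2b\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
            b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"
            b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x01")
UNSOLICITED = (b"\x99\x99\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
               b"\x03www\x07example\x03net\x00\x00\x01\x00\x01"
               b"\xc0\x0c\x00\x01\x00\x01\x00\x01\x51\x80\x00\x04\xc0\x00\x02\x63")
SAMPLE_CAPTURE = [
    ("192.168.1.50", "192.168.1.1", QUERY),
    ("192.168.1.1", "192.168.1.50", RESPONSE),
    ("192.168.1.1", "192.168.1.50", UNSOLICITED),
]

if __name__ == "__main__":
    for alert in audit_dns_stream(SAMPLE_CAPTURE):
        print(alert)
```

The legitimate pair parses as one question and one A record with a 300 second TTL (that TTL is the "certain amount of time" the cache keeps the entry). The third message carries a valid-looking answer, but nothing in the pending set matches its client, transaction ID and name, so it is reported. Real resolvers apply the same match (plus the source port), which is why a reply blasted at a host that has no query in flight is dropped rather than cached; a monitor on the router that logs such orphan answers is a cheap way to see someone attempting it on the LAN.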