Another way to perform DNS Spoofing....

[>Dart>]

Alright.... 2 nights ago I had a hard time falling asleep so I started to think. My topic was DNS spoofing. I was thinking of all the great times me and my professor had last year in our Net+ class (still have not gotten my Network+...im trying to find some cram notes or flash cards or something...might make some). It was great to go to www.microsoft.com and get www.linux.com and amazon lead go google haha.

We did it using Ethercap with a MITM attack. Took a little while to set up (or at least for me it does). Worked out great!

But I was thinking, is there another way to do a DNS Spoof attack with a little less software and Ethernet traffic (such as MITM). Iv been working with Nemesis. And it got me thinking.

Let me go back to basics just in case im mis-understanding anything.

When you go to www.google.com, your computer checks with your local DNS server to resolve www.google.com to its static IP (if you have a local DNS server) and when it resolves (if it does) it leads you to www.google.com. If it cant find it on the Local DNS it checks with your ISPs DNS then goes to the Root DNS servers. Then that IP under www.google.com gets cached in Windows for a certin amount of time. Then when you go to www.google.com again it checks whats cached and pulls up that entry.

Now if my logic for that is correct, I went to a website that i KNOW was not cached on my laptop while I was running Wireshark. After the page was fully loaded I looked at Wireshark and it showed 2 DNS packets. A request and a answer? If im correct that should be cached now.

Now im thinking i could use Nemesis and data carving to take a DNS answer packet straight from Wireshark, modify it using Hex to a different address, convert it back to binary (.bin file). And then I load up Nemesis and specify the source (my router), the destination (The victim), port 53 (DNS Port) and the payload GoogleDNS.bin which is say, amazon URL bound to googles IP. Then I inject it into my network and the victim receives it and caches it? Then when they visit Amazon and go to google! Spoof complete!

Now here is the complications:

I'm running Nemesis on my Linux router via SSH. All I get on Wireshark is a bunch of SSH port 22 gibberish. Will this ruin the GoogleDNS.bin payload? Also, Once I modify the amazon packet from Wireshark, how can I convert the text into a binary file that is recognized as a valid payload packet? Next question is how could i send the payload to all my computers on the network (-D 255.255.255.255)? Lastly I thought of this all by myself, hence I could be very, very wrong about all of this! Haha.

[imported_cybrsnpr]

I think you have the right idea, but I also think you are really trying to kill a gnat with a small nuclear device! Unless the "chase to create something new" or "do this a different way" is what motivates your interest in the subject. If so, "you go man!".

There are tools besides ettercap which will already do the dns packet mangling for you. dnsspoof comes to mind immediately. Scapy would do this too (although it is a bit more difficult to set up).

If you are looking for a "different type" of dns spoof. Look into the WPAD hack. Works against IE only (AFAIK). There are a few papers on it (just google). It isn't that hard to set up.

[>Dart>]

I think you have the right idea, but I also think you are really trying to kill a gnat with a small nuclear device! Unless the "chase to create something new" or "do this a different way" is what motivates your interest in the subject. If so, "you go man!".

There are tools besides ettercap which will already do the dns packet mangling for you. dnsspoof comes to mind immediately. Scapy would do this too (although it is a bit more difficult to set up).

If you are looking for a "different type" of dns spoof. Look into the WPAD hack. Works against IE only (AFAIK). There are a few papers on it (just google). It isn't that hard to set up.

Could I use the part about the gnat and the small nuclear devices as my sig lol. That was great. But I guess. Ill look into dnsspoof and Scapy. Maybe i could work with them. But I do want to try this nemesis idea to see if i would work. I just am wondering if anyone has ever tried that or if anyone can see difficulty's down the road. And thanks for the encouragement. I dont get a lot of that

[imported_cybrsnpr]

Could I use the part about the gnat and the small nuclear devices as my sig

You certainly can!

I've just never used nemesis, so I don't know what it can do. Give it a try and if it works out, write it up!!! Worst case scenario, it doesn't work out but you learn a lot of stuff about the tool, packets and networks.

Good Luck...

[>Dart>]

Well in the past, iv learned a lot ways of how to make something NOT WORK...then what I have found that does work. Haha.

[imported_cybrsnpr]

iv learned a lot ways of how to make something NOT WORK

That's called "narrowing down the possibilities"

[compaq]

It should work >dart>.
The target send a request to the dns server, and you intcept it with wireshark, and record the dns seq number(forgot the name for them), and stop the dns responding or if its a internet one, make sure your replie is quicker, it will use your ip.

[>Dart>]

It should work >dart>.
The target send a request to the DNS server, and you intercept it with Wireshark, and record the dns seq number(forgot the name for them), and stop the DNS responding or if its a internet one, make sure your replie is quicker, it will use your ip.

Hmm...well that's not exactly what I had in mind, but that could work. Just a few questions:

For the DNS sequence number of the DNS query packet, would I have to "compile" a new payload with that sequence number hard coded into it, or could I specify the sequence number with the -s switch on Nemesis? Next what would be the best way to to "stop the DNS from responding" on my local network. Also for using a WAN DNS server, exactly how many seconds do you think I would have to intercept it with my spoofed packet? (Ill test that tomorrow, I did not think about looking at the time stamps). Lastly, if say I have a payload saved with Amazon leading to Google, and the person does a DNS query for say Yahoo and I reply with my Amazon to Google packet, they would just get a "Page cant be found" or would it bring up the response (Google) regardless what the packet resolves to (amazon) or what they requested (Yahoo)?

[compaq]

Hmm...well that's not exactly what I had in mind, but that could work. Just a few questions:

For the DNS sequence number of the DNS query packet, would I have to "compile" a new payload with that sequence number hard coded into it, or could I specify the sequence number with the -s switch on Nemesis? Next what would be the best way to to "stop the DNS from responding" on my local network. Also for using a WAN DNS server, exactly how many seconds do you think I would have to intercept it with my spoofed packet? (Ill test that tomorrow, I did not think about looking at the time stamps). Lastly, if say I have a payload saved with Amazon leading to Google, and the person does a DNS query for say Yahoo and I reply with my Amazon to Google packet, they would just get a "Page cant be found" or would it bring up the response (Google) regardless what the packet resolves to (amazon) or what they requested (Yahoo)?

Can't remeber off the top of my head wither nemesis arp has a ISM or ICM(seq number, some thing like that, I will check wireshark latter). You could proable stop the local dns(if router),by updateing the arp table with there mac as yours, if its a computer i'm not to shore. If you made a program to automaticly recive the packet and fill in the data and send it, it should be quicker(22ns for lan say and 1ms repley from ISP, add processing time)
If the asked page was for yahoo and the repley came back with a google feild(0x36 i think in wireshark) the packet would be droped and the real packet will get recived.You will need Transaction ID,A record(0x36) that was sent not recived.

I tryed to do something like this awhile ago, and didn't have much luck, if you get it props.

[Andy90]

Forgive me for probably saying something daft, but is this really a 'new way', to me beating the real response with a forged packet of your own with a manual sequence number is the standard way?