Detect DNS Spoofer
About a month ago, I sat down at my computer, typed in google, and a porn webpage came up. After hours of searching for spyware and viruses and coming back with nothing, I tried google again and this time it worked. I realized that I was probably DNS spoofed... no one on my network knows how to do that, I'm sure of it. But my network was not password protected (I know, I'm an idiot), so I figure it was a drive-by. So now I have WPA2. But now it got me thinking about DNS spoof....
My college campus does not password protect their networks. Instead, they use some sort of proxy configuration (I'm not sure of the term, is it tunneling?) that requires you to register what I believe to be the MAC address of your device with your school username and password. I.e., you can connect to the network without problem, but when you go to surf, you're redirected to a page that tells you to login with your username as password, and that page register your device for future use.
So my question is, what's to stop someone from connecting to say, the college library, and not registering the device with their MAC but instead simply DNS spoofing the router? They wouldn't even need to stay connected long, they could connect, spoof, and disconnect and for the next 5 minutes (windows default flush cache time) all websites could be directed wherever the attacker wanted. So what's to stop this?>
You probably mistyped google. Some sites have names like ggoogle.com; they count on users to mistype names like google.com to get traffic.
I don't see why someone would invest so much energy to spoof for only 5 minutes.I can see behind the reason of spoofing, but for only 5 minutes?!?!
Just watch how you type in your browser!
Here is something funny about that and how people choose names:
www.penisland.net . Now go there and buy a pen!
Cheers!
Sorry I didn't mention, every webpage, including google. Google is my homepage and that was spoofed, along with every other address I tried to visit. I have no doubt that it was a DNS spoof because I ran through the list of hosts and someone was definitely pushing traffic through themselves.
I'm trying to look at this from like a prank point of view (not something I would ever do, I'm asking how someone could get caught doing it). Sending a few hundred people (our library is big) to nothing but teletubbies.com for 5 minutes would be kind of hilarious. And it's not investing so much energy, that's what I'm trying to point out, how easy it would be. All they would have to do is arp poison, open a dns spoof, and then turn off the spoof and poison after like 5 seconds. Then they can disconnect from the network and walk away, leaving everyone still connected to it wondering why they're getting rick rolled every time they redirect.
So again, my question: what's to prevent this?
Looked into arpwatch?
wtf?
Assuming you spoof your MAC, arpwatch wouldn't be able to detect any identifying information though. And that's all it can do is detect I think. The attacker will still be able to pull off the attack, but not get caught.Originally Posted by Andy90
How do you intend to 'catch' them? If you mean physically locate them then ok, but if you mean 'be aware' of them then its different.
If they are faking their mac then yes it it wouldn't be picked up by a conflict, but if you have two machines on the same network with same mac, it goes a little mental. I once did this by accident and knew something was up straight away as everything was borked.
Not efficient but would it help?
wtf?
You're right, I said "detect" but what I really mean is identify. Basically, I'm just asking if anyone knows of a way to catch someone stupid enough to do this. So I guess the answer is no as of now, they would be able to get away with it...
yes u can try just type arp -a in cmd (windows box) if u find any mac twice or more means there is someone who is arp poisning your network so just do a complete scan of ur network by nmap and check who have that repeated mac address bcoz he must be the poisnor.
the same u can do by noticing the mac of your dns address
so try ,i think this must help you...................
Let me guess, you have a wireless network that is either Open or protected with WEP?
Or the password for the Wireless network is weak enough to bruteforce? After that it
would be quite common for anyone just to open up Ettercap, Arp Spoof the whole net-
work with the DNS-module if they want to have fun and then everything is pron.
Of course if you're using winbl0wz, the problem might be a trojan arpspoofing you
Stop downloading so much pron ;D Use OpenDNS instead of your ISP's resolver, it's better.
The ways to stop these kinds of attacks is simply just to monitor the arp-table and
yes there are programs to do this kind of thing for you. If you do such an alert box
might come up and bam! Then you arpspoof them off the network or send de-auth
packages to them if they're connected wireless :-D
[quote][I]I realized, that I had fallen down from the top of the mountain into a deep, terrifying and dark hole, just to find out that another mountain in front of me, much greater than the previous, was the next step in life. I began to wander uphill on the next mountain of life while I knew it would be much harder than the previous mountain. [/I]- MaXe[/quote]
Posting Permissions
