Thread: Detect DNS Spoofer

  1. #1
    Just burned his ISO
    Join Date
    Nov 2008
    Posts
    7

    Detect DNS Spoofer

    About a month ago, I sat down at my computer, typed in google, and a porn webpage came up. After hours of searching for spyware and viruses and coming back with nothing, I tried google again and this time it worked. I realized that I was probably DNS spoofed... no one on my network knows how to do that, I'm sure of it. But my network was not password protected (I know, I'm an idiot), so I figure it was a drive-by. So now I have WPA2. But now it got me thinking about DNS spoof....

    My college campus does not password protect their networks. Instead, they use some sort of proxy configuration (I'm not sure of the term, is it tunneling?) that requires you to register what I believe to be the MAC address of your device with your school username and password. I.e., you can connect to the network without problem, but when you go to surf, you're redirected to a page that tells you to log in with your username as password, and that page registers your device for future use.

    So my question is, what's to stop someone from connecting to say, the college library, and not registering the device with their MAC but instead simply DNS spoofing the router? They wouldn't even need to stay connected long, they could connect, spoof, and disconnect and for the next 5 minutes (Windows default flush cache time) all websites could be directed wherever the attacker wanted. So what's to stop this?

  2. #2
    Member godcronos's Avatar
    Join Date
    Jan 2010
    Posts
    103

    You probably mistyped google. Some sites have names like ggoogle.com; they count on users to mistype names like google.com to get traffic.
    I don't see why someone would invest so much energy to spoof for only 5 minutes. I can see behind the reason of spoofing, but for only 5 minutes?!?!
    Just watch how you type in your browser!
    Here is something funny about that and how people choose names:
    www.penisland.net . Now go there and buy a pen!

    Cheers!

  3. #3
    Just burned his ISO
    Join Date
    Nov 2008
    Posts
    7

    Sorry I didn't mention, every webpage, including google. Google is my homepage and that was spoofed, along with every other address I tried to visit. I have no doubt that it was a DNS spoof because I ran through the list of hosts and someone was definitely pushing traffic through themselves.

    I'm trying to look at this from like a prank point of view (not something I would ever do, I'm asking how someone could get caught doing it). Sending a few hundred people (our library is big) to nothing but teletubbies.com for 5 minutes would be kind of hilarious. And it's not investing so much energy, that's what I'm trying to point out, how easy it would be. All they would have to do is arp poison, open a dns spoof, and then turn off the spoof and poison after like 5 seconds. Then they can disconnect from the network and walk away, leaving everyone still connected to it wondering why they're getting rick rolled every time they redirect.

    So again, my question: what's to prevent this?

  4. #4
    Member
    Join Date
    Nov 2007
    Posts
    220

    Looked into arpwatch?
    wtf?

  5. #5
    Just burned his ISO
    Join Date
    Nov 2008
    Posts
    7

    Quote, originally posted by Andy90:
    "Looked into arpwatch?"
    Assuming you spoof your MAC, arpwatch wouldn't be able to detect any identifying information though. And that's all it can do is detect I think. The attacker will still be able to pull off the attack, but not get caught.

  6. #6
    Member
    Join Date
    Nov 2007
    Posts
    220

    How do you intend to 'catch' them? If you mean physically locate them then ok, but if you mean 'be aware' of them then it's different.

    If they are faking their MAC then yes, it wouldn't be picked up by a conflict, but if you have two machines on the same network with the same MAC, it goes a little mental. I once did this by accident and knew something was up straight away as everything was borked.

    Not efficient but would it help?
    wtf?

  7. #7
    Just burned his ISO
    Join Date
    Nov 2008
    Posts
    7

    You're right, I said "detect" but what I really mean is identify. Basically, I'm just asking if anyone knows of a way to catch someone stupid enough to do this. So I guess the answer is no as of now, they would be able to get away with it...

  8. #8
    Just burned his ISO coolabhijits's Avatar
    Join Date
    Mar 2009
    Posts
    13

    Quote, originally posted by Jakamo5:
    "You're right, I said "detect" but what I really mean is identify. Basically, I'm just asking if anyone knows of a way to catch someone stupid enough to do this. So I guess the answer is no as of now, they would be able to get away with it..."
    Yes, you can try: just type arp -a in cmd (Windows box). If you find any MAC twice or more, it means there is someone who is ARP poisoning your network, so just do a complete scan of your network with nmap and check who has that repeated MAC address, because he must be the poisoner.
    You can do the same by noticing the MAC of your DNS address.
    So try it; I think this must help you.

  9. #9
    Member
    Join Date
    Dec 2007
    Location
    @InterN0T
    Posts
    315

    Let me guess, you have a wireless network that is either Open or protected with WEP? Or the password for the wireless network is weak enough to bruteforce? After that it would be quite common for anyone just to open up Ettercap, ARP spoof the whole network with the DNS-module if they want to have fun and then everything is pron.

    Of course if you're using winbl0wz, the problem might be a trojan arpspoofing you. Stop downloading so much pron ;D Use OpenDNS instead of your ISP's resolver, it's better.

    The way to stop these kinds of attacks is simply just to monitor the ARP table and yes, there are programs to do this kind of thing for you. If you do, such an alert box might come up and bam! Then you arpspoof them off the network or send de-auth packages to them if they're connected wireless :-D
    "I realized, that I had fallen down from the top of the mountain into a deep, terrifying and dark hole, just to find out that another mountain in front of me, much greater than the previous, was the next step in life. I began to wander uphill on the next mountain of life while I knew it would be much harder than the previous mountain." - MaXe
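
The checks suggested in posts #8 and #9 (look for a MAC that appears more than once in `arp -a`, and watch the ARP table for changes to the gateway or DNS server entry) can be scripted. The following is an added example, not code from any poster in this thread; the function names and the two sample `arp -a` snapshots are constructed for illustration.

```python
import re
from collections import defaultdict

# One IPv4 address followed by one MAC; matches Windows and Linux `arp -a` rows.
ROW = re.compile(r"\(?(\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?"
                 r"([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})")

# Constructed snapshots: the second is taken while .40 answers for the gateway.
BASELINE = """Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.40          00-0c-29-aa-bb-cc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static"""
CURRENT = """Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-0c-29-aa-bb-cc     dynamic
  192.168.1.40          00-0c-29-aa-bb-cc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static"""

def parse_arp_table(text):
    """Return {ip: mac}, MACs normalised to lower-case colon form."""
    table = {}
    for line in text.splitlines():
        m = ROW.search(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table

def shared_macs(table):
    """MACs that answer for more than one IP, ignoring broadcast/multicast."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        if int(mac[:2], 16) & 1 == 0:   # low bit set = group address
            by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def changed_bindings(before, after, watch):
    """Watched IPs (gateway, DNS server) whose MAC differs between snapshots."""
    return {ip: (before[ip], after[ip]) for ip in watch
            if ip in before and ip in after and before[ip] != after[ip]}

if __name__ == "__main__":
    old, new = parse_arp_table(BASELINE), parse_arp_table(CURRENT)
    for mac, ips in shared_macs(new).items():
        print(f"ALERT {mac} claims {', '.join(ips)}")
    for ip, (was, now) in changed_bindings(old, new, ["192.168.1.1"]).items():
        print(f"ALERT {ip} moved from {was} to {now}")
```

A MAC shared by several IPs can also be a legitimate multi-homed host or router, so a hit is a lead to check against a known-good baseline rather than proof of poisoning.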
