[!] Legal disclaimer: Usage of this software for attacking targets or networks without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.
Manipulation of DNS traffic is a very dangerous attack. Knowing how it works, and how the code that performs this spoofing is written, is important in understanding how to protect against it. For our assignment we implemented a very simple ARP and DNS spoofer in Python that sends spoofed DNS responses to a victim, redirecting all of their web requests to an IP address you specify.
Our application has these main components:
- Start → Get user input of the IP addresses needed for spoofing
- Setup → Enable IP forwarding, and add an iptables rule so that the legitimate DNS responses are not forwarded back to our victim
- Initialize → Craft our ARP packets, then start our threads
- ARP Thread → This thread sends out the spoofed ARP packets to the router and victim
- DNS Thread → Here we sniff for incoming DNS requests, and send back spoofed responses redirecting the victim to our spoofing web service
The following requirements were given for a successful DNS spoof implementation:
- Your application will simply sense an HTML DNS Query and respond with a crafted Response answer, which will direct the target system to your own web site.
- You will test this POC on a LAN on your own systems only. This means that you are not to carry out any DNS spoofing activity on unsuspecting client systems.
- You are required to handle any arbitrary domain name string and craft a spoofed Response.
Based on the requirements above, we came up with the test cases below to test the application against. Our results and discussion of each test case are presented in the following sections.

| # | Scenario | Tools Used | Expected Behavior | Actual Behavior | Status |
|---|----------|------------|-------------------|-----------------|--------|
| 1 | Sense HTML DNS Queries | Wireshark, Scapy, Python | Victim's DNS Queries appear on attacker's machine | Victim's DNS Queries appear on attacker's machine | Pass |
| 2 | Send back spoofed DNS responses | Python, Scapy, Wireshark | DNS Responses appear on both attacker and target machines as DNS responses | DNS Responses appear on both attacker and target machines as DNS responses | Pass |
| 3 | Victim is redirected to our web service | Node.js, Chrome | User is redirected to our "You have been spoofed" site when they try to navigate to any A record URL | User is redirected to our "You have been spoofed" site when they try to navigate to any A record URL | Pass |
| 4 | Handle any arbitrary domain name string and craft a spoofed Response | Python, Scapy, Wireshark | We send spoofed packets on any DNS request from the victim | We send spoofed packets on any DNS request from the victim | Pass |
An example of how we started our application:
DNS Queries as they appear on the attacker's machine.
DNS Queries as they appear in our spoofer application.
Here is a response that our spoofer has sent, as seen by the attacker's machine.
**An answer as seen by the victim machine:**
As you can see, the spoofed response is for milliways.bcit.ca, but the address is shown as 192.168.2.50.
**Nslookups as seen by the victim machine:**
Here we demonstrate how all nslookups turn up as our spoofed address of 192.168.2.50, where our web server is running.
When the victim navigates to any web page, they will be redirected to our "You have been spoofed" web page.
As you can see, even mobile devices can be affected by this spoof:
Any arbitrary request will be redirected:
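The two behaviours demonstrated above (a second MAC claiming the gateway IP in ARP replies, and every queried name resolving to the single address 192.168.2.50) are exactly what a network monitor can key on. The following detector is an added example, not part of our spoofer; the event list is constructed, the gateway IP 192.168.2.1 and all MACs are assumed, and 203.0.113.7 is a documentation address used for the one legitimate answer.

```python
from collections import defaultdict

# Constructed sample records (not a real capture). Two record kinds:
#   ("arp", sender_ip, sender_mac)  -> an ARP reply seen on the LAN
#   ("dns", query_name, answer_ip)  -> the A record in a DNS response
SAMPLE_EVENTS = [
    ("arp", "192.168.2.1", "aa:aa:aa:aa:aa:01"),   # assumed real gateway MAC
    ("arp", "192.168.2.1", "aa:aa:aa:aa:aa:01"),
    ("arp", "192.168.2.1", "de:ad:be:ef:00:50"),   # a second MAC claims the gateway IP
    ("dns", "milliways.bcit.ca", "192.168.2.50"),  # every name answers with one IP
    ("dns", "example.com", "192.168.2.50"),
    ("dns", "example.net", "192.168.2.50"),
    ("dns", "example.org", "192.168.2.50"),
    ("dns", "legit.example", "203.0.113.7"),       # one ordinary answer for contrast
]


def detect_arp_flaps(events):
    """Return {ip: sorted MACs} for every IP that more than one MAC has claimed.

    A poisoning attack like the ARP thread above makes the gateway IP appear
    with the attacker's MAC alongside the real one.
    """
    macs_by_ip = defaultdict(set)
    for kind, *fields in events:
        if kind == "arp":
            ip, mac = fields
            macs_by_ip[ip].add(mac.lower())
    return {ip: sorted(m) for ip, m in macs_by_ip.items() if len(m) > 1}


def detect_dns_sinkhole(events, min_names=3):
    """Return {answer_ip: sorted query names} for answers shared by many names.

    Spoofing every query to one address (the "any A record URL" case above)
    shows up as unrelated domains all resolving to the same IP.
    """
    names_by_ip = defaultdict(set)
    for kind, *fields in events:
        if kind == "dns":
            qname, ip = fields
            names_by_ip[ip].add(qname.lower().rstrip("."))
    return {ip: sorted(n) for ip, n in names_by_ip.items() if len(n) >= min_names}


if __name__ == "__main__":
    print("ARP flaps:", detect_arp_flaps(SAMPLE_EVENTS))
    print("DNS sinkhole:", detect_dns_sinkhole(SAMPLE_EVENTS))
```

On a real network the same two functions can be fed from a packet capture; a static ARP entry for the gateway and DNSSEC-validating or DoH resolvers remove the conditions these checks look for.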
After doing this assignment we have realised how easy it is to perform these types of man-in-the-middle attacks on unsuspecting networks. It really demonstrates the necessity of protecting ourselves and our information when we are navigating the web on any network.
By writing this application we better understand the ARP and DNS protocols, and we will be much more effective as security admins out in the field.