DNS Despoof(er)
August 6, 2010
These days I have been playing with some well-known tools for DNS spoofing on both *nix and Windows: dnsspoof (part of the dsniff suite) and WinDNSSpoof, which I learned about only recently.
While analyzing how these tools generate their DNS replies I noticed something interesting:
If a query is forged with arbitrary trailing bytes after the question section, those bytes are replicated in the spoofer's reply. Since the response must contain a copy of the question sent to the server, the spoofer builds it with a simple memcpy() of the incoming packet, without fully parsing it. A genuine resolver, which parses the question, does not echo the extra bytes.
Thanks to this behavior we can easily find out whether we are victims of DNS spoofing, as long as the attacker uses one of these stateless tools (essentially pcap-based sniffers that answer every query they see). This detects the spoofer even when the attacker is not using ARP spoofing or other visible techniques.
So I wrote a script, quite easy to use, to automate this test. It is based on the hping3 Tcl shell, which provides (IMHO in an easier way than scapy) a framework for packet forging. Let's see how to use the tool:
root@backtrack-base# hping3 exec dns_despoof.tcl
DNS Despoofer - Emanuele "Crossbower" Acri - 2010
Usage: hping3 exec dns_despoof.tcl <server> <interface> (<action:search|crash>)

root@backtrack-base# hping3 exec dns_despoof.tcl 192.168.56.101 vboxnet0 search
SPOOFER DETECTED!
In this case dnsspoof was running.
The tool has a second function: crash. It injects a malformed query in which the DNS name is not terminated by a null byte. Tools that fail to parse the request properly exhibit a nice segfault. This is the case for WinDNSSpoof.
dnsspoof, instead, uses dn_expand(), declared in resolv.h, which detects this kind of error (it returns a negative value) so that the packet is simply discarded:
if ((i = dn_expand((u_char *)dns, end, p, name, sizeof(name))) < 0) return;
Crash example:
root@backtrack-base# hping3 exec dns_despoof.tcl 192.168.56.101 vboxnet0 crash
Bullet fired...
Try again to search for spoofers:
1) No responses: the spoofer has probably crashed (windnsspoof).
2) Responses: it's a well written spoofer (dnsspoof).
Running the search action again shows whether the tool crashed or not, so this can also serve as a sort of fingerprint.
Here's the source code of the tool (http://pastebin.com/78y4snFk). It only sends a query for the name "google.com", but it can easily be adapted.
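Both checks above (the trailing-bytes "search" and the unterminated-name "crash" probe) can be reproduced without hping3. The following Python is an added example written for this page, not the author's Tcl script: it builds the two probes, implements the despoof check, and, because it has to run offline, includes two simulated responders (a memcpy()-style spoofer and a parsing resolver) whose behaviour is an assumption modelled on the description above, not code from dnsspoof or WinDNSSpoof. The canary bytes, the transaction id and the answer addresses are constructed values. The probe() function sends the real query over UDP/53.

```python
import socket
import struct

# Constructed canary: arbitrary bytes appended after the question section.
# A resolver that parses the query never copies them into its reply; a
# memcpy()-style spoofer does.
CANARY = b"\xde\xad\xbe\xef\xca\xfe"
HEADER_LEN = 12


def encode_name(name, terminate=True):
    """Wire-format a DNS name. terminate=False omits the final zero-length
    label, producing the malformed name used by the 'crash' action."""
    labels = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.split("."))
    return labels + b"\x00" if terminate else labels


def build_query(name="google.com", txid=0x1234, trailing=b"", terminate=True):
    """Recursive A/IN query plus optional trailing bytes (txid is a constructed value)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    question = encode_name(name, terminate) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    return header + question + trailing


def question_end(packet):
    """Offset just past the question section, walking the labels the way a
    careful parser such as dn_expand() does: refuses names that run off the
    end of the packet instead of reading out of bounds."""
    pos, end = HEADER_LEN, len(packet)
    while True:
        if pos >= end:
            raise ValueError("name not terminated within packet")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in a query name")
        pos += length
    if pos + 4 > end:
        raise ValueError("question truncated (no room for QTYPE/QCLASS)")
    return pos + 4


def is_well_formed(packet):
    """What a careful parser decides about a packet; False for the crash probe."""
    try:
        question_end(packet)
        return True
    except ValueError:
        return False


def stateless_spoofer_reply(query, addr="10.0.0.1"):
    """Simulated pcap-based spoofer (assumed behaviour, not the real dnsspoof code):
    copies everything after the header verbatim, trailing junk included, then
    appends one forged A record pointing at the attacker's address."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(addr)
    return header + query[HEADER_LEN:] + answer


def parsing_resolver_reply(query, addr="93.184.216.34"):
    """Simulated genuine resolver: parses the question and copies only that part."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(addr)
    return header + query[HEADER_LEN:question_end(query)] + answer


def spoofer_detected(query, reply, canary=CANARY):
    """The despoof check: does the reply echo our canary right after the question?"""
    if len(reply) < HEADER_LEN or reply[:2] != query[:2]:
        return False
    qend = question_end(query)  # the reply's question section has the same layout
    return reply[qend:qend + len(canary)] == canary


def probe(server, timeout=2.0):
    """Live equivalent of the 'search' action: send the canary query to server
    over UDP/53 and apply the check. Returns True/False, or None on timeout."""
    query = build_query(trailing=CANARY)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return spoofer_detected(query, reply)


if __name__ == "__main__":
    q = build_query(trailing=CANARY)
    print("stateless spoofer:", spoofer_detected(q, stateless_spoofer_reply(q)))  # True
    print("parsing resolver: ", spoofer_detected(q, parsing_resolver_reply(q)))   # False
    print("crash probe well-formed:", is_well_formed(build_query(terminate=False)))  # False
```

Two caveats when running probe() on a real network. A plain socket returns only the first datagram that arrives, while hping3 sniffs the interface and therefore sees both the spoofer's answer and the genuine server's; if the spoofer loses the race you can miss it, so it is worth repeating the probe or capturing with a sniffer instead. And a genuine resolver may answer the canary query with FORMERR or drop it entirely; neither outcome echoes the canary, so the check stays negative either way.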