
It's perhaps my lack of deeper knowledge of how DNS, NAT or TCP work, but I have been thinking about the following scenario and can't figure out the following problem which arises in a DNS-spoofing MITM attack:

Imagine a MITM attack which is carried out using DNS spoofing. A victim tries to connect to server A (www.example.com), but since it uses a rogue primary DNS, it gives him a false IP address of another server B. Now, since the victim thinks it has the correct IP address, it starts some communication with B. The attacker wants to just intercept the traffic and forward it to its proper destination, so he doesn't raise the victim's suspicion. How does the attacker know the original destination?

In case the communication is HTTP, then this is easy since every request carries its URL. But what happens in the more general case of just some ordinary TCP packet (non-HTTP)? Since the TCP header now contains the attacker's server B IP address, how does the attacker know the original destination of this packet?

My particular thought is that the attacker spoofs 2 or more domain names pointing to servers running services at the same port numbers.

NumberFour
  • Are you presuming the DNS is not owned by the same attacker as the rogue website? Because the attack usually works the way that the attacker has both the DNS (so he knows what addresses the user wants) and the website (so he can do malicious stuff) in control. Plus if you spoof the site, it's very likely it's gonna be one address, which means if you spoof Facebook and host a false FB site, you know where to redirect traffic. And the last point - HTTP doesn't carry a URL (maybe in the Referer header), just the path like example.com**/path/to/resource** – user1164108 Feb 13 '15 at 18:59
  • Okay, my thought was that the attacker owns the DNS and spoofs multiple domains which have services running at the same port numbers. – NumberFour Feb 13 '15 at 19:07
  • 2
    Then he'll most likely use virtual hosting (one server hosts multiple websites). With every HTTP request the browser includes "Host: example.com" header and when it reaches server, it knows what to serve. [More info](http://en.wikipedia.org/wiki/Virtual_hosting) – user1164108 Feb 13 '15 at 19:13
  • This is the answer, please post to get credit. – David Houde Feb 13 '15 at 19:43
  • @user1164108: But in case of other communication than HTTP he doesn't get to know "Host: ..." so he's out of options? – NumberFour Feb 13 '15 at 20:08

1 Answer


HTTP protocol

For HTTP this could be generalized to

How does a web server hosting multiple websites know which one to serve?

This is through a technique called Virtual Hosting, in which the browser appends a Host header to every request sent and the web server serves the content of the wanted site, deciding via the header. So if I host foo.com and bar.com on the same server and want to visit my foo site, the browser will append (determined by the URL address in the browser) a "Host: foo.com" header.

More info on Wikipedia

Other protocols

Here you have a problem - you do not know. Either you can just capture the DNS request (which is also very useful) and send it to its original destination, or you can spoof the destination, but then you need to have some listener on the given port waiting for specific traffic. This could be used to steal authentication credentials or something like that, but it's a very targeted attack.

Otherwise it's very protocol specific. Maybe the application layer protocol supports something similar to HTTP's Host header.

Let's presume you know that foo.com is also listening on port 21 (FTP protocol). If you knew this, you could spoof the DNS to redirect to your server where your FTP server is listening and steal his credentials.

If you don't have a server listening - by spoofing his traffic, all you can do is DoS him, as your rogue DNS is pointing him to places which don't exist.

Hope this answers your question correctly.


user1164108
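As an added illustration of the Host-header routing described in the answer (example code, not from the original post): a minimal virtual-host dispatcher that extracts the Host header from an HTTP/1.x request, and shows that a non-HTTP stream (constructed FTP client lines here) gives the server nothing to route on. The sample requests and the foo.com/bar.com site table are constructed for this example.

```python
import re

# Constructed sample traffic (not from the original post).
HTTP_FOO = (b"GET /index.html HTTP/1.1\r\n"
            b"Host: foo.com\r\n"
            b"User-Agent: example\r\n\r\n")
HTTP_BAR_PORT = b"GET / HTTP/1.1\r\nhost: BAR.com:8080\r\n\r\n"  # odd case + port
HTTP_NO_HOST = b"GET / HTTP/1.0\r\n\r\n"                           # no Host at all
FTP_STREAM = b"USER alice\r\nPASS s3cret\r\n"   # constructed FTP client lines

# Sites hosted on this one server, keyed by lower-case hostname (constructed).
VHOSTS = {"foo.com": "foo-site", "bar.com": "bar-site"}

REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")


def extract_host(raw: bytes):
    """Return the hostname from an HTTP/1.x request's Host header, or None.

    None means the bytes are not an HTTP request or carry no Host header:
    the situation the answer describes for other protocols, where the
    server cannot tell which site the client actually meant.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:                       # no complete HTTP header block
        return None
    lines = head.split(b"\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return None                   # request line is not HTTP/1.x
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            return re.sub(r":\d+$", "", host)   # drop an optional :port suffix
    return None


def route(raw: bytes) -> str:
    """Pick the virtual host to serve, as a virtual-hosting web server does."""
    host = extract_host(raw)
    if host is None:
        return "400 Bad Request (no Host header / not HTTP)"
    return VHOSTS.get(host, "404 unknown site")


if __name__ == "__main__":
    for sample in (HTTP_FOO, HTTP_BAR_PORT, HTTP_NO_HOST, FTP_STREAM):
        print(sample[:20], "->", route(sample))
```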