DNS (Domain Name Server): is a special server designed to resolve domain names into IP addresses. So when a user sends a request to a particular server asking to load up a web page, because computers on the net communicate using IPs and not domain names, they need to transfer the request over to the domain name server to search for the requested web page and link it to its IP address then loads it up. The DNS translates domain names to the IP addresses of the servers hosting the websites.
DNS spoofing, also referred to as DNS cache poisoning, is a form of computer security hacking in which corrupt Domain Name System data is introduced into the DNS resolver’s cache, causing the name server to return an incorrect result record, e.g. an IP address.
Alright guys, we’ve gotten over how to be the man in the middle and reading the requests & responses that pass through our machine.
To modify packets sent or received, we’ll need to be able to intercept the packet before we can modify and send it, but that means that the original request or response will be sent first, leaving our modified packet not executed. Which we definitely don’t want, it’ll defeat the whole purpose of intercepting and modifying the packets.
To make sure that our intercepted and modified packets are acknowledged and executed, we’ll need to store the requests and responses in a queue, access them for modification before sending the modified packets only.
To do this, we’re going to use a program called IP tables, which allows the modification of routes rules on computers.
In the program iptables the -I argument specifies a chain that is to be modified, in our case it’s the forward chain, which is the place where the packets that come through our machine are placed in by default. We’ll put it in an NFQUEUE (Net Filter Queue) and specify the queue number (you can use whatever number you want), all the packets will be trapped in this queue. It works, if you get nothing back.
This command can be executed using the subprocess module in our program, since it is a simple Linux command.
With this command, we just created the queue, where any requests or responses we get while being the man in the middle, will be trapped in the queue. Next, we’ll need to be able to access this queue from our Python program, to do this we’ll need to install a module called netfilterqueue.
If you get errors while installing netfilterqueue, use the following command before trying the pip install again.
If you still get errors, then finally you can use both this commands and I’m certain they’ll work. I had to go search on Google when I got my errors and these worked for me. If you still get errors, my friend, start praying about it. LOL
Kidding, just Google and see what you get or reach out to me and we can Google it together. Two heads and all that jazz.
Hopefully, you were able to install it, and we’re going to import it into our Python program.
We’ll use this module to create an object to interact with whatever queue number you create, which in my case is queue-num 0. Which creates an instance of a netfilterqueue object, placing it in a variable called queue.Then connect the object with the queue we created, using the same number for the queue we created in our terminal earlier (in my case it’s 0) and gave it a call back function that will execute on each packet trapped inside our queue. Finally, we run the created queue.
NB: In order to be the man-in-the-middle, you need to execute the ARP spoof script, so the victim will be sending the DNS requests to your machine first, instead of directly routing them into the Internet.
To test this, we have to be the MITM first before running it. This will allow us to receive the packets but the visited website in our target machine won’t load because all the packets gets trapped in the queue and are being accessed by our Python programs but we’re not forwarding the packets to the target, the target isn’t receiving the packets.
So we need to either use accept packet, like this
OR
We can just drop the packets, which will allows us to be able to cut the internet connection of the target. For this the visited website in the target machine won’t load, because we succeed in cutting off the internet connection, so our program doesn’t forward the packets but traps them.
Now we’ve gotten a hang on intercepting packets, now we’re going to see how to modify them before accepting and forwarding them to their destination.
First, we’re checking if our packet contains a DNS response and if the question that caused the response is a domain that we want to target (www.google.com). If it is, we create a spoofed answer, modify the scapy packet to use this answer and then modify a few fields to make sure the packet will work and not get corrupted after the answer is modified.
All the modification is done in the variable called scapy_packet, which is gotten from the packet that is being sniffed and trapped in the queue. So we set the sniffed packet to the modified packet, before we send it through, invoking the packet.accept will forward the modified packet to the target.
NB: Kali comes with a web server preinstalled in it and to start it, use the command ‘service apache2 start’. This will allow the access of the website stored on this server using the IP of the Kali machine, to get Kali’s IP, use the command ‘ifconfig’. Then copy and paste the IP in a web browser and then access the default website stored on the web server. I used this as the redirected load-up page locally (which was my Kali), but you can use any IP address you want and perform remote attacks too.
Before running the program, don’t forget to run your IP tables redirect to queue num 0, which will trap the packets. This is at the top.
We can redirect any request to any domain to any other server. This can be used to server up fake pages, login pages, even downloads, updates and much more. Here, I’m only focused on the programming aspect and not the carrying out of the attack, i’ll most likely get around to uploading a post on this is in the Ethical hacking category, in the near future.
Here’s the full code
NB: Make sure you delete the IP tables we created in the beginning of this post, after you’re done carrying out the attack. To do that, we use the ‘iptables –flush’ command.
Next up, we’ll be writing a file injector program.
DISCLAIMER: I’m not responsible for using this script in a network you don’t have permission to, use it on your own responsibility.
Learn also: Build a network scanner in Python.
Until next time, Keep learning. Keep hacking. And don’t forget to breathe!
Phoenix Information Security 