DNS Attack

Dalia Solomon
DNS BACKGROUND
DNS is short for Domain Name System (or Service or Server). DNS is an Internet service that
translates domain names into IP addresses. Because domain names are alphabetic, they are
easier for people to remember; Internet traffic, however, is really based on IP addresses.
Every time you use a domain name, therefore, a DNS service must translate the name into the
corresponding IP address. For example, the domain name www.example.com might translate to
198.134.272.5.
CONFIGURATION
The trace used in this experiment was taken on a private network. Two laptops and a Linux
BIND DNS server were connected via a NAT router. The router was connected to a Clarkson
Internet-routable address for Internet connectivity.
Attacker: Laptop A
IP: 192.168.0.4
MAC: 00-0c-29-df-af-9b
Victim: Laptop B
IP: 192.168.0.2
Man in the middle: A “man in the middle” attack is performed when a malicious user is able to
read, and possibly modify at will, messages between two parties without letting either party
know that they have been attacked. The malicious computer forwards frames between the
two computers, so communications are not interrupted. In our case laptop A will be the “middle
man” between laptop B and the DNS server.
This particular attack: In this attack a program was used to mimic a real DNS server,
returning only A records that point to its own IP address. In other words, no matter what domain
you ask for, you get the attacking computer’s address in return. This, in itself, is useless unless
you can tell the computers on your network that you are really the DNS server. This is where the
MAC address spoofing comes in. With the MAC address spoof you can convince the computers
on your LAN that the MAC address (and thus the NIC to talk to) of the DNS server is your
own computer’s.
KNOPPIX
“Knoppix STD”: STD stands for Security Tools Distribution. Knoppix-STD is a customized
distribution of the Knoppix Live Linux CD. Knoppix STD is a bootable CD with a Linux OS
(Linux kernel 2.4.2) and an emphasis on information security tools. STD focuses on information
security and network management tools.
The tools are divided into the following categories:
- Authentication
- Encryption utilities
- Firewalls
- Penetration tools
- Vulnerability assessment
- Forensic tools
- Honeypots
- Intrusion detection
- Packet sniffers and assemblers
- Network utilities
- Wireless tools
- Password auditing (crackers)
- Servers
Step I
Laptop A was booted from the CD drive with Knoppix STD.
Laptop B runs Ethereal 0.10.3.
Step II
On laptop A, I type the following command:
arpspoof -i eth0 192.168.0.3
Arpspoof intercepts packets on a switched LAN. Its usage is:
arpspoof [-i interface] [-t target] host
-i interface
Specify the interface to use.
-t target
Specify a particular host to ARP poison (if not specified, all hosts on the LAN).
host
Specify the host you wish to intercept packets for (usually the local gateway).
Laptop A constantly sends the victim computer, laptop B, ARP replies telling it that the MAC
address 00-0c-29-df-af-9b, which is actually our MAC address, belongs to the IP of the DNS
server (192.168.0.3). Almost immediately the victim computer, laptop B, believes us and makes
a wrong entry in its ARP cache. (The weak security of the ARP protocol was not intentional: the
protocol code has been in use for a long time, and in the original design security was not an
issue.) When laptop B wants to send an IP packet to the DNS server, it sends the Ethernet frame
to laptop A’s MAC address, so laptop A actually gets the IP packet.
On laptop A, we have the following screen:
The above screenshot shows us the status of the MAC spoofing. It lets us know each time a reply
packet is sent. The first column is the MAC of the attacking computer (laptop A); the second is
the Ethernet broadcast address (to send it to everyone in our switch’s broadcast domain); the 7th
column is the address of the real DNS server; and the 9th column is again the MAC address of the
attacker (laptop A). This means that the attacking machine (laptop A) tells the entire network
that the attacking computer’s MAC resolves to the real DNS server’s IP address. Once we have
this in place we have effectively told every computer on our LAN that we are indeed the real
DNS server.
The following is an Ethereal trace taken on laptop B, showing the ARP reply.
Notice, when I type the command (on laptop B):
arp -a
we see that both laptop A and the DNS server have the same MAC address, 00-0c-29-df-af-9b.
The command arp -a shows us the local machine’s ARP table. This table gives the machine a set
of remembered MAC addresses for IP addresses so that it does not need to broadcast repeatedly to
find this information for each network transmission. Our arpspoof exploit depends on the
fact that when a machine receives an ARP reply it assumes it sent the request and puts the entry
into its ARP table without question. If the ARP code were modified to check whether a request
was sent before adding to its table, all the switched-network exploits would become
useless.
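The symptom described above (two IP addresses sharing one hardware address in the ARP table) and the stream of replies shown in the arpspoof screenshot can both be caught from the victim’s side. The following is an added example, not code from the original report: it parses constructed `arp -a` output modelled on laptop B, and the known-good MAC for the DNS server is a placeholder, since the report does not give it.

```python
import re
from collections import defaultdict

# Constructed sample of `arp -a` output on laptop B after the spoofed
# replies: the DNS server (192.168.0.3) and laptop A (192.168.0.4)
# now share laptop A's hardware address.
SAMPLE_ARP_A = """\
Interface: 192.168.0.2 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           00-11-22-33-44-55     dynamic
  192.168.0.3           00-0c-29-df-af-9b     dynamic
  192.168.0.4           00-0c-29-df-af-9b     dynamic
"""

# Hypothetical known-good bindings recorded before the lab; the real DNS
# server's MAC is not given in the report, so this value is a placeholder.
KNOWN_GOOD = {"192.168.0.3": "00-11-22-33-44-66"}

# Matches both the Windows ("ip  mac  type") and Linux ("? (ip) at mac") forms.
ARP_LINE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?"
    r"(?P<mac>(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})", re.IGNORECASE)

def parse_arp_table(text):
    """Return {ip: mac} with MACs normalised to lower-case, dash-separated."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower().replace(":", "-")
    return table

def find_poisoning(table, known_good):
    """Flag the two symptoms seen in the lab: one MAC claiming several IPs,
    and a critical host whose MAC differs from its recorded binding."""
    alerts = []
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(("duplicate-mac", mac, sorted(ips)))
    for ip, expected in known_good.items():
        seen = table.get(ip)
        if seen is not None and seen != expected.lower().replace(":", "-"):
            alerts.append(("binding-changed", ip, seen))
    return alerts

if __name__ == "__main__":
    for alert in find_poisoning(parse_arp_table(SAMPLE_ARP_A), KNOWN_GOOD):
        print(*alert)
```

Run periodically against the live `arp -a` output, the duplicate-MAC check needs no prior knowledge of the network, while the binding check catches a poisoned entry for a single critical host such as the DNS server or gateway.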
NSLOOKUP
Nslookup is a DNS testing tool. Nslookup allows you to make a command-line request for a
DNS resolution. It will let you know if it finds a CNAME record and returns the referenced name
with its A record or, if there is no CNAME, it will return the A record (the IP of the host). For
further exploration, a Linux tool called dig can give you more verbose results about DNS
resolutions as well as traces of recursive queries.
The following screenshot shows that every time laptop B enters any domain name, the IP
address returned will be 192.168.0.4, which is actually laptop A’s IP address.
Step III
I open another bash shell on laptop A and type the following command:
dnsspoof
This command will allow laptop A to see all the websites laptop B is trying to reach.
Here is a list of websites laptop B accessed.
From our screenshot of dnsspoof, we can see that this program simply returns A records pointing
to its own address for any queries received. This can be useful information to track where users
are going. As you can see from the last column, we have the names of the web sites asked for by
the tricked computer, so we can see what sites they intended to explore.
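The nslookup screenshot and the dnsspoof output both show the same symptom: every name resolves to 192.168.0.4. The check below is an added example, not from the original report; it probes a few unrelated names through whatever resolver the host currently trusts and flags the collapse to one address. A constructed resolver function stands in for laptop B’s real one so the example runs offline.

```python
import ipaddress
import socket
from collections import Counter

# Unrelated names to probe; all three appear elsewhere in this write-up.
PROBE_NAMES = ["www.google.com", "www.example.com", "www.knoppix-std.org"]

# RFC 1918 ranges: a public name answering with one of these is the lab's
# symptom (everything resolves to laptop A, 192.168.0.4).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def resolve_all(names, resolver=socket.gethostbyname):
    """Resolve each name through `resolver` (by default the system resolver,
    i.e. whichever DNS server the host currently believes in); None on failure."""
    answers = {}
    for name in names:
        try:
            answers[name] = resolver(name)
        except OSError:
            answers[name] = None
    return answers

def detect_dns_spoof(answers):
    """Return (suspicious, reason). Unrelated public names collapsing to a
    single address is what dnsspoof produces; a private address is decisive."""
    addrs = [a for a in answers.values() if a]
    if len(addrs) < 2:
        return False, "not enough answers to judge"
    addr, count = Counter(addrs).most_common(1)[0]
    if count != len(addrs):
        return False, "answers differ across names"
    if any(ipaddress.ip_address(addr) in net for net in PRIVATE_NETS):
        return True, f"all {count} names resolve to LAN address {addr}"
    return True, f"all {count} names resolve to the same address {addr}"

# Constructed stand-in for laptop B's resolver while dnsspoof is running.
def spoofed_resolver(name):
    return "192.168.0.4"

if __name__ == "__main__":
    print(detect_dns_spoof(resolve_all(PROBE_NAMES, spoofed_resolver)))
```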
Step IV
On laptop A,
a) /etc/init.d/apache start
Laptop A, doing the spoofing, is 192.168.0.4, and laptop B, being spoofed, is 192.168.0.2. If I am
on 192.168.0.2 and I put www.google.com in the browser, my laptop (B) has www.google.com
resolve to 192.168.0.4, so it sends a request to 192.168.0.4, which is laptop A. If 192.168.0.4 has
no web server running, 192.168.0.2 will get an error and no page will load, but if there is a web
server then it will get whatever page we have as index.htm.
The following screenshot illustrates the scenario where laptop B enters an invalid URL and
gets the default index.htm of laptop A, which is the Apache index page in our case.
Note: This will work only where the URL laptop B requests is the main page (www.google.com).
In all other cases, such as www.google.com/example, laptop B will get a 404 error, page not found.
b) edit /var/www/index.htm
c) Write the HTML code. In our case: “you’ve been spoofed”.
What we are doing here: since our spoofed DNS server replies to any request with the IP
address of our computer (laptop A), we need a web server running to answer these requests. In
our example, I started the Apache web server and then modified index.htm to what we want the
spoofed computer (laptop B) to see.
Every time laptop B tries to access a specific web site, it will get the screen with the message
“you’ve been spoofed”.
Laptop B attempts to access www.google.com:
Packets 832-837 and 839 are the packets carrying index.htm. If you follow the TCP stream you get
the following screen. Notice that in the red text it lists the Host as www.google.com.