An exercise in exploiting the DNS Cache poisoning attack, that was demonstrated by Dan Kaminsky in 2008.
An illustration of the attack can be found Here
This project has two parts building up to the attack - in the first, I build a simple DNS proxy (dnsproxy.py
) that can be used to spoof DNS replies. The second, poison.py
is an extension of this idea, leading to the Kaminsky attack - poisoning an entire server by spoofing replies.
We will be using the popular BIND (Berkeley Internet Name Domain) program for getting and resolving DNS queries. Also, the user will need Python's Scapy library to run the files (specifically, version 2.3.3).
(Note: The BIND server has been patched so that one doesn't need to spoof IP address of the sent packet such that the IP address matches that of the remote name server. This is because this needs sudo access, which is not always available. In an actual attack scenario, this is required.)
In etc/
, you will find two files: named.conf
and rndc.conf
. You will need to pick random port numbers, greater than 1024 (unless you have root access), and modify the following parameters in the above-mentioned files:
rndc.conf
options {
default-key “rndc-key”;
default-server 127.0.0.1;
default-port <RNDC port number>;
};
named.conf
options {
...
query-source port <query port>;
...
listen-on-port <NAMED port number> { any; };
};
...
controls {
inet 127.0.0.1 port <RNDC port number>
allow { 127.0.0.1; } keys { “rndc-key”; };
};
query-source port
specifies the port number BIND will use to send its outgoing queries to external DNS servers.listen-on port
specifies the port number BIND will use to listen for DNS queries.
To run the BIND server, run the script ./run_bind sh
To enable logging of queries received by BIND, do ./bin/rndc -c etc/rndc.conf querylog
pip install scapy==2.3.3 --user
Verify successful installation by opening the interpeter:
>>> import scapy
>>> exit()
Importing the scapy module should not raise any errors.
During the installation and actualy running of scapy, the following warnings and errors can be safely ignored: SNIMissingWarning
,InsecurePlatformWarning
and Exception RuntimeError: 'maximum recursion depth exceeded while calling a Python object' in <type 'exceptions.AttributeError'> ignored
.
- DNS Proxy Spoofer: open 3 terminals.
- Terminal 1:
./run_bind.sh
- Terminal 2:
python dnsproxy --port <Proxy Port #> --dns_port <named..conf listen-on port> --spoof_response <include if you want to spoof>
- Terminal 3 :
dig @127.0.0.1 example.com -p <Proxy Port #>
(if you are spoofing, stick to example.com for demo purposes)
- Terminal 1:
- Cache Poisoning Exploit:
- Terminal 1 :
./run_bind.sh
- Terminal 2 :
python poison.py --ip <BIND ip> --port <named..conf listen-on port> --query_port <named.conf query-source port>
- Terminal 1 :
If you want to run the attack multiple times, you need to kill and restart the server because the cache got poisoned, what did you expect ;)