dns2proxy – Offensive DNS server

dns2proxy is an offensive DNS server that offers various features for post-exploitation once you’ve changed the DNS server of a victim.

It’s very frequently used in combination with sslstrip.

Features

• Traditional DNS Spoofing
• Implements DNS Spoofing via Forwarding
• Detects and corrects changes for sslstrip to work

Usage

Using the spoof.cfg config file with the format:

1	hostname ip.ip.ip.ip

1 2 3 4 5 6 7 8 9 10 11 12

root@kali:~/dns2proxy# echo "www.s21sec.com 1.1.1.1" > spoof.cfg   // launch in another terminal dns2proxy.py   root@kali:~/dns2proxy# nslookup www.s21sec.com 127.0.0.1 Server: 127.0.0.1 Address: 127.0.0.1#53   Name: www.s21sec.com Address: 1.1.1.1 Name: www.s21sec.com Address: 88.84.64.30

Or you can use domains.cfg file to spoof all hosts of a domain (wildcard):

1 2 3 4 5 6 7 8 9

root@kali:~/demoBH/dns2proxy# cat dominios.cfg .domain.com 192.168.1.1   root@kali:~/demoBH/dns2proxy# nslookup aaaa.domain.com 127.0.0.1 Server: 127.0.0.1 Address: 127.0.0.1#53   Name: aaaa.domain.com Address: 192.168.1.1

Hostnames at nospoof.cfg will not be spoofed.

Config Files

domains.cfg – resolve all hosts/subdomains for the listed domains with the given IP.

1	.facebook.com 1.2.3.4 .fbi.gov 1.2.3.4

spoof.cfg – Spoof a single host with a given IP.

1	www.nsa.gov 127.0.0.1

nospoof.cfg – Send always a legit response when responding for these hosts.

1	mail.google.com

nospoofto.cfg – Don’t send fake responses to the IPs listed there.

1	127.0.0.1 4.5.6.8

victims.cfg – If not empty, only send fake responses to these IP addresses.

1	23.66.163.36 195.12.226.131

resolv.conf DNS server to forward legitimate queries to.

1	nameserver 8.8.8.8

You can download dns2proxy here: