In order to resolve local hostnames to IP addresses, the DNS server on the Centro Grande writes every hostname into its own hosts file. The hostnames are taken from the DHCP requests.
An attacker in the same network may craft a DHCP request which contains a hostname like `www.example.com`. This hostname will then be resolved to the IP address of the attacker. It's also possible to spoof the addresses of multiple hosts by separating them with a space: `www.example.com example.com`.
If a victim tries to visit `www.example.com` (and doesn't use a static DNS server) the HTTP(S) request will be directed to the attacker.
- python
- scapy
- cherrypy (for landing page)
The script `dns_spoofing.py` is a Python script which sends a DHCP request that by default spoofs the IP address of `www.example.com` and `example.com`.
After this request the script starts a minimal HTTP server as a landing page.
If the landing page is not wanted (or cherrypy is not installed) it can be disabled by removing `start_landing_server()`.
The script has to be run with administrator / root rights e.g.:
$ sudo ./dns_spoofing.py
Use a (second) computer to try to connect to `www.example.com` over HTTP. The request will be displayed.
You are only affected if you let the DHCP client configure your DNS server. So using a static DNS server is an easy and safe way to protect yourself.
Possible fixes for the hostname handling itself:
- Escape or disallow spaces in hostnames.
- Add a suffix to hostnames (e.g. `.local`) or disallow dots in hostnames.
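
The hostname fixes listed above, sketched as an added example; this is not the device's firmware code and not part of `dns_spoofing.py`. It assumes the device writes one `IP hostname` line per lease into its hosts file; the function names and sample addresses are constructed for illustration.

```python
import re

# One DNS label (RFC 1123): letters, digits, hyphens, 1-63 characters,
# no leading or trailing hyphen. Spaces and dots can never match.
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")

LOCAL_SUFFIX = ".local"  # suffix taken from the mitigation list above


def naive_hosts_line(ip, dhcp_hostname):
    """Behaviour described on this page: the client string is written unchanged."""
    return f"{ip} {dhcp_hostname}"


def hardened_hosts_line(ip, dhcp_hostname):
    """Return a hosts line for a client-supplied name, or None if rejected."""
    if not LABEL_RE.fullmatch(dhcp_hostname):
        return None  # contains a space, a dot or another disallowed character
    # The forced suffix keeps client names out of the public DNS namespace.
    return f"{ip} {dhcp_hostname.lower()}{LOCAL_SUFFIX}"


def names_in_hosts_line(line):
    """Names a resolver would answer for from a single hosts-file line."""
    return line.split()[1:]


# Constructed sample leases: (assigned IP, hostname sent by the DHCP client).
SAMPLE_LEASES = [
    ("192.0.2.10", "Laptop-01"),
    ("192.0.2.66", "www.example.com"),
    ("192.0.2.66", "www.example.com example.com"),
]

if __name__ == "__main__":
    for ip, name in SAMPLE_LEASES:
        print(f"client hostname: {name!r}")
        print(f"  naive    -> {naive_hosts_line(ip, name)!r}")
        print(f"  hardened -> {hardened_hosts_line(ip, name)!r}")
```

A rejected name returns `None`, so the caller can skip the hosts entry and log the lease for review instead of publishing the name.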