Using dnschef in Kali for DNS spoofing

1. Introduction

        DNSChef is a highly configurable DNS proxy for penetration testers and malware analysts. It has the ability to finely configure which DNS replies to modify or simply proxy the real response. In order to take advantage of the tool, you must manually configure your DNS servers to point to DNSChef.

2. Execution parameters

Option parameters:

-h, --help
	Show this help message and exit.

--fakedomains thesprawl.org,google.com
	A comma-separated list of domain names which will be resolved to the FAKE values specified in the parameters above. All other domain names will be resolved to their true values.

--truedomains thesprawl.org,google.com
	A comma-separated list of domain names which will be resolved to their TRUE values. All other domain names will be resolved to the fake values specified in the parameters above.

Fake DNS records:

--fakeip 192.0.2.1
	IP address to use for matching DNS queries. If you use this parameter without specifying domain names, all "A" queries will be spoofed. Consider using the --file argument if you need to define more than one IP address.

--fakeipv6 2001:db8::1
	IPv6 address to use for matching DNS queries. If you use this parameter without specifying domain names, all "AAAA" queries will be spoofed. Consider using the --file argument if you need to define more than one IPv6 address.

--fakemail mail.fake.com
	MX name to use for matching DNS queries. If you use this parameter without specifying domain names, all "MX" queries will be spoofed. Consider using the --file argument if you need to define more than one MX record.

--fakealias www.fake.com
	CNAME name to use for matching DNS queries. If you use this parameter without specifying domain names, all "CNAME" queries will be spoofed. Consider using the --file argument if you need to define more than one CNAME record.

--fakens ns.fake.com
	NS name to use for matching DNS queries. If you use this parameter without specifying domain names, all "NS" queries will be spoofed. Consider using the --file argument if you need to define more than one NS record.

--file FILE
	Specify a file containing a list of DOMAIN=IP pairs (one pair per line) used for DNS responses. For example, google.com=1.1.1.1 forces all queries for "google.com" to resolve to "1.1.1.1". IPv6 addresses are detected automatically. You can be even more specific by combining --file with the other arguments; however, data taken from the file takes precedence over the other parameters.

Optional runtime arguments:

--logfile FILE
	Specify a log file to record all activity.

--nameservers 8.8.8.8#53 or 4.2.2.1#53#tcp or 2001:4860:4860::8888
	A comma-separated list of alternative DNS servers to use for proxied requests. Nameservers can be given in IP or IP#PORT format. When several servers are provided, a randomly selected server from the list is used for each proxied request. By default the tool uses Google's public DNS server 8.8.8.8 when running in IPv4 mode and 2001:4860:4860::8888 when running in IPv6 mode.

-i 127.0.0.1 or ::1, --interface 127.0.0.1 or ::1
	Define the interface to use for the DNS listener. By default the tool uses 127.0.0.1 in IPv4 mode and ::1 in IPv6 mode.

-t, --tcp
	Use a TCP DNS proxy instead of the default UDP.

-6, --ipv6
	Run in IPv6 mode.

-p 53, --port 53
	Port number to listen on for DNS requests.

-q, --quiet
	Don't show the banner (headers).

3. Test in practice

3.1 Network connection

The laptop is connected wirelessly to the Wi-Fi provided by a mobile-data hotspot (a SIM data card).

Kali is started in VirtualBox on the laptop, with the virtual network adapter in bridged mode.

The laptop's own hotspot is turned on.

An Android phone connects wirelessly to the laptop's hotspot.

3.2 Network configuration

3.2.1 Check the network information of the laptop

Wireless LAN adapter WLAN:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::8158:d09:dfd0:cbe5%10
   IPv4 Address. . . . . . . . . . . : 192.168.43.168
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.43.1

        This information is needed for Kali's network configuration once it has started. Kali's network setup is described in detail in the following post:

5 minutes to complete Kali linux installation (based on VirtualBox)_virtualbox installation kali_Xiaoxiangzi's Blog-CSDN Blog

3.2.2 Check Kali's network information: Kali's IP is 192.168.43.209

┌──(root㉿kali)-[/home/kali]
└─# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.43.209  netmask 255.255.255.0  broadcast 192.168.43.255
        inet6 fe80::a00:27ff:fe22:464f  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:22:46:4f  txqueuelen 1000  (Ethernet)
        RX packets 53891  bytes 67773851 (64.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 19008  bytes 1363876 (1.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 4  bytes 240 (240.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4  bytes 240 (240.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

3.2.3 Set the laptop's DNS server address to Kali's address

        Set the DNS server of the laptop's WLAN adapter (shown in 3.2.1) to Kali's address, 192.168.43.209. DNSChef does not redirect traffic on its own: it only answers queries that are sent to it, so every client that is supposed to receive spoofed answers (here the phone on the laptop's hotspot) must resolve names through this address.

3.3 DNSChef startup, configuration rules, testing

        Check that DNSChef is present in Kali (with no parameters it only proxies):

┌──(root㉿kali)-[/home/kali]
└─# dnschef                                                       
          _                _          __  
         | | version 0.4  | |        / _| 
       __| |_ __  ___  ___| |__   ___| |_ 
      / _` | '_ \/ __|/ __| '_ \ / _ \  _|
     | (_| | | | \__ \ (__| | | |  __/ |  
      \__,_|_| |_|___/\___|_| |_|\___|_|  
                   [email protected]  

(21:09:00) [*] DNSChef started on interface: 127.0.0.1
(21:09:00) [*] Using the following nameservers: 8.8.8.8
(21:09:00) [*] No parameters were specified. Running in full proxy mode
^C(21:10:01) [*] DNSChef is shutting down.

        We used the websites of two well-known universities in Nanjing for the test. The IP of each site was taken from the DNS answer captured with Wireshark while the browser visited the site:

        Nanjing University: www.nju.edu.cn 202.119.32.7

        Nanjing University of Aeronautics and Astronautics: www.nuaa.edu.cn 218.94.136.180

        We map the Nanjing University hostname to the IP of Nanjing University of Aeronautics and Astronautics and load that rule into DNSChef.

The address given after --interface is Kali's IP. Run it as root, since the listener binds the privileged port 53:

dnschef --fakeip=218.94.136.180 --fakedomains=www.nju.edu.cn --interface 192.168.43.209 -q

        On the Android phone, open the URLs of the two universities in the browser to test.

        Output in the following format is printed, indicating that the DNS setting has taken effect; DNSChef prints every domain name it has handled, which can be used for analysis.

"proxying the response of ***" means the query was passed on to the standard upstream DNS server (8.8.8.8 by default; configurable with --nameservers).

"cooking the response of *****" means the spoofing rule we configured matched: our DNS server answered the Nanjing University name (www.nju.edu.cn) with the IP of Nanjing University of Aeronautics and Astronautics (218.94.136.180).
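The "cooking" versus "proxying" split above is the whole of what the tool decides for each query. The following is an added example, not DNSChef's own code: a minimal model of that decision built on the Python standard library only. The rule table mirrors the command used above (www.nju.edu.cn -> 218.94.136.180), the upstream 8.8.8.8 is DNSChef's documented default, and the listener port 5353 is an arbitrary unprivileged choice for local testing. The query packets are constructed inline, so the decision logic runs offline; only serve() touches the network.

```python
# Added example (not DNSChef's code): model of DNSChef's per-query decision.
# Names in FAKE_A get a forged ("cooked") A answer; everything else is relayed
# to the upstream resolver ("proxied"). Standard library only.
import socket
import struct
from typing import Optional, Tuple

QTYPE_A = 1

# Equivalent of `--fakeip 218.94.136.180 --fakedomains www.nju.edu.cn`
FAKE_A = {"www.nju.edu.cn": "218.94.136.180"}

# Upstream for proxied queries (DNSChef's default); assumption for this example.
UPSTREAM = ("8.8.8.8", 53)


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def decode_name(pkt: bytes, offset: int) -> Tuple[str, int]:
    """Read a name at offset; follows compression pointers (RFC 1035 4.1.4)."""
    labels, end, jumped = [], offset, False
    while True:
        length = pkt[offset]
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", pkt[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(pkt[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), end


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Constructed client query: RD=1, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(pkt: bytes) -> Tuple[int, str, int]:
    """Return (transaction id, lower-cased qname, qtype) of the first question."""
    txid = struct.unpack("!H", pkt[:2])[0]
    name, off = decode_name(pkt, 12)
    qtype = struct.unpack("!H", pkt[off:off + 2])[0]
    return txid, name, qtype


def cook_response(query: bytes, fake_a=FAKE_A, ttl: int = 60) -> Optional[bytes]:
    """Forge an A answer for a listed name; None means 'proxy this one'."""
    txid, name, qtype = parse_query(query)
    if qtype != QTYPE_A or name not in fake_a:
        return None
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, 1)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, ttl, 4)  # name -> offset 12
    return header + question + rr + socket.inet_aton(fake_a[name])


def first_a_record(resp: bytes) -> Optional[str]:
    """Pull the first A rdata out of a response, the way a client would."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(resp, off)
        off += 4
    for _ in range(an):
        _, off = decode_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            return socket.inet_ntoa(resp[off:off + 4])
        off += rdlen
    return None


def decide(query: bytes) -> Tuple[str, Optional[str]]:
    """Same split DNSChef logs: ('cooking', ip) or ('proxying', None)."""
    resp = cook_response(query)
    return ("proxying", None) if resp is None else ("cooking", first_a_record(resp))


def serve(bind: str = "127.0.0.1", port: int = 5353) -> None:
    """UDP loop: answer listed names locally, relay everything else to UPSTREAM."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((bind, port))
    up = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    up.settimeout(3)
    while True:
        query, client = srv.recvfrom(512)
        resp = cook_response(query)
        if resp is None:
            up.sendto(query, UPSTREAM)
            try:
                resp, _ = up.recvfrom(4096)
            except socket.timeout:
                continue  # upstream silent: drop, the client will retry
        srv.sendto(resp, client)


if __name__ == "__main__":
    print(decide(build_query("www.nju.edu.cn")))   # ('cooking', '218.94.136.180')
    print(decide(build_query("www.nuaa.edu.cn")))  # ('proxying', None)
```

Note that the forged answer is only "cooked" for the qtype the rule covers: an AAAA query for www.nju.edu.cn falls through to proxying, which is why the phone may still reach the real site over IPv6 if the network offers it. To verify the real DNSChef listener from any client on the hotspot, query it directly, for example `dig @192.168.43.209 www.nju.edu.cn A`, and compare with the answer for www.nuaa.edu.cn.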

        The observed result: the website of Nanjing University of Aeronautics and Astronautics opens normally, but the website of Nanjing University cannot be opened.

        Why the NUAA page is not displayed when the Nanjing University URL is entered is not a browser quirk but expected behaviour. DNS spoofing only changes the address the client connects to; the browser still sends the original hostname, www.nju.edu.cn, in the TLS SNI and the HTTP Host header. If the site is served over HTTPS, the server at 218.94.136.180 presents a certificate issued for www.nuaa.edu.cn, which does not match www.nju.edu.cn, so the browser refuses the connection (and HSTS, where set, blocks any click-through). Over plain HTTP the server may simply not serve a virtual host for that name. For a spoofed name to show content, the spoofed address has to host something that answers for that name.

        One more thing: what if you have many rules to set?

        Use this command, which loads the rules from a file:

dnschef --file dnsfile --interface 0.0.0.0 -q

        dnsfile is the file name; its contents are structured as follows (one section per record type, one name = value pair per line):

[A]
name1 = ip1
name2 = ip2
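A filled-in rules file for the test above, as an added example rather than a file from the original post. The [A] entry reproduces the single-rule command; the [AAAA] and [MX] values are the documentation placeholders from the parameter list (2001:db8::1, mail.fake.com), not real records. The wildcard form follows the sample file shipped with DNSChef as I recall it; check the README of the installed version before relying on it. Entries in the file take precedence over --fakeip and the other parameters.

```ini
# dnsfile: rules for `dnschef --file dnsfile --interface 0.0.0.0 -q` (added example)
[A]
www.nju.edu.cn=218.94.136.180
*.nju.edu.cn=218.94.136.180

[AAAA]
www.nju.edu.cn=2001:db8::1

[MX]
nju.edu.cn=mail.fake.com
```

Queries for names not listed in any section are proxied to the upstream resolver unchanged.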

The address 0.0.0.0 tells DNSChef to listen on all of Kali's IPv4 interfaces rather than on one specific address; for background on the meaning of 0.0.0.0, see this post:

What does the IP address 0.0.0.0 mean? _mtAsnow's Blog - CSDN Blog

4. Conclusion

This article used the DNSChef tool shipped with Kali to perform DNS spoofing, and the spoofed answers were delivered successfully.

Reference

The dnschef_dnschef tool of the latest kali does not respond - Vanony's blog - CSDN blog

Origin blog.csdn.net/qq_33163046/article/details/131073971