bobbyb1980 Posted May 13, 2012 (edited)

Hello all. I've been doing a little experimenting for the past several weeks with bind9 and I am having some issues. I can successfully add zones and in theory have a functioning DNS server. However, I am having a problem when it comes to redirects. Here is an example. I create an entry for "www.testmylogin.com", then I clone "www.testmylogin.com". When a user types "testmylogin.com" they are forwarded to the malicious site, where they then enter their credentials. However, when the attack is over and it's time to redirect, "www.testmylogin.com" redirects to "login.testmylogin.com", which is actually a subdomain and therefore either forwards to the same IP or results in a 404 error. Is there any way to get around this? Perhaps I can add an A record in testmylogin.com.zone? The problem is I am not a C programmer, so the most I can do is guess with the conf files.

I've tried adding the A record in the zone file; didn't work. Also tried playing around with the reverse DNS lookup file; didn't work either. I've read that there are several ways to do this, etc. etc., but I'm just looking for a way that works. It also looks like in theory to verify the integrity of DNS you'd need to have a known good list of IPs for the servers you use, which would be a pretty long list.

Edited May 13, 2012 by bobbyb1980
Raziel Posted May 14, 2012

What happens if you flush the DNS on the victim's machine after the attack is over? Does it still happen?
digip Posted May 16, 2012

Is the site "www.testmylogin.com" a real site for which you just changed the name for this post? Because it might be that the cloned site has session data that, if not logged in, redirects to the subdomain. Hotmail, for instance, does stuff like this for login.live.com, so just wondering if it's something you overlooked.
bobbyb1980 (Author) Posted May 16, 2012

How would I flush the DNS on the victim? The victim is assigned this malicious DNS server from over the internet.

Digi, I'm not sure I understand your question, but I'll give it a shot anyways. Let's say I'm cloning gmail.com. Once the victim arrives at the credential harvesting site, after they enter credentials they are forwarded to mail.gmail.com or even login.gmail.com (for the sake of conversation). However, this ALWAYS gives a "server not found" error. Same thing with facebook.com; it forwards to https://login.facebook.com. This is the odd part. Even if I type the TRUE gmail.com IP into the browser, nothing happens. I've also added entries like "login IN A TRUE_IP" into the zone file and it still can't work properly.

Later on today I am going to try to add an entry in "named.conf.local" for a zone like "gmail.co.uk" and have it forward to a true gmail server (and presumably have the credential harvester forward to gmail.co.uk after the attack is complete), but I'm even skeptical about that... Any ideas? Thanks for the help guys.
Raziel Posted May 16, 2012

> How would I flush the DNS on the victim? The victim is assigned this malicious DNS server from over the internet.

DNS entries can be cached on a client. This is done to reduce traffic to the DNS servers. So even if you visit google.com 50 times in a day, your client only does one initial DNS resolution. You can flush the DNS cache on a Windows box by doing the following:

ipconfig /flushdns
bobbyb1980 (Author) Posted May 16, 2012

Thanks for the reply, however I won't necessarily have access to the victim's machine to flush the DNS. Without going into a 5-page explanation, I'm using it for clients that I'm running pentests on. Weak routers are commonplace, and in theory all I'd have to do is get them to go to a website, snag their IP, then remote into the router and change the DNS, then voilà. Remote access to the victim is obtainable (I could use a ms module to rickroll all sites to a java app page via a different style of bogus DNS server, but that would be obvious).

If I understand you correctly, I think that even if I could flush the victim's DNS that wouldn't work, because the browser is going to ask for another DNS record from the DNS server, which would tell them the exact same thing (malicious site). Thanks for the help guys.
digip Posted May 16, 2012

I don't know why your sites are prefixing with login.somesite.com, as most of those sites you mentioned don't have real subdomains with the login prefix. Is your script adding that to try redirecting them? If you are using DNS to change the address they should reach as your own, once they do and try to log in, you need to undo the bind, or they would still be hitting your machine, which their DNS is pointing to. If you don't have a login.facebook.com, for example, set up for them to reach, it's going to fail either way.

The easiest way to handle a redirect and clone, though, is to use something like SET to handle all of the credential harvesting for you; you'd just have to feed your victim a URL created by SET, either via PDF or email phish. Once they click the link and try to log in, you should then get all the credentials. You could also try using Ettercap and SSL Strip, but a DNS bind will more than likely cause issues unless you can change the DNS addresses on the fly and force the victims to reload DNS every time you make an update. Most DNS caches last anywhere from 15 minutes to 45 minutes depending on the OS, and could last up to a day.
bobbyb1980 (Author) Posted May 16, 2012

Once again... I am doing this from over the internet. This is not an ARP based attack, not on the LAN, so I can't (to my knowledge) use stuff like SSLStrip or ettercap. The victim thinks that my rogue DNS server is their own. This is the DNS that they will live with for the time being. This same principle would apply to a pineapple based rogue DNS attack, so heads up pineapplers!

With that being said, here is the config I have. 1.2.3.4 = DNS server and HTTP server w/ credential harvesting page.

named.conf.local:

zone "facebook.com" {
    type master;
    file "/etc/bind/zones/facebook.com.zone";
};

zone "4.3.2.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/4.3.2.in-addr.arpa";
};

facebook.com.zone:

facebook.com.  IN SOA ns1.facebook.com. admin.facebook.com. (
    2006071801  ; serial
    28800       ; refresh, seconds
    3600        ; retry, seconds
    604800      ; expire, seconds
    38400 )     ; minimum, seconds
facebook.com.  IN NS  ns1.facebook.com.
facebook.com.  IN MX  10 mta.facebook.com.
www            IN A   4.3.2.1
login          IN A   REAL FACEBOOK IP HERE

4.3.2.in-addr.arpa:

@  IN SOA ns1.facebook.com. admin.facebook.com. (
    2006071801  ; serial
    28800       ; refresh, seconds
    604800      ; retry, seconds
    604800      ; expire, seconds
    86400 )     ; minimum, seconds
   IN NS  ns1.facebook.com.
1  IN PTR facebook.com.   ; trailing dot added: without it BIND appends the zone origin to the name

And named.conf.options is normal and forwards all requests for zones that are not local to the server to Google's DNS server.

To recap, the attack works fine, I can harvest credentials fine, but when the user presses "login" they get a server not found error, which would raise red flags to a security savvy target. The weird part is that even when I type the true facebook IP in the browser, nothing is happening; it's not going to the real page, because the real page forwards requests to 10 million different subdomains of facebook.com. Anyone got any ideas? Thanks again for the help guys.
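A defensive counterpart to the configuration above, added here as an example that is not from this thread: a small audit that parses the zone stanzas of a named.conf.local and flags every zone the server claims to be master for that lies outside the domains and reverse ranges it legitimately owns, which is exactly what a resolver set up the way this post describes looks like. The sample conf and the owned lists are constructed; the stanza layout mirrors the one posted.

```python
import re

# Constructed sample in the layout shown in the post above (not a real server's file).
SAMPLE_NAMED_CONF_LOCAL = """
zone "facebook.com" {
    type master;
    file "/etc/bind/zones/facebook.com.zone";
};

zone "4.3.2.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/4.3.2.in-addr.arpa";
};

zone "corp.example" {
    type master;
    file "/etc/bind/zones/corp.example.zone";
};
"""

# One zone stanza: zone "<name>" [IN] { ... };  (body is non-greedy up to the closing "};")
ZONE_RE = re.compile(r'zone\s+"(?P<name>[^"]+)"\s*(?:IN\s+)?\{(?P<body>.*?)\};', re.S | re.I)
TYPE_RE = re.compile(r'\btype\s+(\w+)\s*;', re.I)


def parse_zones(conf):
    """Return a list of (zone_name, zone_type) for every stanza in a named.conf fragment."""
    zones = []
    for m in ZONE_RE.finditer(conf):
        t = TYPE_RE.search(m.group("body"))
        ztype = t.group(1).lower() if t else "unknown"
        zones.append((m.group("name").rstrip(".").lower(), ztype))
    return zones


def unexpected_authoritative_zones(conf, owned_domains, owned_reverse):
    """Flag master zones this server should not be authoritative for.

    owned_domains: forward zones we legitimately run (e.g. "corp.example").
    owned_reverse: in-addr.arpa zones for address space we actually own.
    A resolver that is master for someone else's domain (facebook.com here)
    or for a reverse zone we do not own is a hijack indicator.
    """
    owned = {d.rstrip(".").lower() for d in owned_domains}
    owned_rev = {r.rstrip(".").lower() for r in owned_reverse}
    findings = []
    for name, ztype in parse_zones(conf):
        if ztype != "master":
            continue  # slave/forward/hint zones are not authoritative claims
        pool = owned_rev if name.endswith(".in-addr.arpa") else owned
        if not any(name == d or name.endswith("." + d) for d in pool):
            findings.append(name)
    return findings
```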
digip Posted May 16, 2012 (edited)

www-slb-11-08-prn1.facebook.com will resolve to facebook.com when you try to reach it by facebook IP alone, which is the "resolved" name for "69.171.234.37". Problem is, Facebook has multiple IP addresses and subdomains (just like google does) and depending on the ISP, they cache their own IPs sometimes. OpenDNS does this for google. There are at least 11 sites on that same IP for facebook too. If you try going to the IP alone, you should end up at www-slb-11-08-prn1.facebook.com, which will automatically forward directly to facebook.com. Their login page when the button is pressed is also https://www.facebook.com/login.php?login_attempt=1. The cloned page might need to be pointed to the full URL in the form, or it could end up posting locally to you since your DNS is intercepting everything.

This here:

www   IN A 4.3.2.1
login IN A REAL FACEBOOK IP HERE

is why you are seeing login.facebook.com as subdomains prefixing the TLD. Not sure how yours is redirecting, because I use OpenDNS, but when I go to login.facebook.com or even their IP, both redirect me to www.facebook.com, and if you are pointing them to 4.3.2.1 as the A record, well, that's not the real facebook IP either. That is a google owned IP space, with multiple sites on the same IP, none of which are facebook.com.

By the way, for subdomains, I think you need CNAME records??

foo.example.com.  CNAME  bar.example.com.
bar.example.com.  A      192.0.2.23

By the way, I'm not a DNS guru, so don't know much about bind syntax or how to set it up...

Edited May 16, 2012 by digip
bobbyb1980 (Author) Posted May 16, 2012 (edited)

digi, I put 4.3.2.1 because I didn't want to put the address of my server; that's not the actual IP I am forwarding to, nor do I own it. This really isn't bind syntax per se, it's C, so if any of you C'ers out there are reading please chime in! I'm really not following most of what you're saying digi, but I can conclude at the end of the day just about everything is going to forward to "facebook.com" or a subdomain of it, which in turn will bring it back to the credential harvester or a 404 error. I'm sure there's still a way to do it, heck, there are probably several ways to do it.

I do have a question. Can you successfully do what I am trying to do using OpenDNS? Please type "Y" for yes or "N" for no : )

Edited May 16, 2012 by bobbyb1980
digip Posted May 16, 2012

> digi, I put 4.3.2.1 because I didn't want to put the address of my server; that's not the actual IP I am forwarding to, nor do I own it. This really isn't bind syntax per se, it's C, so if any of you C'ers out there are reading please chime in! I'm really not following most of what you're saying digi, but I can conclude at the end of the day just about everything is going to forward to "facebook.com" or a subdomain of it, which in turn will bring it back to the credential harvester or a 404 error. I'm sure there's still a way to do it, heck, there are probably several ways to do it.
>
> I do have a question. Can you successfully do what I am trying to do using OpenDNS? Please type "Y" for yes or "N" for no : )

My bad, I thought they were some sort of bind .conf files or something with A name entries for www and login subdomains. I'm not a C programmer either, so couldn't tell you where to begin on that, but hit up sitwon, send him a PM. He's a C guy and might be able to help you.
bobbyb1980 (Author) Posted May 16, 2012

No problem digi, I appreciate the help that you and others have offered in this thread. I gotta say though, I am really learning to appreciate a nice, organized config file like apache and so many other servers offer : P

I think this problem has something to do with reverse lookups. Going to try to delete the reverse lookup entries and hopefully, when the browser can't resolve an IP to a domain (if browsers even do reverse lookups), it will just initiate communication with the server and proceed on. If that doesn't work, going to try to do what I was saying earlier and create another zone, like facebook.co.uk, specifically for being forwarded to after successful credential harvesting, and that zone would forward to a legit facebook IP that is not affiliated with the traditional facebook.com IP, if it even exists. Then if that doesn't work, I'll just create a nice page that says "facebook is under construction" and cross my fingers that it doesn't make any clients suspicious, which it very well may. Especially if I do that with multiple sites.
bobbyb1980 (Author) Posted May 24, 2012

Got it working. For some reason it works by adding only zone entries to named.conf.local and not reverse lookup entries in (/etc/bind9/zones). Don't know why it's like this, and it kind of makes me question the concept of reverse lookups in the first place, but if it works it works.