dnsspoof is a DNS spoofing tool: you give it the domain names to redirect and the IP address each one should be redirected to.
http://monkey.org/~dugsong/dsniff/
dnsspoof is one of the tools in the dsniff suite.
dnsspoof depends on two third-party libraries, libpcap and libnet:
libpcap: http://www.tcpdump.org
libnet: http://code.google.com/p/ips-builder/downloads/detail?name=libnet-1.0.2a.tar.gz&can=2&q=
The versions I used here are:
dsniff-2.3.tar.gz
libnet-1.0.2a.tar.gz
libpcap-1.2.0rc1.tar.gz
[Source code compilation]
First compile libpcap:
tar -zxvf libpcap-1.2.0rc1.tar.gz
mkdir /usr/local/libpcap-1.2.0
cd libpcap-1.2.0
./configure --prefix=/usr/local/libpcap-1.2.0/
make
make install
Then compile libnet:
tar -zxvf libnet-1.0.2a.tar.gz
mkdir /usr/local/libnet-1.0.2a
cd libnet-1.0.2a
./configure --prefix=/usr/local/libnet-1.0.2a/
make
make install
The source code of dnsspoof consists of the following files:
err.h
err.c
queue.h
pcaputil.h
pcaputil.c
version.h
strlcpy.h
strlcpy.c
dnsspoof.c
strlcpy.h is a header file I added to declare the strlcpy function:
size_t strlcpy(char *dst, const char *src, size_t siz);
In dnsspoof.c, the paths of the included files need to be changed:
#include "sys/queue.h"
#include "err.h"
#include "pcaputil.h"
#include "version.h"
#include "strlcpy.h"
Define in_addr_t as a macro:
#define in_addr_t u_int32_t
The compile command line is:
gcc -g -Wall -o dnsspoof dnsspoof.c pcaputil.c err.c strlcpy.c -I/usr/local/libpcap-1.2.0/include/ -I/usr/local/libnet-1.0.2a/include/ -L/usr/local/libpcap-1.2.0/lib -L/usr/local/libnet-1.0.2a/lib -lpcap -lnet -lresolv -DLIBNET_LIL_ENDIAN
Compiling produces the executable file dnsspoof.
[Usage]
Create a file named dnsspoof.hosts in the current directory.
The file format is:
# [IP address to redirect to] [space or tab] [domain name to be redirected]
192.168.61.1 www.baidu.com
The command line is:
dnsspoof -i <network interface> -f <domain name/IP file> <libpcap filter expression for the traffic to be redirected>
./dnsspoof -i eth0 -f ./dnsspoof.hosts udp dst port 53 and src 192.168.61.109
To spoof the local machine, modify this code in dnsspoof.c:
snprintf(buf, sizeof(buf), "udp dst port 53 and not src %s",
         libnet_host_lookup(lnet_ip, 0));
Change it to:
snprintf(buf, sizeof(buf), "udp dst port 53 and src %s",
         libnet_host_lookup(lnet_ip, 0));
dnsspoof is then run without a libpcap filter expression:
./dnsspoof -i eth0 -f ./dnsspoof.hosts
[Source code analysis]
The main function first calls dns_init(dev, hosts), where hosts is the file given with the -f parameter.
dns_init parses the file, extracts each IP/domain name pair, and saves it in a linked list with SLIST_INSERT_HEAD(&dns_entries, de, next).
Next, main calls pcap_init, which uses libpcap to open the NIC, put it into promiscuous mode, compile the given filter expression, and set the filter.
pcap_dloff is then called to get the offset of the IP header.
After that, the libnet interface function libnet_open_raw_sock creates the raw socket.
Finally, execution enters pcap_loop(pcap_pd, -1, dns_spoof, NULL);
Every time a packet is captured, dns_spoof is called.
The dns_spoof function parses the DNS query packet, finds the domain name to be resolved, and calls dns_lookup_a or dns_lookup_ptr to look that name up in the linked list,
checking whether it is a domain name we want to spoof.
If yes, it calls libnet_build_ip, libnet_build_udp, memcpy and libnet_do_checksum to construct a DNS response packet,
and calls libnet_write_ip to send the constructed packet.
If not.
After the application receives the response message, its gethostbyname call returns that response.
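A defensive view of the flow analysed above, as an added example (not code from dsniff or from the original post): dnsspoof answers queries it sniffs and does nothing to stop the real resolver's reply, so the client is sent two responses carrying the same transaction ID. The C code below parses two constructed response payloads and flags that conflict; the struct and function names and the 203.0.113.10 address are assumptions.

```c
#include <stdint.h>
#include <string.h>
#include <strings.h>

struct dns_resp { uint16_t id; char qname[256]; uint32_t a; };  /* a = first A record */
/* Skip one encoded name (labels or a compression pointer); 0 means malformed. */
static size_t skip_name(const uint8_t *p, size_t len, size_t off) {
    for (; off < len; off += 1 + (size_t)p[off]) {
        if (p[off] == 0) return off + 1;
        if (p[off] > 63) return p[off] >= 0xC0 && off + 2 <= len ? off + 2 : 0;
    }
    return 0;
}
/* Parse a DNS response payload: ID, question name, first A answer. 0 on success. */
int parse_resp(const uint8_t *p, size_t len, struct dns_resp *out) {
    if (len < 12 || !(p[2] & 0x80) || ((p[4] << 8) | p[5]) != 1) return -1; /* QR=1, one question */
    unsigned an = (p[6] << 8) | p[7];
    out->id = (uint16_t)((p[0] << 8) | p[1]);
    size_t off = 12, n = 0;
    while (off < len && p[off] != 0) {                 /* labels -> dotted text */
        size_t c = p[off++];
        if (c > 63 || off + c > len || n + c + 1 >= sizeof out->qname) return -1;
        memcpy(out->qname + n, p + off, c);
        n += c; off += c; out->qname[n++] = '.';
    }
    if (off >= len) return -1;
    out->qname[n ? n - 1 : 0] = '\0';
    off += 5;                                          /* root label, QTYPE, QCLASS */
    while (an--) {
        if (!(off = skip_name(p, len, off)) || off + 10 > len) return -1;
        unsigned type = (p[off] << 8) | p[off + 1], rdlen = (p[off + 8] << 8) | p[off + 9];
        off += 10;
        if (off + rdlen > len) return -1;
        if (type == 1 && rdlen == 4) { memcpy(&out->a, p + off, 4); return 0; }
        off += rdlen;
    }
    return -1;                                         /* no A record in the answer section */
}
/* Same transaction ID and name but a different address: the answers disagree. */
int responses_conflict(const uint8_t *r1, size_t l1, const uint8_t *r2, size_t l2) {
    struct dns_resp a, b;
    if (parse_resp(r1, l1, &a) || parse_resp(r2, l2, &b)) return 0;
    return a.id == b.id && strcasecmp(a.qname, b.qname) == 0 && a.a != b.a;
}
/* Constructed payloads (not captured traffic): two responses to one www.baidu.com query. */
#define RESP_PREFIX 0x12,0x34,0x81,0x80,0,1,0,1,0,0,0,0, 3,'w','w','w',5,'b','a','i','d','u', \
                    3,'c','o','m',0, 0,1,0,1, 0xC0,0x0C,0,1,0,1,0,0,0,60,0,4
const uint8_t spoofed[] = { RESP_PREFIX, 192,168,61,1 };  /* address from the hosts file above */
const uint8_t genuine[] = { RESP_PREFIX, 203,0,113,10 };  /* placeholder address (assumption) */
int main(void) { return !responses_conflict(spoofed, sizeof spoofed, genuine, sizeof genuine); }
```

A sensor built on this would also key on the client address and port. Treat a match as a lead to investigate, since retransmitted queries can legitimately draw different round-robin answers.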