Re: [PEN-TEST] Forge name-query?

[Mordechai Ovits <movits () OVITS NET>]

On Mon, Nov 20, 2000 at 09:52:33PM -0500, Dug Song wrote:
> On Mon, Nov 20, 2000 at 07:47:52AM -0800, jarel () NIGHTMAIL COM wrote:
>
> > In theory you're able to make a program that listans after a
> > name-query for a special address and when it comes you're racing
> > the real DNS and tries to give the client an other ip-address than
> > the real one... Does anyone know of such a program?
> >
> > I succeeded to get people to use SSH instead of telnet after
> > showing them what I could do with Hunt.
>
> wait a bit for the next release of dsniff, which includes
>
> dnsspoof
>         forge replies to arbitrary DNS address / pointer queries on
>         the LAN. this is useful in bypassing hostname-based access
>         controls, or in implementing a variety of man-in-the-middle
>         attacks (HTTP, HTTPS, SSH, Kerberos, etc).
>
> sshmitm
>         proxy and sniff SSH traffic redirected by dnsspoof(8),
>       capturing SSH password logins.

Won't the user get a warning about host not matching the key in known_hosts?

> webmitm
>         proxy and sniff HTTP / HTTPS traffic redirected by dnsspoof(8),
>         capturing most "secure" SSL-encrypted webmail logins and form
>         submissions.

Won't the browser pop up an error about the certificate not matching the
site?  Or not signed by a known CA?

> among other things...

Cool, what else?

> -d.
>
> ---
> http://www.monkey.org/~dugsong/