Tool 105: Sniff and send DNS answers
Description:
This tool sniffs and replies to DNS requests. It will always return
the same information. It can be used to redirect network flow to a
computer.
The 'hostname' parameter is not used for type A queries.
The 'hostnameip' parameter is not used for type PTR queries.
Parameter --hostname defines the hostname to tell (www.example.com).
Parameter --hostnameip defines IP address of this hostname (1.2.3.4).
Parameter --authns is the authoritative name server (ns.example.com).
Parameter --authnsip defines IP address of name server (1.2.3.5).
Parameter --ttl defines the Time To Live of this reply.
Parameter --device indicates on which device to sniff. Please note
that under some systems, such as Windows, sniffing on some devices is
not supported.
Parameter --filter defines the sniff filter. It permits to restrict
captured packets. This kind of filter is named a BPF or pcap filter.
Basic elements of a filter are:
host 1.2.3.4
net 192.168.10
net 192.168.10.0 mask 255.255.255.0
net 192.168.10.0/24
port 21
dst host 1.2.3.4
src port 2345
ether host a:b:c:d:e:f ('ether a:b:c:d:e:f' is not working)
ether src aa:bb:cc:dd:ee:ff
ip
arp
rarp
tcp
icmp
udp
Here are filter examples:
"host 1.2.3.4"
"net 192.168 and icmp"
"host 1.2.3.4 or dst port 80"
"(udp or tcp) and not host 1.2.3.4"
Parameter --spoofip indicates how to generate link layer for spoofing.
Values 'best', 'link' or 'raw' are common choices for --spoofip. Here
is the list of accepted values:
- 'raw' means to spoof at IP4/IP6 level (it uses system IP stack). If
a firewall is installed, or on some systems, this might not work.
- 'linkf' means to spoof at link level (currently, only Ethernet is
supported). The 'f' means to Fill source Ethernet address.
However, if source IP address is spoofed, it might be impossible
to Fill it. So, linkf will not work: use linkb or linkfb instead.
- 'linkb' means to spoof at link level. The 'b' means to left a Blank
source Ethernet address (0:0:0:0:0:0, do not try to Fill it).
- 'linkfb' means to spoof at link level. The 'f' means to try to Fill
source Ethernet address, but if it is not possible, it is left
Blank.
- 'rawlinkf' means to try 'raw', then try 'linkf'
- 'rawlinkb' means to try 'raw', then try 'linkb'
- 'rawlinkfb' means to try 'raw', then try 'linkfb'
- 'linkfraw' means to try 'linkf', then try 'raw'
- 'linkbraw' means to try 'linkb', then try 'raw'
- 'linkfbraw' means to try 'linkfb', then try 'raw'
- 'link' is an alias for 'linkfb'
- 'rawlink' is an alias for 'rawlinkfb'
- 'linkraw' is an alias for 'linkfbraw'
- 'best' is an alias for 'linkraw'. It should work in all cases.
This tool may need to be run with admin privilege in order to sniff
and spoof.
Synonyms:
bind
Usage:
netwox 105 -h hostname -H ip -a hostname -A ip [-d device] [-T uint32] [-f filter] [-s spoofip]
Parameters:
| parameter |
description |
example |
| -h|--hostname hostname |
hostname |
www.example.com |
| -H|--hostnameip ip |
hostname IP |
1.2.3.4 |
| -a|--authns hostname |
authoritative name server |
ns.example.com |
| -A|--authnsip ip |
authns IP |
1.2.3.5 |
| -d|--device device |
device name |
Eth0 |
| -T|--ttl uint32 |
ttl in seconds |
10 |
| -f|--filter filter |
pcap filter |
|
| -s|--spoofip spoofip |
IP spoof initialization type |
best |
Examples:
netwox 105 -h "www.example.com" -H "1.2.3.4" -a "ns.example.com" -A "1.2.3.5"
netwox 105 --hostname "www.example.com" --hostnameip "1.2.3.4" --authns "ns.example.com" --authnsip "1.2.3.5"