A targeted DNS cache poisoner.
deserter is a targeted DNS cache poisoner. It is capable of DNS cache poisoning without brute-forcing the transaction ID and source port: instead, it sniffs out DNS queries and uses the information inside them to craft poisoned responses and send them back to the target.

In the absence of DNS security mechanisms, deserter has a near 100% success rate of poisoning the target's cache when the router has to forward the DNS query to an external DNS server (that is, when the router doesn't have an entry for the domain in its own cache).
- Silence - deserter doesn't flood the network with any type of packet; it only ever sends a single response per query received.
- Speed - deserter is fast, which is required when racing against packets coming from the legitimate name server.
- Robustness & Ease of Use - deserter supports DNS/mDNS queries of type A/AAAA as well as DNS over IPv6, all while being extremely simple to use.
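The mechanism described above leaves a characteristic footprint on the wire: the victim receives two responses for one query, the spoofed one and, shortly after, the legitimate one, carrying the same transaction ID but different answers. The following detector is an added example written for this README and is not part of the deserter project; it parses raw DNS response payloads with only the standard library and flags a second response for an already-answered (client, port, TXID, name) tuple whose answer set or source differs. The sample packets, addresses and ports are constructed for the demonstration.

```python
"""Flag duplicate DNS responses for a single query (the on-wire sign of a
sniff-and-race poisoner). Added example, not deserter project code."""
import struct


def _read_name(buf, off):
    """Decode a DNS name at buf[off], following RFC 1035 compression pointers.
    Returns (dotted_name, offset_after_name_in_the_original_position)."""
    labels, jumped, end = [], False, off
    while True:
        length = buf[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:              # compression pointer
            ptr = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            if not jumped:
                end = off + 2                  # pointer consumes 2 bytes
            jumped, off = True, ptr
            continue
        off += 1
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_dns_response(buf):
    """Return (txid, qname, sorted tuple of A-record IPs) for a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", buf, 0)
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    off, qname = 12, None
    for _ in range(qd):
        name, off = _read_name(buf, off)
        off += 4                               # QTYPE + QCLASS
        qname = qname or name.lower()
    ips = []
    for _ in range(an):
        _, off = _read_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:          # A record
            ips.append(".".join(str(b) for b in rdata))
    return txid, qname, tuple(sorted(ips))


class DuplicateResponseDetector:
    """Remember the first response per (client, client port, TXID, qname) and
    report any later response that disagrees with it. The source IP is also
    compared, but a poisoner can spoof it, so differing answers is the key signal."""

    def __init__(self):
        self.seen = {}

    def observe(self, src_ip, dst_ip, dst_port, payload):
        txid, qname, answers = parse_dns_response(payload)
        key = (dst_ip, dst_port, txid, qname)
        prior = self.seen.get(key)
        if prior is None:
            self.seen[key] = (src_ip, answers)
            return None
        if prior != (src_ip, answers):
            return {"client": dst_ip, "port": dst_port, "txid": txid,
                    "qname": qname, "first": prior, "second": (src_ip, answers)}
        return None                            # identical retransmit, benign


def build_response(txid, qname, ips):
    """Construct a minimal DNS response with A answers (test fixture, not captured traffic)."""
    def encode_name(n):
        return b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\x00"
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
                       + bytes(int(x) for x in ip.split(".")) for ip in ips)
    return hdr + question + answers


def run_demo():
    """Replay a constructed race: a spoofed answer arrives first, the real one second."""
    det = DuplicateResponseDetector()
    resolver, client, port = "192.0.2.53", "192.0.2.10", 40000   # constructed
    spoofed = build_response(0x1234, "example.com", ["203.0.113.7"])
    real = build_response(0x1234, "example.com", ["198.51.100.20"])
    alerts = []
    for pkt in (spoofed, real, real):
        alert = det.observe(resolver, client, port, pkt)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        print(f"duplicate answer for {a['qname']} txid={a['txid']:#06x}: {a['first']} vs {a['second']}")
```

In a real deployment the payloads would come from a capture on the network segment (e.g. via libpcap), keyed by the UDP 5-tuple rather than the parsed fields alone; the same logic extends to AAAA (type 28) by also collecting 16-byte RDATA.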
To get a local copy up and running, follow these simple steps.

In order for the tool to work, the attacker needs to be on the same network as the victim. Sometimes ARP spoofing may also be required, usually on physical connections through Ethernet.
- Clone the repo with its submodules:
git clone --recurse-submodules https://github.com/cr0mll/deserter
- Install libpcap:
sudo apt-get install libpcap-dev
- Change into deserter/scripts:
cd deserter/scripts
- Make the scripts executable and run the installation script:
chmod +x *
./install.sh

This will configure and build the binary in the deserter/build directory. You can use the scripts configure.sh and build.sh to configure and build the CMake project manually.
The tool requires sudo permissions to run. You can run deserter with --help to get information about all of the available options.

For any DNS cache poisoning attack, you will need to specify the network interface which deserter should use and the IPv4 address to use for poisoning queries:
./deserter -b <bad IP> -i <interface>

The -t/--targets option can be used to provide a comma-separated list, without whitespace, of IPv4/IPv6 addresses whose queries to poison. By default, deserter will poison all queries it sees. Furthermore, you can prepend ~ to any IP address you want to exclude from the target list, so that its queries are left unaltered.

The -d/--domains option can be used to provide a comma-separated list, without whitespace, of the domains to poison when they are found in a query. By default, deserter will poison all domains.
- See the open issues for a list of proposed features (and known issues).
Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.
- Fork the Project
- Create your Feature Branch (git checkout -b feature/AmazingFeature)
- Commit your Changes (git commit -m 'Add some AmazingFeature')
- Push to the Branch (git push origin feature/AmazingFeature)
- Open a Pull Request
Distributed under the MIT License. See LICENSE for more information.
Project Link: https://github.com/cr0mll/deserter