Judas DNS – Nameserver DNS Poisoning Attack Tool
Judas DNS is a Nameserver DNS Poisoning Attack Tool which functions as a DNS proxy server built to be deployed in place of a taken over nameserver to perform targeted exploitation. Judas works by proxying all DNS queries to the legitimate nameservers for a domain.
The magic comes with Judas’s rule configurations which allow you to change DNS responses depending on source IP or DNS query type. This allows an attacker to configure a malicious nameserver to do things like selectively re-route inbound email coming from specified source IP ranges (via modified MX records), set extremely long TTLs to keep poisoned records cached, and more.
How to use Judas DNS Nameserver DNS Poisoning Attack Tool
The following is an example configuration for Judas for an example scenario where an attacker has compromised/taken over one of Apple’s authoritative nameservers (for apple.com):
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 |
{ "version": "1.0.0", "port": 2248, "dns_query_timeout": 10000, "target_nameservers": [ "17.254.0.59", "17.254.0.50", "17.112.144.50", "17.112.144.59", "17.171.63.30", "17.171.63.40", "17.151.0.151", "17.151.0.152" ], "rules": [ { "name": "Secretly redirect all emails coming from 127.0.0.1!", "query_type_matches": [ "MX" ], "ip_range_matches": [ "127.0.0.1/32" ], "modifications": [ { "answer": [ { "name": "apple.com", "type": 15, "class": 1, "ttl": 10, "priority": 10, "exchange": "hacktheplace.localhost" } ] } ] }, { "name": "Make all responses NOERROR even if they've failed.", "query_type_matches": [ "*" ], "modifications": [ { "header": { "rcode": 0 } } ] } ] } |
The above configuration value purposes are the following:
- version: The configuration file format version (for now is always 1.0.0).
- port: The port Judas should run on.
- dns_query_timeout: How long to wait in milliseconds before giving up on a reply from the upstream target nameserver.
- target_nameservers: The legit nameservers for your target domain, all DNS queries will be sent here from Judas on behalf of all requesting clients.
- rules: A list of rules with modifications to the DNS response to apply if matched.
- name: Name of a given rule.
- query_type_matches: List of query types to match on such as CNAME, A, etc. A wildcard (*) can also be specified to match any query type.
- ip_range_matches: List of IP ranges to match on. For selectively spoofing responses to a specific range of IPs.
- modifications: See the “Modifications” section of this README.
You can download Judas DNS here:
Or read more here.
Topic: Hacking Tools
dsniff Download – Tools for Network Auditing & Password Sniffing
Dsniff download is a collection of tools for network auditing & penetration testing. Dsniff, filesnarf, mailsnarf, msgsnarf, URLsnarf, and WebSpy passively monitor a network for interesting data (passwords, e-mail, files, etc.).
ARPspoof, DNSspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g, due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.
These tools were written with honest intentions – for the author to audit his own network, and to demonstrate the insecurity of cleartext/weakly-encrypted network protocols and ad-hoc PKI. please do not abuse this software.
Features/Contents for Dsniff Network Auditing & Password Sniffing
The name Dsniff refers both to the package of all the below tools and the one eponymous tool “Dsniff” included within.
- arpspoof – redirect packets from a target host (or all hosts) on the LAN intended for another local host by forging ARP replies. this is an extremely effective way of sniffing traffic on a switch. kernel IP forwarding (or a userland program which accomplishes the same, e.g. fragrouter :-) must be turned on ahead of time.
- dnsspoof – forge replies to arbitrary DNS address / pointer queries on the LAN. this is useful in bypassing hostname-based access controls, or in implementing a variety of man-in-the-middle attacks (HTTP, HTTPS, SSH, Kerberos, etc).
- dsniff – password sniffer. handles FTP, Telnet, SMTP, HTTP, POP, poppass, NNTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF, PPTP, MS-CHAP, NFS, VRRP, YP/NIS, SOCKS, X11, CVS, IRC, AIM, ICQ, Napster, PostgreSQL, Meeting Maker, Citrix ICA, Symantec pcAnywhere, NAI Sniffer, Microsoft SMB, Oracle SQL*Net, Sybase and Microsoft SQL auth info.
- filesnarf – saves selected files sniffed from NFS traffic in the current working directory.
- macof – flood the local network with random MAC addresses (causing some switches to fail open in repeating mode, facilitating sniffing). a straight C port of the original Perl Net::RawIP macof program.
- mailsnarf – a fast and easy way to violate the Electronic Communications Privacy Act of 1986 (18 USC 2701-2711), be careful. outputs selected messages sniffed from SMTP and POP traffic in Berkeley mbox format, suitable for offline browsing with your favorite mail reader (mail -f, pine, etc.).
- msgsnarf – record selected messages from sniffed AOL Instant Messenger, ICQ 2000, IRC, and Yahoo! Messenger chat sessions.
- sshmitm – SSH monkey-in-the-middle. proxies and sniffs SSH traffic redirected by dnsspoof(8), capturing SSH password logins, and optionally hijacking interactive sessions. only SSH protocol version 1 is (or ever will be) supported – this program is far too evil already.
- sshow – SSH traffic analysis tool. analyzes encrypted SSH-1 and SSH-2 traffic, identifying authentication attempts, the lengths of passwords entered in interactive sessions, and command line lengths.
- tcpkill – kills specified in-progress TCP connections (useful for libnids-based applications which require a full TCP 3-whs for TCB creation).
- tcpnice – slow down specified TCP connections via “active” traffic shaping. forges tiny TCP window advertisements, and optionally ICMP source quench replies.
- urlsnarf – output selected URLs sniffed from HTTP traffic in CLF (Common Log Format, used by almost all web servers), suitable for offline post-processing with your favourite web log analysis tool (analog, wwwstat, etc.).
- webmitm – HTTP / HTTPS monkey-in-the-middle. transparently proxies and sniffs web traffic redirected by dnsspoof(8), capturing most “secure” SSL-encrypted webmail logins and form submissions.
- webspy – sends URLs sniffed from a client to your local Netscape browser for display, updated in real-time (as the target surfs, your browser surfs along with them, automagically). a fun party trick. :-)
You can download Dsniff here:
Or read more here.
Topic: Networking Hacking
OWASP Amass – DNS Enumeration, Attack Surface Mapping & External Asset Discovery
The OWASP Amass Project is a DNS Enumeration, Attack Surface Mapping & External Asset Discovery tool to help information security professionals perform network mapping of attack surfaces and perform external asset discovery using open source information gathering and active reconnaissance techniques.
Information Gathering Techniques Used by OWASP Amass for DNS Enumeration and More
The main functionality of Amass is as follows:
- DNS: Basic enumeration, Brute forcing (optional), Reverse DNS sweeping, Subdomain name alterations/permutations, Zone transfers (optional)
- Scraping: Ask, Baidu, Bing, DNSDumpster, DNSTable, Dogpile, Exalead, Google, HackerOne, IPv4Info, Netcraft, PTRArchive, Riddler, SiteDossier, ViewDNS, Yahoo
- Certificates: Active pulls (optional), Censys, CertSpotter, Crtsh, Entrust, GoogleCT
- APIs: AlienVault, BinaryEdge, BufferOver, CIRCL, CommonCrawl, DNSDB, GitHub, HackerTarget, IPToASN, Mnemonic, NetworksDB, PassiveTotal, Pastebin, RADb, Robtex, SecurityTrails, ShadowServer, Shodan, Spyse (CertDB & FindSubdomains), Sublist3rAPI, TeamCymru, ThreatCrowd, Twitter, Umbrella, URLScan, VirusTotal, WhoisXML
- Web Archives: ArchiveIt, ArchiveToday, Arquivo, LoCArchive, OpenUKArchive, UKGovArchive, Wayback
Usage of Amass for DNS Enumeration, Attack Surface Mapping & External Asset Discovery
The Amass tool has several subcommands shown below for handling your Internet exposure investigation.
- intel – Collect open-source intelligence for investigation of the target organization
- enum – Perform DNS enumeration and network mapping of systems exposed to the Internet
- viz – Generate visualizations of enumerations for exploratory analysis
- track – Compare results of enumerations against common target organizations
- db – Manage the graph databases storing the enumeration results
Each subcommand has its own arguments, for example, the ‘intel’ subcommand.
The intel subcommand can help you discover additional root domain names associated with the organization you are investigating. The data source sections of the configuration file are utilized by this subcommand in order to obtain passive intelligence, such as reverse whois information.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 |
-active Enable active recon methods -addr IPs and ranges (192.168.1.1-254) separated by commas -asn ASNs separated by commas (can be used multiple times) -cidr CIDRs separated by commas (can be used multiple times) -config Path to the INI configuration file -d Domain names separated by commas (can be used multiple times) -demo Censor output to make it suitable for demonstrations -df Path to a file providing root domain names -dir Path to the directory containing the graph database -ef Path to a file providing data sources to exclude -exclude Data source names separated by commas to be excluded -if Path to a file providing data sources to include -include Data source names separated by commas to be included -ip Show the IP addresses for discovered names -ipv4 Show the IPv4 addresses for discovered names -ipv6 Show the IPv6 addresses for discovered names -list Print the names of all available data sources -log Path to the log file where errors will be written -max-dns-queries Maximum number of concurrent DNS queries -noresolvrate Disable resolver rate monitoring -noresolvscore Disable resolver reliability scoring -o Path to the text output file -org Search string provided against AS description information -p Ports separated by commas (default: 443) -public-dns Use public-dns.info resolvers -r IP addresses of preferred DNS resolvers (can be used multiple times) -rf Path to a file providing preferred DNS resolvers -src Print data sources for the discovered names -timeout Number of minutes to execute the enumeration -whois All discovered domains are run through reverse whois |
It has some visualization capabilities and can also output to other tools and in various formats such as D3.js, GEXF, Graphistry JSON, VisJS and Maltego format.
You can download Amass here:
Linux: amass_v3.4.2_linux_amd64.zip
Windows: amass_v3.4.2_windows_amd64.zip
Source: Amass-v3.4.2.zip
Or read more here.
Topic: Hacking Tools
Cameradar – Hack RTSP Video Surveillance CCTV Cameras
Cameradar is a Go-based tool to hack RTSP Video Surveillance CCTV Cameras, it can detect open RTSP hosts, detect device models and launch automated attacks.
The main features of Cameradar are:
- Detect open RTSP hosts on any accessible target host
- Detect which device model is streaming
- Launch automated dictionary attacks to get their stream route (e.g.: /live.sdp)
- Launch automated dictionary attacks to get the username and password of the cameras
- Retrieve a complete and user-friendly report of the results
Using Cameradar to Hack RTSP Video Cameras
|
1 2 3 4 5 6 7 8 9 10 11 |
"-t, --targets": Set target. Required. Target can be a file (see instructions on how to format the file), an IP, an IP range, a subnetwork, or a combination of those. Example: --targets="192.168.1.72,192.168.1.74" "-p, --ports": (Default: 554,5554,8554) Set custom ports. "-s, --scan-speed": (Default: 4) Set custom nmap discovery presets to improve speed or accuracy. It's recommended to lower it if you are attempting to scan an unstable and slow network, or to increase it if on a very performant and reliable network. You might also want to keep it low to keep your discovery stealthy. See this for more info on the nmap timing templates. "-I, --attack-interval": (Default: 0ms) Set custom interval after which an attack attempt without an answer should give up. It's recommended to increase it when attempting to scan unstable and slow networks or to decrease it on fast and reliable networks. "-T, --timeout": (Default: 2000ms) Set custom timeout value after which an attack attempt without an answer should give up. It's recommended to increase it when attempting to scan unstable and slow networks or to decrease it on fast and reliable networks. "-r, --custom-routes": (Default: <CAMERADAR_GOPATH>/dictionaries/routes) Set custom dictionary path for routes "-c, --custom-credentials": (Default: <CAMERADAR_GOPATH>/dictionaries/credentials.json) Set custom dictionary path for credentials "-o, --nmap-output": (Default: /tmp/cameradar_scan.xml) Set custom nmap output path "-d, --debug": Enable debug logs "-v, --verbose": Enable verbose curl logs (not recommended for most use) "-h": Display the usage information |
Examples to Hack RTSP Camera
Running cameradar on your own machine to scan for default ports
|
1 |
docker run --net=host -t ullaakut/cameradar -t localhost |
Running cameradar with an input file, logs enabled on port 8554
|
1 |
docker run -v /tmp:/tmp --net=host -t ullaakut/cameradar -t /tmp/test.txt -p 8554 |
Running cameradar on a subnetwork with custom dictionaries, on ports 554, 5554 and 8554
|
1 |
docker run -v /tmp:/tmp --net=host -t ullaakut/cameradar -t 192.168.0.0/24 --custom-credentials="/tmp/dictionaries/credentials.json" --custom-routes="/tmp/dictionaries/routes" -p 554,5554,8554 |
You can download Cameradar here:
Or read more here.
Topic: Hacking Tools
dSploit APK Download – Hacking & Security Toolkit For Android
dSploit APK Download is a Hacking & Security Toolkit For Android which can conduct network analysis and penetration testing activities. It aims to offer to IT security experts the most complete and advanced professional toolkit to perform network security assessments on a mobile device. Once dSploit is started, you will be able to easily map […]
Topic: Hacking Tools
Scallion – GPU Based Onion Hash Generator
Scallion is a GPU-driven Onion Hash Generator written in C#, it lets you create vanity GPG keys and .onion addresses (for Tor’s hidden services) using OpenCL. Scallion runs on Mono (tested in Arch Linux) and .NET 3.5+ (tested on Windows 7 and Server 2008) Scallion was used to find collisions for every 32bit key id […]
Topic: Cryptography