SPOOFDNS

Last updated 2 years ago

The SPOOFDNS command overrides DNS queries via packet injection: instead of acting as a resolver, it watches the DNS queries passing through the Packet Squirrel and injects a forged answer for the names you list. Because it works on traffic in transit rather than on traffic addressed to the device, it works in NAT, BRIDGE and TRANSPARENT modes alike. Hostnames can be matched by plain names or regular expressions.

Regular expressions can be difficult, but they are powerful: they allow matching complex patterns in a hostname, such as every subdomain of a given domain. Sites such as https://regex101.com/ can help explore and test a pattern before it goes into a payload.

SPOOFDNS uses the ECMASCRIPT regular expression flavor, so select the ECMAScript (JavaScript) flavor when testing a pattern on such a site.

Limitations

The SPOOFDNS tool is able to manipulate traditional plaintext DNS over UDP, which is still in common use. It is not able to manipulate DNS-over-HTTPS: those queries travel inside a TLS connection, so there is no plaintext query on the wire to match or answer. A client or browser configured to use an encrypted resolver will therefore resolve names normally, whatever SPOOFDNS rules are in place.

Options

The SPOOFDNS command expects several options:

SPOOFDNS [interface] [host1=ip1] ... [hostN=ipN]

Interface

SPOOFDNS requires a network interface. Typically on the Packet Squirrel this is br-lan, the virtual interface which connects the Ethernet ports.

Hosts and IP addresses

SPOOFDNS can match any number of hosts.

Hosts can be full hostnames or regular expressions. SPOOFDNS uses the ECMASCRIPT regular expression flavor.

An IP address can be either IPv4 or IPv6. SPOOFDNS detects the address type automatically: an IPv4 address overrides A record queries and generates an A response, an IPv6 address overrides AAAA queries and generates an AAAA response. A rule therefore only answers queries of its own record type. An IPv4 rule leaves AAAA queries for the same name untouched, so on a dual-stack network a name is only fully sinkholed when both an IPv4 and an IPv6 rule are given for it (as the sinkhole example at the end of this page does).

When using regular expressions to match hostnames, the match should always be enclosed in quotes; without them the shell would treat the `*` as a filename glob before SPOOFDNS ever saw the pattern:

SPOOFDNS br-lan '.*.example.com=127.0.0.1'

Note that in a regular expression an unescaped `.` matches any single character, so `.*.example.com` also matches names such as `evilexample.com`. To match a literal dot, escape it: `'.*\.example\.com=127.0.0.1'`.

Multiple hostname matches can be provided. They are tried in the order listed, and the first one that matches a query wins.

Always put the most general matches at the end! A broad pattern listed first would shadow every specific rule that follows it.

For example:

SPOOFDNS br-lan \
    'logon.example.com=1.2.3.4' \
    'v6.example.com=::1' \
    '.*.example.com=127.0.0.1'

This example resolves logon.example.com to the IPv4 address 1.2.3.4, v6.example.com to the IPv6 localhost address ::1, and all other hosts under example.com to the IPv4 localhost address 127.0.0.1. AAAA queries for hosts other than v6.example.com are not answered by any of these rules and pass through unchanged.
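To make the matching rules and the injection described above concrete, here is a small Python model of what SPOOFDNS does to a query on the wire. It is an added example, not code from Hak5 or the Packet Squirrel firmware, and it assumes behaviour this page does not spell out: rules are tried in the order given, a rule applies only to queries of its own record type (A for IPv4, AAAA for IPv6), and a pattern must match the whole query name. Python's `re` module stands in for the ECMAScript engine (the syntax used here means the same in both), and the sample queries are constructed inline. Running it shows why the general rule goes last and why an unescaped dot is a trap: `evilexample.com` is caught by `.*.example.com` but not by `.*\.example\.com`.

```python
"""Model of what SPOOFDNS does to a plain UDP DNS query.

Added example, not Hak5 code. Assumptions not stated on the page: rules are tried
in order, a rule applies only when its address family matches the query type, and
the pattern must match the whole query name. Python's re stands in for ECMAScript.
"""
import ipaddress
import re
import struct

A, AAAA = 1, 28          # DNS query types the tool answers


def parse_rules(args):
    """'host=ip' arguments -> list of (compiled pattern, ip_address), in order."""
    rules = []
    for arg in args:
        host, sep, ip = arg.partition("=")
        if not sep:
            raise ValueError(f"bad rule {arg!r}: expected host=ip")
        rules.append((re.compile(host), ipaddress.ip_address(ip)))
    return rules


def lookup(rules, qname, qtype):
    """First matching rule of the right family wins; None means leave the query alone."""
    if qtype not in (A, AAAA):
        return None
    want = 4 if qtype == A else 6
    for pattern, ip in rules:
        if ip.version == want and pattern.fullmatch(qname):
            return ip
    return None


def _skip_name(pkt, off):
    """Advance past an uncompressed name; return the offset after its root label."""
    while pkt[off]:
        off += pkt[off] + 1
    return off + 1


def parse_query(pkt):
    """Decode a one-question query -> (txid, flags, qname, qtype, end_of_question)."""
    txid, flags, qdcount = struct.unpack_from("!HHH", pkt, 0)
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a simple query")
    labels, off = [], 12
    while pkt[off]:
        n = pkt[off]
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii"))
        off += n + 1
    qtype = struct.unpack_from("!H", pkt, off + 1)[0]
    return txid, flags, ".".join(labels).lower(), qtype, off + 5


def build_response(query, ip, ttl=60):
    """Forge the answer an injector would send back to the client."""
    txid, qflags, _, qtype, qend = parse_query(query)
    # QR=1, RA=1, RD copied from the query: looks like the client's own recursive resolver.
    flags = 0x8080 | (qflags & 0x0100)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = query[12:qend]                    # echo the question section verbatim
    rdata = ip.packed                            # 4 bytes for A, 16 for AAAA
    # 0xC00C is a compression pointer to the name at offset 12 (the question name).
    answer = struct.pack("!HHHIH", 0xC00C, qtype, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def spoof(rules, query):
    """Injected response bytes for a query, or None if no rule applies."""
    _, _, qname, qtype, _ = parse_query(query)
    ip = lookup(rules, qname, qtype)
    return None if ip is None else build_response(query, ip)


def decode_answer(resp):
    """(txid, flags, answered IP as text) from a response built above; for checking."""
    txid, flags = struct.unpack_from("!HH", resp, 0)
    off = _skip_name(resp, 12) + 4              # past question name, type and class
    _, _, _, _, rdlen = struct.unpack_from("!HHHIH", resp, off)
    rdata = resp[off + 12:off + 12 + rdlen]
    return txid, flags, str(ipaddress.ip_address(rdata))


def encode_query(qname, qtype, txid=0x1234):
    """Constructed client query (sample input only; RD set, one question, class IN)."""
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, 1)


# The three rules from the page, and a variant with the dots escaped.
RULES = parse_rules(["logon.example.com=1.2.3.4",
                     "v6.example.com=::1",
                     ".*.example.com=127.0.0.1"])
STRICT = parse_rules([r".*\.example\.com=127.0.0.1"])

if __name__ == "__main__":
    for qname, qtype in [("logon.example.com", A), ("logon.example.com", AAAA),
                         ("mail.example.com", A), ("evilexample.com", A)]:
        resp = spoof(RULES, encode_query(qname, qtype))
        print(qname, "A" if qtype == A else "AAAA",
              "-> passed through" if resp is None else f"-> {decode_answer(resp)[2]}")
    # An unescaped '.' matches any character: evilexample.com is caught by RULES, not STRICT.
    print("strict:", lookup(STRICT, "evilexample.com", A))
```

The AAAA query for logon.example.com passes through because only IPv4 rules match that name, which is why the sinkhole payload below lists every pattern twice, once per address family. Swapping the order of the rules so `.*.example.com` comes first makes logon.example.com resolve to 127.0.0.1 instead of 1.2.3.4.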

Examples

The SPOOFDNS command can be used as part of a payload to redirect or sinkhole DNS queries:

#!/bin/bash
# Title:        DNS Sinkhole
#
# Description:  Demonstrate sinkholing a DNS domain (hak5.org)

# This payload will intercept any requests for a *.hak5.org domain
# and redirect them to localhost (127.0.0.1 for IPv4 or ::1 for IPv6)

# Bridge the two Ethernet ports so the target's traffic passes through
NETMODE BRIDGE

# Signal on the LED (red, SINGLE pattern) that the payload is running
LED R SINGLE

# Rules are tried in order. The bare apex needs its own rule because
# '.*.hak5.org' requires at least one character before 'hak5.org'.
# Each pattern is listed once per address family so that both A and
# AAAA queries are sinkholed.
SPOOFDNS br-lan \
    '.*.hak5.org=127.0.0.1' \
    'hak5.org=127.0.0.1' \
    '.*.hak5.org=::1' \
    'hak5.org=::1'

To check that the payload is working, query a sinkholed name from a client whose traffic passes through the Packet Squirrel, for example with `dig www.hak5.org A +short` or `nslookup www.hak5.org`. The answer should be 127.0.0.1. If the real address comes back, the query did not traverse the interface given to SPOOFDNS, or the client is using encrypted DNS (see Limitations).