PT0-002 Question #211: Real Exam Question with Answer & Explanation

The correct answer is B: Exploit the local DNS server and add/update the zone records with a spoofed A record. To subtly redirect HTTP connections to a spoofed server IP when the tester has on-path access only to local network services, exploiting the local DNS server to add or update zone records is the best method.

Attacks and Exploits

Question

A penetration tester has established an on-path position between a target host and local network services but has not been able to establish an on-path position between the target host and the Internet. Regardless, the tester would like to subtly redirect HTTP connections to a spoofed server IP. Which of the following methods would BEST support the objective?

Options

  • A. Gain access to the target host and implant malware specially crafted for this purpose.
  • B. Exploit the local DNS server and add/update the zone records with a spoofed A record.
  • C. Use the Scapy utility to overwrite name resolution fields in the DNS query response.
  • D. Proxy HTTP connections from the target host to that of the spoofed host.

Explanation

To subtly redirect HTTP connections to a spoofed server IP when the tester has on-path access only to local network services, exploiting the local DNS server to add or update zone records is the best method: the target host resolves names through that server, so a modified A record steers its HTTP connections without any per-packet interception.

Common mistakes.

  • A. Gaining access to the target host and implanting malware is more invasive and less subtle than redirecting traffic via DNS manipulation, and may not be necessary if network-level control is sufficient.
  • C. Using Scapy to overwrite name resolution fields in DNS query responses involves active, real-time packet manipulation, which can be less subtle and persistent than directly modifying the DNS server's records, especially given the constraint of not having on-path access to the Internet.
  • D. Proxying HTTP connections typically requires configuring the target to use a proxy or establishing a transparent proxy that can intercept all traffic, which might not be subtle or feasible without full on-path Internet access.

Concept tested. DNS spoofing, network redirection, local network exploitation

Reference. https://csrc.nist.gov/glossary/term/dns-spoofing

Topics

DNS spoofing, Network redirection, On-path attacks, Local network exploitation
