DNS spoofing is an attack in which the attacker, already positioned as a Man In The Middle, alters the name resolution in the DNS server's response to the victim, sending them to a malicious page instead of the one they requested while the browser still shows the legitimate name.
In this recipe, we will use Ettercap to perform a DNS spoofing attack and make the victim visit our site when they really wanted to visit a different site.
For this recipe, we will use our Windows client virtual machine, but this time with the network adapter bridged so that its DNS queries travel over the network. Its IP address in this recipe will be 192.168.71.14.
The attacking machine will be our Kali Linux machine with the IP address 192.168.71.8. It will also need to have an Apache server running and a demo index.html page; ours will contain the following:
<h1>Spoofed SITE</h1>
Edit Ettercap's name resolution file, /etc/ettercap/etter.dns, so that it contains only the following line:
* A 192.168.71.8
We will set only one rule: All A records (address records) will resolve to 192.168.71.8, which is our Kali Linux address. We could have left the other entries but we want to avoid noise in this example.
ettercap -i wlan0 -T -P dns_spoof -M arp /192.168.71.14///
This runs Ettercap in text mode, performing ARP spoofing with the DNS spoofing plugin enabled and 192.168.71.14 as the only target.
Note how the address and title bars show the name of the original site even though the content is from a different place.
The spoofed resolution can also be verified from the client with nslookup, as shown here:
nslookup
In this recipe, we saw how to use a Man In The Middle attack to force users to navigate to pages even when they believe they are on other sites.
In the first step, we modified Ettercap's name resolution file, ordering it to resolve all names requested to the address of our Kali machine.
After that, we ran Ettercap with the following parameters (-i wlan0 -T -P dns_spoof -M arp /192.168.71.14///):
-i wlan0: Remember we needed the client to ask for DNS resolution, so we needed it to have a bridged adapter and to be within reach of our Kali machine; we therefore set the sniffing interface to wlan0 (the attacker's computer wireless card).
-T: This selects the text-only interface.
-P dns_spoof: This enables the DNS spoofing plugin.
-M arp: This performs an ARP spoofing attack.
/192.168.71.14///: This is how we set targets to Ettercap in the command line: MAC/ip_address/port, where the empty MAC and port fields mean any MAC address corresponding to IP 192.168.71.14 (the client) at any port.
Finally, we just confirmed that the attack was working OK.
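As an added example (not part of the original recipe), here is the kind of check a defender could run over resolver or passive DNS logs to spot the pattern this recipe creates: a wildcard rule such as * A 192.168.71.8 collapses every A lookup onto one LAN host, so many unrelated names suddenly resolve to the same private address. The sample answers and the 192.168.71.x addresses are constructed to match the recipe's lab.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of DNS answers (queried name, A record returned), as a
# resolver log or a passive DNS sensor on the client segment might record them.
SAMPLE_ANSWERS = [
    ("www.example.com", "192.168.71.8"),
    ("mail.example.net", "192.168.71.8"),
    ("cdn.example.org", "192.168.71.8"),
    ("update.example.com", "192.168.71.8"),
    ("intranet.corp.local", "192.168.71.20"),
    ("www.example.edu", "93.184.216.34"),
]

def names_per_ip(answers):
    """Group the distinct queried names by the address they resolved to."""
    groups = defaultdict(set)
    for name, ip in answers:
        groups[ip].add(name.lower().rstrip("."))
    return {ip: sorted(names) for ip, names in groups.items()}

def find_collapsed_answers(answers, min_names=3):
    """Addresses that answer for at least min_names unrelated names.
    A wildcard rule like '* A 192.168.71.8' in etter.dns produces exactly
    this signature: every A lookup lands on the attacker's host."""
    return {ip: names for ip, names in names_per_ip(answers).items()
            if len(names) >= min_names}

def external_names_in_private_space(answers, internal_suffixes=(".local",)):
    """Names that are not internal (by suffix) yet resolve into private
    (RFC 1918) space; a public site should not resolve to the LAN."""
    hits = []
    for name, ip in answers:
        if name.lower().endswith(internal_suffixes):
            continue  # internal names legitimately live in private space
        if ipaddress.ip_address(ip).is_private:
            hits.append((name, ip))
    return hits

def detect(answers, min_names=3):
    """Run both checks and return their findings."""
    return {"collapsed": find_collapsed_answers(answers, min_names),
            "private": external_names_in_private_space(answers)}

if __name__ == "__main__":
    report = detect(SAMPLE_ANSWERS)
    for ip, names in report["collapsed"].items():
        print(f"ALERT {ip} answers for {len(names)} names: {', '.join(names)}")
    for name, ip in report["private"]:
        print(f"ALERT external name {name} resolved to private address {ip}")
```

The thresholds and the internal-suffix list are assumptions to be tuned to the environment; on a real network the input would come from the resolver's query log or a sniffer rather than the constructed list.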
There is also another very useful tool for these kinds of attacks called dnsspoof. You should check it out and add it to your arsenal:
man dnsspoof
http://www.monkey.org/~dugsong/dsniff/
Another tool worth mentioning is the Man In The Middle attack framework: MITMf. It contains built-in capabilities for ARP poisoning, DNS spoofing, WPAD rogue proxy server and other types of attacks.
mitmf --help