What is DNS Spoofing?
Firstly, we need to understand what a DNS server is.
DNS stands for Domain Name Server. It is a server that matches IP addresses to their associated hostnames.
Here's a clear and easy example of what a DNS server does:
Copy/paste this IP, 22.214.171.124, into your browser and you should see the "google.co.uk" webpage displayed.
Why am I being redirected to this website?
Because what you just entered is the IPv4 address of the "website" (server), and because your DNS server knows that this IP = google.co.uk, it was replaced.
Why do we need DNS servers?
I'm pretty sure you would forget all these numbers, whereas you'll keep in mind simple words like "google" or even "HackThis" :p
II. How it works
Now that we know what a DNS server is, we'll get to the main subject: how DNS spoofing (or DNS cache poisoning) works.
As you probably understood from the word "spoofing", a DNS spoofing attack consists in spoofing the hostname of an IP, i.e. matching an IP with a fake hostname.
How would one do such a thing?
You need to be on the same network as your victim and then use some knowledge you'll get in the next part :)
In this tutorial, we'll make use of Ettercap, a free and open source network security tool for man-in-the-middle attacks on a LAN, by HackingTeam.
For Windows computers, a little "ettercap windows" search on your favorite website should do the job. For *NIX-like computers, just run your package manager's command to download and install the package. As for myself, on Arch Linux:
$ pacman -S ettercap-gtk
N.B.: Make sure to download the GTK version of the package!
When you're done with this, you can continue and do the right configuration as follows:
$ gedit /etc/ettercap/etter.conf
You need to change two values, gid and uid, to 0, just like this:
Now, scroll down until you see the "Linux" part, and delete the two '#' comment markers, as follows:
Now that we're done with the configuration, we'll start the real work :)
C. Configuration of the attack
First thing, let's run Ettercap:
$ ettercap -G
Now we want to sniff on the right interface. The right interface I'm talking about is the one you get your internet connection from. To find it:
Take a look at the one displaying an IPv4 address. My interface is named "wlp2s0".
Let's go back to Ettercap: Sniff > Unified sniffing > select your interface, wlp2s0.
When you click "OK" ("Valider" for me, as you can see in the screenshot), sniffing starts automatically, but we don't want this yet, so we stop it like this: Start > Stop sniffing.
Now we need to select our victim. We first need to look up the hosts available on the network. Hit Hosts > Scan for hosts and wait until the scan is done.
Once the scan is done, let's take a look at the available hosts: Hosts > Hosts list.
Here we need to select two targets. The first one, Target1, needs to be your victim; find out who your victim is by any means you want. The second one, Target2, needs to be your network gateway.
How do I know my network gateway's IP?
Here's a little command:
$ route -n
That'll give you something like:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG    600    0        0 wlp2s0
192.168.1.0     0.0.0.0         255.255.255.0   U     600    0        0 wlp2s0
My gateway, there, is 192.168.1.254 (the Gateway column of the 0.0.0.0 default route).
After selecting your targets, Ettercap should look like this:
D. Launching the attack
Now that everything is set-up, we can proceed to the attack.
- MITM > ARP Poisoning and tick 'Sniff remote connections'.
- Plugins > Manage the plugins > Double click on ‘dns_spoof’ to activate it
We need to edit another file, as follows:
$ gedit /etc/ettercap/etter.dns
You need to edit this file by inserting line(s) just as I did (where you can read "hackthis").
I don't get what you did there: what is this file, and what is this IP next to hackthis?
This file is basically the one the DNS server will read. As for the line (*.hackthis.co.uk A 192.168.1.12), its three fields are:
- *.hackthis.co.uk means: any hostname under hackthis.co.uk
- A: the type of query; if you want to know more about it, check this link: List of DNS record types
- 192.168.1.12: the IP you want the target to be redirected to when visiting the website.
If I had to make a sentence out of this line: if the user (aka the victim, aka Target1) visits a website matching "*.hackthis.co.uk", then redirect him to the IP "192.168.1.12".
Why this IP and not another one?
The IP I chose is just an example. It could be anything else. I could have hosted a web server on my computer serving a good phishing copy of HackThis!!'s login page.
And thus, when the victim visits the page "https://hackthis.co.uk", he thinks he's using the right page whereas he's being pwned. That's how good this attack is: the URL won't change, it remains the same as the actual website's. (One caveat worth knowing from the victim's side: over HTTPS the browser will still raise a certificate warning, because a server that is not the real hackthis.co.uk cannot present a valid certificate for it, which is exactly why such warnings should never be clicked through.)
Feel free to use your imagination :p
Now, go back to Ettercap and : Start > Start Sniffing
If you followed the aforesaid steps as described, you should have succeeded in your attack!
Being the attacker is a cool thing for sure, but what to do if you find yourself in the position of the victim? There's a lot you can do!
There are a few third-party tools that may help you detect ARP/DNS poisoning, such as:
Snort, XArp, ArpON, ArpAlert, Arpwatch, and a lot of others you can find with a little Google search.
But... why use third-party apps when you can do it manually over a beautiful terminal? :p
$ arp -a
A simple method is to check whether you can find a line containing the MAC address of your network gateway (router); if not, you're having some problems with your DNS ;)
We've learnt what DNS servers and DNS spoofing attacks are, how they work, how to attack, but also, and more importantly, how to avoid getting pwned by such attacks.
I hope this tutorial will help someone, one day, to get past such problems :)
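The manual `arp -a` check above, turned into a small script. This is an added example, not part of the original tutorial or of Ettercap: it parses `arp -a` output, compares the gateway's MAC against a known-good value recorded while the LAN was healthy, and also goes one step beyond the text by flagging a MAC that answers for several IPs, which is the usual footprint of the ARP poisoning this attack relies on. The gateway IP, the MAC addresses and both ARP tables are constructed sample values.

```python
import re
from collections import defaultdict

# Assumed known-good values, recorded on a healthy LAN (constructed placeholders).
GATEWAY_IP = "192.168.1.254"
GATEWAY_MAC = "aa:bb:cc:dd:ee:01"

# Constructed `arp -a` output (Linux net-tools format) of a healthy LAN.
ARP_CLEAN = """\
_gateway (192.168.1.254) at aa:bb:cc:dd:ee:01 [ether] on wlp2s0
? (192.168.1.12) at aa:bb:cc:dd:ee:99 [ether] on wlp2s0
? (192.168.1.7) at aa:bb:cc:dd:ee:07 [ether] on wlp2s0
"""

# Same LAN while 192.168.1.12 is ARP-poisoning this host: the gateway IP now
# resolves to the attacker's MAC, so that MAC appears twice (constructed).
ARP_POISONED = """\
_gateway (192.168.1.254) at aa:bb:cc:dd:ee:99 [ether] on wlp2s0
? (192.168.1.12) at aa:bb:cc:dd:ee:99 [ether] on wlp2s0
? (192.168.1.7) at <incomplete> on wlp2s0
"""

ARP_LINE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.I,
)


def parse_arp_table(text):
    """Map IP -> MAC from `arp -a` lines; '<incomplete>' entries are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def arp_findings(text, gateway_ip=GATEWAY_IP, expected_mac=GATEWAY_MAC):
    """Return anomalies: gateway missing, gateway MAC changed, one MAC for several IPs."""
    table = parse_arp_table(text)
    findings = []
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        findings.append(f"gateway {gateway_ip} has no entry in the ARP cache")
    elif gw_mac != expected_mac.lower():
        findings.append(f"gateway {gateway_ip} is at {gw_mac}, expected {expected_mac}")
    ips_by_mac = defaultdict(list)
    for ip, mac in table.items():
        ips_by_mac[mac].append(ip)
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            findings.append(f"MAC {mac} answers for several IPs: {', '.join(sorted(ips))}")
    return findings
```

On a live host, feed it `subprocess.check_output(["arp", "-a"], text=True)` instead of the constructed strings; the known-good gateway MAC must come from a moment when you trust the network, not from the current cache.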