Saturday, 28 January 2017

DNS Spoofing Tutorial (MITM attack)


Steps and instructions -
This tutorial covers DNS spoofing, which is a type of MITM attack. In this tutorial we will redirect a Facebook user to our website.

Terms -

* DNS - the Domain Name System is a service which translates domain names to IP addresses and IP addresses to domain names.

DNS spoofing - feeding a user forged DNS answers so that a request for one website is redirected to our website.

Steps -

This is a LAN attack: both machines are on the same local network.

I have two machines running here. One is the target, i.e. a Windows machine.


The other is Kali Linux, which we will be using to conduct the attack.


Let's find the target's IP address by running a quick scan from Kali Linux.

* The command is "nmap -sS (IP address range)"


The scan takes some time because it covers the whole range you specified.


Here is my target.

The tool which we will be using today is Ettercap.

But before that we need to edit a file.

The file is etter.conf, found at /etc/ettercap/etter.conf.

* We will open a terminal and type in "gedit /etc/ettercap/etter.conf"


The file will open in the gedit editor.


Here you have to edit the 'uid' and the 'gid'. Replace the number with '0'.


Like this





Scroll down and search for Linux


Here we uncomment the lines by removing the '#' sign in front of them.


Note - Just remove it; don't add '0' or anything else.


Save file and exit.

Now we will open Ettercap.

* Open a terminal and type in "ettercap -G"


This opens the Ettercap GUI, which is used for many things in Kali Linux.



* Now we want to go to 'sniff' in the menu bar and select 'unified sniffing'


This will ask which adapter or interface you want to sniff. Mine is eth0, so I will click OK. If you are on Wi-Fi, you may want to select the WLAN interface.


The sniffing process will automatically start. We don't want that yet. So we will stop the sniffing for now.


* Now we want to scan the network. Go to Hosts and select 'scan for hosts'


When the scan is complete, we will go again to Hosts and select "Hosts List"


This shows the live hosts on your network.


* Now we need to select our target.

There will be two targets here.

One is the Windows machine and the other one is our gateway.

If you don't know your gateway IP address, then open a terminal and type "route".

This will show you the gateway of your network.


Now we will select our target by clicking on the target IP.

First I will add my gateway, i.e. 192.168.80.1

I will click on it and click on 'add to target 1'


Now I will do the same to our target IP address.

But this time I will click on 'Add to Target 2'


* Next step is to go to MITM in the menu and select 'ARP poisoning'


After selecting it you will get an options dialog, where you have to tick "Sniff remote connections".


* Now move to the 'Plugins' tab and select "Manage the plugins"


Here we have to select which plugins we should be using. We will select "dns-spoof" because we are spoofing the DNS


* After this, the setup will be complete once we edit one more file.

That is the host file, /etc/ettercap/etter.dns.

Open another terminal and type "gedit /etc/ettercap/etter.dns"


This will open up the host file.


This file contains the entries that control which site is redirected to which address.

Scroll down and search for "Microsoft Sucks"


Here, if the user wants to access the Microsoft website, the spoof will redirect him to www.linux.org

Note The truth - "MICROSHIT REALLY SUCKS"

* Here we will edit a few lines.

I will remove the last line, which says "www.microsoft.com PTR 107.170.40.56 # wildcards in PTR are not allowed"

And replace microsoft.com with facebook.com

Note - Don't edit anything else.

Note that each entry has an IP address. We have to change it to our own IP, i.e. the Kali machine's address.

If you don't know your IP address, then open a terminal and type "ifconfig"


Replace the IP address


By the end the file would look something like this.

Remember that the separator between the fields is a tab, not a space. If your edit does not work, check that you used tabs.

Ok done. Save the file.

This will redirect the facebook site to our IP.

This is an HTTP attack, so some browsers can defend against it (a site served over HTTPS will not load from the fake server, because the certificate check fails), just in case you didn't know.
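The two things this tutorial changes on the LAN, the gateway's ARP mapping (the 'ARP poisoning' step) and the A record handed back for facebook.com (the etter.dns edit), are also the two things a defender can watch for. The following is an added example, not code from this post or from Ettercap: a small Python detector run over constructed ARP table snapshots and constructed DNS answers (the IPs, MACs and hostnames are made up to match the 192.168.80.0/24 network used above). It flags a gateway whose MAC address changed, one MAC claiming several IPs, and a public hostname that suddenly resolves to a private address.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed ARP table snapshots (hypothetical hosts on the post's 192.168.80.0/24 LAN),
# in the "ip -> mac" form a host would see in `arp -a` or `ip neigh`.
ARP_BEFORE: Dict[str, str] = {
    "192.168.80.1": "00:50:56:aa:bb:01",    # gateway, its real MAC
    "192.168.80.130": "00:0c:29:11:22:33",  # another workstation
}
ARP_AFTER: Dict[str, str] = {
    "192.168.80.1": "00:0c:29:44:55:66",    # gateway IP now answers from a different MAC
    "192.168.80.130": "00:0c:29:11:22:33",
    "192.168.80.128": "00:0c:29:44:55:66",  # the same MAC also owns a second IP
}

# Constructed DNS answers observed on the wire: (query name, record type, answer).
DNS_ANSWERS: List[Tuple[str, str, str]] = [
    ("www.facebook.com", "A", "192.168.80.128"),  # public name -> LAN address (suspicious)
    ("www.microsoft.com", "A", "20.70.246.20"),   # hypothetical public address (normal)
    ("printer.lan", "A", "192.168.80.20"),        # internal name, private IP is expected
]


def find_arp_anomalies(before: Dict[str, str], after: Dict[str, str]) -> List[str]:
    """Compare two ARP snapshots and report signs of ARP poisoning."""
    alerts: List[str] = []
    # 1. An IP (typically the gateway) whose hardware address changed between snapshots.
    for ip, mac in after.items():
        old = before.get(ip)
        if old is not None and old.lower() != mac.lower():
            alerts.append(f"ARP: {ip} changed from {old} to {mac}")
    # 2. One MAC answering for several IPs: a poisoner claims the gateway's IP
    #    in addition to its own. (Heuristic: routers with virtual IPs also do this.)
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in after.items():
        by_mac.setdefault(mac.lower(), []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"ARP: {mac} claims multiple IPs: {', '.join(sorted(ips))}")
    return alerts


def find_dns_anomalies(
    answers: List[Tuple[str, str, str]],
    internal_suffixes: Tuple[str, ...] = (".lan", ".local", ".internal"),
) -> List[str]:
    """Flag A records that send a public hostname to a private (RFC 1918 or similar) address."""
    alerts: List[str] = []
    for qname, rtype, rdata in answers:
        if rtype != "A":
            continue
        addr = ipaddress.ip_address(rdata)
        internal_name = qname.lower().endswith(internal_suffixes)
        if addr.is_private and not internal_name:
            alerts.append(f"DNS: {qname} -> {rdata} (public name resolved to a private address)")
    return alerts


if __name__ == "__main__":
    for line in find_arp_anomalies(ARP_BEFORE, ARP_AFTER) + find_dns_anomalies(DNS_ANSWERS):
        print(line)
```

On a real host you would feed `find_arp_anomalies` with periodic snapshots of the ARP cache and `find_dns_anomalies` with answers captured by a resolver log or a packet capture; the private-address check is exactly what catches the etter.dns edit above, since it replaces Facebook's public address with a LAN one.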

* Now we need to edit the HTML file located in /var/www/html on the Kali machine.


We need to edit the index.html file.

Open the file with gedit and delete everything inside


And just type in a new code which says something like "<h1> Welcome to Hacking Monks </h1>"


Save the file and exit.

Now we need to start our apache server.

Open another Terminal and say "service apache2 start"



Now we can conduct the attack.

* Go to Ettercap and start sniffing


Now I will go to the target machine and try to access the facebook website.

Lets see what happens.



You will be redirected to our fake website.

This, my friends, is DNS spoofing.

Hope you guys learnt a lot from this tutorial.

Thank you guys for reading this.


7 comments:

  1. But it doesn't work.
    Facebook doesn't let you go; eBay goes to the original site.
    Tested with Google Chrome.

    Reply:
    1. Due to HTTPS being used.

  2. Does this work only on sites that use the HTTP protocol? What if our target spoof is HTTPS?
    Can you send me the answer by email? This is my email:
    adarafaranisa443@gmail.com

    Sorry, I use Google Translate.
    Thank you.

  3. This comment has been removed by the author.

  4. Hi. I am Manas Lahon and I really like the Hacking Monks blog. You're doing a great job.

  5. I'm trying to follow your tutorial... I've added the router's IP as Target 1 and the other IPs (I added more than 1) to Target 2... the effect is the entire network can't access the internet... which is incorrect from the steps I've done...???