Information Security, Web, Networks and Systems

Friday, June 28, 2013

DNS Spoofing with Ettercap in BackTrack 5

6:26 AM Posted by Deepal Jayasekara , , , , , , No comments
As you know DNS is an essential service in the internet which requires you to easily browse internet using beautiful URL addresses. I am not going to describe the usage of DNS, but I think a brief explanation may be useful. Here I list the functionality of DNS in brief.

  • DNS is the essential service that maps user friendly plain text web addresses (i.e facebook.com, google.com etc..) into IP addresses which are the real addresses of the servers that the websites run.

  • When you type a URL in the browser's address bar and start navigation, your address will be directed to a DNS server and the relavent IP address of the Web server will be sent back as a reply to your computer.

  • Then you will be able to directly connect to the web browser that you wished to visit.

  • DNS is really important since you cannot remember all the IP addresses of your preferred servers, as you only have to remember the name of the website and DNS does the address translation for you.
What if.........

What if you requested the IP address of the Facebook.com and the DNS server sent back the Google.com's IP address as the reply?? Your browser thinks that this is the IP address of the facebook and using that IP address it will be redirected to the Google. You want to visit Facebook to see some friends but you will end up with Google.com homepage!!
                  Fortunately...You won't face such kind of things since all of the DNS servers that are configured properly do not that kind of mistakes. But think of this concept..what if an attacker can maliciously change those settings so that your requests for some websites are replied with fake IP addressess and you will be directed to the attacker's web server?

This concept is called DNS spoofing. In DNS spoofing, an attacker intercepts this DNS process and he sends you a fake IP address as the reply to your DNS query. Then you will end up being compromised.

Ettercap is a tool that is shipped with BackTrack 5 OS that can be used for DNS spoofing. Once you have installed Backtrack operating system, you can find this tool in the folder /usr/local/share/ettercap/. First, what we should do is to configure Ettercap so that we can spoof a legitimate web address. To configure Ettercap, we should make some changes in the file etter.dns. Follow these steps for configuration.

$ nano /usr/local/share/ettercap/etter.dns

Then etter.dns file will be opened in the editor. Go down the file, there you see few DNS entries already there such as for microsoft.com.


As an example, lets spoof requests for the Google.com to another server. For that purpose we should add an entry into this file that is for Google.com. Add the following entry into that file with other entries.

Note:
   In my environment I am running a web server in 192.168.78.1 IP address. I wanted to direct all requests for Google.com into my server. So I have mentioned above IP address in the following entry. You can use one of your servers' IP address in following entry.

google.com    A    192.168.78.1


After entering that entry into the file, press Ctrl+O and save. Then exit the editor with Ctrl+X.

Now we have completed the configuration. What we have to do next is starting DNS spoof.

For that run the following command in the terminal.

Note:
     At the end of the above command I have mentioned 192.168.78.143 as an IP address. This IP address is the IP address of the victim of our DNS spoofing. Anyone who tries to visit Google.com from the computer with IP address 192.168.78.143,  should be directed to above fake IP address.

$ ettercap -T -Q -M arp -P dns_spoof  /192.168.78.143/ //


Final '//' of the command says that do this DNS spoofing for all IP addresses in our current subnet.

Once the command is executed, you can see following output in your terminal.


Woah!!! DNS spoof is running now.... Anyone who want to visit Google.com from the victim's machine now will be directed to your server... Congratzzz!!!

Here is my case :-


All comments are welcome :)

0 comments:

Post a Comment

Note: Only a member of this blog may post a comment.