How To Sniff DNS Using DNSspoof & Ettercap [MITM Series: 2] - Ettercap Tutorial: DNS Spoofing & ARP Poisoning Examples


Welcome to all my beloved hackers. In this article we’ll learn DNS spoofing using dnsspoof and ettercap. Ettercap is a comprehensive suite for man-in-the-middle attacks: it features sniffing of live connections, content filtering on the fly and many other things. We’ll cover DNS spoofing and ARP poisoning with the Ettercap tool in a Local Area Network (LAN).

What is DNS ?

DNS stands for domain name server; it is used to resolve domain names into IP addresses.
Basically a DNS resolver asks for a domain, and the DNS records, which map domain names to IP addresses, return the IP address of that domain so that we can visit the site.
DNS was introduced to let web addresses use strings.
There are many DNS-related services, like DDNS, RDNS, etc.

What is DNS spoofing ?

DNS spoofing is an active attack in which we poison DNS requests: we change the IP address returned for the domain the victim queries to our own IP address, and we set up a web server on our local machine that serves a fake page. Phishing can be performed using this attack.

Attack scenario

You need to be on a LAN or a hot-spot WLAN to perform this attack. We’ll discuss DNS spoofing using dnsspoof and ettercap. You need a network packet analyzer to sniff the connections, and you need an Apache server to host the fake web page on your local machine.

DNS spoofing using dnsspoof

dnsspoof is a terminal tool, so we perform the DNS spoofing from the shell.
To get this tool, run this command in the terminal (dnsspoof ships as part of the dsniff package, so that is the package to install):
sudo apt-get install dsniff
After installing it you can use it from the command line.
The basic syntax of this tool is
dnsspoof [-i interface] [-f hostsfile] [expression]
It’s very simple to use.
You first need to put your NIC into promiscuous mode to sniff all the connections going on in the LAN.
Run this command to do that:
ifconfig wlan1 promisc
Here wlan1 is the interface I’m using; in your case it might be different. If you are on Ethernet specify eth0, if you are on the internal WiFi adapter specify wlan0, and for an external adapter wlan1.
Now you have to change the DNS records of the LAN using tcpkill; it is just
tcpkill -9 host www.example.com
Make sure you change the website name to your victim site.
After doing this you have to edit the hosts file, where you specify your IP address and the domain to spoof. Open the hosts file (the one found under /usr/local in this setup) and add this line:
<your_ip_address> www.example.com
It’s important here to use the TAB key between the IP address and the domain. Spaces will be interpreted by the system as part of the domain name.
Find your IP address using ifconfig.
Now we need to create the website that the user will be directed to when they type example.com in the URL bar of their browser. Let’s create a simple webpage. If you want more info on how to create a simple webpage and host it on Linux, check out my Linux guide on Apache web servers.
Go to the /var/www/html folder, create an index.html file there, place the fake website in it as you desire and save it.
Go to the terminal and start the Apache server by running this command:
service apache2 start
And at last run this command to start spoofing DNS (the hosts file is passed with -f, as in the syntax above, and the interface with -i):
dnsspoof -i wlan1 -f hosts
Now, when anyone on the local area network attempts to navigate to the example.com website, they will instead come to our website!
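From the defender's side, the technique above leaves a signature: dnsspoof races the real resolver, so a sniffer on the LAN sees two answers for the same transaction ID, and the forged one points at a LAN address. The following detector is an added example written for this article, not part of dnsspoof or the original post; the OBSERVED records are constructed sample data, and the time window and internal-suffix list are assumptions.

```python
"""Flag DNS answers that look like dnsspoof output.

Two heuristics, both derived from how the attack works:
  1. the forged reply and the real reply both reach the victim, close
     together, with different answer IPs for the same txid/qname;
  2. a public name suddenly resolves to a private (LAN) address, which is
     exactly what the attacker's hosts file makes it do.
"""
import ipaddress
from collections import defaultdict

# Constructed sample of observed answers, not a real capture:
# (time_s, txid, qname, answer_ip, responder_ip)
OBSERVED = [
    (0.000, 0x1a2b, "example.com", "93.184.216.34", "192.168.1.1"),
    (1.000, 0x3c4d, "example.com", "192.168.1.50", "192.168.1.1"),   # forged, arrives first
    (1.030, 0x3c4d, "example.com", "93.184.216.34", "192.168.1.1"),  # real answer, late
    (2.000, 0x5e6f, "intranet.local", "10.0.0.5", "10.0.0.1"),       # legit split-horizon
]


def detect_spoofing(observed, window_s=2.0,
                    internal_suffixes=(".local", ".lan", ".internal")):
    """Return a list of (reason, qname, txid) alerts; thresholds are assumptions."""
    alerts = []
    by_query = defaultdict(list)
    for t, txid, qname, ans, _src in observed:
        by_query[(txid, qname)].append((t, ans))
        # Heuristic 2: private answer for a name that is not an internal zone.
        if (ipaddress.ip_address(ans).is_private
                and not qname.lower().endswith(internal_suffixes)):
            alerts.append(("private-ip-for-public-name", qname, txid))
    for (txid, qname), replies in by_query.items():
        ips = {ans for _, ans in replies}
        # Heuristic 1: conflicting answers for one txid within the window.
        if len(ips) > 1 and replies[-1][0] - replies[0][0] <= window_s:
            alerts.append(("conflicting-answers", qname, txid))
    return alerts


if __name__ == "__main__":
    for reason, qname, txid in detect_spoofing(OBSERVED):
        print(f"ALERT {reason}: {qname} txid=0x{txid:04x}")
```

Split-horizon DNS will trip heuristic 2 for legitimate internal zones, which is why the suffix list exists; tune it to your environment.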

DNS Spoofing using ettercap

It’s very easy to spoof DNS using ettercap. Ettercap has a GUI in which you can perform almost all types of MITM attacks on a LAN.
First, if you don’t have ettercap, install it by running this command in the terminal (on Debian/Ubuntu the package that includes the GUI is ettercap-graphical):
sudo apt-get install ettercap-graphical
Then start ettercap in GUI mode by running this command in the terminal:
ettercap -G
Now go to the top bar and select Unified sniffing, then go to the host list and scan for hosts. Once you see all the hosts, including your victim, add the gateway IP address to Target 1 and the victim’s IP address to Target 2. Then go to the terminal and edit the etter.conf file located at /etc/ettercap/etter.conf.

Edit the uid and gid values at the top to make them say 0.
Then scroll down, find the Linux section in the file and remove both the # signs below where it says “if you use iptables”.
Then save the file.
Go to the MITM tab and select ARP poisoning, choose Sniff remote connections and press OK. Now go to Plugins > Manage the plugins and double-click dns_spoof to activate that plugin.
The etter.dns file is ettercap’s hosts file and is responsible for redirecting specific DNS requests. Basically, if the target enters example.com they will be redirected to your website, and this file controls all of that. This is where the magic happens, so let’s edit it.
First, however, let me explain what can and should be done with the hosts file. In a real-life scenario, an attacker would use this opportunity to redirect traffic to their own machine for data sniffing. This is done by starting an Apache server on the Kali machine and changing the default homepage to a clone of, let’s say, facebook.com or chase.com, so that when the victim visits those websites, after being redirected to the attacker machine they will see the clones of the aforementioned sites. This will probably fool the unsuspecting user into entering their credentials where they really shouldn’t. Enough talk, let’s do it.
First, redirect traffic from any website you would like to your Kali machine. For that, go down to where it says “microsoft sucks ;)” and add another line just like it below, but now with whatever website you would like. Also, don’t forget to change the IP address to your IP address; you can find it with the ifconfig command.
Now add an index.html file in /var/www/html containing the fake page of the site that is going to be redirected.
Start the apache2 server by running this command:
service apache2 start
And you are all set. Wait for the victim to connect, and use Wireshark to sniff.
If you don’t know Wireshark, we have a tutorial on that; please read it.
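Ettercap’s ARP poisoning step above is visible to any host that watches ARP replies: the gateway’s MAC suddenly changes, and a single MAC ends up claiming both the gateway’s and the victim’s IP, because ettercap poisons both sides. This detector is an added example, not ettercap’s or the original post’s code; the ARP_LOG lines are constructed in tcpdump’s ARP reply format, and the gateway address is an assumption.

```python
"""Detect ARP cache poisoning from tcpdump-style ARP reply lines.

Signals used:
  - an IP (especially the gateway) that changes its MAC mid-capture;
  - one MAC answering for several IPs, which is what bidirectional
    ARP poisoning looks like on the wire.
"""
import re
from collections import defaultdict

# Constructed lines in the format `tcpdump -n arp` prints; not a real capture.
ARP_LOG = """\
12:00:01.000 ARP, Reply 192.168.1.1 is-at 00:11:22:aa:bb:01, length 28
12:00:02.000 ARP, Reply 192.168.1.20 is-at 00:11:22:aa:bb:20, length 28
12:00:05.000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
12:00:05.010 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:99, length 28
"""

ARP_REPLY_RE = re.compile(r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")


def detect_arp_poisoning(log, gateway_ip):
    """Return human-readable alerts for MAC changes and multi-IP MACs."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for line in log.splitlines():
        m = ARP_REPLY_RE.search(line)
        if not m:
            continue  # ignore requests and non-ARP lines
        ip, mac = m.group(1), m.group(2).lower()
        old = ip_to_mac.get(ip)
        if old is not None and old != mac:
            role = "gateway" if ip == gateway_ip else "host"
            alerts.append(f"{role} {ip} changed MAC {old} -> {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"MAC {mac} claims several IPs: {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(ARP_LOG, gateway_ip="192.168.1.1"):
        print("ALERT", alert)
```

A DHCP lease renewal or a replaced router will also change a MAC legitimately, so treat the gateway change as a high-priority alert to verify, not proof by itself.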
I hope this article was helpful in understanding DNS spoofing using both ettercap and dnsspoof. Please like and share, and if you have any queries please comment.
We’ll continue the MITM series with DHCP spoofing and DoS in a future part.
