DNS Spoofing

I was asked what DNS spoofing (cache poisoning) was during the week, and when it came to explaining it all I could think of was ARP spoofing. I got muddled up, as this was in a fast-paced environment!

So in order to solidify this in my brain, as I have encountered it many times in my studies, I have chosen to write briefly on the subject.

What is it?

Well, it’s when false data is introduced into a DNS resolver’s cache, which then causes the name server to return an incorrect IP address and diverts traffic to the attacking device or any other device the attacker chooses.

What is DNS?
In simple terms, it is the system that lets you use a human-readable name instead of an IP address, so you can type in a fully qualified domain name; for example, ‘itfellover.com’ is my FQDN.

To follow along with this tutorial you need a Windows box, pfSense and Kali, so if you don’t have them installed, do so first.

Let’s get started:

This is, as always, for educational purposes only. Understanding an attack like this is taught in many security syllabuses, and it has been a long time since I played with this in the lab myself.

Start setoolkit first:

setoolkit

1 - Kali setoolkit start

After setoolkit loads you can scroll up to see the following information about the toolkit:

2 - Kali setoolkit started

Select option 1 first for ‘Social-Engineering Attacks’:

3 - Kali setoolkit option 1

Then select option 2 for ‘Website Attack Vectors’:

4 - Kali setoolkit option 2

Select option 3 for ‘Credential Harvester Attack Method’:

5 - Kali setoolkit option 3

Finally, select option 1 for ‘Web Templates’:

6 - Kali setoolkit option 1

Check your Kali IP address with ‘ifconfig’:

7 - Check your Kali IP address

As my address is 10.0.0.23, this is what I will use in setoolkit, so enter your own Kali IP address next:

8 - Kali setoolkit IP address Website Template

Next select option two for ‘Google’:

9 - Kali setoolkit select option two for Google

The website is then cloned from the templates and placed in the Apache root directory. Let setoolkit start Apache for you by entering ‘y’ to start the process:

10 - Kali setoolkit start apache

Apache is then enabled, and you can browse to ‘/var/www’ to modify ‘post.php’ if you want. Just press ‘Enter’ to continue.

11 - Kali setoolkit apache webserver on

It’s OK when you arrive back at this menu; your first thought may be that something has gone wrong, but it has not.

12 - Kali setoolkit menu return

Change directory into /var/www:

cd /var/www

13 - Kali change directory var www

‘watch’ is a cool command and I love it for things like this: think of it as saying “hey, watch this file and give me an update if anything changes”. By default it re-runs the command every two seconds and redraws the output. In order to run ‘cat *.txt’ under watch we need to wrap the command in quotes because of the space. The asterisk ‘*’ means all txt files in this directory; I used it as the name of the file is very long. You can use the filename here instead if you want.

Fun tip!
To find out more about watch, run ‘man watch’ and have a read.

14 - watch cat all txt files

watch will then keep refreshing, and the output should look blank if you haven’t run anything already; just delete the contents of the file if you have something in here.

15 - Kali watch all txt files waiting

Next open your hosts file, modify it like mine below using the Google domain of your country, and save it:

Kali IP address *.google.ie
Kali IP address *.google.com

vi /etc/hosts

16 - Add your Kali IP address and google domain

Next start dnsspoof listening with the following:

‘dnsspoof’ starts dnsspoof
‘-i eth0’ runs it on eth0, which is my Kali network interface on the internal LAN
‘-f /etc/hosts’ loads your modified hosts file from /etc/hosts

17 - Kali dnsspoof start

Now, on your Windows 7 test machine or a system of your choosing, navigate to ‘google.com’ in your web browser and you should get a spoofed Google login screen. You will notice that, as we are not connected to the Internet here, no images load. You can change your WAN NIC in pfSense to access the Internet if you want images, but it is safer to stay in the sandboxed environment.

18 - Windows 7 googledotcom spoofed

Looking at your ‘dnsspoof’ output you left running you should see something similar to the following:

19 - Kali dnsspoof spoofing

What happens above is simple:

10.0.0.24 (Windows 7) says: hey 10.0.0.12 (pfSense) on port 53, I would like the ‘A’ record, that is the address, of www.google.com.

dnsspoof, sitting in the middle of all this, sees the query and answers before pfSense does: hey, I’m www.google.com! Its forged reply hands 10.0.0.24 the Kali address from the hosts file, so 10.0.0.24 receives the fake page spoofing the Google home page.
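To show what that race looks like from the defender’s side, here is an added example (not code from the original post) that scans a constructed list of parsed DNS packets, modelled on the capture later in the post, and flags two indicators of this attack: two responses to one transaction id with different answers, and an Internet name resolving to an RFC 1918 LAN address. Packet numbers, transaction ids and the stand-in public addresses (documentation ranges) are constructed.

```python
"""Flag LAN-side DNS spoofing indicators in a list of parsed DNS packets (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample, modelled on the capture in the post: the Windows box (10.0.0.24)
# asks pfSense (10.0.0.12) for www.google.com. Two answers come back for the same
# transaction id: the forged one pointing at the Kali box (10.0.0.23) arrives first,
# the genuine one second (a documentation-range address stands in for Google's).
SAMPLE_PACKETS = [
    {"no": 12, "src": "10.0.0.24", "dst": "10.0.0.12", "txid": 0x1A2B,
     "qname": "www.google.com", "type": "query", "answers": []},
    {"no": 13, "src": "10.0.0.12", "dst": "10.0.0.24", "txid": 0x1A2B,
     "qname": "www.google.com", "type": "response", "answers": ["10.0.0.23"]},
    {"no": 15, "src": "10.0.0.12", "dst": "10.0.0.24", "txid": 0x1A2B,
     "qname": "www.google.com", "type": "response", "answers": ["203.0.113.10"]},
    {"no": 20, "src": "10.0.0.24", "dst": "10.0.0.12", "txid": 0x3C4D,
     "qname": "example.org", "type": "query", "answers": []},
    {"no": 21, "src": "10.0.0.12", "dst": "10.0.0.24", "txid": 0x3C4D,
     "qname": "example.org", "type": "response", "answers": ["198.51.100.7"]},
]

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOCAL_SUFFIXES = (".local", ".lan", ".home")  # names that may legitimately live on the LAN


def is_lan_address(addr):
    """True when addr falls inside one of the RFC 1918 private ranges."""
    return any(ip_address(addr) in net for net in RFC1918)


def find_spoof_indicators(packets):
    """Return (reason, txid, qname, detail) tuples for suspicious DNS responses.

    "lan-answer": an Internet name resolved to an RFC 1918 address.
    "conflicting-responses": one query drew responses with different answers,
    which is what the dnsspoof race looks like on the wire (the first reply wins).
    """
    findings = []
    responses = defaultdict(list)
    for pkt in packets:
        if pkt["type"] != "response":
            continue
        responses[(pkt["dst"], pkt["txid"], pkt["qname"])].append(pkt)
        lan = [a for a in pkt["answers"] if is_lan_address(a)]
        if lan and not pkt["qname"].endswith(LOCAL_SUFFIXES):
            findings.append(("lan-answer", pkt["txid"], pkt["qname"], tuple(lan)))
    for (_client, txid, qname), resps in responses.items():
        answer_sets = {tuple(r["answers"]) for r in resps}
        if len(answer_sets) > 1:
            findings.append(("conflicting-responses", txid, qname, tuple(sorted(answer_sets))))
    return findings


if __name__ == "__main__":
    for finding in find_spoof_indicators(SAMPLE_PACKETS):
        print(finding)
```

Feeding it real packets only needs a small adapter from your capture tool (e.g. pyshark or tshark JSON output) into the same dict shape.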

Now enter a random username and password and hit ‘Sign In’:

20 - Windows 7 Google Fake Login

In the output displayed by ‘watch’ below you can see my username beside ‘Email’ and password next to ‘Passwd’ at the bottom of the page:

21 - Kali watch listening output

One thing I didn’t say to do at the start was to start Wireshark; I just assume you do that anyway by now in order to learn what’s going on in the background. If you didn’t, go back and start this exercise from the beginning, and this time run ‘wireshark &’ to start Wireshark from the terminal as root.

1 - WireShark start

After running your ‘dnsspoof’ attack again, stop Wireshark and save your packet capture so you can look at it again in the future, then start to analyse the capture.

Below we see that packet 12 is where I queried pfSense (10.0.0.12) from the Windows 7 box (10.0.0.24) and said: hey, give me the address for www.google.com.

2 - Wireshark google A record query

Following on down through the rest of the packets you will see some similar-looking packets trying to resolve Google for you, including the Windows 7 machine 10.0.0.24 asking via a broadcast as well; that’s the 10.0.0.255 address you see below. What that is effectively doing is broadcasting to everyone on your network saying: hey, you there, do you have the address of www.google.com? I would like to access this resource.

3 - Wireshark search for google A record

What you are looking for here, though, is a TCP SYN packet like the one you see below: having been told that www.google.com lives at the address dnsspoof handed out, 10.0.0.24 says hey, I am 10.0.0.24 and I want to open a connection to www.google.com.

4 - Wireshark dnsspoof SYN

Next the attacker device replies to 10.0.0.24 with a SYN-ACK, because as far as the client can tell it is the address for the website it is looking for.

5 - Wireshark dnsspoof SYN ACK

The client then replies with an ACK to complete the handshake and open the TCP connection.

6 - Wireshark dnsspoof ACK

In order for the connection to be successful a TCP three-way handshake is required, as outlined in the diagram below:

TCP - Three way handshake

The DNS spoofing case looks similar, as you can see below; the difference is that the attacker device is listening on the local LAN and says hey, I’m www.google.com, instead of your server or router serving up your requests, as it is man-in-the-middling everything on your local area network.

Three way handshake - DNS Spoofing

So there you have it: a question that made me think and realise I had forgotten all about DNS spoofing and how it actually works under the surface. There are other ways to do this, but I had mentioned modifying the hosts file at the time of the question. For now, once again, back to Learn Python the Hard Way, as I am currently on exercise 37 and flying along; I highly recommend this resource if you want to either go over Python again and refresh your memory or just start from the beginning as a newbie.

Building an ethical hacking lab on your laptop with VirtualBox – Part 13 – All the Windows

Next install the following operating systems, which I am not going to go through here, as the installation guides can easily be found online in either readable or video form and I imagine most of you have configured Windows systems at some point. If not, go with the defaults of just next, next, next etc., as that’s what most people are going to do anyway!

Windows Server 2008 R2: configure Active Directory, DNS and DHCP
Windows Server 2012: install, then configure Active Directory, DNS and DHCP
Windows 7
Windows 8
Windows XP

You won’t need to run all of these systems at the same time, but try to run them with as much memory as possible. I recommend 2 GB for XP, 7 and 8, even though they will operate with 1 GB, albeit much slower, and 3-4 GB for the 2008 R2 and 2012 servers.

And that’s it! For now at least, I am teaching myself Python currently so I can work on some side projects.

You now have a lab on a laptop, server or PC that will allow you to exploit and investigate what has happened in a safe environment, with or without access to the Internet. Stay tuned for future tutorials in which we will exploit and analyse within our sandboxed environment. I encourage you to play around with the environment once you have these operating systems installed and see what you can do! I also encourage you to install other operating systems and tools too, and not to stick to the few that have been included in this lab; let me know if you find any vulnerable systems you personally find useful and I may include them in a future lesson.

Remember one thing about all this: keep the network cards internal, especially when running exploits, as you don’t want to scan a subnet online or send exploits to something you are not authorised to, because you will get in trouble for doing so. You have been warned, so go have some fun and learn!