DNS Spoofing

I was asked what DNS spoofing (cache poisoning) was during the week, and when it came to explaining it all I could think of was ARP spoofing and I got muddled up, as this was in a fast-paced environment!

So, in order to solidify this in my brain, as I have encountered it many times in my studies, I have chosen to write briefly on the subject.

What is it?

Well, it’s when forged data is introduced into a DNS resolver’s cache, which then causes the name server to return an incorrect IP address; this diverts traffic to the attacking device or any other device.

What is DNS?

In simple terms, it is the system that lets you reach a website by a human-readable name instead of its IP address: you type in the fully qualified domain name, for example ‘itfellover.com’ is my FQDN, and DNS resolves it to the address for you.

To follow along with this tutorial you need a Windows box, pfsense and Kali, so if you don’t have them installed, do so first.

Let’s get started:

This is, as always, for educational purposes only. Understanding an attack like this is taught in many security syllabi, and it has been a long time since I played with this in the lab myself.

Start setoolkit first:

setoolkit

1 - Kali setoolkit start

After setoolkit loads you can scroll up to see the following information about the toolkit:

2 - Kali setoolkit started

Select option 1 first for ‘Social-Engineering Attacks’:

3 - Kali setoolkit option 1

Then select option 2 for ‘Website Attack Vectors’:

4 - Kali setoolkit option 2

Select option 3 for ‘Credential Harvester Attack Method’:

5 - Kali setoolkit option 3

Finally, select option 1 for ‘Web Templates’:

6 - Kali setoolkit option 1

Check your Kali IP address with ‘ifconfig’:

7 - Check your Kali IP address

As my address is 10.0.0.23, this is what I will use in setoolkit, so enter your Kali IP address next:

8 - Kali setoolkit IP address Website Template

Next, select option two for ‘Google’:

9 - Kali setoolkit select option two for Google

The website is then cloned from the templates and placed in the Apache root directory. Let setoolkit start Apache for you by entering ‘y’ to start the process:

10 - Kali setoolkit start apache

Apache is then enabled, and you can browse to ‘/var/www’ to modify ‘post.php’ if you want. Just press ‘Enter’ to continue:

11 - Kali setoolkit apache webserver on

It’s ok when you arrive back at this page; your first thought may be that something is wrong, but it is not.

12 - Kali setoolkit menu return

Change directory into /var/www:

cd /var/www

13 - Kali change directory var www

‘Watch’ is a cool command and I love it for things like this. Think of it as saying: hey, watch this file and give me an update in real time if anything changes. To run ‘cat *.txt’ under watch we need to wrap the command in quotes because of the space, so the command is ‘watch’ followed by ‘cat *.txt’ in quotes. The asterisk ‘*’ says watch all txt files in this directory; I used it because the name of the file is very long. You can use the filename here if you want also.

Fun Tip!:
To find out more about watch, run ‘man watch’ and have a read.

14 - watch cat all txt files

Watch then re-runs ‘cat’ periodically, and the output should look blank if you haven’t run anything already; just delete the contents of the file if you have something in here.

15 - Kali watch all txt files waiting

Next, navigate to your hosts file and modify it like mine below, with the Google domain of your country, then save. Replace ‘Kali IP address’ with your actual Kali address:

Kali IP address *.google.ie
Kali IP address *.google.com

vi /etc/hosts

16 - Add your Kali IP address and google domain

Next, start dnsspoof listening with ‘dnsspoof -i eth0 -f /etc/hosts’, where:

‘dnsspoof’ starts dnsspoof
‘-i eth0’ makes it listen on eth0, which is my Kali network interface on the internal LAN
‘-f /etc/hosts’ makes it use your modified hosts file in /etc/hosts

17 - Kali dnsspoof start

Now, on your Windows 7 test machine or system of your choosing, navigate to ‘google.com’ in your web browser and you should get a spoofed Google login screen. You will notice, though, that as we are not connected to the Internet here we don’t get any loaded images. You can change your WAN NIC in pfsense to access the Internet if you want images, but it is safer to stay in the sandboxed environment.

18 - Windows 7 googledotcom spoofed

Looking at your ‘dnsspoof’ output you left running you should see something similar to the following:

19 - Kali dnsspoof spoofing

What happens above is simple:

10.0.0.24 (Windows 7) says: hey 10.0.0.12 (pfsense) on port 53, I would like the ‘A’ record, i.e. the address, of www.google.com.

dnsspoof, sitting in the middle of all this, sees that query on the LAN and answers first: hey, I’m www.google.com, here is the address, and the address it serves up is the Kali box from the hosts file. 10.0.0.24 accepts that forged answer and so receives the fake page spoofing the Google home page.

Now enter a random username and password and hit ‘Sign In’:

20 - Windows 7 Google Fake Login

In the output displayed by ‘watch’ below you can see my username beside ‘Email’ and password next to ‘Passwd’ at the bottom of the page:

21 - Kali watch listening output

One thing I didn’t say to do at the start was to start Wireshark; I just take it you do that anyway now in order to learn what’s going on in the background. If you didn’t do it, go back and start this exercise from the beginning, and this time run ‘wireshark &’ to start Wireshark from the terminal as root.

1 - WireShark start

After running your ‘dnsspoof’ attack again, stop Wireshark and save your packet capture so you can look at it again in the future, then start to analyse the capture.

Below we see that packet 12 is where I queried pfsense (10.0.0.12) from the Windows 7 box (10.0.0.24), saying: hey, give me the address for www.google.com.

2 - Wireshark google A record query

Following on down through the rest of the packets you will see some similar-looking packets trying to resolve Google for you, including the Windows 7 machine 10.0.0.24 asking via a broadcast as well; that’s the 10.0.0.255 address you see below. What that is effectively doing is broadcasting to everyone on your network, saying: hey, you there, do you have the address of www.google.com? I would like to access this resource.

3 - Wireshark search for google A record

What you are looking for here, though, is a SYN packet over TCP like the one you see below, in which 10.0.0.24 says: hey, I am looking for the website www.google.com at the address I was just given, can you connect me?

4 - Wireshark dnsspoof SYN

Next the attacker device replies with a SYN-ACK, saying: hey 10.0.0.24, take this, because I can give you access to the address you are looking for!

5 - Wireshark dnsspoof SYN ACK

The client then replies with an ACK to say thank you, and the TCP socket is opened to establish the connection.

6 - Wireshark dnsspoof ACK

In order for the connection to be successful, a TCP three-way handshake is required here, as outlined in the diagram below:

TCP - Three way handshake

The DNS spoofing looks similar, as you can see below; the difference is that the attacker device is listening on the local LAN and says hey, I’m www.google.com, instead of your server or router serving up your requests, because it is man-in-the-middling everything on your local area network.

Three way handshake - DNS Spoofing
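Putting the DNS exchange from ‘What happens above’ together with the capture walk-through: the client sees two answers for the one query, the forged one arriving first and the real one from pfsense a moment later, and then opens a TCP connection to whichever address won the race. That leaves a defender two signals on the wire: a reply that claims the resolver’s IP but carries a different Ethernet source, and two replies for the same transaction ID and name that disagree. The Python below is an added example and not code from the original post or from the dnsspoof project. It builds two DNS A-record responses in wire format as constructed test data (the resolver MAC, the attacker MAC, the transaction ID and the 203.0.113.10 documentation address standing in for Google’s real one are all made up; the 10.0.0.x addresses are the lab values from the post), parses them with a minimal decoder, applies both checks, and finally flags the client’s SYN to any address that a suspect reply handed out.

```python
import ipaddress
import struct

# Lab values from the post: pfSense resolves at 10.0.0.12, the client is
# 10.0.0.24 and the Kali box serving the cloned page is 10.0.0.23.
RESOLVER_IP = "10.0.0.12"
RESOLVER_MAC = "00:0c:29:aa:bb:01"   # constructed: the resolver's genuine MAC from a lab inventory


def encode_name(name):
    """Encode a dotted name into DNS label format."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_response(txid, qname, answer_ip, ttl=300):
    """Build a minimal standard-response DNS message with one A record (constructed test data)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1, 1 question, 1 answer
    question = encode_name(qname) + struct.pack("!HH", 1, 1)     # qtype A, qclass IN
    answer = (encode_name(qname) + struct.pack("!HHIH", 1, 1, ttl, 4)
              + ipaddress.IPv4Address(answer_ip).packed)
    return header + question + answer


def decode_name(msg, off):
    """Decode the name at offset, following compression pointers; return (name, next offset)."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:                                 # pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + length].decode())
        off += 1 + length


def parse_response(msg):
    """Return (txid, flags, question names, [(name, ipv4)]) for the A answers in a message."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, qnames, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        off += 4                                                  # skip qtype and qclass
        qnames.append(name)
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append((name, str(ipaddress.IPv4Address(msg[off:off + 4]))))
        off += rdlen
    return txid, flags, qnames, answers


def detect_spoofing(events, resolver_ip=RESOLVER_IP, resolver_mac=RESOLVER_MAC):
    """Walk capture events in arrival order and return a list of alert strings."""
    alerts, seen, suspicious_ips = [], {}, set()
    for ev in events:
        if ev["proto"] == "dns":
            txid, flags, qnames, answers = parse_response(ev["payload"])
            if not flags & 0x8000:                                # only responses matter here
                continue
            ips = {ip for _, ip in answers}
            # Signal 1: the reply wears the resolver's IP but left a different NIC.
            if ev["src_ip"] == resolver_ip and ev["src_mac"] != resolver_mac:
                alerts.append(f"reply claiming {resolver_ip} came from MAC {ev['src_mac']}, answers {sorted(ips)}")
                suspicious_ips |= ips
            # Signal 2: a second reply for the same txid and name that disagrees with the first.
            for qname in qnames:
                key = (txid, qname)
                if key in seen and seen[key] != ips:
                    alerts.append(f"conflicting answers for {qname} txid {txid:#06x}: {sorted(seen[key])} vs {sorted(ips)}")
                seen.setdefault(key, ips)
        elif ev["proto"] == "tcp_syn" and ev["dst_ip"] in suspicious_ips:
            alerts.append(f"{ev['src_ip']} opened TCP {ev['dport']} to spoofed address {ev['dst_ip']}")
    return alerts


# Constructed capture: forged reply first (the attacker wins the race), genuine reply second, then the SYN.
EVENTS = [
    {"proto": "dns", "src_ip": RESOLVER_IP, "src_mac": "00:0c:29:cc:dd:23", "dst_ip": "10.0.0.24",
     "payload": build_response(0x1A2B, "www.google.com", "10.0.0.23")},
    {"proto": "dns", "src_ip": RESOLVER_IP, "src_mac": RESOLVER_MAC, "dst_ip": "10.0.0.24",
     "payload": build_response(0x1A2B, "www.google.com", "203.0.113.10")},   # documentation address standing in for the real one
    {"proto": "tcp_syn", "src_ip": "10.0.0.24", "dst_ip": "10.0.0.23", "dport": 80},
]

if __name__ == "__main__":
    for line in detect_spoofing(EVENTS):
        print(line)
```

On the constructed capture it prints three alerts, one per signal and one for the SYN that followed. On a real capture you would feed it the DNS payloads and SYNs pulled from the pcap in arrival order; note that the MAC check only works while the resolver sits on the same segment as the client, as it does in this lab, because a router rewrites the Ethernet source of anything arriving from beyond it.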

So there you have it: a question that made me think and realise I had forgotten all about DNS spoofing and how it actually worked under the surface. There are other ways to do this, but I had mentioned modifying the hosts file at the time of this question. For now, once again back to Learn Python the Hard Way, as I am currently on exercise 37 and flying along; I highly recommend using this resource if you want to either go over Python again and refresh your memory or just start it from the beginning as a newbie.

 
