I was asked what DNS spoofing (cache poisoning) was during the week, and when it came to explaining it all I could think of was ARP spoofing; I got muddled up, as this was in a fast-paced environment!
So, in order to solidify this in my brain, as I have encountered it many times in my studies, I have chosen to write briefly on the subject.
What is it?
Well, it’s when forged data is introduced into a DNS resolver’s cache, which then causes the name server to return an incorrect IP address, and this diverts traffic to the attacking device or any other device of the attacker’s choosing.
What is DNS?
In simple terms, it is the system that maps human-readable names to IP addresses, allowing you to type a fully qualified domain name (FQDN) such as ‘itfellover.com’, which is my FQDN, instead of an address.
To follow along with this tutorial you need a Windows box, pfSense and Kali, so if you don’t have them installed do so first.
Let’s get started:
This is, as always, for educational purposes only. Understanding an attack like this is taught in many security syllabuses, and it has been a long time since I played with this in the lab myself.
Start setoolkit first:
After setoolkit loads you can scroll up to see the following information about the toolkit:
Select option 1 first for ‘Social-Engineering Attacks’:
Then select option 2 for ‘Website Attack Vectors’:
Select option 3 for ‘Credential Harvester Attack Method’:
Finally select option 1 for ‘Web Templates’:
Check your Kali IP address with ‘ifconfig’
As my address is 10.0.0.23, this is what I will use in setoolkit, so enter your Kali IP address next:
Next select option two for ‘Google’
The website is then cloned from the templates and placed in the Apache root directory; let setoolkit start Apache for you by just entering ‘y’ to start the process.
Apache is then enabled and you can browse to ‘/var/www’ to modify ‘post.php’ if you want. Just press ‘Enter’ to continue.
It’s OK when you arrive back at this page; your first thought may be that something is wrong, but it is not.
Change directory into /var/www
‘Watch’ is a cool command and I love it for things like this; think of it as saying hey, watch this file and give me an update in real time if anything changes. In order to run ‘cat *.txt’ through it, though, we need to wrap the command in quotes because of the space, so the full command is watch ‘cat *.txt’. The asterisk ‘*’ says watch all txt files in this directory; I used it as the name of the file is very long. You can use the filename here if you want also.
To find out more about watch run ‘man watch’ and have a read
It then re-runs the command every couple of seconds, and the output should look blank if you haven’t run anything already; just delete the contents of the file if you have something in here.
Next navigate to your hosts file and modify it like mine below, with the Google domain of your country, and save. Each line is the Kali IP address (10.0.0.23 in my case) followed by the host pattern it should answer for:
Kali IP address *.google.ie
Kali IP address *.google.com
Next start dnsspoof listening with the following, which together make up the command ‘dnsspoof -i eth0 -f /etc/hosts’:
‘dnsspoof’ to start dnsspoof
‘-i eth0’ to listen on eth0, which is my Kali network interface on the internal LAN
‘-f /etc/hosts’ to use your modified hosts file at /etc/hosts
Now, on your Windows 7 test machine or system of your choosing, navigate to ‘google.com’ in your web browser and you should get the spoofed Google login screen. You will notice, though, that as we are not connected to the Internet here we don’t get any loaded images; you can change your WAN NIC in pfSense to access the Internet if you want images, but it is safer to stay in the sandboxed environment.
Looking at your ‘dnsspoof’ output you left running you should see something similar to the following:
What happens above is simple:
10.0.0.24 (Windows 7) says: hey 10.0.0.12 (pfSense) on port 53, I would like the ‘A’ record, i.e. the address, of www.google.com.
dnsspoof, sitting in the middle of all this, then says: hey, I’m www.google.com! I will serve the address up to you. 10.0.0.24 then receives the fake page spoofing the Google home page.
Now enter a random username and password and hit ‘Sign In’
In the output displayed by ‘watch’ below you can see my username beside ‘Email’ and my password next to ‘Passwd’ at the bottom of the page:
One thing I didn’t say to do at the start was to start Wireshark; I just take it you do that anyway now, in order to learn what’s going on in the background. If you didn’t, go back and start this exercise from the beginning, and this time run ‘wireshark &’ to start Wireshark from the terminal as root.
After running your ‘dnsspoof’ attack again, stop Wireshark and save your packet capture so you can look at it again in the future, then start to analyse the capture.
Below we see that packet 12 is where I queried pfSense (10.0.0.12) from the Windows 7 box (10.0.0.24), saying: hey, give me the address for www.google.com.
Following on down through the rest of the packets you will see some similar-looking packets trying to resolve Google for you, including the Windows 7 machine 10.0.0.24 asking via a broadcast also; that’s the 10.0.0.255 address you see below. What that is effectively doing is broadcasting to everyone on your network saying: hey, you there, do you have the address of www.google.com, as I would like to access this resource.
What you are looking for here, though, is a SYN packet over TCP like the one you see below, sent by 10.0.0.24 to the address it was just given, saying: hey, I am 10.0.0.24 and I am looking for the website www.google.com, can you find it for me?
Next the attacker device says: hey 10.0.0.24, take this SYN-ACK, because I can give you access to the address you are looking for!
The client then replies with an ACK to say thank you and opens the TCP socket to establish the connection.
In order for the connection to be successful a TCP three-way handshake is required here, as outlined in the diagram below:
The DNS spoofing looks similar, as you can see below; the difference is that the attacker device is listening on the local LAN and says hey, I’m www.google.com, instead of your server or router serving up your requests, as it is man-in-the-middling everything on your local area network.
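The flip side of the dnsspoof exchange described above (and of the capture analysis) is how you would spot it from the defender's seat. The following is an added example, not code from the original post: it runs two checks over constructed DNS response records modelled on what the Wireshark capture shows, flagging any answer that did not come from the pfSense resolver and any query that received two different A records, which is exactly what happens when the spoofed reply beats the real one. The record format, timestamps and the non-lab addresses (198.51.100.5, 203.0.113.10) are all constructed.

```python
# Added example (not from the original post): detect the two tell-tale signs
# a LAN DNS spoofing run leaves on the wire. Lab addresses follow the post:
# 10.0.0.12 is the pfSense resolver, 10.0.0.24 the Windows 7 client and
# 10.0.0.23 the Kali box. The record format and sample values are constructed.
from dataclasses import dataclass
from collections import defaultdict

TRUSTED_RESOLVER = "10.0.0.12"  # the only host that should answer port-53 queries


@dataclass(frozen=True)
class DnsResponse:
    src: str      # IP that sent the answer
    dst: str      # client that asked
    txid: int     # DNS transaction ID, copied from the query
    qname: str    # name that was asked for
    answer: str   # A record returned
    ts: float     # capture timestamp in seconds


def detect_spoofing(responses, trusted=TRUSTED_RESOLVER):
    """Return a list of (txid, reason) alerts in capture order.

    Check 1: an answer whose source is not the configured resolver.
    Check 2: the same (client, txid, qname) answered more than once with
    different A records, i.e. the spoofed reply racing the genuine one.
    """
    alerts = []
    seen = defaultdict(set)  # (dst, txid, qname) -> set of answers seen so far
    for r in sorted(responses, key=lambda r: r.ts):
        if r.src != trusted:
            alerts.append((r.txid, f"answer for {r.qname} from untrusted source {r.src}"))
        key = (r.dst, r.txid, r.qname)
        earlier = seen[key]
        if earlier and r.answer not in earlier:
            conflict = sorted(earlier | {r.answer})
            alerts.append((r.txid, f"conflicting answers for {r.qname}: {conflict}"))
        earlier.add(r.answer)
    return alerts


# Constructed sample: the spoofed answer from Kali lands first, the genuine
# answer from pfSense follows 18 ms later; a third, unrelated lookup is clean.
SAMPLE = [
    DnsResponse("10.0.0.23", "10.0.0.24", 0x1A2B, "www.google.com", "10.0.0.23", 1.000),
    DnsResponse("10.0.0.12", "10.0.0.24", 0x1A2B, "www.google.com", "198.51.100.5", 1.018),
    DnsResponse("10.0.0.12", "10.0.0.24", 0x3C4D, "itfellover.com", "203.0.113.10", 2.300),
]

if __name__ == "__main__":
    for txid, reason in detect_spoofing(SAMPLE):
        print(f"txid 0x{txid:04x}: {reason}")
```

On the sample the first record trips the untrusted-source check and the second trips the conflict check; the clean lookup produces nothing.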
So there you have it: a question that made me think and realise I had forgotten all about DNS spoofing and how it actually worked under the surface. There are other ways to do this, but I had mentioned modifying the hosts file at the time of this question. For now, once again, back to Learn Python the Hard Way, as I am currently on exercise 37 and flying along; I highly recommend this resource if you want to either go over Python again and refresh your memory or just start from the beginning as a newbie.