So, what is DNS spoofing? How can you take advantage of ARP poisoning? Let’s find out!
DNS Spoofing/ARP poisoning
A couple of weeks ago, we posted an article on how to acquire a user’s Facebook credentials, using SEToolkit. This article is an addition to that, so before you begin reading, it is highly recommended to check it out. Also note that this attack can be used only locally.
The main problem in our previous attack was that the victim had to enter our IP address, or in the best case scenario, we had our IP link shortened. Even thought, as soon as the victim enters our link, the URL in his browser presents our IP. Well, that’s bit suspicious, isn’t it? What I mean is that the victim types www.facebook.com (or the website that you’ve cloned) and the browser redirects him to an unknown (?) IP address.
The tool which we are going to used is called Ettercap.
ARP spoofing/poisoning is a technique in which the attacker sends false (spoofed) ARP messages to the local network, trying to associate his MAC address to the IP of another host (eg Default Gateway), so packets destined for the legitimate host are redirected to him (Man in the Middle Attack). The attacker can modify or delete data frames or he can even passively monitor the data traffic as it is.
DNS spoofing is an attack where the attacker grabs all the DNS querries from the victim’s machine and answers them, essentially redirects the victim wherever he wants.
Configuration of Ettercap
To begin with, we need to configure the dns spoofing plugin of Ettercap. Without further ado, launch Kali, open a terminal window and type the command “leafpad /etc/ettercap/etter.dns”. The text editor will open the etter.dns file, in which we need to define the domains we need with their corresponding IPs. Specifically, in the Figure below, there is an entry for “facebook.com” one for “* .facebook.com” which means that it will accept whatever is in position * (eg login.facebook.com) and “www .facebook.com “. Finally next to each entry is the corresponding local IP of the machine where we run SET, in our case is 192.168.1.71
Save those changes and run Ettercap with the command “ettercap -G” where “G” stands for GUI, and choose the “sniff” tab. Ettercap asks for the interface that it will sniff and spoof the packets. By choosing the appropriate interface, Ettercap will introduce us with some new tabs. Under the Hosts tab, select the “scan hosts” option, which sends an ARP broadcast on the network to discover any active nodes. As soon as the scan is completed, in the same tab, select the “Host List” option, where you will be presented with all the active nodes of the network, as shown in the Figure below.
In this scenario, our Default Gateway is 192.168.1.1 and our victim 192.168.1.68, select target 1 as the default gateway and as target 2 the victim.
The next thing that has to be done, is to activate the plugin! Click in the Plugins tab and double click in the “dns_spoof” plugin. An asterisk should appear on the left, which means it’s active.
Finally, we need to activate ARP Poisoning, so that our machine grabs the victim’s packages and answers back, instead of the Default Gateway. In Mitm tab select the ARP poisoning and tick the “Sniff remote connections”.
Well, you are ready to go! The only thing left to do is to follow our guide on how to set up SEToolkit. Happy hunting!