My-Tiny.Net :: Breaking Bad
Ettercap: DNS Spoofing
The Domain Name System (DNS) protocol, as defined in RFC 1034/1035, is what some consider one of the most important protocols in use on the Internet. In a nutshell, whenever you type a web address such as http://www.google.com into your browser, a DNS request is made to a DNS server in order to find out what IP address that name resolves to. This is because routers and the other devices that interconnect the Internet do not understand domain names like google.com; they only understand numeric addresses such as 74.125.95.103.
A DNS server itself works by storing a database of entries (called Resource Records) that map DNS names to IP addresses (and, for reverse lookups, IP addresses to names), communicating those resource records to clients, and communicating them to other DNS servers. The architecture of DNS servers throughout enterprises and the Internet can be a bit complicated. As a matter of fact, there are whole books dedicated to DNS architecture.
Here we will see how we can spoof the DNS. The goal of this scenario is to get users on the target network to visit our malicious website rather than the website they are attempting to access. This requires two steps. First, we ARP cache poison the target device to reroute its traffic through our attacking host so that we can intercept the DNS request, and then we send the spoofed packet.
A bit of configuration is required. Ettercap at its core is a packet sniffer which utilizes various plug-ins to do the attacks. The dns_spoof plug-in is what will be doing the attack in this example, and you will not see it on the list of available plugins until you create the configuration file for it that contains the DNS records you wish to spoof.
There is a sample file /etc/ettercap/etter.dns.new that has a lot of very complete examples, but we can create a simple file that will work. Type in the first command below, using the IP address of your Ettercap VM, then use Up Arrow and modify it for the second and third.
echo "example.com A 192.168.234.ip" >/etc/ettercap/etter.dns
echo "*.example.com A 192.168.234.ip" >>/etc/ettercap/etter.dns
echo "www.example.com PTR 192.168.234.ip" >>/etc/ettercap/etter.dns
The A (Address) record is returned when the client asks the server "What is the IP address for this domain name", while the PTR (Pointer) record is returned when the client asks the server "What is the domain name for this IP address", which is also known as a reverse lookup.
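From the defender's side, the records above have a recognisable shape: a public hostname suddenly resolves to a private 192.168.x.x address, and the answer from the LAN resolver path disagrees with the answer you get out of band (over a VPN, or from a resolver the attacker cannot sit in front of). The following is an added example, not code from the tutorial or from the Ettercap project; every DNS answer in it is constructed, with 192.168.234.50 standing in for the attacking host and the 192.0.2.x documentation range standing in for the real public addresses. It also shows why a plain A-versus-PTR consistency check is not enough on its own: the PTR line in etter.dns makes the spoofed www record look self-consistent, while the wildcard-matched mail record does not.

```python
"""Sanity checks for DNS answers on a LAN where spoofing is suspected.

Added example (not part of the original tutorial). Two detections for the
kind of answers a dns_spoof-style attack produces:
  1. a public hostname resolving to an RFC 1918 (private) address, and
  2. the LAN resolver disagreeing with an out-of-band reference answer.
Plus a forward/reverse (A vs PTR) check, to show that it is necessary but
not sufficient. All records below are constructed; nothing is queried.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed: 192.168.234.50 = attacking host, 192.0.2.x = stand-in public addresses.
LOCAL_ANSWERS = {                                # seen via the victim's resolver path
    "www.example.com": ["192.168.234.50"],       # spoofed by the "example.com A" line
    "mail.example.com": ["192.168.234.50"],      # caught by the "*.example.com A" wildcard
    "www.example.org": ["192.0.2.8"],            # not in etter.dns, passed through untouched
}
REFERENCE_ANSWERS = {                            # same names, answered out of band
    "www.example.com": ["192.0.2.10"],
    "mail.example.com": ["192.0.2.11"],
    "www.example.org": ["192.0.2.8"],
}
LOCAL_PTR = {                                    # reverse records as seen on the LAN
    "192.168.234.50": "www.example.com",         # the attacker's PTR line (no wildcards for PTR)
}


def is_rfc1918(ip_str):
    """True if the address falls in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in RFC1918)


def check_name(name, local, reference):
    """Return the findings for one hostname (empty list means it looks clean)."""
    findings = []
    for ip in local:
        if is_rfc1918(ip):
            findings.append(f"{name}: public name answered with private address {ip}")
    if set(local) != set(reference):
        findings.append(f"{name}: LAN resolver says {sorted(local)}, "
                        f"out-of-band reference says {sorted(reference)}")
    return findings


def audit(local_answers, reference_answers):
    """Run check_name over every name we have a local answer for."""
    findings = []
    for name in sorted(local_answers):
        findings.extend(check_name(name, local_answers[name],
                                   reference_answers.get(name, [])))
    return findings


def forward_reverse_consistent(name, ip, ptr_table):
    """Does the PTR record for ip point back at name? Necessary, not sufficient."""
    return ptr_table.get(ip, "").lower().rstrip(".") == name.lower().rstrip(".")


if __name__ == "__main__":
    for finding in audit(LOCAL_ANSWERS, REFERENCE_ANSWERS):
        print("ALERT", finding)
    # The spoofed www record passes the reverse check thanks to the attacker's PTR line...
    print("www fwd/rev consistent:",
          forward_reverse_consistent("www.example.com", "192.168.234.50", LOCAL_PTR))
    # ...but the wildcard-matched mail record has no matching PTR and fails it.
    print("mail fwd/rev consistent:",
          forward_reverse_consistent("mail.example.com", "192.168.234.50", LOCAL_PTR))
```

In practice the out-of-band answers would come from a resolver reached over an encrypted tunnel or from DNS over TLS/HTTPS to a known server, which is also the mitigation: a client that validates DNSSEC or only trusts an authenticated resolver will not accept the forged plaintext reply in the first place.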
The next setup step is to head over to the webserver DocumentRoot (default html page folder) on your Ettercap VM and customise the index.html page. Every time the victim visits the website indicated in the etter.dns file they will be redirected to this page, so we can try to capture credentials, install malware, or cause a denial of service.
With that configuration done, we
- ARP cache poison the target device to reroute its traffic through our attacking host,
- intercept the DNS request, and then
- send the spoofed response.
In the Ettercap interface that looks like this:
- Start Ettercap with the simple menu (ncurses) interface:
ettercap -C
- From the Sniff menu, select Unified Sniffing.
- From the Hosts menu, select Scan for hosts. When it is finished, select Host List to see all the potential targets that Ettercap found.
- Select the domserv (192.168.234.101) in the Host List and press 1 to add it to the Targets List.
- Select the others in the Host List (one-by-one) and press 2 to add them to the Targets List.
- Use Ctrl-Q to exit the Host List, then select Plugins and Manage Plugins from the menu. Select dns_spoof and press Enter, and you will see the zero on the left change to one.
- Use Ctrl-Q to exit the Plugins List, select MITM (Man in the Middle) on the menu and select Arp Poisoning to spoof the ARP tables. Press Enter to leave the Parameters box empty.
- Start links on one of the target VMs and use the URL www.example.com to see your new website. Note that if you try this on the Domserv you will get "unknown host" because it is doing a localhost name lookup with dnsmasq.
Using the command line means we can use this in a shell script, which opens a world of possibilities for automation. Running this command starts the two-phase attack:
ettercap -T -q -P dns_spoof -M arp // //
- -T Specifies the use of the text-based interface
- -q Runs in quiet mode so that captured packets are not output to the screen
- -P dns_spoof Specifies the use of the dns_spoof plug-in
- -M arp Initiates a MITM ARP poisoning attack
- // // Specifies the entire network as the targets of the attack
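The ARP poisoning half of the attack leaves its own trace on the wire: one interface starts answering ARP for the domserv, for the other hosts and for the gateway, so an IP's MAC changes mid-capture and one MAC ends up claiming several IPs. The following is an added example, not code from the tutorial or from Ettercap, that runs that detection over a constructed capture written in the style of tcpdump's ARP output; the addresses and MACs are made up, with 00:0c:29:99:99:99 playing the attacking host.

```python
"""Passive ARP-spoofing detection over captured ARP replies.

Added example, not part of the original tutorial. Two signals a defender
can key on when a host poisons ARP caches on the LAN:
  * an IP whose claimed MAC changes during the capture, and
  * one MAC that claims more than one IP.
SAMPLE_CAPTURE is constructed in the style of `tcpdump -n arp` output.
"""
import re
from collections import defaultdict

ARP_REPLY = re.compile(
    r"ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.IGNORECASE)

# Constructed capture: .1 is the gateway, .101 the domserv, .102 another
# victim, .50 the attacking host (00:0c:29:99:99:99).
SAMPLE_CAPTURE = """\
10:00:00.000001 ARP, Reply 192.168.234.1 is-at 00:0c:29:11:11:11, length 28
10:00:00.500000 ARP, Reply 192.168.234.101 is-at 00:0c:29:22:22:22, length 28
10:00:01.000000 ARP, Reply 192.168.234.50 is-at 00:0c:29:99:99:99, length 28
10:00:05.000000 ARP, Reply 192.168.234.101 is-at 00:0c:29:99:99:99, length 28
10:00:05.000100 ARP, Reply 192.168.234.102 is-at 00:0c:29:99:99:99, length 28
10:00:05.000200 ARP, Reply 192.168.234.1 is-at 00:0c:29:99:99:99, length 28
"""


def ip_key(ip):
    """Sort key so 192.168.234.50 sorts before 192.168.234.101."""
    return tuple(int(octet) for octet in ip.split("."))


def parse_replies(text):
    """Yield (ip, mac) for every ARP reply line; anything else is ignored."""
    for line in text.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower()


def analyse(replies, allowlist=frozenset()):
    """Return (changes, multi).

    changes: list of (ip, old_mac, new_mac) for every IP whose MAC flipped.
    multi:   {mac: [ips...]} for MACs claiming more than one IP, minus any
             MAC in allowlist (routers or VRRP pairs legitimately do this).
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    changes = []
    for ip, mac in replies:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            changes.append((ip, prev, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    multi = {mac: sorted(ips, key=ip_key)
             for mac, ips in mac_to_ips.items()
             if len(ips) > 1 and mac not in allowlist}
    return changes, multi


if __name__ == "__main__":
    changes, multi = analyse(parse_replies(SAMPLE_CAPTURE))
    for ip, old, new in changes:
        print(f"ALERT {ip} moved from {old} to {new}")
    for mac, ips in multi.items():
        print(f"ALERT {mac} claims {len(ips)} addresses: {', '.join(ips)}")
```

The allowlist matters in real networks, where a router with several addresses or a VRRP/HSRP pair will trip the multi-IP rule legitimately. The corresponding mitigations are static ARP entries for the gateway on critical hosts and Dynamic ARP Inspection (with DHCP snooping) on the access switches, which drops replies that do not match the switch's binding table.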
Ettercap on VMs Tip:
The Host OS Bridged interface (192.168.56.1) makes using the entire network as the targets unstable. In this case the target list should be something like
/192.168.234.101/ /192.168.234.ip1,192.168.234.ip2/