Sunday 10 May 2015

Fake Website with DNS Spoofing in Kali Linux


DNS Spoofing is based on presenting fake DNS replies to a victim in response to their DNS request and, as a result, forcing them to visit a fake website.

In normal DNS communication, the client requests the IP Address of a particular website and the DNS Server responds back with the  IP address of that  website. The client then connects to the website through the IP Address it received as a response. With DNS Spoofing, the attacker intercepts the DNS request and sends out a response containing a spoofed IP address, before the reply from the real DNS server can reach the client.

Consider the following scenario:

Gateway: 192.168.122.1
Victim :    192.168.122.3
Attacker: 192.168.122.10

There is a LAN which is connected to the Internet through a router 'Gateway'. There is a machine 'Victim' on the LAN , which will access the Internet. There is a machine 'Attacker' on the LAN, which will launch a 'man-in-the-middle' attack (ARP Spoofing attack) against the 'Victim' and 'Gateway'. All communication between 'Victim' and 'Gateway' will pass through the 'Attacker'. For a detailed explanation on ARP Spoofing, refer to this post


How will the Attacker do this ?
 
'Attacker' will send the 'Victim' false ARP replies telling that it is 'Gateway'. And 'Attacker' will send the 'Gateway' false ARP replies telling that it is 'Victim'.
When 'Victim' requests the IP address of 'www.facebook.com' , 'Attacker' will intercept the request and respond to the DNS query ( before the actual response arrives)  with a spoofed address of '192.168.122.10' (the IP Address of the Attacker). 'Victim' will make a connection request to 192.168.122.10 and will end up visiting a fake website hosted on the 'Attacker' machine.


Perform the following steps on the 'Attacker' (Kali Linux) machine:

1) Configure ARP spoofing
  1.1) Tell the 'victim' that we are 'gateway'. Open a terminal window and type the below command:
     arpspoof -i eth0 -t victimIP gatewayIP

  1.2) Tell the 'gateway' that we are 'victim'. Open a terminal window and type the below command:
     arpspoof -i eth0 -t gatewayIP victimIP

  1.3) Enable IP Forwarding in the kernel. Open a terminal window and type the below command:
    sysctl -w net.ipv4.ip_forward=1

  1.4) Ensure that Forwarding is enabled in the Firewall. And verify that the firewall doesnot block any incoming or outgoing packets.


2) Configure DNS Spoofing
2.1) Create a file 'hosts.spoof' containing the name of the website and the spoofed IP Address.
     192.168.122.10           www.facebook.com

2.2) Open a terminal window and run the following command
     dnsspoof -i eth0 -f hosts.spoof

Now, whenever the 'Attacker' will intercept a DNS request for 'www.facebook.com', it will send a fake DNS reply containing it's own IP Address. The 'Client's' browser will now be redirected to a fake website hosted on the 'Attacker's' machine.

7 comments:

  1. how would you get the credentials once you've set this up?
    Thanks

    ReplyDelete
    Replies
    1. If you're using kali you can set up a fake website that will steal credentials in the social engineering toolkit

      Delete
  2. Hello

    How can this works in a wan network?

    Thanks

    ReplyDelete
  3. I have been trying this for a few days with lots of research. The victim is not being redirected. Any thoughts?

    ReplyDelete
  4. look up, it's complicated dude , i am having the same issue

    ReplyDelete
  5. SSN FULLZ AVAILABLE

    Fresh & valid spammed USA SSN+Dob Leads with DL available in bulk.

    >>1$ each SSN+DOB
    >>3$ each with SSN+DOB+DL
    >>5$ each for premium fullz (700+ credit score with replacement guarantee)

    Prices are negotiable in bulk order
    Serious buyer contact me no time wasters please
    Bulk order will be preferable

    CONTACT
    Telegram > @leadsupplier
    ICQ > 752822040
    Email > leads.sellers1212@gmail.com

    OTHER STUFF YOU CAN GET

    SSN+DOB Fullz
    CC's with CVV's (vbv & non-vbv)
    USA Photo ID'S (Front & back)

    All type of tutorials available
    (Carding, spamming, hacking, scam page, Cash outs, dumps cash outs)

    SMTP Linux Root
    DUMPS with pins track 1 and 2
    WU & Bank transfers
    Socks, rdp's, vpn
    Php mailer
    Sql injector
    Bitcoin cracker
    Server I.P's
    HQ Emails with passwords
    All types of tools & tutorials.. & much more

    Looking for long term business
    For trust full vendor, feel free to contact

    CONTACT
    Telegram > @leadsupplier
    ICQ > 752822040
    Email > leads.sellers1212@gmail.com

    ReplyDelete
  6. when i tried it it routed all dns traffic through attacker server , it only worked for fake website other site had no connection because there is no A record for it

    ReplyDelete