DNS spoofing is an attack in which the attacker exploits a DNS weakness to gain access to the network. The victim's DNS traffic is redirected to the attacker, so the user lands on the fake website created by the attacker rather than the real website.
Open two VMs and run ifconfig on both to check their IP addresses.
The IP of the first VM, which will act as the attacker, is 10.0.2.4.
The IP of the second VM, which will act as the victim, is 10.0.2.15.
Generating a fake web page using the Social-Engineer Toolkit (SET)
Run setoolkit in the terminal to start the Social-Engineer Toolkit (SET). This tool comes pre-installed on Kali Linux, so no further installation or configuration is needed.
Social-Engineering Attacks -> Website Attack Vectors -> Credential Harvester Attack Method -> Site Cloner
You will then be asked to enter the IP of your machine (10.0.2.4) and the URL to clone. In this case, I'll be cloning www.facebook.com.
Now, leave this terminal open and move on to the next step. To check for your fake website, enter 10.0.2.4 in the browser.
Configure Ettercap Files
Locate etter.conf and open it: leafpad /etc/ettercap/etter.conf
At the top of the file, edit the following:
Set the uid and gid values to 0.
Then comment out the two lines in the Linux section, as in the picture below.
After that, locate etter.dns and open it: leafpad /etc/ettercap/etter.dns
In this file, enter the domain name facebook.com followed by the IP of your machine, as in the picture below. This means that when the user goes to facebook.com, they will be redirected to our IP address instead, which hosts the fake website created earlier with SET.
DNS Spoofing using Ettercap
Sniff -> Unified sniffing, eth0
Hosts -> Scan for Hosts, then open hosts lists
Set your target VM as target 1 and your default gateway as target 2.
After assigning the targets, go to Plugins -> Manage the plugins. Enable dns_spoof by double-clicking it.
Then go to Mitm -> Arp poisoning (changes the target’s ARP cache with a fake one). Tick Sniff remote connections. Click OK
Lastly, Start -> start sniffing. The attack is now initiated.
Go to facebook.com using your target VM. When you do so, Ettercap will inform you like the following:
Try to ping facebook.com from the terminal of your target VM. As you can see, the IP of the site is now the attacker's IP address.
When you enter facebook.com in the browser address bar, you will be automatically redirected to the fake website at IP 10.0.2.4 without the target knowing. Enter some login credentials.
The credentials will then be captured by SET.
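Both effects seen above, the poisoned ARP cache and facebook.com resolving to 10.0.2.4, can be detected from the victim side. The following is an added example, not part of the original walkthrough: it parses `ip neigh` output for hosts sharing the gateway's MAC address and flags a public domain that resolves to a private address. The sample output, the gateway address 10.0.2.1 and the MAC addresses are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of `ip neigh` output on the victim VM while the
# ARP cache is poisoned. The gateway address 10.0.2.1 and both MAC
# addresses are assumptions made for this example.
SAMPLE_NEIGH = """\
10.0.2.1 dev eth0 lladdr 08:00:27:aa:bb:cc REACHABLE
10.0.2.4 dev eth0 lladdr 08:00:27:aa:bb:cc STALE
10.0.2.3 dev eth0 lladdr 08:00:27:11:22:33 STALE
"""

NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-fA-F:]{17})\b", re.M)


def parse_neigh(text):
    """Return {ip: mac} for every resolved entry in `ip neigh` output."""
    return {ip: mac.lower() for ip, mac in NEIGH_RE.findall(text)}


def shared_macs(neigh):
    """Return {mac: [ips]} for MACs claimed by more than one IP address."""
    by_mac = {}
    for ip, mac in neigh.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_impersonated(neigh, gateway):
    """IPs that present the same MAC as the gateway (empty list if none)."""
    gw_mac = neigh.get(gateway)
    return sorted(ip for ip, mac in neigh.items()
                  if mac == gw_mac and ip != gateway) if gw_mac else []


def suspicious_answer(domain_is_public, answer):
    """A public domain answering with a private/loopback address is suspect."""
    addr = ipaddress.ip_address(answer)
    return domain_is_public and (addr.is_private or addr.is_loopback)


if __name__ == "__main__":
    table = parse_neigh(SAMPLE_NEIGH)
    print("MACs shared by several IPs:", shared_macs(table))
    print("Hosts posing as the gateway:", gateway_impersonated(table, "10.0.2.1"))
    print("facebook.com -> 10.0.2.4 suspicious:",
          suspicious_answer(True, "10.0.2.4"))
```

On a real host, replace SAMPLE_NEIGH with the live output of `ip neigh` and pass the actual default gateway address.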