Redirecting Traffic on LAN (DNS Spoofing)

DNS spoofing is an attack in which the attacker exploits a weakness in DNS to gain access to the network. It redirects DNS traffic to the attacker, so the user is sent to a fake website created by the attacker rather than to the real website.

Prerequisite

Open two VMs and check their IP addresses. Run ifconfig on both VMs to check their IPs.

The IP of the first VM, which will act as the attacker, is 10.0.2.4.

The IP of the second VM, which will act as the victim, is 10.0.2.15.

Generating a fake web page using Social Engineering Toolkit (SET)

Run setoolkit in the terminal to start Social Engineering Toolkit (SET). This tool comes pre-installed with Kali Linux, so there’s no need for further configuration and installation.

Social-Engineering Attacks -> Website Attack Vectors -> Credential Harvester Attack Method -> Site Cloner

You will then be asked to enter the IP of your machine (10.0.2.4) and the URL to clone. In this case, I’ll be cloning www.facebook.com.

Now, leave this terminal open and move on to the next step. To check your fake website, enter 10.0.2.4 in the browser.

Configure Ettercap Files

Locate etter.conf and open it: leafpad /etc/ettercap/etter.conf

At the top of the file, edit the following:

Set the uid and gid values to 0.

Then, comment out the two lines in the Linux section, like the picture below.

After that, locate etter.dns and open it: leafpad /etc/ettercap/etter.dns

In this file, enter the domain name facebook.com followed by the IP of your machine, like the picture below. This means that when the user goes to facebook.com, they will be redirected to our IP address instead, which hosts the fake website created earlier with SET.

DNS Spoofing using Ettercap

Open Ettercap

Sniff -> Unified sniffing, eth0

Hosts -> Scan for Hosts, then open hosts lists

Set your target VM as target 1 and your default gateway as target 2.

After assigning the targets, go to Plugins -> Manage the plugins. Enable dns_spoof by double-clicking it.

Then go to Mitm -> Arp poisoning (changes the target’s ARP cache with a fake one). Tick Sniff remote connections. Click OK

Lastly, Start -> start sniffing. The attack is now initiated.

Result

Go to facebook.com using your target VM. When you do so, Ettercap will inform you like the following:

Try to ping facebook.com from the terminal of your target VM. As you can see, the IP of the site is now the attacker’s IP address.

And when you enter facebook.com in the browser address bar, you will be automatically redirected to the fake website at the IP 10.0.2.4 without the target knowing. Enter some login credentials.

The credentials will then be captured by SET.
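
The two symptoms seen on the target VM above (a rewritten ARP cache and facebook.com resolving to 10.0.2.4) are also what a defender can check for. The Python script below is an added example, not part of the original post; the gateway address 10.0.2.1, the MAC addresses, the internal name suffixes and the function names are assumptions, and the sample data is constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data modelled on the lab above (not captured output).
# Assumed: gateway is 10.0.2.1; all MAC addresses are made up.
ARP_BEFORE = """\
10.0.2.1 dev eth0 lladdr 52:54:00:aa:00:01 REACHABLE
10.0.2.4 dev eth0 lladdr 08:00:27:aa:00:04 STALE
"""
ARP_AFTER = """\
10.0.2.1 dev eth0 lladdr 08:00:27:aa:00:04 REACHABLE
10.0.2.4 dev eth0 lladdr 08:00:27:aa:00:04 REACHABLE
"""
# (queried name, A record returned) as seen by the target VM.
DNS_ANSWERS = [("facebook.com", "10.0.2.4"), ("example.org", "93.184.216.34")]

def parse_neigh(text):
    """Return {ip: mac} from `ip neigh` style lines, skipping entries without lladdr."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields:
            table[fields[0]] = fields[fields.index("lladdr") + 1].lower()
    return table

def shared_macs(table):
    """MACs claimed by more than one IP: the usual footprint of ARP poisoning."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def changed_bindings(before, after):
    """IPs whose MAC differs between two snapshots of the ARP cache."""
    return {ip: (before[ip], after[ip]) for ip in before
            if ip in after and before[ip] != after[ip]}

def suspicious_answers(answers, internal_suffixes=(".lan", ".local", ".internal")):
    """Public-looking names that resolved to a private (RFC 1918 or loopback) address."""
    return [(name, addr) for name, addr in answers
            if not name.endswith(internal_suffixes)
            and ipaddress.ip_address(addr).is_private]

if __name__ == "__main__":
    before, after = parse_neigh(ARP_BEFORE), parse_neigh(ARP_AFTER)
    print("MAC shared by several IPs:", shared_macs(after))
    print("Changed IP-to-MAC bindings:", changed_bindings(before, after))
    print("Public names with private answers:", suspicious_answers(DNS_ANSWERS))
```

On a real host, feed parse_neigh the output of ip neigh taken at two points in time, and feed suspicious_answers the name and address pairs from your resolver or DNS logs.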
