Tutorial on DNS spoofing-Cain on Windows

Tutorial on DNS spoofing-Cain on Windows

Today, we will first introduce how to use the famous Cain tool in windows for DNS Spoof (that is, DNS Spoofing). This tutorial is mainly intended for new users. Therefore, each step is captured in detail, I have explained it and hope it is easy to understand, so that new users can learn things.

A lot of nonsense. The text begins:

First, let's talk about the test environment: the two virtual machines, the XP system, use bridging to simulate the real LAN environment (if you still do not understand the various network access methods of VMware, google or leave a message to ask)

Attacker: 192.168.1.211

Victim: 192.168.1.212

Gateway (TPLink router): 192.168.1.1

Let's first look at how to use the tool, and then discuss the principle.

The steps for installing Cain are not described. You just need to keep following the next step. After confirming that the test environment is normal, open cain.

Click the first icon to select the network card. Generally, only one network card is available ~~~~

The Arp option in Configure allows you to use a forged IP address (which must be an unused IP address.

Switch to the Sniffer tab and click the Blue Cross to scan the active hosts in the LAN. You can customize the range here. (in some cases, you can narrow down the range and then scan the hosts.

Check the scan result. 192.168.1.212 is the XP host to be spoofed, and 192.168.1.1 is the gateway.

Next, switch to the ARP tab, click the blank list, and then click the Blue Cross as shown in the following example to add the spoofing host. Select the gateway on the left (if you do not know the gateway IP address, use ipconfig to check the Default Getway option), and select the host to be spoofed on the right. You can press shift to select multiple.

After confirming, we can see that the spoofing entry has been added and the status is Idle (Idle), because we have not completed the preparation and do not start spoofing for the moment.

Switch to arp dns in the list on the left, and add DNS Spoofing rules in Blue Cross. The above is the domain name to be spoofed. For example, enter baidu.com here, and the following is the IP address to be spoofed. The Resolve button can PING the corresponding IP address based on the domain name. Here we use the IP address of g.cn for demonstration.

 

That is to say, if the spoofing takes effect, the host 192.168.1.212 will be resolved to the google server when accessing baidu.com.

Now, ping the victim host 192.168.1.212 to baidu.com.

The tool will be used, but do you understand the principle? If you can understand the principles of each tool, you will also make good progress.

In order to prevent new beginners from getting dizzy, I will simply explain the principle here. First, you need to understand the basic communication principles of the LAN.

The LAN is used to find the specified host through the MAC address. The arp table defines the correspondence between the IP address and the MAC address. When we send Arp packets to the affected host, the affected host records the corresponding relationship in its arp table. If we tell our MAC address to the affected host, and cheat him. This is the MAC address of the gateway 192.168.1.1. This is the packet sent from the victim host to the Gateway. All the packets are sent to our host. XD. When the victim machine requests baidu.com, we pretend that we are the gateway and return a fake IP address to it. Then, the victim will access the google server.

What if I replace the spoofed IP address with a Trojan address ???

The detailed principle of Arp spoofing can be referred here: http://www.bkjia.com/Article/201209/158646.html

This is the arp table comparison before and after Spoofing

 

The following are some possible problems:

① I WANT TO SPOOF baidu.com to the IP address of the listener community (216.34.181.96), but why does the browser not jump to the listener community after the scam, but an English error page appear?

-- When 216.34.181.96 is requested, the Host field in the message specifies the website to be accessed. When you access the website, the host value is baidu.com, and the domain name does not exist on this ip address, so an error occurs. As described in this article, g.cn uses an independent IP address, so it is normal.

② Why do I still jump to google when the victim host accesses baidu.com?

-- If this happens, I personally think that Cain is not well handled, because this will not happen when testing Ettercap (see the next tutorial ). In this case, manually clear the local DNS cache of the affected machine: ipconfig/flushdns