July 8, 2016
Infosec 101: DNS - What is it and How do I Spoof it?
July 8, 2016
DNS stands for Domain Name System and it does the job of translating the name of websites you enter in the address bar into an IP address.
When you enter www.google.com into the address bar, it gets translated to the respective IP address and after that, a connection is established.
Here's how the process goes:
1. You enter the hostname www.xyz.com into the address bar2. Your computer searches for the IP in the local DNS cache. If it's not found, a DNS query is performed.3. The query is sent to recursive name servers - these are with your ISP and have their own cache.4. If the recursive servers don’t have the answer, they will query the root nameserver.5. The root nameserver will look at your request from right to left for TLD (.com , .in , .us)6. The query is then directed to the top level domain (TLD) nameserver7. The query is looked at (from right to left minus the TLD part) for specific domain.8. Finally, the query goes to the authoritative DNS servers. These know everything there is to know about a domain. These have DNS records like - A, mx etc. and the recursive server will retrieve the record and give it back to you. Common DNS records:A = forward DNS lookupMX = mail exchange recordPTR = reverse DNS lookup What's a nameserver?A computer that's permanently connected to the internet and translates a domain name into an IP address. What's Ettercap?Ettercap is a free and open source network security tool for man-in-the-middle attacks on a LAN. It can be used for computer network protocol analysis and security auditing Spoofing DNS using EttercapThe victim will try to connect to msn.com and instead will see the attacker hosted webpage.Scenario: 2 machines - Kali Linux and Windows 8On Kali Linux1. locate a file by the name etter.dns#locate etter.dnsthe file will be under /etc/ettercapopen the file using the nano editorscroll down and you'll ee a line*wildcards in PTR are not allowedthere will be examples given and like them, add your entry.for instance -> www.msn.com A 192.168.1.8where A is the DNS record, and the IP is of your Kali Linux machineave and exit.2. go to this directory/proc/sys/net/ipv4there will be a file by the name ip_forward.open the file with nano and you'll find that it's set to 0. make it 1.save and exit.3. use the dns_spoof plugin of ettercap# ettercap -T -q -M arp:remote -P dns_spoof //and the plugin will start(enter q to abort)(enter ettercap –help to see options)go to your Windows machine and ping the msn website.you'll see that reply being received is from 192.168.1.8 - the Kali machine - instead of the msn.com's IP.Smilarly, if you were to enter www.msn.com in the browser on Windows, you'll be redirected to the Kali Linux machine where you can host your own page for malicious / non malicious intent.All of this will make much more sense if you familiarize yourself with ARP spoofing.
That's all for this post. Queries are welcome in the comments.