I. Introduction


What is DNS spoofing?

First, we need to understand what a DNS server is.

DNS stands for Domain Name Server. It is a server that matches IPs to their associated hostnames.
Here's a clear and easy example to understand what a DNS server does:
Copy/paste this IP: 172.217.11.163 into your browser and you should see the "google.co.uk" webpage displayed.
Newcomer: Why am I being redirected to this website?
Because what you've just entered is the IPv4 address of the "website" (server), and because your DNS server knows that this IP = google.co.uk, the address was replaced by the name.
Newcomer: Why do we need DNS servers?
I'm pretty sure you would forget all these numbers, whereas you'll keep in mind simple words like "google" or even "HackThis".



II. How it works


Now that we know what a DNS server is, we'll move on to the main subject: how DNS spoofing (or DNS cache poisoning) works.

As you probably guessed from the word "spoofing", a DNS spoofing attack consists in spoofing the hostname of an IP, that is, matching an IP with a fake hostname.
Newcomer: How would one do such a thing?
You need to be on the same network as your victim, and then use the knowledge you'll get in the next part.



III. Method


In this tutorial, we'll use Ettercap, a free and open-source network security tool for man-in-the-middle attacks on a LAN, by HackingTeam.

A. Installation


For Windows computers, a little "ettercap windows" search on your favorite website should do the job. For *NIX-like computers, just run your package manager's command to download and install the package. As for myself, on ArchLinux:
Code:
$ pacman -S ettercap-gtk

N.B: Make sure to download the GTK-version package!

B. Configuration


When you're done with this, continue with the configuration as follows (the file lives in /etc, so you'll need root to save it):

Code:
$ gedit /etc/ettercap/etter.conf

You need to change two values, gid & uid, to 0, just like this:

1530820520-picture1.png
Now scroll down until you see the "Linux" section, and remove the two '#' just as follows:

1530820521-picture2.png

Now that we're done with the configuration, we'll start the real work.


C. Configuration of the attack


First, let's run Ettercap:
Code:
$ ettercap -G


Now we want to sniff on the right interface. The right interface is the one you're getting internet from. To find it:
Code:
$ ifconfig

Look at the one displaying an IPv4 address. My interface is named "wlp2s0".

Let's go back to Ettercap: Sniff > Unified sniffing > select your interface, wlp2s0

1530820520-picture3.png

When you click "OK" ("Valider" for me, as you can see in the screenshot), sniffing starts automatically, but we don't want this, so we stop it: Start > Stop sniffing.

Now we need to select our victim. First we need to look up the available hosts on the network. Hit Hosts > Scan for hosts and wait until the scan is done.

1530820521-picture4.png

Once the scan is done, let's look at the available hosts: Hosts > Hosts list.

Here we need to select 2 targets. The first one, target1, is your victim; find your victim by whatever means you want. The second one, target2, is your network gateway.
Newcomer: How do I know my network gateway IP?

Here's a little command:
Code:
$ route -n

That'll give you something like:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG    600    0        0 wlp2s0
192.168.1.0     0.0.0.0         255.255.255.0   U     600    0        0 wlp2s0

My gateway there is 192.168.1.254 (the "Gateway" column of the 0.0.0.0 default route).


After selecting your targets, Ettercap should look like this:

1530820518-picture5.png


D. Launching the attack


Now that everything is set up, we can proceed to the attack.

1. MITM > ARP Poisoning and tick 'Sniff remote connections'.
2. Plugins > Manage the plugins > double-click on 'dns_spoof' to activate it.

We need to edit another file, as follows:

Code:
$ gedit /etc/ettercap/etter.dns


1530820517-picture6.png

You need to edit this file by inserting line(s) just as I did (where you can read "hackthis").
Newcomer: I don't get what you did there, what is this file and what is this IP next to hackthis?
This file is basically the one the dns_spoof plugin reads its fake answers from. As for the line:

Code:
*.hackthis.co.uk
means: any hostname under hackthis.co.uk

Code:
A

The type of record being answered. If you want to know more about it, check this link: List of DNS record types

Code:
192.168.1.12

The IP you want the target to be redirected to when visiting the website.

If I had to make a sentence from this line: if the user (aka the victim, aka Target1) visits a website matching "*.hackthis.co.uk", then redirect him to the IP "192.168.1.12".
Newcomer: Why this IP and not another one?

This IP I chose is just an example; it could be anything else. I could have hosted a web server on my computer serving a convincing phishing copy of HackThis!!'s login page.
And thus, when the victim visits "https://hackthis.co.uk", he thinks he's using the real page whereas he's being pwned. That's what makes this attack effective: the URL won't change, it remains the same as the actual website.
The rest is up to your imagination.
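The same etter.dns line, seen from the other side: a public domain such as hackthis.co.uk suddenly answering with a LAN address like 192.168.1.12 is exactly what a defender should be looking for. The following is an added example (it is not part of this tutorial and not Ettercap code) that audits a list of observed DNS answers and flags A records where a non-local name resolves to a private, link-local or loopback address. The answer list and the `LOCAL_NAME_PATTERNS` allowlist are constructed for the example; in practice they would come from a resolver log or a packet capture.

```python
import ipaddress
from fnmatch import fnmatch

# Constructed sample of observed answers: (queried name, record type, answer).
# The first two mirror the tutorial's etter.dns rule; the others are benign.
SAMPLE_ANSWERS = [
    ("www.hackthis.co.uk", "A", "192.168.1.12"),
    ("hackthis.co.uk", "A", "192.168.1.12"),
    ("www.google.co.uk", "A", "172.217.11.163"),
    ("printer.local", "A", "192.168.1.40"),
]

# Names that legitimately live on the LAN (constructed allowlist, hypothetical).
LOCAL_NAME_PATTERNS = ["*.local", "*.lan"]


def is_local_name(name):
    """True if the name is expected to resolve to a LAN address."""
    return any(fnmatch(name.lower(), pattern) for pattern in LOCAL_NAME_PATTERNS)


def suspicious_answer(name, rtype, answer):
    """Return a reason string if this answer looks spoofed, otherwise None."""
    if rtype != "A":
        return None  # only IPv4 address records are checked here
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:
        return "unparseable address %r for %s" % (answer, name)
    if is_local_name(name):
        return None
    # A public name should never come back as an RFC 1918 / link-local / loopback address.
    if ip.is_private or ip.is_link_local or ip.is_loopback:
        return "public name %s answered with non-routable address %s" % (name, ip)
    return None


def audit(answers):
    """Return [(name, answer, reason)] for every suspicious answer in the list."""
    findings = []
    for name, rtype, answer in answers:
        reason = suspicious_answer(name, rtype, answer)
        if reason:
            findings.append((name, answer, reason))
    return findings


if __name__ == "__main__":
    for name, answer, reason in audit(SAMPLE_ANSWERS):
        print("SUSPICIOUS:", reason)
```

Note also that the tutorial's scenario uses "https://": a phishing copy cannot present a valid certificate for hackthis.co.uk, so a certificate warning on a site you use every day is the user-visible sign of the same attack.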

Now go back to Ettercap: Start > Start sniffing

If you followed the steps above as described, your attack should have succeeded!



IV. Prevention


Being the attacker is cool for sure, but what do you do if you find yourself in the position of the victim? There's a lot you can do!

There are a few third-party tools that may help you detect DNS poisoning, such as:

Snort, XArp, ArpON, ArpAlert, Arpwatch and many others you can find with a little Google search.

But... why use third-party apps when you can do it manually in a beautiful terminal?

Code:
$ arp -a


A simple method is to check whether you can find a line containing the MAC address of your network gateway (router); if it's missing, or if it shows a MAC that isn't your router's, you're having some problems on your network (this attack starts with ARP poisoning, as seen in section D).
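To turn that manual check into something repeatable, here is an added example (not from this tutorial and not part of any of the tools named above) that parses `arp -a` output in the Linux net-tools format, compares the gateway's current MAC with a known-good value recorded on a clean day, and flags a MAC that claims more than one IP, which is what the table looks like while a host on the LAN is being ARP-poisoned. The `arp -a` lines, `GATEWAY_IP` and `KNOWN_GATEWAY_MAC` are constructed for the example; substitute your own gateway from `route -n` and the MAC printed on your router.

```python
import re
import subprocess
from collections import defaultdict

# Constructed `arp -a` output (Linux net-tools format), not captured from a real host.
# The gateway and 192.168.1.12 sharing one MAC is the shape of a poisoned table.
SAMPLE_ARP_OUTPUT = """\
_gateway (192.168.1.254) at 00:11:22:33:44:55 [ether] on wlp2s0
? (192.168.1.12) at 00:11:22:33:44:55 [ether] on wlp2s0
? (192.168.1.40) at 66:77:88:99:aa:bb [ether] on wlp2s0
"""

GATEWAY_IP = "192.168.1.254"             # from `route -n` (constructed value)
KNOWN_GATEWAY_MAC = "c8:d3:ff:00:11:22"  # hypothetical: record your router's real MAC beforehand

# `name (ip) at mac [ether] on iface`; incomplete entries have no MAC and are skipped.
ARP_LINE = re.compile(r"^\S+ \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}) ")


def parse_arp(output):
    """Map IP -> MAC (lower-cased) from `arp -a` text."""
    table = {}
    for line in output.splitlines():
        match = ARP_LINE.match(line.lower())
        if match:
            table[match.group("ip")] = match.group("mac")
    return table


def check_arp_table(table, gateway_ip, known_gateway_mac):
    """Return a list of human-readable findings; an empty list means the table looks clean."""
    findings = []
    expected = known_gateway_mac.lower()
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        findings.append("gateway %s has no ARP entry" % gateway_ip)
    elif gw_mac != expected:
        findings.append("gateway %s now maps to %s, expected %s" % (gateway_ip, gw_mac, expected))
    # One MAC answering for several IPs is the classic sign of ARP poisoning.
    ips_by_mac = defaultdict(list)
    for ip, mac in table.items():
        ips_by_mac[mac].append(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append("MAC %s claims several IPs: %s" % (mac, ", ".join(sorted(ips))))
    return findings


def check_live(gateway_ip, known_gateway_mac):
    """Run the real `arp -a` on this host and check it."""
    output = subprocess.run(["arp", "-a"], capture_output=True, text=True, check=True).stdout
    return check_arp_table(parse_arp(output), gateway_ip, known_gateway_mac)


if __name__ == "__main__":
    for finding in check_arp_table(parse_arp(SAMPLE_ARP_OUTPUT), GATEWAY_IP, KNOWN_GATEWAY_MAC):
        print("WARNING:", finding)
```

The known-good MAC is the part that makes this useful: without a baseline, a poisoned entry looks like any other entry, which is why the tools listed above (Arpwatch in particular) keep a history of IP-to-MAC pairings and alert on changes.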



V. Conclusion


We've learnt what DNS servers are, what DNS spoofing attacks are, how they work, how to carry one out, but also, and more importantly, how to avoid getting pwned by such attacks.

I hope this tutorial will help someone, one day, to get past such problems.