19. DNS POISONING TUTORIAL
This is an introduction to DNS poisoning which also includes an example of quite a nifty application of it using the IP Experiment. It's purely educational, so I'm not responsible for how you use the information in it. You're free to redistribute this tutorial wherever you like, but please keep it in its original form and credit me.
To start, you'll need:
* A computer running Linux (Ubuntu in my case)
* A basic understanding of how the Domain Name System (DNS) works
Note that this is a more advanced topic; don't try this if you don't know what you're doing.
Why DNS?
The DNS provides a way for computers to translate the domain names we see into the IP addresses they represent. When you load a webpage, your browser asks its DNS server for the IP of the host you requested, and the server responds. Your browser then requests the webpage from the server at the IP address that the DNS server supplied.
Here's a pretty diagram to help explain it.
If we can find a way to tell the client the wrong IP address, and give them the IP of a malicious server instead, we can do some damage.
Malicious DNS Server
So if we want to send clients to a malicious web server, first we need to tell them its IP, and so we need to set up a malicious DNS server.
The server I've selected is dnsmasq: it's lightweight and the only one that works for this purpose (that I've found).
To install dnsmasq on Ubuntu, run sudo apt-get install dnsmasq; on other distributions of Linux, use the appropriate package manager.
Once you've installed it, you can edit the configuration file (/etc/dnsmasq.conf):
sudo gedit /etc/dnsmasq.conf
The default values in there should be sufficient for most purposes. What we want to do is hard-code some IPs for certain hosts we want to spoof.
The format for this is address=/HOST/IP
So for example:
address=/facebook.com/63.63.63.63
...where 63.63.63.63 is the IP of your malicious web server.
Save the file and restart dnsmasq by running:
sudo /etc/init.d/dnsmasq restart
You now have a DNS server running which will redirect requests for facebook.com to 63.63.63.63.
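The two sections above describe the resolver exchange (question out, A record back) and the address=/HOST/IP override that dnsmasq uses to answer with a fixed IP. The following Python script is an added example, not code from the original post or from the dnsmasq project, written from the auditing side: it parses address= lines the way an administrator reviewing a dnsmasq.conf would (dnsmasq applies an address= override to the named domain and to every subdomain of it, so www.facebook.com is caught too), builds a raw DNS A query and parses the reply so a specific resolver can be asked directly, checks the reply's transaction ID against the query, and reports any resolver whose answers disagree with a trusted one. The gateway address 192.168.1.1, the "trusted" label and the 203.0.113.10 answer are constructed sample values; only 63.63.63.63 and facebook.com come from the post.

```python
# Added example (not from the original post): audit a resolver for hard-coded
# answers of the kind dnsmasq's "address=/HOST/IP" produces. It (1) parses such
# override lines, (2) sends a raw DNS A query to a specific resolver and parses
# the reply, and (3) flags resolvers whose answers differ from a trusted one.
import os
import socket
import struct


def parse_dnsmasq_overrides(conf_text):
    """Return {domain: ip} for every address=/DOMAIN/IP line in a dnsmasq config."""
    overrides = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("address=/"):
            _, domain, ip = line[len("address="):].split("/", 2)
            overrides[domain.lower()] = ip
    return overrides


def override_for(name, overrides):
    """dnsmasq applies address= to the domain *and* every subdomain of it."""
    name = name.lower().rstrip(".")
    for domain, ip in overrides.items():
        if name == domain or name.endswith("." + domain):
            return ip
    return None


def build_query(name, txid):
    """Build a minimal DNS query: 12-byte header (RD set), one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _read_name(data, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:              # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(data, expected_txid=None):
    """Return the IPv4 addresses in a DNS reply's answer section."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("reply transaction id does not match the query")
    off = 12
    for _ in range(qd):                        # skip the echoed question(s)
        _, off = _read_name(data, off)
        off += 4                               # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, off = _read_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return addrs


def query_resolver(name, resolver_ip, timeout=2.0):
    """Ask one specific resolver (UDP/53) for the A records of name."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver_ip, 53))
        data, _ = sock.recvfrom(512)
    return parse_a_records(data, expected_txid=txid)


def find_disagreeing_resolvers(answers, reference):
    """Resolvers whose answer set differs from the reference resolver's."""
    trusted = set(answers[reference])
    return {r: sorted(set(a)) for r, a in answers.items()
            if r != reference and set(a) != trusted}


if __name__ == "__main__":
    # Constructed sample: the override from the post, plus answers that an
    # assumed gateway resolver (192.168.1.1) and a trusted resolver returned.
    conf = "address=/facebook.com/63.63.63.63\n"
    print(override_for("www.facebook.com", parse_dnsmasq_overrides(conf)))
    sample = {"trusted": ["203.0.113.10"], "192.168.1.1": ["63.63.63.63"]}
    print(find_disagreeing_resolvers(sample, "trusted"))
```

In live use, call query_resolver(name, ip) once per resolver you want to compare (the one handed out by the router and one you trust) and pass the results to find_disagreeing_resolvers; a resolver that returns a fixed address for a name while the trusted one does not is the signature of an override like the one configured above. The transaction ID check is what makes the parser refuse a stray reply that does not belong to the query it sent.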
Malicious Web Server
You probably already have a web server installed. If not, install Apache. This is pretty basic, so I won't cover it here.
There are a couple of things you can do with the web server. It will be getting all the traffic intended for the original website, so the most likely course of action would be to set up some sort of phishing site. I'll presume you know how to do that though.
Another alternative is to set up some sort of transparent proxy which logs all activity. I might come back to this in the future.
I Can Be Ur DNS Server Plz?
Okay, so now you've got a DNS server pointing clients to your malicious server. But no one's going to listen to it, because it's not anyone's DNS server.
You need to set your victim to use your malicious server as its DNS server. If you can access their router settings, this can normally be set there. Normally there are two DNS servers specified; change one of them to the IP of your malicious DNS server, hit enter and voila!
Now just wait for your victim to browse to the spoofed website and you'll have fun playing with their data!
An alternative is, instead of a spoof web server, to set up a Metasploit browser_autopwn module as detailed here. You can have lots of fun with that ;)
If you don't know, the IP Experiment basically harvests people's IPs through websites such as forums and scans them for open ports. A surprising number of these IPs have port 80 open and, more often than not, that leads straight to a router configuration mini-site. 'Admin' and 'password' will get you far in life; it's fairly easy to log in and change the DNS settings, and BOOM. You have a victim!
The same techniques can be applied in many different ways.
Thanks