In this guide, we will take advantage of the Domain Name System (DNS). As you know, DNS resolves domain names: it converts a domain name, such as iguru.gr, to an IP address, such as 184.108.40.206.
If we can tamper with this protocol, we could very well send someone looking for a page like www.bankofgreece to our malicious site and harvest their credentials.
Dug Song of the University of Michigan has developed a suite of hacking tools that are well suited for this purpose. We have already used one of these tools, arpspoof, to perform a man-in-the-middle attack. In this attack, we will use the dnsspoof tool, which will allow us to spoof DNS services on a local network.
Remember, even though this attack requires you to be on the same local network, you could gain access to the local network through a remote vulnerability or a weak password on just ONE machine on the network. In institutions with thousands of computers on their network, this means that you only need to find a single exploitable machine before you can apply this attack to the entire network.
Step 1: Run Kali
Let's start by running Kali.
Step 2: Open dnsspoof
Depending on the version of Kali you are using, you may be able to find dnsspoof in the menu under Sniffing, or you can always find it by opening a terminal and typing dnsspoof.
dnsspoof [-i interface] [-f hostsfile]
Step 3: Setup for Sniffing
We will try to get a Windows 7 system on our network to redirect its www.bankofamerica.com navigation to our website.
Step 4: Clear the DNS cache
First, we need to clear the Windows 7 DNS cache. This way, the Windows client will not use the system's DNS cache and will instead query the “up-to-date” DNS service. Strictly speaking, this step is not necessary, but we include it for completeness.
Second, close your browser, open cmd.exe and type:
C:\> ipconfig /flushdns
Now we need to set the network card on the Kali system to promiscuous mode (that is, the network card will accept every packet it sees, not only those addressed to it).
kali > ifconfig eth0 promisc
Now we need to break the connection between the Windows 7 system and www.bankofamerica.com. This forces the user of the Windows 7 machine to re-authenticate. From Kali, type:
kali > tcpkill -9 host www.bankofamerica.com
After terminating the connection to www.bankofamerica.com, stop tcpkill with Ctrl + C.
Step 5: Edit the Hosts file
Here we will use the hosts file to redirect the Windows 7 system's lookup for Bank of America to our website. Let's go to the /etc directory.
kali > cd /etc
From there, we open the hosts file in any text editor. Let's use leafpad.
kali > leafpad hosts
Now that we have the hosts file open, we need to add the following line to it. Remember, the hosts file just maps an IP address to a domain name, so we put our IP address and map it to www.bankofamerica.com.
It is important here to use the TAB key between the IP address and the domain. Spaces will be interpreted by the system as part of the domain name.
Step 6: Create a new BoA website
Before we go any further, we now need to disable promiscuous mode on our network card.
kali > ifconfig eth0 -promisc
Now we need to create a website that the user will be taken to when they type www.bankofamerica.com into their browser URL.
If we type the loopback or “home” IP address into our browser, we will see Apache's default web page. This is what we need to replace.
Let's create a simple website. Open the index.html file.
kali > leafpad /var/www/html/index.html
This is its default form. We want to replace it with the following HTML and save it.
Of course, if you really wanted to pull off this hack for a real attack, you'd have to take the time to create a website that looks and acts exactly like the website you're spoofing, but that's a whole different scenario. Note that tools like httrack can download and copy entire websites.
Step 7: Start the Apache Web Server
Now, start the web server built into Kali. This is Apache and the service is HTTP, so we go to Kali Linux -> System Services -> HTTP and finally, apache2 start. This will launch the web server on the Kali system that hosts the fake Bank of America website. Of course, if you are more comfortable using the command line, you can start the apache2 webserver by typing:
kali > service apache2 start
Step 8: Launch Dnsspoof
In our final step, we need to start dnsspoof and direct users to the entries in the “hosts” file first. dnsspoof will intercept DNS queries and send them to the hosts file first before sending them to the DNS server. That way, if we have any entry in our hosts file that the client is looking for, it will be directed as defined by our hosts file.
Remember, we mapped www.bankofamerica.com to our own IP address so they go to our own web server and see our own webpage.
kali > dnsspoof -f hosts
Step 9: Navigate to BoA from Windows 7
Now, from your Windows 7 system, type the URL www.bankofamerica.com and it will display our fake website instead of the real Bank of America website, as below.
Now, when someone on your local network tries to navigate to the Bank of America website, they'll be taken directly to our website!
As you can imagine, with dnsspoof, we can wreak all kinds of havoc on a local network!
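A defender's view of Step 8, as an added example that is not part of the original guide: a monitor on the LAN can flag a DNS query that receives two different answers, or a name that resolves to an RFC 1918 address such as the spoofer's own. It assumes the real DNS server's reply still reaches the capture point alongside the forged one; the function names and sample addresses are constructed for illustration.

```python
import ipaddress
import struct
from collections import defaultdict
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def build_response(txid, qname, ip):
    """Build a minimal DNS A response; used only to construct the sample capture."""
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.ip_address(ip).packed
    return header + name + struct.pack("!HH", 1, 1) + answer

def parse_response(pkt):
    """Return (txid, qname, frozenset of A-record addresses) from a DNS response payload."""
    txid, _, _, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    pos, labels = 12, []
    while pkt[pos]:  # walk the length-prefixed labels of the question name
        labels.append(pkt[pos + 1:pos + 1 + pkt[pos]].decode())
        pos += pkt[pos] + 1
    pos += 5  # terminating zero label + QTYPE + QCLASS
    ips = set()
    for _ in range(ancount):
        # assumes the answer name is a 2-byte compression pointer, as in the samples
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[pos + 2:pos + 12])
        if rtype == 1 and rdlen == 4:
            ips.add(str(ipaddress.ip_address(pkt[pos + 12:pos + 16])))
        pos += 12 + rdlen
    return txid, ".".join(labels), frozenset(ips)

def find_spoofing(payloads):
    """Flag conflicting replies to one query and names answered with a LAN address."""
    replies, alerts = defaultdict(set), []
    for pkt in payloads:
        txid, qname, ips = parse_response(pkt)
        replies[(txid, qname)].add(ips)  # a real monitor would also key on the client address
        for ip in sorted(ips):
            if any(ipaddress.ip_address(ip) in net for net in RFC1918):
                alerts.append(("lan-address-answer", qname, ip))
    for (txid, qname), answers in replies.items():
        if len(answers) > 1:
            alerts.append(("conflicting-answers", qname, sorted(sorted(a) for a in answers)))
    return alerts

# Constructed sample: two replies to the same query ID, then an unrelated clean reply.
SAMPLE = [
    build_response(0x1A2B, "www.bankofamerica.com", "192.168.1.50"),
    build_response(0x1A2B, "www.bankofamerica.com", "203.0.113.10"),
    build_response(0x3C4D, "iguru.gr", "198.51.100.7"),
]
```

In production the payloads would come from a capture of UDP port 53 traffic, and names that legitimately resolve to internal addresses would need an allow-list.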
And somewhere here we reached the end of our current guide.