DNS poisoning, also referred to as DNS cache spoofing, is a form of computer security hacking in which corrupt Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an incorrect result record. This results in traffic being diverted to the attacker's computer.
The goal of this attack is to unknowingly redirect Internet users to attacker sites. To carry it out, the hacker uses weaknesses of the Domain Name System (DNS) protocol and/or its implementation through the domain name servers.
As a reminder, the DNS protocol implements the mechanisms allowing to make the correspondence between an IP address and the name of the machine (ex .: www.example.com).
An attacker can create fake DNS entries for the server which may contain malicious content with the same name. For instance, a user types www.google.com, but the user is sent to another fraud site instead of being directed to Google’s servers. As we understand, DNS poisoning is used to redirect users to fake pages that are managed by the attackers.
ANATOMY OF THE ATTACK
If a machine "A" wants to communicate with a machine "B", the machine "A" necessarily needs the IP address of the machine "B". However, "A" may have only the name of "B". In this case, A will use the protocol DNS to get the IP address of "B" from his name.
A DNS request is then sent to a DNS server, declared at the level of "A", requesting the resolution of the name of "B" at its IP address. To identify this request an identification number (actually a field of the DNS protocol header) is assigned to it. Thus, the DNS server will send the response to this request with the same identification number.
The attack will consist of recovering this identification number by sniffing when the attack is carried out on the same physical network, or by using a flaw of the operating systems or the DNS servers which make these numbers predictable for the ability to send a falsified response before the DNS server.
Thus, the machine "A" will use, without knowing it, the IP address of the hacker and not that of the machine "B" initially requested.
LET'S MOVE TO A CONCRETE EXAMPLE
Let’s do a practical example of how DNS poisoning works using Ettercap. To initiate DNS poisoning, you have to start with ARP poisoning. We will use the DNS spoof plugin which is already there in Ettercap.
Before to move further, you must be sure that Ettercap is currently installed on your machine. If you don't have it yet installed, I invite you to have a look on this article which explains how to do a Man-in-the-Middle attack using ARP Poisoning and where you can find the way to install Ettercap for most Linux distributions
Now that you are ready with Ettercap, you will need to do it's to edit etter.dns. This file contains all entries for DNS addresses which are used by Ettercap to resolve the domain name addresses.
In this file, we will add a fake entry of “Facebook”. If someone wants to open Facebook, he will be redirected to the IP address we will put into this file for this specific domain name. To do it, simply open your terminal and type the following command.
sudo nano /etc/ettercap/etter.dns
On the above screenshot, you can see that we are redirecting all the requests sent to facebook to the server IP 188.8.131.52 which it's the server where headleaks.com is hosted.
You don't know where your etter.dns configuration file is located? Why don't you ask? Simply using your terminal and type the following command to locate it.
When you already edited the etter.dns, don't forget to save it using "ctrl+x".
The program can work in several modes - with a graphical interface, without and as a service. We will consider work in the graphical interface. To run a program with a GTK interface, use the -G option:
sudo -E ettercap -G
We use the
-E option for
sudo to save all of our user's environment variables.
DNS poisoning Attack using Ettercap
Let us get to the point and execute the Ettercap ARP Poisoning Attack In Ettercap, click on Sniff > Unified Sniffing and in the new popup select your network interface referenced in the below screenshot by wlp2s0.
Now, click Mitm > ARP poisoning and click OK. Thereafter, check the option Sniff remote connections and click OK.
The rest of the process it's quite easy ! click Plugins > Manage the Plugins select dns_spoof plugin by double-clicking.
You can now click View > Connections and lets Ettercap do the rest. As you can see on the below screenshot, another machine onto the network did send a request to facebook and has been redirected to our server 184.108.40.206 as previously configured on our etter.dns file.
I leave you to imagine what an attacker could do if he came, for example, to clone the Facebook login page on his server and redirects to their issues of visitors on it. Or if it came to do the same thing but this time with PayPal or an online payment gateway.
In this quick example, we saw how network traffic can be sniffed through different tools and methods.
DEFENSES AGAINST DNS POISONING
As an ethical hacker, your work could very likely put you in a position of prevention rather than pen-testing. What you know as an attacker can help you prevent the very techniques you employ from the outside.
Here are defenses against the attacks we just covered from a pen tester’s perspective:
- Update the DNS servers to avoid the predictability of identification numbers and flaws to take control of the server
- Configure the DNS server to resolve directly only machine names of the domain over which it has authority
- Limit the cache and check that it does not keep additional records
- Do not base authentication systems by the domain name
- Implement IP DHCP Snooping on switches to prevent ARP poisoning and spoofing attacks.
- Be careful when deploying wireless access points, knowing that all traffic on the the wireless network is subject to sniffing.
- Encrypt your sensitive traffic using an encrypting protocol such as SSH or IPsec.
- IPv6 has security benefits and options that IPv4 does not have.
- Virtual Private Networks (VPNs) can provide an effective defense against sniffing due to their encryption aspect.
- SSL is a great defense along with IPsec.