DNS Spoofing: DNS is an important service for just about any network today. Some networks, such as those that use Active Directory, cannot even function without DNS being present in the environment.
With these points in mind, we need to look at an attack in which the attacking party modifies the DNS server to change the flow of traffic from the normal host-to-IP-address mapping to addresses that they desire instead.
In some cases, the website that has traffic redirected to it may be designed to spread malware.
Performing DNS Spoofing
In this exercise you will perform a DNS spoofing attack to redirect traffic to a website you control instead of the normal website. To perform this exercise you will need to use Kali Linux 2.0.
- In Kali, choose dnsspoof from the Sniffing menu.
- At the command prompt enter the following command: dnsspoof -i <interface> -f <hostfile>.
In this command, -i tells dnsspoof which network interface to listen on and -f tells dnsspoof which host names to respond to. Specifically, -f names the hosts file whose entries supply the addresses dnsspoof uses when it responds to queries.
- Use a web browser on another machine on the network, such as a Windows system, to browse to a site such as Zelda.com.
- Flush DNS on the Windows system using the ipconfig command with the following syntax:
ipconfig /flushdns
- On the Kali system set the network card to run in promiscuous mode using ifconfig like so:
ifconfig <interface name> promisc
- Terminate the connection to Zelda.com on the Windows system by entering the following on the Kali system:
tcpkill -9 host www.zelda.com
- In Kali open the hosts file located in the /usr/local folder.
- Open the hosts file in a text editor.
- Save the hosts file.
- Turn off promiscuous mode on the Kali system by entering the following:
ifconfig <interface name> -promisc
- Create a new Zelda web page.
- Create a website that the user will be directed to when they type Zelda.com in the URL of their browser. Start dnsspoof and direct users to the new address for Zelda.com.
Now when dnsspoof is running, any attempt to access Zelda.com will redirect users to the new location.
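Seen from the monitoring side, this kind of spoofing leaves a trace: the forged reply and the real resolver's reply both answer the same query. The following added example (not part of the original exercise) parses captured DNS responses and flags any query that received two different A-record answers. The function names, the sample addresses and the assumptions that the real reply still reaches the client and that each packet holds one question are this example's own.

```python
import socket, struct
from collections import defaultdict

def _skip_name(buf, off):  # step over a DNS name: labels or a compression pointer
    while True:
        n = buf[off]
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n
        if n == 0:
            return off

def parse_a_response(buf):
    """Return (txid, qname, frozenset of A addresses) for one DNS response.
    Assumption: the packet carries exactly one question."""
    txid, _flags, _qd, an, _ns, _ar = struct.unpack("!6H", buf[:12])
    off, labels = 12, []
    while buf[off]:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii").lower())
        off += 1 + n
    off += 5  # root label (1) + QTYPE (2) + QCLASS (2)
    addrs = set()
    for _ in range(an):
        off = _skip_name(buf, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.add(socket.inet_ntoa(buf[off:off + 4]))
        off += rdlen
    return txid, ".".join(labels), frozenset(addrs)

def find_conflicts(responses):
    """responses: iterable of (client_ip, raw_dns_bytes) taken from a capture.
    Returns the queries that were answered with more than one address set."""
    seen = defaultdict(set)
    for client, raw in responses:
        txid, qname, addrs = parse_a_response(raw)
        seen[(client, txid, qname)].add(addrs)
    return {k: v for k, v in seen.items() if len(v) > 1}

def build(txid, qname, ip):  # helper that constructs a sample A response
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\0"
    hdr = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)
    ans = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return hdr + q + struct.pack("!HH", 1, 1) + ans

# Constructed sample data (documentation address ranges), not a real capture.
SAMPLE = [("192.0.2.10", build(0x1A2B, "www.zelda.com", ip)) for ip in ("192.0.2.66", "203.0.113.5")]
SAMPLE.append(("192.0.2.10", build(0x3C4D, "example.org", "198.51.100.7")))
```

A hit is a lead to investigate, not proof: a resolver that hands out different address sets on a retransmitted query would also match.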