DNS Attacks

So what is DNS anyway? DNS is domain name resolution protocol - it's how names like "yahoo.com" get turned into IP addresses like "10.20.30.40". It's a fundamental part of the way the internet routing system works.

DNS Hijacking

DNS Hijacking consists in modifying the way the sheep's DNS system works. This can be achieved at multiple levels (e.g., at the system level, by breaking into and modifying the client's system to permanently point to a pirate DNS server; or at the network level, by conducting a MITM attack on DNS requests.) By poisoning routes, the attacker receives the sheep's DNS requests and can respond to specific DNS requests from the sheep to a destination of the attacker's choosing.

See #EvilFOCA tool below.

Tools

Bettercap

Yep, Bettercap can execute MITM DNS attacks. This consists of two steps:

• Define your malicious DNS entries
• Execute your bettercap DNS attack

This will perform DNS spoofing, meaning Bettercap will trick the sheep into sending all of its DNS requests to the attacker instead of to the gateway. This allows the attacker to hijack traffic to certain sites.

When a DNS attack is combined with the HTTP proxy for traffic modification, this allows you to man-in-the-middle a DNS request for a particular domain (say, Microsoft.com), redirect the traffic through the HTTP proxy, and modify either the traffic sent from the sheep to the server, or from the server to the sheep.

See the Bettercap page for more detailed notes.

EvilFOCA

Windows tool

Link: https://github.com/ElevenPaths/EvilFOCA

Tool for conducting various DNS attacks (and other types of attacks)

• Capable of conducting DHCP ACK Injection - attacker monitors DHCP exchanges, interferes by sending packets, attacker acts as fake DHCP server
• DNS Hijacking - hijacking the shee's DNS channel to control where the sheep's requests point them

Flags

monkey in the middle attacks in which an attacker tricks two parties into thinking they're communicating with each other, but both are communicating with the attacker. MITM Wireless Attacks: MITM/Wireless Wired Attacks: MITM/Wired Layer 1 and 2 MITM Attacks: MITM/Layer 1 and 2 Network Tap: MITM/Wired/Network Tap Evil Twin Attack: Evil Twin  · MITM/Evil Twin Layer 3 and 4 MITM Attacks: MITM/Layer 3 and 4 Traffic Sniffing: MITM/Sniffing ARP Poisoning: MITM/ARP Poisoning Traffic Injection/Modification: MITM/Traffic Injection DNS Attacks: MITM/DNS  · Bettercap/Failed DNS Spoofing Attack  · Bettercap/Failed DNS Spoofing Attack 2 DHCP Attacks: MITM/DHCP WPAD MITM Attack: MITM/WPAD Port Stealing: MITM/Port Stealing Rushing Attack: MITM/Rushing Attack Attacking HTTPS: MITM/HTTPS Layer 5 MITM Attacks: Session Hijacking: MITM/Session Hijacking Toolz: Ettercap  · Bettercap  · MITMf  · EvilFOCA Wireshark  · Aircrack Dsniff  · Arpspoof  · Dnsspoof SSLSniff  · SSLStrip  · Frankencert Driftnet  · Karma MITM Labs: {{MITMLabs}} Category:MITM  · Category:Attacks  · Category:Kali Attack Layers Template:MITMLabs  · Template:MITMFlag Flags  · Template:MITMFlag  · e