Bettercap/Failed DNS Spoofing Attack
Continuing notes from Bettercap#DNS_Spoofing.
Now it's time to run our DNS spoofing attack with our malicious entries file.
Let's review all the things bettercap will be doing:
- Using the wifi network interface
- Sniffing and logging goodies to a file
- Running DNS spoofing attack against the sheep
- Running DNS traffic through Bettercap DNS server
- If facebook request found, forward them to NOPE (http://charlesreid1.com/wiki/File:Nope.jpg)
Each flag in the following bettercap command corresponds to one of the above tasks:
$ bettercap -I wlan1 -O bettercap_extrabacon.log -X --gateway 192.168.0.1 --target 192.168.0.7 \ --dns extrabacon.conf --httpd --httpd-path ./pub
This didn't work. (NOTE: should have added
Alternatives that I tried:
# specify port 53 instead of 5300 (nope) $ bettercap -I wlan1 -O bettercap_extrabacon.log -X --gateway 192.168.0.1 --target 192.168.0.7 --dns extrabacon.conf --dns-port 53 --httpd --httpd-path ./pub # do not specify gateway (nope) $ bettercap -I wlan1 -O bettercap_extrabacon.log -X --target 192.168.0.7 --dns extrabacon.conf --httpd --httpd-path ./pub # run ARP poisoning attack too (nope) $ bettercap -I wlan1 -O bettercap_extrabacon.log -S ARP -X --gateway 192.168.0.1 --target 192.168.0.7 --dns extrabacon.conf --httpd --httpd-path ./pub
The problem is, the image/page is not loading. Possible underlying issues:
- The redirect is happening from port 443, not from port 80, so the firewall isn't redirecting the request to 8081
- The sheep's browser is detecting that an HTTPS request for facebook is being redirected to a non-HTTPS request for something else. It serves up an HTTPS Connection Not Secure warning.
Let's try against an insecure, non-HTTPS sportsball page, to see if it's the HTTPS that's causing problems. Put this in extrabacon.conf:
Now carry out the attack again.
We apparently have success?
Except, not really, because it blocks way more sites than it is supposed to.
For example, MLB and NBA are also blocked, probably because they're associated.
But then, the Kali Linux official site is also blocked.
I restarted the attack, watching the network interface from the beginning with Wireshark. The spoofing attack didn't seem to be working well as multiple DNS requests were being answered by the gateway. I could see requests being intercepted by attacker. But again, the requests were not being dealt with correctly - the DNS server was hijacking too many requests/domains.
I tried changing the port to port 53, but no effect. I also tried running an ARP spoofing attack to try and get all the traffic, not just the DNS traffic, from the sheep flowing through the attacker. That did not work and seemed to break something with the DNS attack. After I stopped trying a DNS and ARP attach together, I saw some very screwy behavior from the sheep: when I typed in a web address in the sheep's browser, I would not see any DNS packets at all showing up at the attacker. (Indication: maybe they're going somewhere else?)
Disconnecting from network, resetting the mac address of the attacker machine, and reconnecting had no effect.
Need to be running an ARP spoof attack simultaneous with the DNS spoof attack - otherwise we'll be waiting for DNS traffic, but it will never come to us, because it only passes between the router and the client and not through the man in the middle.
Picking this back up here: Bettercap/Failed DNS Spoofing Attack 2
man in the middle attacksin which an attacker tricks two parties into thinking they're communicating with each other, but both are communicating with the attacker.
Wireless Attacks: Man in the Middle/Wireless
Wired Attacks: Man in the Middle/Wired
Layer 1 and 2 MITM Attacks:
Network Tap: Man in the Middle/Wired/Network Tap
Layer 3 and 4 MITM Attacks:
ARP Poisoning: Man in the Middle/ARP Poisoning
Traffic Injection/Modification: Man in the Middle/Traffic Injection
DHCP Attacks: Man in the Middle/DHCP
WPAD MITM Attack: Man in the Middle/WPAD
Port Stealing: Man in the Middle/Port Stealing
Rushing Attack: Man in the Middle/Rushing Attack
Attacking HTTPS: Man in the Middle/HTTPS
Session Hijacking: Man in the Middle/Session Hijacking
Man in the Middle Labs:
Dsniff ARP Poisoning:
Bettercap ARP Poisoning: MITM Labs/Bettercap Over Wifi
Bettercap to Replace Images: MITM Labs/Bettercap to Replace Images
MITMf to Backdoor Browsers: MITM Labs/MITMf to Backdoor Browsers
Browser + Wireshark/SSLSniff to Decrypt HTTPS: MITM Labs/Decrypting HTTPS Traffic with Private Key File
Browser + Wireshark to Decrypt HTTPS: MITM Labs/Decrypting HTTPS Traffic by Obtaining Browser SSL Session Info
Bettercap to MITM Android Phone: MITM Labs/Bettercap Android EvoFlags · Template:MITMFlag · e