Man in the Middle/DNS
So what is DNS anyway?
DNS is domain name resolution protocol - it's how names like "yahoo.com" get turned into IP addresses like "10.20.30.40". It's a fundamental part of the way the internet routing system works, and it makes navigating the web possible - nay, even easy! - for non-machine meatbags.
To perform attacks on DNS traffic, we will, of course, need access to the sheep's traffic. We cannot selectively intercept the sheep's DNS traffic without, well, actually intercepting the sheep's traffic. Therefore, we will need to use a technique to Man in the Middle the sheep before we can proceed to hijack DNS requests.
DNS hijacking consists in an attacker hijacking DNS traffic from the sheep in order to maliciously redirect the sheep to servers of our own choosing.
This is typically achieved at Level 3 and 4 on a network: ARP spoofing to redirect a sheep's traffic through the attacker, and a DNS server to handle requests (to send the sheep to our malicious server) or forward requests on to other DNS servers to take care of. However, it can also be achieved at the physical layer, by modifying the filesystem of a sheep's computer to permanently point to a pirate DNS server.
Current status: failing
Yep, Bettercap can execute MITM DNS attacks. This consists of two steps:
- Define your malicious DNS entries
- Execute your bettercap DNS attack
This will perform DNS spoofing, meaning Bettercap will trick the sheep into sending all of its DNS requests to the attacker instead of to the gateway. This allows the attacker to hijack traffic to certain sites.
When a DNS attack is combined with the HTTP proxy for traffic modification, this allows you to man-in-the-middle a DNS request for a particular domain (say, Microsoft.com), redirect the traffic through the HTTP proxy, and modify either the traffic sent from the sheep to the server, or from the server to the sheep.
See the Bettercap#DNS Spoofing page for more detailed notes.
You can also MITM attack a sheep's DNS using Dnsspoof, which is part of the Dsniff suite. It is a specialized tool intended solely for DNS spoofing. If you use dnsspoof, you should combine it with another tool like arpspoof or Bettercap to perform an ARP poisoning attack, or use some other technique for gaining control of the sheep's traffic.
Tool for conducting various DNS attacks (and other types of attacks)
- Capable of conducting DHCP ACK Injection - attacker monitors DHCP exchanges, interferes by sending packets, attacker acts as fake DHCP server
- DNS Hijacking - hijacking the sheep's DNS channel to control where the sheep's requests point them
man in the middle attacksin which an attacker tricks two parties into thinking they're communicating with each other, but both are communicating with the attacker.
Wireless Attacks: Man in the Middle/Wireless
Wired Attacks: Man in the Middle/Wired
Layer 1 and 2 MITM Attacks:
Network Tap: Man in the Middle/Wired/Network Tap
Layer 3 and 4 MITM Attacks:
ARP Poisoning: Man in the Middle/ARP Poisoning
Traffic Injection/Modification: Man in the Middle/Traffic Injection
DHCP Attacks: Man in the Middle/DHCP
WPAD MITM Attack: Man in the Middle/WPAD
Port Stealing: Man in the Middle/Port Stealing
Rushing Attack: Man in the Middle/Rushing Attack
Attacking HTTPS: Man in the Middle/HTTPS
Session Hijacking: Man in the Middle/Session Hijacking
Man in the Middle Labs:
Dsniff ARP Poisoning:
Bettercap ARP Poisoning: MITM Labs/Bettercap Over Wifi
Bettercap to Replace Images: MITM Labs/Bettercap to Replace Images
MITMf to Backdoor Browsers: MITM Labs/MITMf to Backdoor Browsers
Browser + Wireshark/SSLSniff to Decrypt HTTPS: MITM Labs/Decrypting HTTPS Traffic with Private Key File
Browser + Wireshark to Decrypt HTTPS: MITM Labs/Decrypting HTTPS Traffic by Obtaining Browser SSL Session Info
Bettercap to MITM Android Phone: MITM Labs/Bettercap Android Evo
Bettercap to MITM iPhone: MITM Labs/Bettercap iPhone
Flags · Template:MITMFlag · e