Understanding a DNS Spoofing + Phishing Attack
What is a DNS Spoofing and Phishing attack?
“Spoofing” is the falsification of data in a communication so that it appears to come from a legitimate source. DNS spoofing is therefore the forgery of the answer to a name resolution query: the victim asks the Domain Name System (DNS) for the IP address behind a name and receives an address chosen by the attacker.
Therefore, if we launch a “DNS Spoofing” attack, when the victim types a domain name such as “www.google.com” into their browser, the name resolves to the IP address the attacker configured for it instead of the legitimate one, and the browser connects to the server the attacker has placed at that address. The address bar still shows the domain the victim typed, which is what makes the attack convincing.
In the scenario below this is achieved from a man-in-the-middle position on the local network: the attacker sees the victim’s DNS query and answers it first with a forged reply, which the victim’s resolver then caches (“DNS Poisoning”). It goes without saying that if the website the victim lands on is a clone of the original one, we are talking about a phishing attack, usually for malicious purposes but also, as in our case, as part of an authorised exercise.
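To make the mechanism concrete, here is an added example (written for this page, not code from the original article or from ettercap) of what the forged reply looks like on the wire. It constructs the query a victim’s resolver would send for www.facebook.com, forges the answer a dns_spoof-style attacker would race back with the same transaction ID and question section and an A record for 192.168.4.111 (the address the exercise later uses for the cloned Facebook site), and then parses the result the way the victim would. The transaction ID 0xBEEF and the query bytes are constructed for the example and never sent.

```python
"""Forging a DNS A-record reply the way an on-path dns_spoof-style attacker does.

Added example; not code from the original article or from ettercap.  A stub
resolver accepts the first UDP reply whose transaction ID, source port and
question section match its outstanding query.  An attacker who sees the query
(here, thanks to ARP poisoning) copies those fields and answers before the real
resolver can.  The query below is constructed, not captured; 192.168.4.111 is
the article's address for the cloned Facebook site and 0xBEEF is an arbitrary
transaction ID chosen for the example.
"""
import struct

DNS_HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    # "www.facebook.com" -> 03 "www" 08 "facebook" 03 "com" 00 (length-prefixed labels)
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(data: bytes, offset: int) -> tuple[str, int]:
    """Read a (possibly compressed) name; return it and the offset just past it."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                 # 2-byte pointer into the packet
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            offset, jumped = pointer, True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def build_query(txid: int, name: str) -> bytes:
    """What the victim's resolver sends: flags 0x0100 = recursion desired."""
    return (DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 0) + encode_name(name)
            + struct.pack("!HH", QTYPE_A, QCLASS_IN))


def forge_answer(query: bytes, spoofed_ip: str, ttl: int = 3600) -> bytes:
    """Build the reply a poisoner races onto the wire in response to *query*."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    _, qend = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[qend:qend + 4])
    question = query[12:qend + 4]                  # echoed byte-for-byte
    # QR=1 (response), keep opcode, AA=1, keep RD, RA=1, RCODE=0
    rflags = 0x8000 | (flags & 0x7800) | 0x0400 | (flags & 0x0100) | 0x0080
    header = DNS_HEADER.pack(txid, rflags, qdcount, 1, 0, 0)
    rdata = bytes(int(octet) for octet in spoofed_ip.split("."))
    # 0xC00C is a compression pointer to offset 12, i.e. the question name
    answer = struct.pack("!HHHIH", 0xC00C, qtype, qclass, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_answers(response: bytes) -> dict:
    """Return the transaction ID, response bit and the A records a victim would cache."""
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", response[:8])
    offset = 12
    for _ in range(qdcount):                       # skip the question section
        _, offset = decode_name(response, offset)
        offset += 4
    records = []
    for _ in range(ancount):
        name, offset = decode_name(response, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        rdata, offset = response[offset:offset + rdlen], offset + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            records.append((name, ".".join(str(b) for b in rdata), ttl))
    return {"txid": txid, "is_response": bool(flags & 0x8000), "a_records": records}


def matches_query(query: bytes, response: bytes) -> bool:
    """The checks a stub resolver applies before accepting a reply (besides the UDP port)."""
    qname, qend = decode_name(query, 12)
    rname, rend = decode_name(response, 12)
    return (query[:2] == response[:2]                            # same transaction ID
            and qname.lower() == rname.lower()                   # same question name
            and query[qend:qend + 4] == response[rend:rend + 4])  # same type and class


if __name__ == "__main__":
    query = build_query(0xBEEF, "www.facebook.com")      # constructed, never sent
    forged = forge_answer(query, "192.168.4.111")
    print(parse_answers(forged), matches_query(query, forged))
```

Nothing here touches the network; the point is that the resolver’s acceptance test is only the transaction ID, the UDP port and the question. Source-port randomisation and 0x20 encoding defeat blind, off-path guessing but not an on-path attacker who reads the query. What does defeat the on-path attacker is a validating DNSSEC resolver, DNS over TLS/HTTPS to a resolver the client trusts, or, at the application layer, HSTS, which refuses to load the redirected plain-HTTP page at all.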
How can we carry out a combined attack?
We can launch a phishing attack through DNS Spoofing. The following case is a phishing attack on a local area network to obtain the login credentials of “Twitter” and “Facebook” accounts.
When the user enters the “Twitter” or “Facebook” address in their browser, a DNS Spoofing attack silently sends them to our malicious website, identical to the original one. Once the user has entered their credentials, these are saved in a text file on the attacker’s web server, and after three seconds the user is redirected to the original website, simulating a failed login attempt.
The victim then enters their credentials on the original website, logs in without any problems and continues browsing without noticing what has happened. In this way we can capture credentials from the organisation’s users for as many services as we are able to “clone”.
Starting the manual and automated cloning phase with SEToolkit
Cloning a site such as “Twitter” or “Facebook” has its complications, as their developers have gone to some lengths to make it difficult. That is why I will present the code I have written in a basic way, designed to capture the credentials when they are entered on the trap website and then redirect the user to the original website.
In the case of “Twitter”, we must find the form “action” in the “index.html” file, i.e. the URL the browser submits the form to once the user clicks the “submit” button after entering their login credentials. We change it to point to our “post.php” file, which is in charge of collecting the submitted credentials.
Our “post.php” file stores the credentials entered by the user in the “content.txt” file and then redirects the user to the original “Twitter” website so as not to arouse suspicion.
In the case of “Facebook”, we have to find the form “action” in its “index.html” file and change it to our “text.php” file, written to capture the credentials once the user has clicked on the “send” button.
The “text.php” file, executed after clicking on the “send” button, does the same for Facebook: it appends the submitted fields to a text file on the server and then redirects the browser to the official Facebook website.
Normally, an attacker who intends to launch such an attack will use the “SEToolkit” (Social-Engineer Toolkit). This suite is the toolkit par excellence for preparing social engineering attacks: it automates phishing attacks in a matter of seconds by cloning any web page and serving it from its own web server. It can be downloaded from “https://github.com/trustedsec/social-engineer-toolkit”.
Next we will show how to clone a website and place it on our web server, which will run under our attacking machine. We will then perform a DNS Spoofing attack with “ettercap”, to redirect web requests from the victim machine to our web server, where the cloned website will be hosted, ready for credentials theft.
We launch “SEToolkit” from the command line and see the following:
As we can see, this tool allows us to create different attack vectors, including social engineering attacks, as we have already mentioned.
We choose this first option and it takes us to the next menu:
Here we can see the number of attack vectors provided by the tool.
The first option can be used to set up a targeted e-mail attack against a specific victim.
The second option will be the one we will choose for the cloning of a web page, with which we can trick a victim and steal his or her login credentials.
The third option allows us to create infected media (usb, hdd…), using the classic “autorun.inf” as an infection vector.
With the fourth option, we can create malicious files (client and server), using the payloads offered by metasploit, simplifying the attacker’s work.
The fifth option, as its name suggests, allows us to send personalised mass e-mails to numerous victims.
The sixth option creates an attack vector against an Arduino-based platform; the remaining options are self-explanatory.
Continuing with the practice, we choose the option “Website Attacks Vectors” and arrive at the following menu:
As we can see in the image above, a description of each option is given. We choose the third one, “Credential Harvester Attack Method”, which clones a web page and starts a web server directly on our own machine to host the cloned site, ready for credential theft.
In the submenu that follows we choose the second option, “Site Cloner”, and proceed.
We are asked only for the IP address of our attacking machine (where the web server hosting the cloned page will listen), and then for the URL of the page we want to clone. Once this is done, the stage is set to launch our “DNS Spoofing” attack, with which we force the victim to connect to our web server. By the way, the cloned web page was that of “Facebook”, a classic.
Execution phase and credential capture
At this point we are going to see how to perform the “DNS Spoofing” attack. We are going to do it using “ettercap”. Firstly with the scenario that we have prepared automatically with SEToolkit; and later with the scenario prepared in our own way, as it is more didactic due to the fact that it requires a more manual and universal methodology.
Running the attack with Ettercap and SEToolkit
We assume that both websites are cloned and ready for credential capture. SEToolkit starts its own HTTP server on port 80 by default (this is configurable). A word of caution about HTTPS: the victim’s browser expects a certificate for “www.facebook.com” or “www.twitter.com”, and no public CA, “Let’s Encrypt” (https://letsencrypt.org/es/) included, will issue one to anyone who does not control those domains. A free certificate only avoids warnings for a domain we do control, i.e. when the victim is lured to our own lookalike domain rather than DNS-spoofed. Against a spoofed name the browser shows a certificate error, and since both sites send HSTS the user cannot click through it. Worse for the attacker, in current browsers both domains are on the HSTS preload list, so even the very first request is upgraded to HTTPS before it leaves the machine; the attack as described therefore relies on the victim’s first request going out over plain HTTP on port 80, which only happens with clients that lack preload (older browsers, some mobile and embedded clients) or with sites that still answer on plain HTTP.
Now, to start the “DNS Spoofing” attack, we must configure the “etter.dns” file, which in “Kali Linux” lives at “/etc/ettercap/etter.dns”. Each entry has three fields: the host name we want to hijack (wildcards such as *.facebook.com are accepted), the record type (A for an IPv4 answer) and the IP address of the server hosting the “trap” website, to which the victim will be sent. We add one such line per cloned site.
Once the “etter.dns” file is configured, we can start “ettercap”. We can do it graphically or by command line. On our attacking machine we will do it graphically, which will always be easier and more intuitive; but if we want to start “ettercap” on a previously exploited machine, with the purpose of capturing credentials from the local area of an organisation, we will do it by command line.
When we start the program we choose the network interface connected to the target segment, in this case the wireless interface “wlan0”.
We then scan the local network and select the machines whose traffic we want to intercept. In “Target 1” we put the IP address of the gateway, through which all packets pass on their way “outside”; in “Target 2” we put the IP addresses of the organisation’s machines we want to sniff. Leaving “Target 2” empty means every host on the segment, which is noisier and more likely to be noticed.
We then launch the MITM (Man In The Middle) attack with which we will place ourselves in the middle of the data transmissions, between the organisation’s machines and the router that gives them “access to the internet”. In this way we will intercept all the packets sent, among which we will be able to capture their credentials, in addition to launching the “DNS Spoofing” attack, which is the subject that concerns us at this precise moment. We perform the “ARP table poisoning” as follows.
Subsequently, once the ARP table poisoning has started and the sniffing has begun, we proceed to activate the “dns_spoof” plugin with which we will launch the “DNS Spoofing” attack.
At this precise moment, when the victim goes to visit the “Facebook” page, he will be directed to the IP address specified in the “etter.dns” file. Exactly the same will happen with the “Twitter” page. The stage is now set for the attack to succeed, and the victim will visit the specified websites and enter their login credentials.
Once the victim connects to the attacking server, we will be able to see it in some detail:
The victim machine will be redirected to our website where they will enter their login credentials.
Once the victim clicks on the “send” button their credentials will be ours:
The victim is then redirected to the original page, which opens without requesting any credentials if a session cookie from a previous login is still valid on their machine. The proof is that the credentials entered in this case were false, and yet the platform opened as logged in without any problem: the existing session, not the submitted password, is what authenticated the user.
Executing the attack manually
At the beginning of this article we had cloned the Facebook and Twitter websites manually. At this point we are going to proceed by starting an HTTP server (apache in this case) on a machine with IP 192.168.4.88, where the Twitter website will be hosted, and another HTTP server on another machine with IP 192.168.4.111 where the Facebook website will be hosted.
Now, we execute the “DNS Spoofing” attack with “ettercap” as we have seen before, with the file “etter.dns” as we can see in the following image:
Thus, if the victim currently visits the Facebook website, he/she will be redirected to the HTTP server of the machine with IP 192.168.4.111 and will see the following:
After entering their credentials, these will be saved in our “text.txt” file on the server, and the victim will then be redirected to the official Facebook website, as programmed in “text.php” through the instruction header("Location: https://www.facebook.com");.
In the same way, if the victim currently visits the Twitter website, he or she will be redirected to the HTTP server of the machine with IP 192.168.4.88 and will see the cloned page:
After entering their credentials, these will be saved in our “content.txt” file, located on the server, and the victim will then be redirected to the official Twitter website after three seconds, as programmed in the “post.php” file.
Conclusions and recommendations
Throughout the exercise, we were able to see how “relatively” easy it is for cybercriminals to prepare different scenarios to execute phishing attacks. By using automated tools such as SEToolkit, and through basic programming skills, we have seen how to prepare a halfway decent scenario for investigative purposes. Obviously, the attack vectors that can be used to take advantage of these scenarios are very diverse; from the use of Man In The Middle (MITM) like the one we have seen in this exercise, to the sending of very well prepared e-mails, SMS messages, and other vectors of social engineering in short.
A phishing page can often be recognised by checking that the site does not meet basic expectations: the address should begin with “https” and the browser should show a closed padlock, meaning it validated a certificate for the exact host name in the address bar. The caveat is that a padlock only proves an encrypted connection to whoever holds a certificate for that name, not that the name is the one you meant to visit.
In more sophisticated red team operations we may encounter attacks that do use valid certificates over HTTPS, obtained for lookalike domains the attacker controls, which defeat the “no padlock” check and evade certain detection controls. In these cases good cybersecurity awareness training is required to recognise potential social engineering vectors, as well as the different types of attacks on internal networks.
As for the Man In The Middle (MITM) attack that makes the DNS Spoofing possible, many endpoint protection products and browsers nowadays warn the user that a possible attack is under way and that their data may be intercepted (for example, a certificate error on a site that worked yesterday, or an alert that the gateway’s MAC address has changed). At that moment the user should disconnect from the network, as there is a high probability that an attacker is capturing traffic: to obtain credentials, to redirect the user to a specific page as in this exercise, or to push malware under the label of a “Windows update”, among others.
In certain Red Team operations, where the main objective is to go unnoticed, such attacks are instead carried out with purpose-built devices such as the “WiFi Pineapple” (https://shop.hak5.org/products/wifi-pineapple), a portable rogue access point that bundles a suite of post-exploitation tools (credential capture, captive portal, etc.). In that case the only thing the attacker needs is for the victim to connect to the trap WiFi network set up for the operation.
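The warning about the gateway’s MAC address deserves a worked example of the defender’s side, since the ARP poisoning that ettercap performs is also the noisiest part of the attack. The following is an added example written for this page (not code from the original article or from ettercap): it replays a constructed log of ARP replies as a passive sensor or the victim host itself would see them and applies the two checks that give an “arp:remote” style MITM away, the gateway IP suddenly answering from a new MAC, and one MAC claiming several IP addresses (the attacker claims both the gateway and the victim). The MAC addresses are made up and 192.168.4.1 is assumed to be the gateway.

```python
"""Detecting the ARP poisoning that puts an attacker on-path for dns_spoof.

Added example, not code from the original article or from ettercap.  It keeps
the IP->MAC binding last seen for every host plus the set of IPs each MAC has
claimed; a normal host only ever claims its own address, so a MAC that claims
the gateway's IP and a workstation's IP at once is the classic MITM footprint.
The reply log is constructed for the example; the MACs are made up and
192.168.4.1 is assumed to be the gateway.
"""
from collections import defaultdict
from dataclasses import dataclass

GATEWAY_IP = "192.168.4.1"   # assumption for the example


@dataclass(frozen=True)
class ArpReply:
    ts: float          # seconds since capture start
    sender_ip: str     # the IP the sender claims to own
    sender_mac: str    # the MAC it says that IP lives at


# Constructed sample: a quiet baseline, then the attacker (cc:..) poisons both sides
BASELINE = [
    ArpReply(0.0, "192.168.4.1",   "aa:aa:aa:aa:aa:01"),   # real gateway
    ArpReply(0.5, "192.168.4.50",  "bb:bb:bb:bb:bb:50"),   # victim workstation
    ArpReply(1.0, "192.168.4.200", "cc:cc:cc:cc:cc:c0"),   # attacker's own address
]
POISONING = BASELINE + [
    ArpReply(5.0, "192.168.4.1",  "cc:cc:cc:cc:cc:c0"),    # "the gateway is at my MAC" (to the victim)
    ArpReply(5.1, "192.168.4.50", "cc:cc:cc:cc:cc:c0"),    # "the victim is at my MAC" (to the gateway)
]


def detect_arp_spoof(replies, gateway_ip: str) -> list[dict]:
    """Return one alert per suspicious reply; an empty list means nothing was seen."""
    alerts = []
    ip_to_mac: dict[str, str] = {}
    mac_to_ips: dict[str, set] = defaultdict(set)
    for r in replies:
        # Check 1: an IP we already know about is now answered from a different MAC
        previous = ip_to_mac.get(r.sender_ip)
        if previous is not None and previous != r.sender_mac:
            alerts.append({
                "ts": r.ts,
                "kind": "gateway_mac_changed" if r.sender_ip == gateway_ip else "ip_mac_changed",
                "detail": f"{r.sender_ip} moved from {previous} to {r.sender_mac}",
            })
        ip_to_mac[r.sender_ip] = r.sender_mac
        # Check 2: one MAC claiming more than one IP on the segment
        if r.sender_ip not in mac_to_ips[r.sender_mac]:
            mac_to_ips[r.sender_mac].add(r.sender_ip)
            if len(mac_to_ips[r.sender_mac]) > 1:
                alerts.append({
                    "ts": r.ts,
                    "kind": "mac_claims_multiple_ips",
                    "detail": f"{r.sender_mac} now claims {sorted(mac_to_ips[r.sender_mac])}",
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoof(POISONING, GATEWAY_IP):
        print(alert)
```

On a real segment both checks need an allowlist before they are alerting material: DHCP reassignments and NIC replacements legitimately move an IP to a new MAC, and a router carrying secondary addresses or a VRRP/HSRP pair legitimately answers for several IPs from one MAC. The gateway flip, however, is worth treating as critical on any network where the gateway’s MAC is known and static, which is exactly what tools such as arpwatch and switch features such as Dynamic ARP Inspection rely on.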