Mohsin Nasir

233650
BS CYS (4TH SEM)
NETWORK SECURITY:
LAB#4:
1#IP SPOOFING:
IP Spoofing is a technique where an attacker changes the source IP address in a packet to
impersonate another device. It is used for cyberattacks like DoS, MITM, and bypassing security
measures. Prevention includes packet filtering, authentication, and firewall rules.

IP before spoofing:
Download VPN from vpnbook and unzip vpn files:

Connect to a VPN using a configuration file:

 Starts the OpenVPN client using the specified .ovpn configuration file.
 Routes internet traffic through the VPN tunnel.
your IP will change to the VPN-assigned IP if the VPN is configured correctly.

-----------------------------------------------------------------------------------------------
2#MAC SPOOFING:
MAC spoofing is the act of changing a device’s MAC address (Media Access Control) to bypass
network restrictions, hide identity, or impersonate another device.

sudo ifconfig eth0 down

Disables the network interface eth0, preventing network communication.

sudo macchanger -r eth0

Assigns a random new MAC address to the eth0 interface.

sudo macchanger –m <mac address > eth0

This command manually sets a specific MAC address for the eth0 interface.

Now the current and new mac address is same .

-----------------------------------------------------------------------------------------------
3#WEB SPOOFING:
Web spoofing is a cyberattack where an attacker creates a fake version of a legitimate website
to deceive users into entering sensitive information, such as usernames, passwords, or financial
details. This is often done using phishing techniques and tools like the Social Engineering
Toolkit (SEToolkit) to clone websites.

Use social engineering tool (setoolkit):

Select option 2 from menu (website attack vectors):
Website Attack Vectors in SEToolkit allow attackers to clone websites, inject malicious scripts,
and steal user credentials through phishing techniques.
Now select option 3 (Credential Harvester attack method):
Website attack vectors includes methods like Credential Harvester and MITM attacks to trick
victims into entering sensitive information.
Now select option 2 (site cloner):
The Site Cloner option copies a real website, making it look identical to trick users into entering
their credentials.

set IP of the host and paste the url of the website you to want clone here we paste the url of
github login page.
The attacker's machine hosts a fake GitHub login page, making it look real. When victims enter
their credentials, SEToolkit captures and stores them.

Here we try to login:

When a victim logs into the fake GitHub page, the attacker captures their username, password,
IP address, and browser details. This data is stored in SEToolkit logs for further exploitation.
4#MAN IN THE MIDDLE ATTACK :
MITM ARP Spoofing tricks a victim’s device into sending traffic through the attacker's machine
by sending fake ARP replies. This allows the attacker to intercept, modify, or steal sensitive
data from the network.

ARP SPOOFING:
install bettercap: command “sudo apt-get install bettercap”
Access Bettercap through root terminal:
These are the modules of bettercap:

The net.show command in Bettercap lists all active devices on the network, showing their IP,
MAC address, and hostname. This helps in network reconnaissance before launching attacks
or monitoring traffic.
Help net.probe Displays detailed information about the net.probe module, including its
usage, options, and parameters. It helps users understand how to actively scan for hidden
devices on the network.

The command net.probe on in Bettercap enables active network probing by sending ARP
and ICMP requests. This helps discover hidden or unresponsive devices on the network.

Now again check by help command these services of Bettercap is on :

 events.stream – Continuously displays real-time network events and

detected activities.
 net.probe – Actively scans the network to discover hidden or unresponsive
devices.
 net.recon – Continuously monitors the network to detect new devices and
connections.
After performing net.probe and net.recon now they show all active devices on network.
The command set arp.spoof.target <gateway><_ip> tells Bettercap to attack the
router by sending fake ARP messages. This makes the attacker’s device act like the router,
allowing them to intercept and control network traffic.

The command arp.spoof on makes the attacker’s device act like the router, so all network
traffic from the target passes through the attacker. This lets them see, modify, or steal data.

These services of bettercap is running for collecting data of victim:

The arp -a command in CMD shows a list of IP addresses and their MAC addresses on the
network, helping to identify connected devices.

We have successfully spoofed the target machine and the router

Check both have same mac address:

On Windows (Victim Machine):

Open a browser and visit the Unicorn website

Bettercap collects the victim's network data, including requests and traffic, when they search
for the Unicorn website.

Now victim login in unicorn website.

The victim enters their login credentials on the Unicorn website, Bettercap can capture the
username, password, and session details if HTTPS is not enforced or if an SSL stripping attack is
used.

5# DNS SPOOFING:
DNS spoofing is a cyberattack where hackers trick your device into visiting fake websites by
altering DNS records. This can lead to data theft, phishing, or malware infections.
To start Apache2: command sudo service apache2 start
Check IP of your machine: ifconfig
Start Apache and access it in the browser:

Start betercap : sudo bettercap run help command to check all

modules of bettercap
Help dns.spoof: This will display detailsof all modues of dns spoofing

set dns.spoof.address <IP> tells Bettercap to redirect spoofed DNS requests to the
specified IP. Use your Kali machine's IP if hosting a fake site or another target IP to redirect
victims elsewhere.

set dns.spoof.domains <domain> specifies which domain names Bettercap should spoof.

Check victim ip:

set arp.spoof.target <IP> specifies the target device for ARP spoofing. This allows
Bettercap to intercept and manipulate its network traffic.

net.probe on enables network probing in Bettercap, actively detecting live hosts on the
network. This helps identify potential targets for further attacks

After setting up DNS spoofing, when the victim searches the targeted domain (e.g.,
hackeralt1.com), they will be redirected to your Apache server instead of the real site.
Meanwhile, Bettercap captures their requests and possible credentials, which can be viewed in
the terminal.