Bettercap/Failed DNS Spoofing Attack 2: Difference between revisions
From charlesreid1
Revision as of 05:05, 25 August 2016
Second experiment, now that I know I need to be running an ARP spoofing attack simultaneously with the DNS attack.
Configure DNS File
We configured this attack to hijack requests for charlesreid1.com:
<pre>
# Empty lines or lines starting with # will be ignored.
local .*charlesreid1\.com
</pre>
Run ARP+DNS Attack
Start by running the Bettercap command:
<pre>
bettercap -I wlan1 -O bettercap_extrabacon.log -S ARP -X \
  --gateway 192.168.0.1 --target 192.168.0.7 \
  --dns extrabacon.conf --dns-port 53 \
  --httpd --httpd-path ./pub
</pre>
This sets up the ARP poisoning and runs the DNS spoofing on port 53. It runs an HTTP server to host the NOPE page.
Now, we have the sheep being DNS-spoofed. Let's test it out.
Testing It Out
On the sheep, I visit an insecure site, but NOT one that is in the DNS configuration file: http://nytimes.com
Immediately the sheep shows the NOPE page. It's not supposed to.
I visit another insecure site, NOT one that is in the DNS configuration file: http://nba.com
Again, the sheep shows the NOPE page. It's not supposed to.
I visit a secure site: https://dropbox.com.
The Dropbox site loads as expected - no redirects, no issues.
I visit another secure site: https://en.wikipedia.org
Wikipedia loads as expected.
I visit an insecure site: http://mlb.com
The sheep shows the NOPE page. It's not supposed to.
This attack is not working as expected.
It's possible my DNS cache is crusty.
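To rule the DNS file in or out as the cause, the following added example (not part of the original page and not Bettercap's own code) parses the rule file shown above and reports which of the visited hostnames it would match. It assumes each rule line is `<address> <regex>` with unanchored, case-insensitive matching; `parse_rules`, `matching_rule` and `expected_answers` are hypothetical helper names.

```ruby
# Added example: evaluate a bettercap-style DNS hosts file against hostnames.
# Assumption: each rule line is "<address> <regex>", matched unanchored and
# case-insensitively; "local" stands for the spoofing host's own address.

# Constructed copy of the rule file shown on this page.
DNS_CONF = <<~'CONF'
  # Empty lines or lines starting with # will be ignored.
  local .*charlesreid1\.com
CONF

# Hostnames visited during the test above, plus one that should match.
VISITED = %w[nytimes.com nba.com dropbox.com en.wikipedia.org mlb.com
             www.charlesreid1.com].freeze

Rule = Struct.new(:address, :pattern, :lineno)

# Parse the file into rules, skipping blank and comment lines.
def parse_rules(text)
  rules = []
  text.each_line.with_index(1) do |line, lineno|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    address, expr = line.split(/\s+/, 2)
    raise ArgumentError, "line #{lineno}: missing pattern" if expr.nil?
    rules << Rule.new(address, Regexp.new(expr, Regexp::IGNORECASE), lineno)
  end
  rules
end

# Return the first rule matching the hostname, or nil if none does.
def matching_rule(rules, hostname)
  rules.find { |r| r.pattern.match?(hostname) }
end

# Map every hostname to the address its rule would return (nil = not spoofed).
def expected_answers(rules, hostnames)
  hostnames.to_h { |h| [h, matching_rule(rules, h)&.address] }
end

if __FILE__ == $PROGRAM_NAME
  rules = parse_rules(DNS_CONF)
  expected_answers(rules, VISITED).each do |host, addr|
    puts format('%-22s %s', host, addr ? "rule -> #{addr}" : 'no rule matches')
  end
end
```

Under these assumptions only the charlesreid1.com name matches, so the file by itself does not account for nytimes.com, nba.com or mlb.com showing the NOPE page. Because the pattern is unanchored, it would also match a longer name that merely contains `charlesreid1.com`.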
Packet Traffic
Watching the