DNS Spoofing using BetterCap
DNS Spoofing refers to any attack that tries to change the DNS records returned to a querier to a response the attacker chooses. This can include some of the techniques described in DNS Hijacking, the use of cache poisoning, or some type of man-in-the-middle style attack. Sometimes, we use the term DNS Hijacking and DNS Spoofing interchangeably.
We will perform a MITM (man-in-the-middle) attack to carry out DNS spoofing.
Let us say the attacker and the victim are on the same network, and we want to spoof DNS so that a domain is redirected to a website the attacker controls.
Case: when the user tries to connect to the website www.ubuntu.com, they will be redirected to the website hosted on the attacker's device.
To perform the attack we need to know the attacker's and the victim's IP addresses, along with the gateway IP address.
In our case, the attacker's machine has the IP address 192.168.29.129 and the gateway IP address is 192.168.29.2.
Note: IP address may vary from network to network.
Attacker's IP config details:
Victim IP config details:
IP address of victim: 192.168.29.128
Website hosted by the attacker on his IP address:
The attacker needs to host a website to redirect victims to. On a local network this can be set up with an Apache or XAMPP server.
In our case, the website the attacker has set up on his IP looks somewhat like this:
Now let's get the real thing done!
Spoofing via Bettercap
BetterCAP is a powerful, flexible and portable tool created to perform various types of MITM attacks against a network, manipulate HTTP, HTTPS and TCP traffic in real time, sniff for credentials and much more.
We can say it's an advanced version of Ettercap.
Installation of Bettercap:
sudo apt-get install bettercap (Debian)
1. Let's fire up the tool by entering bettercap in the terminal.
2. Bettercap has modules for different attacks; to see which modules are running, type the help command in bettercap.
Here we can see that no modules are running. We will use the dns.spoof module to perform the task.
To start/stop any module:
module name on/off
Here, we fire up the command dns.spoof on. But we have not yet set up the parameters for it!
Let's set up the parameters for DNS spoofing, i.e. the domains to spoof and the spoofed IP address. To do so, run the commands:
set dns.spoof.domains ubuntu.com
set dns.spoof.address 192.168.29.129
Once all the parameters are set, we are good to go! Start the dns.spoof caplet (module) using the dns.spoof on command.
This will answer queries for the domain with the spoofed IP address on the network, so visiting the domain from within the network leads to the website hosted at the attacker's IP.
Let's try visiting the domain ubuntu.com from the victim machine or another endpoint: we are redirected to the attacker's website.
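The tell-tale sign of the setup above is a public domain (ubuntu.com) suddenly resolving to a LAN address (192.168.29.129). A defender can catch that pattern by auditing the answers the local resolver hands out. The following is an added Python example, not part of the original write-up or of bettercap; the answer lines, the reference resolver map and the local-name suffixes are constructed sample data.

```python
import ipaddress

# Constructed sample: A-record answers observed on the LAN (e.g. from a
# capture or resolver log), one "name type address" entry per line.
OBSERVED_ANSWERS = """\
ubuntu.com A 192.168.29.129
www.ubuntu.com A 192.168.29.129
example.org A 198.51.100.7
mirror.example.org A 203.0.113.99
printer.local A 192.168.29.50
"""

# Constructed reference: answers for the same names obtained from a
# resolver reached over a separate, trusted path (hypothetical values).
REFERENCE_ANSWERS = {
    "ubuntu.com": {"203.0.113.20", "203.0.113.21"},
    "www.ubuntu.com": {"203.0.113.20", "203.0.113.21"},
    "example.org": {"198.51.100.7"},
    "mirror.example.org": {"198.51.100.8"},
}

# Names that legitimately live on the local segment (assumed list).
LOCAL_SUFFIXES = (".local", ".lan", ".home.arpa")

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_answers(text):
    """Parse 'name type address' lines into (name, type, address) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            records.append((parts[0].lower(), parts[1].upper(), parts[2]))
    return records


def audit_dns_answers(observed, reference, local_suffixes=LOCAL_SUFFIXES):
    """Return (name, address, reason) findings for suspicious A answers.

    Check 1 flags a non-local name answered with an RFC 1918 address,
    the exact shape dns.spoof produces here. Check 2 flags any answer
    that disagrees with the out-of-band reference resolver.
    """
    findings = []
    for name, rtype, addr in parse_answers(observed):
        if rtype != "A":
            continue
        ip = ipaddress.ip_address(addr)
        if not name.endswith(local_suffixes) and any(ip in n for n in RFC1918):
            findings.append((name, addr, "public name -> private address"))
        elif name in reference and addr not in reference[name]:
            findings.append((name, addr, "differs from reference resolver"))
    return findings
```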