DNS Spoofing using BetterCap

DNS Spoofing refers to any attack that tries to change the DNS records returned to a querier to a response the attacker chooses. This can include some of the techniques described in DNS Hijacking, the use of cache poisoning, or some type of man-in-the-middle style attack. Sometimes, we use the term DNS Hijacking and DNS Spoofing interchangeably.

We would be performing MITM (Man in the middle)attack to perform DNS Spoofing

Let us say we are in the network (attacker and victim) and we need to spoof the DNS redirecting a domain to the attacker’s controlled website.

Case: When the user tries to connect to a website: www.ubuntu.com , will be redirected to the website that is hosted in attacker’s device

Pre-Requisite

We need to know the attacker’s and victim IP address along with gateway ip address to perform the attack

In our case , we have an attacker’s machine with the IP address : 192.168.29.129 along with gatewap IP address 192.168.29.2

Note: IP address may vary from network to network.

Attackers IP config details

Victim IP config details:

IP address of victim: 192.168.29.128

Website hosted by the attacker on his IP address:

Attackers need to host a website to redirect on malicious website. In local network attacker could set up using Apache or Xampp Server.

In our case the website which attacker has setup on his IP is somewhat like this:

Now lets get the real thing done!!

Spoofing via Bettercap

BetterCAP is a powerful, flexible and portable tool created to perform various types of MITM attacks against a network, manipulate HTTP, HTTPS and TCP traffic in realtime, sniff for credentials and much more.

We can say it’s an advanced version of Ethercap.

Installation of Bettercap:

sudo apt-get install bettercap (Debain)

Working:

1.Let’s fire up the tool by entering bettercap in the terminal

2. Bettercap has the module of different attack, to see which of the modules are running type help command in the bettercap.

Here we can see that modules are not running , we would be using dns.spoof module to perform the task.

To start/stop any module:

module name on/off

Here, we would be firing up the command dns.spoof on. Guess we havenot set up the parameter for the same!

Lets set up the parameter for dns spoofing i.e dns spoof domains and spoofed IP address. To do so , firing the commands:

set dns.spoof.domains ubuntu.com

set dns.spoof.address 192.168.29.129

Once all the params are set. We are good to go!! Thus starting dns.spoof caplets(modules) using dns.spoof on command

This will spoof the domain with the IP address in the network. Thus visiting the domain in the network would lead to the website hosted by attackers IP.

Lets try visiting the domain ubuntu.com from the victim machine or other endpoints and we are redirected to attackers website.

Hacking Hacking!!