Jump to content


Photo
- - - - -

Using ettercap with dns spoof


  • Please log in to reply
7 replies to this topic

#1 t0xizspill

t0xizspill

    Will I break 10 posts?

  • Members
  • 4 posts
  • Gender:Female
  • Location:Netherlands

Posted 09 May 2013 - 06:46 AM

What im trying to accomplish is switch out a DNS server on a router, since it has a primary and secondary,

 

is it possible to put your ip in there and have it get dns queries from your computer using ettercap's dns spoofing or so?

 

 



#2 systems_glitch

systems_glitch

    Dangerous free thinker

  • Moderating Team
  • 1,652 posts
  • Gender:Male

Posted 09 May 2013 - 07:25 AM

You could also set up a proper DNS server on another machine. I'm assuming you are wanting to replace the DNS nameserver IP broadcast with DHCP leases, right?



#3 t0xizspill

t0xizspill

    Will I break 10 posts?

  • Members
  • 4 posts
  • Gender:Female
  • Location:Netherlands

Posted 09 May 2013 - 08:14 PM

Im looking to hand out and take over the A records on some site DNS's. If the DNS ip was added to a router as a primary, it would just switch out whatever the dns server has.

 

For example, google.com has IP 10.0.0.1

 

DNS server would redirect any queries to google.com to 10.0.0.2 to anyone whose connected to that router.



#4 systems_glitch

systems_glitch

    Dangerous free thinker

  • Moderating Team
  • 1,652 posts
  • Gender:Male

Posted 09 May 2013 - 08:30 PM

Well, that may be applicable to small routers (home, small business, et c.) but not so much with big routers, like the kind that run the Internet. It's easy enough to spoof DNS on a small network, I do it at home to blackhole DNS names from ad/scam sites. For instance, doubleclick.net routes to 127.0.0.1 on my home network.



#5 t0xizspill

t0xizspill

    Will I break 10 posts?

  • Members
  • 4 posts
  • Gender:Female
  • Location:Netherlands

Posted 09 May 2013 - 09:50 PM

Im trying this on a small home router, its a cheap netgear router. You think setting up a dns server then setting A records to the specific sites i need it to redirect would work?



#6 systems_glitch

systems_glitch

    Dangerous free thinker

  • Moderating Team
  • 1,652 posts
  • Gender:Male

Posted 09 May 2013 - 10:12 PM

It should, yes. Generally the better small network routers will let you configure "DNS Overrides," which are basically spoofed A-records. You may not even need to set up an external DNS server.



#7 TheFunk

TheFunk

    SUP3R 31337

  • Binrev Financier
  • 187 posts
  • Country:
  • Gender:Male

Posted 12 May 2013 - 06:30 PM

Keep in mind that anything you do at the network level will affect all the computers on your network. In other words, if you set up a DNS server with spoofed A records as your primary DNS server, and it (for example) points Google to 127.0.0.1, Google will be unavailable for ALL clients on the network, unless they manually type in Google's actual external IP in their web browser.

If you haven't heard of the hosts file, (assuming you're using Windows machines) the hosts file is consulted before a DNS query is made. If you just wish to redirect a few hosts, or a subset of hosts on the network, try editing the Windows hosts file (windows\system32\drivers\etc).

Edit: If you're trying to spoof traffic for all hosts on the network though, definitely do what Glitch suggested with the overrides, it'll be much simpler and more effective than ettercap. You have to remember, your computer is not a server, nor a router, so passing traffic to it slows things down a good deal.


Edited by TheFunk, 12 May 2013 - 06:36 PM.


#8 tekio

tekio

    5(R1P7 |<1DD13

  • Binrev Financier
  • 1,102 posts
  • Gender:Male
  • Location:The Blue Nowhere

Posted 12 May 2013 - 08:04 PM

You can use Cain & Abel. This allows you spoof DNS records (Cain has built in DNS spoofing support that is easy to manage) only to hosts that are subjected to ARP poison routing. Thus, your machine and all others not selected for ARP poison routing will get pristine DNS answers.

 

 

EDIT:

 

Here's an image of the ARP/DNS Poisoning screen. Sorry, for it being so small, but don't really feel like editing it. Just enter the dns name along with the IP address you want it to resole to. All reverse DNS queries will be spoofed as well.

 

Remember, this only functions with hosts that are subject to ARP spoofing. 

 

2zelamx.jpg


Edited by tekio, 12 May 2013 - 08:17 PM.





BinRev is hosted by the great people at Lunarpages!