
Thread: DNS spoofing + S.E.T problem

  1. #1
    Just burned his ISO
    Join Date
    Mar 2011
    Posts
    12

    DNS spoofing + S.E.T problem

    Using:
    Backtrack 4 R2 (attacker)
    S.E.T
    dnsspoof ( from the dsniff suite)
    WinXP SP2 with Firefox 3.6.12 (victim)

    Scenario:
    Let’s say we want to sniff a person’s facebook credentials and he is part of our LAN.
    victim’s IP : 192.168.1.2
    attacker’s IP : 192.168.1.10
    We’re testing the S.E.T’s option Website Attack Vectors --> Credential Harvester Attack Method --> Site Cloner.
    But instead of serving the address to the victim directly (for ex. saying to him while chatting “check this new stuff at 192.168.1.10”) we wanna make this more quietly with DNS spoofing. So if he visits facebook.com he will be redirected to 192.168.1.10 where the cloned facebook is.

    We open a terminal and type the following:
    Code:
    cd /pentest/exploits/SET/
    ./set
    After updating the Metasploit Framework and the Social-Engineer Toolkit we take all the steps through S.E.T’s menu and we successfully clone the site:
    https://www.facebook.com

    We also create a plain text file (we name it ‘facespoof’) with the line below in it to use with dnsspoof.
    192.168.1.10 *.facebook.com <----this line tells that if someone wants to go
    to facebook.com send him to 192.168.1.10
    So in a terminal we type:
    Code:
    dnsspoof -i eth0 -f /root/facespoof
    and we get something like this:
    Code:
    dnsspoof: listening on eth0 [udp dst port 53 and not src 192.168.1.10]
    So far so good…
    But when the victim enters “https://www.facebook.com/” in his address bar we get an error message “unable to connect”.
    However when he enters “http://www.facebook.com/” everything goes fine and our attack is successful.

    Does anyone know why this is happening?

  2. #2
    Just burned his ISO
    Join Date
    Apr 2011
    Posts
    1

    Re: DNS spoofing + S.E.T problem

    quick question,

    is this over LAN or wifi?

  3. #3
    Senior Member LHYX1
    Join Date
    Sep 2010
    Location
    Belgium
    Posts
    127

    Re: DNS spoofing + S.E.T problem

    I think you are forgetting to arp poison the victim before you start dns spoofing.

  4. #4
    Just burned his ISO
    Join Date
    Mar 2011
    Posts
    12

    Re: DNS spoofing + S.E.T problem

    Quote Originally Posted by LHYX1
    I think you are forgetting to arp poison the victim before you start dns spoofing.
    Thanks for your reply!
    Are you sure that arp poison is needed?
    Because apart from using the "dnsspoof" tool, I've also tried attacking with
    "ettercap" and arp poison enabled before dns spoofing. (Of course I've changed the etter.dns properly.)
    And I had the same results:
    http - attack successful
    https - attack unsuccessful

  5. #5
    Just burned his ISO
    Join Date
    Mar 2011
    Posts
    12

    Re: DNS spoofing + S.E.T problem

    Quote Originally Posted by Geniused
    quick question,

    is this over LAN or wifi?
    it's over LAN

  6. #6
    Senior Member LHYX1
    Join Date
    Sep 2010
    Location
    Belgium
    Posts
    127

    Re: DNS spoofing + S.E.T problem

    Yes the arp poisoning is necessary. You have to send the victim's traffic (including dns requests and replies) through your attacker computer before you can spoof them.
    I have no idea why you were unsuccessful before. And what do you actually mean with https doesn't work and http does? If you enter a URL with http:// in front of it it works and if you enter a URL with https:// in front of it it doesn't work? Maybe you should add something like "https://www.*.*.*.*.*.*.* A [IP]" in your etter.dns
    (\ /)
    ( . .)
    c(")(")

    This is bunny.
    Copy and paste bunny into your signature to help him gain world domination.

  7. #7
    Just burned his ISO
    Join Date
    Mar 2011
    Posts
    12

    Re: DNS spoofing + S.E.T problem

    Well...
    1. Without arp poisoning the dns spoofing works fine with "dnsspoof". I get redirected.
    2. With arp poisoning ("arpspoof") and dns spoofing ("dnsspoof") it also works but it's a bit slower.
    3. With ettercap (arp poisoning + dns spoofing) it works as above (2).

    Quote Originally Posted by LHYX1
    And what do you actually mean with https doesn't work and http does? If you enter a URL with http:// in front of it it works and if you enter a URL with https:// in front of it it doesn't work?
    That's exactly what I mean!
    When I enter a URL with https://.... I get something like: "Unable to connect"

    Quote Originally Posted by LHYX1
    Maybe you should add something like "https://www.*.*.*.*.*.*.* A [IP]" in your etter.dns
    I've tried that already... It didn't work!

    P.S. (Have you tried this attack? If so, does it work for you?)

  8. #8
    Senior Member LHYX1
    Join Date
    Sep 2010
    Location
    Belgium
    Posts
    127

    Re: DNS spoofing + S.E.T problem

    For me it works fine with ettercap. But I only tried http urls. I never tried https except for catching logins and passwords with ettercap.
    And are there sites where you directly type https://something.com? Normally you enter an http url and when you log in or something it gets encrypted with ssl and becomes https.
    And doesn't https run on another port than http? Doesn't it get tunneled through port 443 to encrypt it with ssl? Correct me if I'm wrong.
    What happens when you enter an https url? Does it show a couldn't load the page error or does it just show the page you entered?
    One more thing. How are you doing this? Are you using virtual machines or not?
    If you are only using dnsspoof and it works, how is that possible? Like I said above you have to send the victim's traffic through your computer. I am pretty certain of this. The only way you could only use dnsspoof is if the victim's traffic is somehow already going through your computer.
    Last edited by LHYX1; 04-12-2011 at 07:12 AM.

  9. #9
    Just burned his ISO
    Join Date
    Mar 2011
    Posts
    12

    Re: DNS spoofing + S.E.T problem

    Quote Originally Posted by LHYX1
    And are there sites where you directly type https://something.com? Normally you enter an http url and when you log in or something it gets encrypted with ssl and becomes https.
    You're right about that but I am examining the case where somebody has the https url stuck to his Firefox "bookmarks toolbar". (I use it like this in my Firefox.) In my everyday use I don't type http://www.face...com in the address bar, I've got it bookmarked directly as https://www.face....com.

    Quote Originally Posted by LHYX1
    What happens when you enter an https url? Does it show a couldn't load the page error or does it just show the page you entered?
    It shows a "couldn't load page error", as if you had no internet connection.

    Quote Originally Posted by LHYX1
    One more thing. How are you doing this? Are you using virtual machines or not?
    The whole work is being done in VMware Workstation 7.1.3 and the VMs are set to "Bridged networking : Connected directly to the physical network"

    Quote Originally Posted by LHYX1
    If you are only using dnsspoof and it works, how is that possible? Like I said above you have to send the victim's traffic through your computer. I am pretty certain of this. The only way you could only use dnsspoof is if the victim's traffic is somehow already going through your computer.
    Don't know why "dnsspoof" works but I surely get redirected to whatever address I've set up.
    Anyway forget about "bare" "dnsspoof", even with arp poisoning (all my latest tries) before dns spoofing the whole thing doesn't work.

    Yet thanks a lot for your interest!!!

  10. #10
    Senior Member LHYX1
    Join Date
    Sep 2010
    Location
    Belgium
    Posts
    127

    Re: DNS spoofing + S.E.T problem

    I found out that https runs on port 443 by default. The https sites also get spoofed to your attacker machine but you haven't got anything running on port 443. I think that's why it shows a "couldn't load the page error". And I think because you are running the whole thing in vmware you are probably able to access the traffic without arp poisoning.
    Glad I was able to help
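
Seen from the defending side, the redirect discussed in this thread leaves two traces in DNS traffic: a public hostname answered with an RFC 1918 address, and two replies to the same query that disagree. The following detection sketch is an added example, not code from any poster in the thread; the packets are constructed inline, and the function names and the `internal_suffixes` allow-list are assumptions.

```python
import ipaddress
import struct
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def build_response(txid, name, ip):
    """Constructed sample data: a minimal DNS response with one A record."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.ip_address(ip).packed
    return header + qname + struct.pack("!HH", 1, 1) + answer

def parse_response(pkt):
    """Return (txid, qname, [A-record addresses]); assumes exactly one question."""
    txid, _, _, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    pos, labels = 12, []
    while pkt[pos]:
        labels.append(pkt[pos + 1:pos + 1 + pkt[pos]].decode())
        pos += 1 + pkt[pos]
    pos, addrs = pos + 5, []  # skip root label, QTYPE and QCLASS
    for _ in range(ancount):
        while pkt[pos] and pkt[pos] & 0xC0 != 0xC0:  # walk owner-name labels
            pos += 1 + pkt[pos]
        pos += 2 if pkt[pos] else 1  # compression pointer is 2 bytes, root label is 1
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[pos:pos + 10])
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.ip_address(pkt[pos + 10:pos + 14])))
        pos += 10 + rdlen
    return txid, ".".join(labels), addrs

def find_suspicious(packets, internal_suffixes=(".lan", ".local")):
    """Flag public names answered with RFC 1918 addresses and conflicting replies."""
    seen, alerts = defaultdict(set), []
    for txid, qname, addrs in map(parse_response, packets):
        private = [a for a in addrs if any(ipaddress.ip_address(a) in n for n in RFC1918)]
        if private and not qname.endswith(internal_suffixes):
            alerts.append(("private-answer", qname, tuple(private)))
        if seen[txid, qname] and frozenset(addrs) not in seen[txid, qname]:
            alerts.append(("conflicting-answers", qname, tuple(addrs)))
        seen[txid, qname].add(frozenset(addrs))
    return alerts

# Constructed capture: 192.168.1.10 is the LAN address from the thread, 203.0.113.35 is a documentation address.
SAMPLE = [
    build_response(0x1A2B, "www.facebook.com", "192.168.1.10"),  # forged reply arrives first
    build_response(0x1A2B, "www.facebook.com", "203.0.113.35"),  # resolver's reply, same query ID
    build_response(0x3C4D, "printer.lan", "192.168.1.50"),       # legitimate internal name
]
```

Running `find_suspicious(SAMPLE)` reports both traces for `www.facebook.com` and nothing for the internal name.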
