Using:
Backtrack 4 R2 (attacker)
S.E.T
dnsspoof (from the dsniff suite)
WinXP SP2 with Firefox 3.6.12 (victim)
Scenario:
Let’s say we want to sniff a person’s facebook credentials and he is part of our LAN.
victim’s IP : 192.168.1.2
attacker’s IP : 192.168.1.10
We’re testing the S.E.T’s option Website Attack Vectors --> Credential Harvester Attack Method --> Site Cloner.
But instead of serving the address to the victim directly (for ex. saying to him while chatting “check this new stuff at 192.168.1.10”) we want to do this more quietly with DNS spoofing. So if he visits facebook.com he will be redirected to 192.168.1.10, where the cloned facebook is.
We open a terminal and type the following:
Code:
cd /pentest/exploits/SET/
./set
After updating the Metasploit Framework and the Social-Engineer Toolkit we take all the steps through S.E.T’s menu and we successfully clone the site:
Code:
https://www.facebook.com
We also create a plain text (we name it ‘facespoof’) with the line below in it to use it with dnsspoof.
Code:
192.168.1.10 *.facebook.com <----this line tells that if someone wants to go to facebook.com send him to 192.168.1.10
So in a terminal we type:
Code:
dnsspoof -i eth0 -f /root/facespoof
and we get something like this:
Code:
dnsspoof: listening on eth0 [udp dst port 53 and not src 192.168.1.10]
So far so good…
But when the victim enters in his address bar “https://www.facebook.com/” we get an error message “unable to connect”.
However when he enters “http://www.facebook.com/” everything goes fine and our attack is successful.
Does anyone know why this is happening?
quick question,
is this over LAN or wifi?
I think you are forgetting to arp poison the victim before you start dns spoofing.
Thanks for your reply!
Are you sure that arp poison is needed?
Because apart from using the "dnsspoof" tool, I've also tried attacking with
"ettercap" and arp poison enabled before dns spoofing. (Of course I've changed the etter.dns properly.)
And i had the same results:
http - attack successful
https - attack unsuccessful
Yes, the arp poisoning is necessary. You have to send the victim's traffic (including dns requests and replies) through your attacker computer before you can spoof them.
I have no idea why you were unsuccessful before. And what do you actually mean with https doesn't work and http does? If you enter a url with http:// in front of it it works and if you enter a url with https:// in front of it it doesn't work? Maybe you should add something like "https://www.*.*.*.*.*.*.* A [IP]" in your etter.dns
(\ /)
( . .)
c(")(")
This is bunny.
Copy and paste bunny into your signature to help him gain world domination.
Well...
1. Without arp poisoning the dns spoofing works fine with the "dnsspoof". I get redirected.
2. With arp poisoning ("arpspoof") and dns spoofing ("dnsspoof") it also works but it's a bit slower.
3. With ettercap (arp poisoning + dns spoofing) it works as above (2).
That's exactly what I mean!
When I enter a url with https://.... I get something like: "Unable to connect"
I've tried that already...It didn't work...!
p.s (Have you tried this attack? If so, does it work for you?)
For me it works fine with ettercap. But I only tried http urls. I never tried https except for catching logins and passwords with ettercap.
And are there sites where you directly type https://something.com? Normally you enter an http url and when you login or something it gets encrypted with ssl and becomes https.
And doesn't https run on another port than http? Doesn't it get tunneled through port 443 to encrypt it with ssl? Correct me if I'm wrong.
What happens when you enter an https url? Does it show a couldn't load the page error or does it just show the page you entered?
One more thing. How are you doing this? Are you using virtual machines or not?
If you are only using dnsspoof and it works, how is that possible? Like I said above you have to send the victim's traffic through your computer. I am pretty certain of this. The only way you could only use dnsspoof is if the victim's traffic is somehow already going through your computer.
Last edited by LHYX1; 04-12-2011 at 07:12 AM.
You're right about that but I examine the case that somebody has the https url stuck to his Firefox "bookmarks toolbar". (I use it like this in my Firefox.) In my everyday use I don't type http://www.face...com in the address bar, I've got it bookmarked directly as https://www.face....com.
It shows a "couldn't load page error", as if you had no internet connection.
The whole work is being done in VMware Workstation 7.1.3 and the vm's are set to "Bridged networking : Connected directly to the physical network"
Don't know why "dnsspoof" works but I surely get redirected to whatever address I've set up.
Anyway forget about "bare" "dnsspoof", even with arp poisoning (all my latest tries) before dns spoofing the whole thing doesn't work.
Yet thanks a lot for your interest!!!
I found out that https runs on port 443 by default. The https sites also get spoofed to your attacker machine but you haven't got anything running on port 443. I think that's why it shows a "couldn't load the page error". And I think because you are running the whole thing in vmware you are probably able to access the traffic without arp poisoning.
Glad I was able to help!
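A defender-side check for the redirect discussed in this thread, added here as an example and not code from any of the posters: it parses a raw DNS response and flags A records that point a name into a private LAN range, which is what the spoofed answer sending facebook.com to 192.168.1.10 looks like on the wire. The names `LOCAL_NETS`, `read_name`, `local_answers` and `sample_response` are made up for this example, and the sample packets are constructed.

```python
import ipaddress
import struct

# RFC 1918 ranges: a public site should never resolve into these.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def read_name(msg, off):
    """Decode the DNS name at off, following compression pointers; return (name, next offset)."""
    labels, resume = [], None
    for _ in range(256):                       # bound the walk so pointer loops cannot hang us
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer to an earlier name
            resume = off + 2 if resume is None else resume
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:                        # root label ends the name
            return ".".join(labels), (off if resume is None else resume)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    raise ValueError("name too long or compression pointer loop")

def local_answers(msg):
    """Return (name, ip) for every IN A record in a response that points into LOCAL_NETS."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:                     # QR bit clear: this is a query, not a response
        return []
    off, hits = 12, []
    for _ in range(qd):                        # skip the question section
        _, off = read_name(msg, off)
        off += 4                               # QTYPE + QCLASS
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ip = ipaddress.ip_address(msg[off:off + 4])
            if any(ip in net for net in LOCAL_NETS):
                hits.append((name, str(ip)))
        off += rdlen
    return hits

def sample_response(qname, ip):
    """Constructed test input: a minimal DNS response carrying one A record for qname."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return (struct.pack("!6H", 0x1A2B, 0x8180, 1, 1, 0, 0) + q + struct.pack("!HH", 1, 1)
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.ip_address(ip).packed)

print(local_answers(sample_response("www.facebook.com", "192.168.1.10")))
```

Feeding it the UDP payloads of port 53 replies from a capture gives a list of names to investigate; internal-only zones that legitimately resolve to LAN addresses need an allow-list.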