Dns Spoof Failure

[kazol]

Hi all,

I wanted to do a dns spoof test using Ettercap and dns_spoof plugin. Here are the steps I followed:

A BackTrack 5 Gnome R2 connected wirelessly and a Windows XP SP3 connected wirelessly too.

1) On BackTrack I edit the /usr/local/share/ettercap/etter.dns file to have these:

www.google.com A 87.248.120.148

On a terminal I type this and press enter (192.168.1.75 goes to Windows XP pc):

ettercap -T -q -P dns_spoof -i wlan0 -M ARP /192.168.1.75/ //

Then, before do anything else, I execute this command:

echo 1 > /proc/sys/net/ipv4/ip_forward

After these, the target computer cannot browse anything and always an error page come up.

But in the terminal which I run ettercap I see this new line:

dns_spoof: [www.google.com] spoofed to [87.248.120.148]

Does anybody know what's the problem ?

Thank you in advance

[zimmaro]

hi,
I think it is right!
-if you turn ON your apache2-server (in bt) to see if the victim (xp) go-to "www.google.com" "" "the traffic is redirected from your backtrack apache-server(/var/www/" [where maybe there could be what do-you-want .... site-clone .......etc .....)

ps: if the test is in the same LAN. I'd put in etter.dns the result of ifconfig of backtrack-machine

sorry my english!
bye

[Bl4cks4b3r]

As the above comment mentions MAKE SURE APACHE IS ON. If it is: 1.) have you edited your etter.dns file, as well as edited your etter.conf file to make sure they are both setup correctly (sometimes your LAN IP changes and then it wont redirect to your page because it is trying to redirect to a page that is no longer there), 2.) after that if you are testing on your own network (assumed) then make sure you dont have a filter for DNS turned on in your router/modem (for example if I turn my filter on it will give me an error or just not load because it detects the redirection). I would also look at your script and make sure that the said IP that you used (192.168.1.75) is correct. You shouldnt need to use "echo 1 > /proc/sys/net/ipv4/ip_forward" 3.) have you updated ettercap? Are you running 7.3/7.4? Good luck XD

[aerokid240]

Check iptables or make sure firewall is off for testing purposes. Run wireshark for debugging. Wireshark should answer most of your questions.

[kazol]

I checked everything twice, but still I cannot spoof DNS. The victim couldn't browse anything except of my apache server! My router does not have a firewall or a DNS filter. My ettercap is version 7.3. I checked the etter.conf file but I didn't find anything to change