How to perform DNS Cache Poisoning (Spoofing)


CompTIA PenTest PT0-002

Introduction to DNS Cache Poisoning (or DNS Spoofing)

Domain Name System (DNS) is a hierarchical system used across networks as a naming system that resolves human-readable domain names such as www.example.com into machine-usable IP addresses like 192.0.2.1

DNS Cache Poisoning is an attack that's also known as DNS Spoofing. It's a type of cyber attack where hackers exploit vulnerabilities in the Domain Name System (DNS). This diverts traffic from legitimate servers to malicious ones. The hacker does this by corrupting the DNS cache, which is a temporary database maintained by a DNS server. It holds records of all the recent visits and attempted visits to websites and other domains.

You know how DNS servers resolve human-readable domain names into IP addresses, right? When you type in www.example.com, it takes you to 93.184.216.34. When a user wants to visit a website, their computer sends a DNS query through the network until it reaches a DNS server that can figure out which IP address matches that domain name. From there, the connection is established.

So during this attack, hackers want to insert false entries into that DNS cache I mentioned earlier on. This way, requests for a legitimate site are shot somewhere else entirely; somewhere controlled by the attacker themselves. This malicious site can be used for phishing information or spreading malware, among other things like stealing sensitive information too.

DISCLAIMER:
This article is intended for educational purposes only. The tools and techniques discussed herein should be used in a legal, ethical manner, exclusively for security research or within authorized penetration testing activities. Unauthorized use of these tools against networks, systems, or applications without explicit permission can lead to legal consequences and ethical violations.


Demonstration of DNS Spoofing using DNSMASQ

In this lab, we’ll explore DNS spoofing by performing it on a Kali Linux attacker machine with Metasploitable as the victim. We’ll use

  • dnsmasq, a lightweight DNS forwarder and DHCP server, to set up the malicious DNS server, and
  • ettercap, a comprehensive suite for man-in-the-middle attacks on a LAN, to execute the attack.

You can refer to Setup Lab Environment for CompTIA PenTest+ Exam (PT0-002) if you don't have a lab to practice DNS cache poisoning.

  • Kali Linux: Your attacker machine where you’ll run DNS spoofing tools.
  • Metasploitable: A victim/target machine for the attack. Make sure it uses the attacker’s DNS server.
  • Network Configuration: All VMs in your lab should be on the same virtual network so they can talk to each other.


Step 1. Configure the Malicious DNS Server with dnsmasq

First let's start with the installation of dnsmasq (if not installed already).

sudo apt-get install dnsmasq

Configure dnsmasq to perform the DNS spoofing. Add the following line to redirect all DNS requests for example.com to the attacker's IP address. Replace 10.10.1.10 with your Kali Linux VM's IP address:

sudo nano /etc/dnsmasq.conf
address=/example.com/10.10.1.10

Restart dnsmasq to apply the changes:

sudo systemctl restart dnsmasq

Ensure dnsmasq is running:

sudo systemctl status dnsmasq

Step 2: Perform DNS Spoofing with ettercap

On Kali Linux, launch ettercap in graphical mode:

sudo ettercap -G

In the ettercap GUI, select Sniffing at startup, choose your sniffing interface and save.

Scan for hosts on the network: Hosts > Scan for hosts.

Select Hosts > Hosts list. You can modify the list by right-clicking individual hosts. For this demonstration I will remove the other hosts and keep only 10.10.1.11 and 10.10.1.12 for spoofing.

Start ARP poisoning: MITM > ARP poisoning.

NOTE:
ARP poisoning is an essential part of this DNS spoofing setup: it causes all the traffic the victim sends, including DNS requests, to pass through the attacker's machine. This is what makes the method useful in environments where you cannot control the network infrastructure or change the DNS server settings on individual machines.

Ensure "Sniff remote connections" is checked and confirm.

Now that ARP poisoning is set up, all traffic from the Metasploitable VM should flow through the Kali Linux VM, allowing you to intercept and manipulate DNS requests.
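
The NOTE above explains that the whole setup depends on ARP poisoning redirecting the victim's traffic. The script below is an added example, not part of the original article and not ettercap's code, showing how a defender on the victim side can spot that step: it parses snapshots of the Linux neighbour table (the line format printed by ip neigh show) and flags a gateway whose MAC address has changed between snapshots, plus any MAC address that answers for more than one IP. The snapshots and MAC addresses are constructed, and the gateway address 10.10.1.1 is an assumption for this lab network.

```python
"""Detect the signs of ARP poisoning from neighbour-table snapshots.

Added example (not part of the original article). It parses lines in the
format printed by `ip neigh show` on Linux and flags two symptoms of the
MITM > ARP poisoning step: the gateway's MAC address changing between
snapshots, and one MAC address answering for more than one IP address.
The snapshots, MAC addresses and gateway address are constructed.
"""
import re
from collections import defaultdict

# One `ip neigh show` line, e.g.
# "10.10.1.1 dev eth0 lladdr 52:54:00:aa:bb:01 REACHABLE"
NEIGH_RE = re.compile(r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-fA-F:]{17})")


def parse_neigh(text):
    """Return {ip: mac} for every entry that carries a link-layer address."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def shared_macs(table):
    """Return {mac: [ips]} for MAC addresses claimed by more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_changed(before, after, gateway_ip):
    """True if the gateway's MAC address differs between two snapshots."""
    return (gateway_ip in before and gateway_ip in after
            and before[gateway_ip] != after[gateway_ip])


def analyze(before_text, after_text, gateway_ip):
    """Compare two snapshots and return a list of human-readable findings."""
    before = parse_neigh(before_text)
    after = parse_neigh(after_text)
    findings = []
    if gateway_changed(before, after, gateway_ip):
        findings.append(f"gateway {gateway_ip} MAC changed: "
                        f"{before[gateway_ip]} -> {after[gateway_ip]}")
    for mac, ips in shared_macs(after).items():
        findings.append(f"MAC {mac} claims multiple IPs: {', '.join(ips)}")
    return findings


# Constructed snapshots: a clean table, then what the victim sees once the
# host at 10.10.1.10 (the Kali VM in this lab) also answers for the gateway.
BEFORE = """\
10.10.1.1 dev eth0 lladdr 52:54:00:aa:bb:01 REACHABLE
10.10.1.10 dev eth0 lladdr 52:54:00:aa:bb:10 STALE
10.10.1.12 dev eth0 lladdr 52:54:00:aa:bb:12 REACHABLE
"""
AFTER = """\
10.10.1.1 dev eth0 lladdr 52:54:00:aa:bb:10 REACHABLE
10.10.1.10 dev eth0 lladdr 52:54:00:aa:bb:10 REACHABLE
10.10.1.12 dev eth0 lladdr 52:54:00:aa:bb:12 REACHABLE
"""

if __name__ == "__main__":
    for finding in analyze(BEFORE, AFTER, "10.10.1.1"):
        print("ALERT:", finding)
```

On a real host you would feed the script the output of ip neigh show taken periodically; a static ARP entry for the gateway, or switch features such as dynamic ARP inspection, are the usual mitigations once the condition is confirmed.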


Step 3: Demonstration of the Attack

On the Metasploitable VM, when a user attempts to navigate to example.com, the DNS request will be intercepted by the Kali Linux VM. Because of the dnsmasq configuration, the response will carry the IP address specified in dnsmasq instead of the real one, simulating a DNS spoofing attack.

To test this, connect to the Metasploitable VM terminal or console and execute:

nslookup example.com 10.10.1.10

Replace 10.10.1.10 with the address you have given for DNS resolution in dnsmasq. This command tells nslookup to resolve example.com using the DNS server at 10.10.1.10. If your DNS spoofing setup is working correctly, the response should show the spoofed IP address you configured in dnsmasq, not the real IP address of example.com.

dig is another DNS querying tool that is more flexible than nslookup and provides detailed information about the query. Execute the following command, substituting example.com with your target domain and 10.10.1.10 with the IP address of your Kali Linux DNS server:

dig @10.10.1.10 example.com

The output will provide detailed information about the DNS query, including the ANSWER SECTION, which shows the spoofed IP address if your DNS spoofing is successful.


Step 4. Analyzing the results with Wireshark

I have started tcpdump to capture the packet trace between the Metasploitable and Kali Linux VMs so we can also validate the outcome in Wireshark. I executed the following command on Kali Linux and then ran nslookup from the Metasploitable VM:

sudo tcpdump -i eth0 -w /tmp/dns_spoofing.pcap

Here is a snippet of Wireshark packet capture for the response received:

The Answers section lists example.com and the spoofed IP address which we set up with dnsmasq.


Demonstration of DNS Spoofing using ETTERCAP

Ettercap is installed by default on Kali Linux. We will use the same setup, with Metasploitable and DVWA acting as clients that send DNS requests, which Ettercap on Kali Linux will spoof.


Step 1: Configuring Ettercap for DNS Spoofing

Ettercap's functionality extends beyond ARP poisoning to include a DNS spoofing plugin, which we'll configure to intercept and modify DNS queries on the fly. Modify /etc/ettercap/etter.dns and append an entry for each domain you wish to spoof, with the address you want it to resolve to. In our case we will use example.com and resolve it to our Kali Linux VM's IP, i.e. 10.10.1.10.

example.com A 10.10.1.10


Step 2: Enabling IP Forwarding

To ensure that your machine can forward the intercepted traffic, enable IP forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward


Step 3: Install DNS Spoof Plugin

We need to enable the DNS spoof plugin, which can be done either via the GUI or the CLI. If you are using a GUI session, navigate to Plugins in the menu and select Manage plugins.

Next you will get a list of supported plugins. Select dns_spoof and right click on it, click on Activate to activate the plugin.

You should see the message Activating dns_spoof plugin..., which means the plugin is active.

If you prefer the CLI method, execute the command below, which should produce the same result (replace <interface> with your actual interface, such as eth0):

ettercap -Tq -M arp:remote -P dns_spoof -i <interface>

Step 4: Monitoring and Verification

While Ettercap runs, it's vital to monitor the network to ensure the spoofing is effective. You can now connect to the DVWA or Metasploitable VM terminal or console and re-execute the nslookup and dig commands from the previous section:

dig @10.10.1.10 example.com
nslookup example.com 10.10.1.10

The output should confirm that DNS requests for the targeted domains are redirected to the specified IP addresses. You can also monitor the ettercap output:

dns_spoof: A [example.com] spoofed to [10.10.1.10] TTL [3600 s]
dns_spoof: A [example.com] spoofed to [10.10.1.10] TTL [3600 s]
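
Both verification steps in this article (the nslookup/dig checks and the Wireshark capture in the dnsmasq section, and the ettercap monitoring output just above) come down to the same thing: reading the Answers section of a DNS response and deciding whether it is legitimate. The script below is an added example, not code from the article, from dnsmasq or from ettercap. It builds a DNS response carrying the same record the ettercap log reports (example.com A 10.10.1.10, TTL 3600), parses it the way Wireshark's Answers section does, and applies two defender-side checks: the answer disagrees with a trusted reference value, and a public name resolves to a private (RFC 1918) address, which is what an internal rogue resolver typically produces. The transaction ID is constructed, and the reference address for example.com is the one quoted in the article's introduction.

```python
"""Parse a DNS response and flag answers that look spoofed.

Added example, not from the original article. It constructs a response
packet with the record shown in the ettercap log (example.com A 10.10.1.10,
TTL 3600), parses it like Wireshark's Answers section, and applies two
defender-side checks: mismatch against a trusted reference value, and a
public name resolving into private (RFC 1918) address space.
"""
import ipaddress
import struct


def encode_name(name):
    """Encode a dotted name as DNS labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def build_a_response(txid, name, addr, ttl):
    """Build a minimal standard-query response with one A record (constructed input)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    question = encode_name(name) + struct.pack("!HH", 1, 1)     # QTYPE A, QCLASS IN
    rdata = ipaddress.IPv4Address(addr).packed
    # Answer name is a compression pointer to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def read_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset after the name)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it once
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode())
        offset += length
    return ".".join(labels), end


def parse_response(data):
    """Return the A-record answers as a list of (name, ttl, address)."""
    _txid, _flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = read_name(data, offset)
        offset += 4  # skip QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = read_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1:
            answers.append((name, ttl, str(ipaddress.IPv4Address(rdata))))
    return answers


def check_answers(answers, expected):
    """Flag answers that differ from the trusted value or land in private space."""
    findings = []
    for name, ttl, addr in answers:
        if name in expected and addr != expected[name]:
            findings.append(f"{name}: got {addr}, reference says {expected[name]} (TTL {ttl})")
        if ipaddress.IPv4Address(addr).is_private:
            findings.append(f"{name}: public name resolved to private address {addr}")
    return findings


# Trusted reference (the address the article's introduction gives for example.com).
TRUSTED = {"example.com": "93.184.216.34"}
# Constructed packet mirroring the spoofed answer from the lab.
SPOOFED = build_a_response(0x1A2B, "example.com", "10.10.1.10", 3600)

if __name__ == "__main__":
    parsed = parse_response(SPOOFED)
    print("answers:", parsed)
    for finding in check_answers(parsed, TRUSTED):
        print("ALERT:", finding)
```

The same two checks can be run over the responses in the tcpdump capture from the earlier section; a resolver that returns a private address for a public name, or whose answers disagree with a known-good resolver, is the signal a monitoring system should raise on.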

Summary

Cyberattackers use DNS cache poisoning or DNS spoofing to manipulate domain name system (DNS) responses, redirecting users to fraudulent websites and thereby compromising internet communication. These attackers exploit vulnerabilities in the DNS protocol, slipping fake address records into the DNS cache. Legitimate requests are redirected to malicious sites as a result. This event might lead to the theft of sensitive information, malware distribution, or phishing scams. Understanding and defending against this particular kind of cyber attack is pivotal for maintaining network infrastructure security and protecting users from any potential threats and privacy breaches down the line.


Deepak Prasad

He is the founder of GoLinuxCloud and brings over a decade of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, AWS, Networking, and Security. With extensive experience, he excels in various domains, from development to DevOps, Networking, and Security, ensuring robust and efficient solutions for diverse projects. You can connect with him on his LinkedIn profile.
