i start trying DNS Spoofing, first time was working when i try it on my smartphone and it was great but when i try it on my windows I'v open the browser he stay loading and show message that insecure certificat.
what i should do!!!!
Forum Thread: DNS Spoofing Doesn't Work
- Hot
- Active
-
Forum Thread:
When My Kali Linux Finishes Installing (It Is Ready to Boot), and When I Try to Boot It All I Get Is a Black Screen.
8
Replies
3 days ago -
Forum Thread:
HACK ANDROID with KALI USING PORT FORWARDING(portmap.io)
12
Replies
1 wk ago -
Forum Thread:
Hydra Syntax Issue Stops After 16 Attempts
2
Replies
1 mo ago -
Forum Thread:
Hack Instagram Account Using BruteForce
208
Replies
1 mo ago -
Forum Thread:
Metasploit reverse_tcp Handler Problem
47
Replies
2 mo ago -
Forum Thread:
How to Train to Be an IT Security Professional (Ethical Hacker)
22
Replies
3 mo ago -
Metasploit Error:
Handler Failed to Bind
41
Replies
3 mo ago -
Forum Thread:
How to Hack Android Phone Using Same Wifi
21
Replies
3 mo ago -
How to:
HACK Android Device with TermuX on Android | Part #1 - Over the Internet [Ultimate Guide]
177
Replies
3 mo ago -
How to:
Crack Instagram Passwords Using Instainsane
36
Replies
3 mo ago -
Forum Thread:
How to Hack an Android Device Remotely, to Gain Acces to Gmail, Facebook, Twitter and More
5
Replies
3 mo ago -
Forum Thread:
How Many Hackers Have Played Watch_Dogs Game Before?
13
Replies
3 mo ago -
Forum Thread:
How to Hack an Android Device with Only a Ip Adress
55
Replies
4 mo ago -
How to:
Sign the APK File with Embedded Payload (The Ultimate Guide)
10
Replies
4 mo ago -
Forum Thread:
How to Run and Install Kali Linux on a Chromebook
18
Replies
5 mo ago -
Forum Thread:
How to Find Admin Panel Page of a Website?
13
Replies
6 mo ago -
Forum Thread:
can i run kali lenux in windows 10 without reboting my computer
4
Replies
6 mo ago -
Forum Thread:
How to Hack School Website
11
Replies
6 mo ago -
Forum Thread:
Make a Phishing Page for Harvesting Credentials Yourself
8
Replies
6 mo ago -
Forum Thread:
Creating an Completely Undetectable Executable in Under 15 Minutes!
38
Replies
8 mo ago
-
How To:
Scan for Vulnerabilities on Any Website Using Nikto
-
How To:
Hack Apache Tomcat via Malicious WAR File Upload
-
How To:
Top 10 Things to Do After Installing Kali Linux
-
How To:
Perform Advanced Man-in-the-Middle Attacks with Xerosploit
-
How To:
Dox Anyone
-
How To:
Use Burp & FoxyProxy to Easily Switch Between Proxy Settings
-
How To:
Crack Shadow Hashes After Getting Root on a Linux System
-
Android for Hackers:
How to Turn an Android Phone into a Hacking Device Without Root
-
How To:
Use Command Injection to Pop a Reverse Shell on a Web Server
-
How To:
Bypass File Upload Restrictions on Web Apps to Get a Shell
-
How To:
Crack SSH Private Key Passwords with John the Ripper
-
How To:
Exploit EternalBlue on Windows Server with Metasploit
-
How To:
Check if Your Wireless Network Adapter Supports Monitor Mode & Packet Injection
-
How to Hack Wi-Fi:
Stealing Wi-Fi Passwords with an Evil Twin Attack
-
How To:
Gain SSH Access to Servers by Brute-Forcing Credentials
-
How To:
Find Passwords in Exposed Log Files with Google Dorks
-
How To:
Create Custom Wordlists for Password Cracking Using the Mentalist
-
How To:
Use SpiderFoot for OSINT Gathering
-
How To:
Exploit PHP File Inclusion in Web Apps
-
Tutorial:
DNS Spoofing
2 Responses
You have probably tried to dns spoof a website that uses SSL
when you visit the legitimate website, the server of that website sends you a ssl certificate containing a public key
This certificate needs to be signed by a trusted CA(certificate authority)
So if you spoof a ssl protected website, you'll need to send that certificate to the client.
That won't cause an error in the browser of the victim, but you won't be able to see anything because after receiving the certificate, the client will encrypt the data with the public key
and that data can only be decrypted with the private key.(The Public and Private key pair are two uniquely related cryptographic keys
they are mathematically related, so whatever is encrypted with the public key can only be decrypted by the private one.)
But the private key is only available to the client, so you cannot decrypt the connection.
Now you might think:
what if I send a self signed certificate?
That won't work either because the certificate needs to be signed by a trusted CA, and since you're not one, the same error will be displayed.
And you won't be able to get a signed certificate by a trusted CA unless you prove that the website is in fact yours.
To be able to successfully spoof the DNS address of a website on your network you'll need to use something like sslstrip, and that doesn't always work.
If you have any further questions on the subject, I'll be glad to help,
hope my answer helped,
happy hacking, -ali
Excellent answer from Ali. I'd go as far to say DNS spoofing is dead. SSLStrip and SSLStrip2 rarely if ever work and any half recent iteration/version of Chrome/Firefox/pretty much any browser won't even let your victim proceed to any SSL protected website if it detects MITM, proxying, HTTP data interference of any kind. So even the most n00b/reckless of users can't just ignore security warnings and proceed anyway. Best bet is to deauth, rougue/clone the AP and phish what you need with a persistent router firmware update demand from http://theirtelco/update.ga before they work out what's going on.
EDIT ... in theory, of course.
Share Your Thoughts