Hack Like a Pro: How to Spoof DNS on a LAN to Redirect Traffic to Your Fake Website

Welcome back, my novice hackers!

There are SOOOO many ways to hack a system or network, which means you need to think creatively in order to be successful.

Many novice hackers focus way too much energy on cracking passwords (which should be a last resort unless you have specialized tools or a 10,000-machine botnet) or exploiting a vulnerability in an operating system (increasingly rare). With all the protocols that computer systems use (DNS, SMTP, SMB, SNMP, LDAP, DHCP, etc.), there is bound to be a vulnerability in one of them that we can exploit to get what we're after.

DNS Spoofing: Redirecting Users to Your Website

In this hack, we will be exploiting the Domain Name Service (DNS). As you know, DNS is used for domain name resolution, or converting a domain name such as wonderhowto.com to an IP address such as 8.26.65.101. If we can mess with this protocol, we could very well send someone looking for a domain name such as bankofamerica.com to our malicious website and harvest their credentials.

Dug Song of the University of Michigan developed a suite of hacking tools that are excellent for this purpose. We have already used one of his tools, arpspoof, for doing a man-in-the-middle attack. In this attack, we will be using his dnsspoof tool, which will enable us to spoof DNS services on a local area network.

Remember, even though this hack requires that you be on the same LAN, you could get access to the LAN through a remote vulnerability or a weak password on just ONE machine on the network. In institutions with thousands of computers on their network, that means you need to find only a single exploitable machine to be able to implement this attack against the entire network.

Step 1: Fire Up Kali

Let's get started by firing up Kali and going to Applications -> Kali Linux -> Sniffing -> Network Sniffers, and finally, dnsspoof, as seen in the screenshot below.

Step 2: Open Dnsspoof

When you click on dnsspoof, the following terminal opens. Notice how simple the syntax is.

  • dnsspoof -i <interface> -f <hostsfile>

Step 3: Set Up for Sniffing

We will be trying to get a Windows 7 system on our network to redirect its bankofamerica.com navigation to our own website. On the Windows 7 system, use Google Chrome, or any browser, to navigate there.

Step 4: Flush the DNS Cache

First, we need to flush the DNS cache of the Windows 7 system. In this way, the Windows client won't use the DNS entries cached on the system and will instead send a fresh query, which our "updated" DNS service can answer. In reality, this step is not necessary, but for our demonstration it speeds things up.

Close the browser on the Windows 7 system and type:

  • ipconfig /flushdns

Now we need to set our network card on our Kali server to promiscuous mode (she, your network card, will accept anyone's packets).

  • ifconfig eth0 promisc

Now we need to kill the connection between the Windows 7 system and www.bankofamerica.com. This forces the Windows 7 machine's user to re-authenticate.

  • tcpkill -9 host www.bankofamerica.com

After the connection to www.bankofamerica.com has been killed, stop tcpkill with Ctrl+C.

Step 5: Create Hosts File

In my Linux tutorial on client DNS, I showed you how the hosts file in Linux acts like a static DNS. Here we will be using a hosts file of our own (the one dnsspoof reads with -f, separate from the system's /etc/hosts) to redirect that Windows 7 system's search for Bank of America to our website. Let's go to the /usr/local directory.

  • cd /usr/local

From there, let's open the hosts file in any text editor. Kali doesn't have kwrite, which we had been using in BackTrack, but it does have a graphical VIM, or gvim, so let's use that. There is no hosts file in /usr/local by default; gvim will create it when you save.

  • gvim hosts

Now that we have the hosts file open, we need to add the following line to it. Remember, the hosts file simply maps an IP address to a domain name, so we put our Kali system's IP address in and map it to www.bankofamerica.com (replace the placeholder with your own address):

  • <your Kali IP address>	www.bankofamerica.com

It's important here to use the TAB key between the IP address and the domain. Spaces will be interpreted by the system to be part of the domain name.

Step 6: Create a New BOA Webpage

Before we go any further, we now need to turn off promiscuous mode on our network card (she decided to commit to you and only you).

  • ifconfig eth0 -promisc

Now we need to create a website that the user will be directed to when they type bankofamerica.com in the URL of their browser. Let's create a simple webpage. If you want more info on how to create a simple webpage and host it in Linux, check out my Linux guide on Apache web servers.

Now open the index.html.

  • gvim /var/www/index.html

This is what it looks like by default. We want to change it, put in the following HTML, and save it.

<html>
<body>
<h1>This is the Fake Bank of America Web Site!</h1>
</body>
</html>

Of course, if you really wanted to pull off this hack, you would want to take the time to build a website that looks and acts just like the site you're spoofing, but that is another tutorial entirely.

Step 7: Start the Apache Web Server

Now, start the web server built into Kali. This is Apache and the service is HTTP, so we go to Kali Linux -> System Services -> HTTP, and finally, apache2 start. This will start our web server on our Kali system hosting the fake Bank of America website.

Step 8: Start Dnsspoof

In our last step, we need to start dnsspoof so that DNS queries are checked against the entries in our "hosts" file first. Dnsspoof watches for DNS queries on the LAN and, when a query matches an entry in our hosts file, immediately answers it with the IP address from that entry; the real DNS server still sees the query, but the client accepts the first reply it receives. In this way, any name the client looks up that has an entry in our hosts file will be resolved as specified by our hosts file.

Remember, we mapped bankofamerica.com to our IP address so that they will go to OUR web server and see OUR website.

  • dnsspoof -f hosts

Step 9: Navigate to BOA from Windows 7

Now, from the Windows 7 system, type in the URL bankofamerica.com and it will pull up our fake website vs. the real Bank of America site.

Now, when anyone on the local area network attempts to navigate to the Bank of America website, they will instead come to our website!

As you can imagine, with dnsspoof in place, we can wreak all kinds of havoc on a LAN!
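The mechanism in Step 8 also gives a defender something to look for: the forged reply is injected on the LAN for a query the real resolver also answers, so a monitor on the client segment sees two responses for one transaction ID carrying different A records, and the forged frame arrives from an Ethernet source other than the gateway. The following detector is an added example written for this page, not dnsspoof's or the author's code; the MAC addresses and the 203.0.113.10 address are constructed, and it parses DNS wire format by hand so it runs offline.

```python
import struct

# Constructed demo values (not from a real capture): the gateway's MAC, the attacker's NIC,
# and the attacker's web server (the IP mapped to www.bankofamerica.com in the hosts file).
GATEWAY_MAC = "00:11:22:33:44:01"
ATTACKER_MAC = "00:11:22:33:44:21"
SPOOF_IP = "192.168.1.21"

def build_response(txid, qname, ips, ttl=300):
    """Build a minimal DNS response: one A question and one A record per IP."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)   # QR=1, RD, RA
    qn = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split(".")) + b"\0"
    question = qn + struct.pack("!HH", 1, 1)                        # qtype A, qclass IN
    rrs = b""
    for ip in ips:                                                  # 0xc00c points at qname
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return hdr + question + rrs

def decode_name(data, off):
    """Decode a (possibly compressed) name at offset off; return (name, next offset)."""
    labels = []
    while True:
        ln = data[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:                                       # compression pointer
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [decode_name(data, ptr)[0]]), off + 2
        labels.append(data[off + 1:off + 1 + ln].decode())
        off += 1 + ln

def parse_response(data):
    """Return (txid, qname, [A-record IPs]) for a DNS response, or None for a query."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        return None
    off, qname, ips = 12, "", []
    for _ in range(qd):
        qname, off = decode_name(data, off)
        off += 4                                                    # skip qtype, qclass
    for _ in range(an):
        _, off = decode_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    return txid, qname.lower(), ips

class SpoofDetector:
    """Flag replies whose frame source is not the expected gateway, and replies that answer an
    already-answered transaction with different A records. The IP source is deliberately not
    checked: a forged reply can carry the resolver's own IP address."""
    def __init__(self, gateway_mac):
        self.gateway_mac = gateway_mac.lower()
        self.seen = {}                                              # (txid, qname) -> (mac, ips)

    def observe(self, src_mac, payload):
        parsed = parse_response(payload)
        if parsed is None:
            return []
        txid, qname, ips = parsed
        alerts = []
        if src_mac.lower() != self.gateway_mac:
            alerts.append(f"reply for {qname} from unexpected source {src_mac}")
        key = (txid, qname)
        if key in self.seen and set(self.seen[key][1]) != set(ips):
            prev_mac, prev_ips = self.seen[key]
            alerts.append(f"conflicting answers for {qname} (txid {txid:#06x}): {prev_mac} said {prev_ips}, {src_mac} said {ips}")
        self.seen.setdefault(key, (src_mac, ips))
        return alerts

def demo():
    """Constructed sequence: the forged reply wins the race, then the real one arrives."""
    det = SpoofDetector(GATEWAY_MAC)
    forged = build_response(0x1A2B, "www.bankofamerica.com", [SPOOF_IP])
    genuine = build_response(0x1A2B, "www.bankofamerica.com", ["203.0.113.10"])  # constructed
    benign = build_response(0x3C4D, "wonderhowto.com", ["8.26.65.101"])           # untouched lookup
    alerts = det.observe(ATTACKER_MAC, forged)
    alerts += det.observe(GATEWAY_MAC, genuine)
    alerts += det.observe(GATEWAY_MAC, benign)
    return alerts

if __name__ == "__main__":
    print("\n".join("ALERT: " + a for a in demo()))
```

On a live segment the same observe() call would be fed from a capture of UDP source port 53 frames, using each frame's Ethernet source and the UDP payload.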


145 Comments

root@AttackerBoy:~# ifconfig eth0 promisc
root@AttackerBoy:~# tcpkill -9 http://www.bankamerica.com
pcap_compile: syntax error
tcpkill: couldn't initialize sniffing

any ideas?

Is eth0 in promiscuous mode?

I have had a lot of trouble with my mitm attack. Is this also because I need to put eth0 in promiscuous mode?

Also two more questions. 1. Do I need to buy a wireless card? 2. How do I take eth0 out of promiscuous mode?

This attack REQUIRES that your eth0 be in promiscuous mode.

Ok thanks. Does a mitm attack also require eth0 in promiscuous?

So that's why it wasn't working! :D Also, if I wanted to get into wifi hacking, what wireless card would you suggest, and where can I find out how to set it up with my Kali Linux virtual machine?

Buy the Alfa cards. They are inexpensive and work well. Setting it up is simply plugging it into a USB slot and then telling your VM to connect to it.

To tell my VM to connect to it, what do I put in the network settings? Right now it is on bridged, but when I put in my wireless card, what should I put instead?

(Assuming VMware Workstation)
Edit -> Virtual Network Editor (w/ Admin Privileges)
Change VMNet0 to be bridged with your (future) wireless card.

AK

Hey, but there is no hosts file in /usr/local.
Am I supposed to create a new one???
Or can I use the hosts file from the /etc directory?

how could I do this? or know?

Ahmed Turjuman:

ifconfig eth0 promisc

ghost_

Thanks ghost_ for your reply. You can see above that I already wrote this... but after I type tcpkill -9 http://www.bankamerica.com, should I be connected on the other Windows 7 system to that website? If so, I did this and still the same error shows up. Can you please explain?

Thanks in Forward.
AttackerBoy

I don't know if you ever fixed it or not, but the problem with your command is exactly as your console says. There was a syntax error. You are missing the "host" part before the website. It should look like this:

tcpkill -9 host www.bankofamerica.com

Is there a way to easily redirect a webpage and all of its children to my IP? For example, could I redirect "facebook.com" and all the possible "facebook.com/XXXXXX" to my IP?

Eight:

This dnsspoof will do exactly that.

OTW

How long is tcpkill supposed to take to end? I've been waiting for at least 10 minutes and I get no answer after the "listening on eth0" ...

Did I miss something ? Or is it perhaps because I'm running a VM ?

Xarkes:

tcpkill should give you a response almost immediately. A couple things to check. Is your NIC in promiscuous mode? Is the system you are trying to kill on the same subnet?

OTW

Thanks for your answer. Yeah, my eth0 is in promiscuous mode and I have access to the Apache server using the local IP. I will have a try with a real OS instead of a VM.

How to create fake location

ACP:

I think you are asking me, how would you create a fake website? That is beyond the scope of this area on hacking, but there are many tutorials online on creating websites. In addition, you can simply download a site to your hard drive with HTTrack.

OTW

Must we have remote access to at least one target machine before the attack?????

Secret:

You must have access to ONE machine on the LAN to effectively use dnsspoof.

OTW

So I am using a wireless connection, so I typed in
dnsspoof -i wlan0 -f hosts
and it output
dnsspoof: fopen: No such file or directory

What am i doing wrong?

The reason for this problem is exactly as your error states. In your current directory, there is no file called "hosts" for dnsspoof to read. Create a hosts file in your current directory or navigate to the directory of one that already exists.

Are you using kali or backtrack?

I am using kali

Did you go to the dnsspoof directory?

No. Do I have to save the hosts file there?

No, but notice in Step #1 above we opened the dnsspoof directory.

Yes I did navigate to the dnsspoof directory

Now that you are in that directory, what happens when you type dnsspoof?

When I type
dnsspoof -i wlan0
it works, but when I type in what you had above,
dnsspoof -i wlan0 -f hosts
it says
dnsspoof: fopen: No such file or directory.

Thanks again for your help!

Just out of curiosity, if I were to use this on a private network, where each person has a private login to get onto the internet, could an admin trace this back to my login?

On a public network, such as the free wifi at the coffee shop, could they trace it to anyone specific?

That's an interesting question. Remember, you likely compromised someone else's machine, so if anything is detected, it will appear to come from that machine. In addition, this hack doesn't require internet access.

As for a public network, it is unlikely to be detected.

This would definitely make an interesting grad prank.....

I have downloaded a site using HTTrack and I have a copy of the site on my hard drive.... How do I host it on my localhost without coding in HTML?? Can someone who is not on my local area still access the mirrored site?

Evil:

You need to put the site into your Apache directory. Take a look at this tutorial here.

OTW

You asked 2 questions:

1. How to host a site on Kali?

Ans: You can host a site on Kali using Apache. Place the files of the site in your Apache directory, which is "/var/www/", and start the Apache server by clicking on Kali Linux -> System Services -> HTTP, and select apache2 start.

2. How to make it a public site?

Ans: To make your site a public site so people who are out of your LAN can see it, you need to forward your port 80, and go to whatismyip.com to find out your IP. Give your IP to the person whom you want to see the site. When he opens the IP in his browser he will be redirected to your hosted site.

Thanks.
D4rkF34r

www.D4rk-F34r.blogspot.com

Hey OTW,
In your example you use a wired connection, but is it possible to use the wireless interface?

Thanks

Okay, promisc doesn't seem to work with the wlan0 interface. I used airmon-ng start wlan0 instead. I think this has the same effect. Am I right?

When I try to do this, I have no problem with forcing the victim to re-authenticate with the website; however, I can't seem to get the target to be redirected to my fake website. Do I need to perform a MITM and get in the middle before I try to redirect their traffic?

First, is your site functional?

Second, did you turn off tcpkill?

OTW

Yes, my site is functional. No, I did not turn off tcpkill. I retried the whole process and turned off tcpkill, but still I could connect to Bank of America without a problem and was never redirected. After a while of still connecting to Bank of America, though, I got a "problem loading page" screen, so my target is being affected by dnsspoof but is not being redirected to my IP for some reason.

Yes I did. No luck still, though; might the problem lie in my dnsspoof hosts file? I have it set up as so:
192.168.1.21 www.bankofamerica.com
with a tab in between.

Also, in real life applications though, if I can ever get this to work, I may not be able to flush the DNS of a computer that is not exploited but is on my LAN. What difference does it make if I do not flush the DNS?

In real life, nothing. It just speeds up the DNS refresh.

Alright, well I can't seem to get it to work and I am not sure why, but I suspect that the DNS requests are being checked against my hosts file, but for some reason it seems as if my dnsspoofer is not replying with an IP address, at least I think this may be it.

Hi sir, please, if I have my own fake web link, how can I use it with this tool? E.g., if the fake website I want to redirect the target to is "www.gdd.com", where in the syntax will I include that and how will I do that?

Horls:

If you want to direct people looking for bankofamerica.com to your website gdd.com, you would not have to do anything different from the tutorial. Just use the IP for gdd.com in the hosts file.

OTW

OTW :

Out of curiosity, would you be in a position to advise whether Elitewrap is still a good installation for a hacker?... This is because I have seen that it dates back to 1999, when it was created by the developer.

How do you know that the user is viewing bankofamerica?

You don't, but if they are, you kill it. If they aren't, it's not necessary to kill the connection. You can skip that step then.

Well this topic has certainly been popular.

ghost_

Alright, so I got it to work, but it only works if I type in www.bankofamerica.com; if I use a link or anything else it will not work. Can this be fixed?

Eight:

I'm not sure it can without deleting the browser's cookies.

OTW

Is there any way to redirect all web pages to one page (Apache + MySQL to evil twin wifi password) on my own rogue AP? So no matter what the victim types, it will redirect him to 127.0.0.1. Is there any way to do it without an internet connection? (Something like a rogue AP where someone connects, enters info and then just gets an error page? I did this page in Apache but it works just on my PC.)

Thanks

Thanks for this tutorial, it's really useful..

After I type in the dnsspoof command it says, dnsspoof: listening on wlan0 (udp dst port 53 and not src 192.168.1.126) and just hangs there.

please help,
thanks

It's not hanging. It's doing its job. It's looking for DNS queries to re-direct to your hosts file.

Did you do everything in the tutorial as I specified?

Yeah, but I used the hosts file in etc because the one in var didn't do anything.

Soooo...you didn't follow my directions and then you ask me why it didn't work?????

okay, I see your point. sorry to bother you, I'll try again

Alright, I tried again. I used the hosts file in var/local, but it doesn't even redirect me, and still no DNS queries came up.

What do my directions say?

I meant usr/local, my bad. I'm going to try a few more times and get back to you.

Great tutorial, thanks OTW.
How can we use this for the same LAN?
For example, I want to redirect all users on the same LAN to my local IP, instead of the virtual machine.

I am using Kali and VirtualBox for tests. It works on my wlan0 interface, which is bridged with VirtualBox, but another PC on my LAN isn't being redirected to my IP..

And what about websites with the HTTPS protocol, like Facebook?
If I write any HTTP website like wonderhowto.com, it works.
But as soon as I want to assign my local IP to www.facebook.com, it doesn't work.
Is this because Facebook redirects the website to an HTTPS server, or?

Thanks in advance

Big Gie:

Welcome to Null Byte!

The tutorial above is all on the same LAN, so I don't understand your question. Can you help me understand?

OTW

Well, I have a mobile phone + a virtual PC on my LAN.

the virtual PC (which is using virtualbox on my kali installation) is being redirected to my local ip with the hosts file.

But my mobile phone isn't being redirected.
How can I fix this ?

Is the phone on the same subnet?

yes my pc and my phone are both using 255.255.255.0

Could it be a DNS caching thing?
Let me start another laptop

Same on my netbook using Lubuntu.
I did a /etc/init.d/dns-clean restart
and even installed and restarted nscd.

So what could it be that my LAN isn't being redirected to my kali pc ?

They must be on the same subnet first.

The info you gave me is the subnet mask, not the subnet. It could be a DNS cache thing, but first let's make certain they are on the same subnet.

I think that they are on the same subnet, as I can ping back and forth, from netbook to Kali and from Kali to netbook.
I can SSH into the netbook and back.
If I enter 192.168.1.8 (IP of Kali) on the netbook, I get the page that is inside /var/www/,
so I think that they are on the same subnet.

If you want I can provide you teamviewer login for the 2 pc's, if you have the time / want to check

If you can ping they are on the same subnet, but the phone probably is not.

Now go through my tutorial with the netbook and let me know what happens.

Yeah, then it works, but only on the virtual PCs inside the netbook.
As I said:
other PCs from the same network (LAN) aren't being redirected to the Kali PC.

I do the following on the kali pc:

ifconfig wlan0 promisc
tcpkill -i wlan0 -9 host www.mydomain.com
ifconfig wlan0 -promisc

my hosts file looks like this:
/usr/local/hosts:

192.168.1.8 www.mydomain.com
With a tab between the ip and domain

There is an index.html inside /var/www/
and Apache is started (when I go to http://192.168.1.8 on the netbook it shows up).

After that I run: dnsspoof -i wlan0 -f hosts

but no luck :(

Hello, your tutorial is very good. Here I have a question that has little to do with this topic, but I see you have enough knowledge on Kali Linux.

my question is.

Can it kill the internet connection just by knowing their IP? Make that IP lose internet accessibility?

I cannot access my router settings, but I would like to know what I would have to do to remove internet access from another IP.

Jair:

Disconnecting an internet connection is really very simple. In this tutorial, you can do it as long as you are on the same network. I have a tutorial on how to knock someone off a WiFi AP. Check that one out.

OTW

I did follow the instructions, then I type dnsspoof and it says "listening on eth0 udp dst port 53 and not src 192.168.1.101" and then I try to visit the site, but nothing happens.

Daniel:

Instead of 192.168.1.101, you should use the IP address of your system.

OTW

After someone enters their credentials to the fake site, is there anyway to then forward those credentials to the legitimate site (allowing them to actually log into the site), as well as having all further traffic from the target's computer be sent to the real site.

Bobby:

You could easily write a script to do exactly that.

OTW

This redirects only the pages that are in the hosts file... right? I wanted to know if there is a way to redirect everything to our fake page.... Is that possible?

To log into a bank account, do I need to spoof my MAC address?

Also, I think using sslstrip and ettercap will not work because banks will not allow HTTP, only HTTPS? So I can't do it that way.

Chris:

I think you are misunderstanding this tutorial. You are not hacking into the bank. Instead, you are creating a website that looks like the bank to have people log in to your site.

The MAC address and HTTP v. HTTPS is irrelevant.

OTW

yes but when you have the login details to log into a account wouldn't you need to spoof your mac address or be in their LAN so it doesn't detect you as an intruder?

~dnsspoof -f hosts
~dnsspoof: libnetgetipaddr4(): ioctl(): Cannot assign requested address

Any help on this? I've followed all steps, apache2 is running properly (I can access it from my Win7 host through the IP) but dnsspoof isn't redirecting any traffic at all...

Can you show me a screenshot?

What does your hosts file look like?

My first inclination is that the IP address in your hosts file is wrong.

my ip (tab) (my host in )

Well, it's not: I've triple checked everything...

Well...you could show me your hosts file and I might be able to help or you could insist nothing is wrong and give up. What is your choice?

Also, did you flush your dns?

I would recommend showing him the hosts file.

ghost_

sorry for the late response, had an emergency call.

Yes I flushed the dns on the windows machine

my host file as requested ;

As I expected, your hosts file is the problem. Those brackets don't belong around the domain name.

tried without the brackets, still getting the same error...

What is that mark after the IP address?

That just comes up every time I use the tab key... If I delete the mark, the tab disappears.

Try a different text editor.

if I open up in leafpad then the marks are gone, so the marks are purely notepad related.

I meant, create it in a different text editor.

I did, in leafpad , saved it to /usr/local/ as 'hosts' , viewed with leafpad ; all ok, tested dnsspoof -f hosts : still the same error.

After that
viewed the hosts file in leafpad: unchanged
viewed the file in notepad: got the marks again

I got the exact problem as @SR LEX (above problem)
except those marks

Hi, I just want to know how I can get access to all network traffic that passes through the local wifi network so that I can analyse all packets passing through using Wireshark.

Just connect to your AP and run wireshark on wlan0.

Any more thoughts about the error?

(dnsspoof: libnetgetipaddr4(): ioctl(): Cannot assign requested address)

still not resolved..

I hate to ask the obvious, but are you logged in as root? Are those addresses on your subnet? Have you tried just using one IP address in your hosts file?

Yes, logged in as root.
My hosts file contains just one IP address (my local Kali IP).

I've also done a full fresh install of Kali (just to make sure that I didn't f'ed some shit up in the past, but the problem still remains.)

After some research I've found a possible cause for the error:
dnsspoof: libnetgetipaddr4(): ioctl(): Cannot assign requested address

Someone on a forum said that if the wireless adapter wasn't in NAT mode it could cause this error in a VM, also IP forwarding could cause this error to occur. I'm not working in a Virtual environment and haven't tested this 'theory' yet, but since I've found this I hope it can help some of the other users here that are using a VM and have the time to test it.

ps : Keep me posted if this worked for you !

Hi, I'm new here. Can anybody help me with how to set up wireless on Kali Linux in promiscuous mode? I'm having some error when I'm trying to set (ifconfig wlan0 promisc) to promisc mode and kill the connection between Win 7 and the target website.

root@kali:~# ifconfig wlan0 promisc
root@kali:~# tcpkill -9 host http://www.xxxxxxxx.xx
tcpkill: eth0: no IPv4 address assigned
tcpkill: couldn't initialize sniffing
root@kali:~#

Am I missing anything? Please advise. Thanks.

-Adzuan-

I just recently found this blog and I like it, it reminds me of the "A day with Tape" blog from when BackTrack was still the shit... I successfully cracked a WPA2/PSK password but now I am trying to get the router user/pass, which apparently isn't the default configuration. So I guess I must fire up my PHP skills and make a simple fwrite login / password box, fire up Apache, and with a little juicier web design and bullshit social engineering I could force them to type the user / pass out of sheer frustration. Thank you lol

What does tcpkill say when it is done?

Nothing as in "tcpkill: listening on eth0 host www.example.com"?

Thanks OTW, you're the best!

Does this work on wlan0 too??

yes, if you are on the same network.

Can it be used to grab or move some traffic from another website into my website? If yes, how?

So, instead of launching an apache server, could I redirect users to an already launched apache server containing an exploit, such as an adobe flash player exploit? If so, would the process be the same, minus setting up my own server?

Sincerely,
Defalt

P.S. You've helped me learn so much, and I plan on learning much more, Thank you!

Yes, you could direct them to any server you want.

You are very welcome. Glad you found us at Null Byte.

This works like a charm in my virtual network, yet when I attempt to recreate it on my actual network it fails. I've looked through time and time again yet I cannot seem to successfully recreate my results. I've checked the document formatting, I see nothing wrong there, I've entered my subnet IP as a URL and it displays the desired website (The fake BOA). Yet it fails when I run dnsspoof. Any feedback is highly appreciated.

Sincerely,
Defalt

Thanks James. Would you please inform him that he is violating international copyright laws?

I cannot seem to get this to work on the new Kali Sana. I don't know if it is me or not, but whenever I try to perform this the other device is able to connect to the intended site. Do I need to arpspoof the gateway and target?

Not working, admin! DNSspoof shows something about port 53 and source not my local IP.

Please, someone tell me in detail how to run a credential harvester attack on WAN? I'm using Kali Linux 2.0 2016. No matter what I try, all my ports are closed every time. I have already checked the firewall and other settings.

Does it only work on a network? Because I don't want to redirect anyone else except the people on my network, to mess with people.

Is there anyway of doing that on WAN?
