1. Purpose of the experiment
Use ettercap to carry out ARP spoofing and DNS hijacking as man-in-the-middle attacks, use Wireshark to analyze the characteristic traffic these attacks produce, become more proficient with ettercap and Wireshark, and gain a deeper understanding of man-in-the-middle attacks.
2. Experimental principle
There are two common forms of ARP spoofing: one-way ARP spoofing and two-way ARP spoofing.
One-way ARP spoofing: the attacker sends forged ARP reply packets only to the target host, altering the IP-to-MAC mapping in the target's ARP cache so that it points to the attacker's MAC address. The target host then sends its network traffic to the attacker's MAC address, and the attacker can read that traffic.
Two-way ARP spoofing (the method used in this experiment): the attacker not only sends forged ARP reply packets to the target, but also sends forged ARP request packets to the gateway, altering the gateway's mapping for the target's IP address so that it too points to the attacker's MAC address. The target sends its traffic to the attacker's MAC address, the attacker forwards it on to the gateway (and back), and a full man-in-the-middle position is obtained.
DNS hijacking: the attacker redirects a user's legitimate DNS queries to a malicious website or server under the attacker's control, either by tampering with the local DNS cache or by spoofing the DNS replies for other devices on the network from an intermediate node. In this way the attacker can obtain the user's sensitive information, such as account names and passwords. For example, when a user enters a website's URL in the browser, the browser sends a DNS query to the local DNS server to look up the site's IP address. If the attacker hijacks this query, a false IP address is returned and the user is redirected to a fake website, which completes the hijack.
3. Experimental environment
Tool software: VMware, ettercap, Wireshark
Experiment preparation: a Kali Linux 2022.2 virtual machine and a Windows XP virtual machine
Note: in this experiment, Kali is the attacker machine and XP is the target machine.
4. Experimental content (experimental steps, test data, etc.)
Part 1: ARP spoofing using the ettercap graphical interface
Start the Kali and XP virtual machines and make sure they can reach each other over the network.
On the Kali attacker machine, run sudo -i to obtain root privileges, then ifconfig to view the IP address and MAC address.
IP address of the attacker machine Kali (shown by ifconfig as inet, short for Internet Protocol address): 192.168.63.132
MAC address of the attacker machine Kali (shown by ifconfig as ether, short for Ethernet address, also called the MAC address): 00:0c:29:c8:3f:d6
Screenshot of the attacker machine Kali:
On XP, run ipconfig -all to view the IP address.
IP address of target machine XP: 192.168.63.139
The IP address of the gateway: 192.168.63.2
MAC address of the target machine XP: 00-0c-29-21-43-27 (not needed for the attack itself; it is recorded here so it can be compared against the gateway's MAC address during analysis)
Run arp -a to view the ARP cache table.
Gateway's physical address (MAC address): 00-50-56-ff-58-48
Note: the MAC address shown here is the gateway's, not XP's. Hosts on the same network segment share the same gateway, so the gateway's IP address (192.168.63.2) and MAC address (00-50-56-ff-58-48) are the same whether they are viewed from XP or from Kali.
Target machine XP screenshot:
Open a terminal in Kali and run ettercap -G to open the ettercap graphical interface.
Scanning for hosts (Hosts -> Scan for hosts) finds 4 live hosts on the network segment, among which 192.168.63.139 is the IP address of the target machine and 192.168.63.2 is the IP address of the gateway.
Add the IP address of the target machine XP to Target 1 and the IP address of the gateway to Target 2, as shown in the figure:
Select ARP poisoning in the upper right corner.
After clicking, ARP spoofing starts and the following information appears in the window:
GROUP 1: <IP address of the target machine XP> <MAC address of the target machine XP>
GROUP 2: <IP address of the gateway> <MAC address of the gateway>
Go to the target machine XP and run arp -a to view the ARP cache table.
The gateway's MAC address entry has changed to the MAC address of the attacker machine Kali, so the ARP spoofing succeeded.
MAC address of the gateway before the attack: 00-50-56-ff-58-48
MAC address of the gateway now (replaced by Kali's MAC address under ARP spoofing): 00-0c-29-c8-3f-d6
ettercap menu steps that may be used in this part of the experiment:
1. Sniff -> Unified sniffing
2. Hosts -> Scan for hosts -> Hosts list
3. Add the gateway address to Target 1
4. Add the target address to Target 2
5. Mitm -> ARP poisoning (tick "Sniff remote connections")
6. Start sniffing
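The ARP cache change observed above (the gateway's IP suddenly mapping to Kali's MAC, and Kali's MAC answering for several IPs) is exactly what a defender looks for. The following is an added example, not code from the lab report: a small detector that processes ARP packet observations and raises alerts on both signatures. The packet records are constructed to mirror this lab's addresses.

```python
# Added example (not from the original lab report): a minimal ARP-spoofing
# detector of the kind a defender runs over captured ARP traffic. It keeps
# the first MAC seen for each IP as a baseline and alerts when a different
# MAC claims that IP, or when one MAC starts claiming several IPs (the
# two-way poisoning signature). Records are constructed for this lab.
from collections import defaultdict

# Constructed ARP observations as (opcode, sender_ip, sender_mac);
# opcode 1 = request, 2 = reply. First three: normal traffic. The rest:
# what two-way poisoning by Kali (00:0c:29:c8:3f:d6) looks like on the wire.
SAMPLE_ARP = [
    (2, "192.168.63.2",   "00:50:56:ff:58:48"),   # real gateway reply
    (2, "192.168.63.139", "00:0c:29:21:43:27"),   # real XP reply
    (2, "192.168.63.132", "00:0c:29:c8:3f:d6"),   # Kali's own address
    (2, "192.168.63.2",   "00:0c:29:c8:3f:d6"),   # Kali claims the gateway
    (1, "192.168.63.139", "00:0c:29:c8:3f:d6"),   # Kali claims XP
    (2, "192.168.63.2",   "00:0c:29:c8:3f:d6"),   # repeated re-poisoning
]

def normalize_mac(mac):
    """Accept both 00-0c-29-... (Windows arp -a) and 00:0c:29:... forms."""
    return mac.lower().replace("-", ":")

def detect_arp_spoofing(records):
    """Return alert strings; each new (ip, mac) pair is reported once."""
    ip_to_mac = {}                  # first MAC seen per IP = trusted baseline
    mac_to_ips = defaultdict(set)   # which IPs each MAC has claimed
    seen_pairs = set()
    alerts = []
    for opcode, ip, mac in records:
        mac = normalize_mac(mac)
        if (ip, mac) in seen_pairs:
            continue                # mapping already reported
        seen_pairs.add((ip, mac))
        baseline = ip_to_mac.setdefault(ip, mac)
        if baseline != mac:
            alerts.append(f"{ip}: baseline {baseline} now claimed by {mac} "
                          f"(opcode {opcode})")
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"{mac} claims {len(mac_to_ips[mac])} IPs: "
                          f"{sorted(mac_to_ips[mac])}")
    return alerts

if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_ARP):
        print("ALERT:", line)
```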
Part 2: DNS hijacking with ettercap. Start the Apache service on Kali so that whatever website the target host visits, it is redirected to the Kali system's home page.
After the ARP spoofing has succeeded, carry out the DNS hijacking.
With root privileges on Kali:
cd /home/kali
vi /etc/ettercap/etter.dns
Add the attacker machine Kali's IP address 192.168.63.132 at the location shown below, so that the target machine XP's web access is redirected to the attacker machine Kali.
Run service apache2 start to start the Apache server.
In Kali, open Firefox and browse to the loopback address 127.0.0.1; the Apache server's default welcome page is displayed, as shown in the figure below:
Now start the DNS hijacking.
In ettercap, open Plugins in the upper right corner.
Double-click dns_spoof to select it; an asterisk appears in front of its name.
Ping Baidu from the target machine XP: the replies come from the attacker machine Kali's IP address 192.168.63.132, not from the target machine XP's IP address 192.168.63.139. This already indicates that the DNS hijacking succeeded.
Next, look at what a successful DNS hijack looks like to the user.
Open the browser on the target machine XP and visit www.baidu.com: what is displayed is not the Baidu page but the default welcome page of the Apache server on the attacker machine Kali, as shown in the figure below:
Part 3: use Wireshark to capture packets and analyze the characteristic traffic of ARP spoofing and DNS hijacking, with screenshots
Start Wireshark from the application menu in the upper left corner of the Kali host.
Select eth0 as the capture interface.
On the target machine XP, run in the command prompt: ping www.baidu.com
When ping is given a domain name instead of an IP address, it first performs DNS resolution to turn the name into the corresponding IP address and only then sends the ping packets, so pinging Baidu's domain name causes XP to send a DNS query.
Apply the filter dns in Wireshark on the attacker machine Kali.
Capture the packets generated by the target machine XP pinging Baidu's domain name, as shown below:
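The capture above shows the characteristic data of the hijack: a DNS answer for a public name (www.baidu.com) that points into the lab's own segment, at Kali's 192.168.63.132. As an added example (not from the lab report), here is a check a defender could run over DNS responses extracted from such a capture. The LAN prefix and the response records are constructed from this lab's addresses; the second check, for two different answers under one transaction ID, is a general forged-reply indicator and is not something the report itself shows.

```python
# Added example (not from the original lab report): checks over DNS responses
# taken from a capture. Check 1: a public name answered with an address inside
# the LAN (or any private range) is the signature of the dns_spoof redirect.
# Check 2: two different answers for the same transaction ID suggest a forged
# reply racing the real one. All sample records below are constructed.
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.63.0/24")   # the lab's network segment

# Constructed DNS responses as (transaction_id, qname, answer_ip).
SAMPLE_DNS = [
    (0x1a2b, "www.baidu.com",   "192.168.63.132"),  # hijacked: points at Kali
    (0x3c4d, "www.example.com", "93.184.216.34"),   # plausible public answer
    (0x5e6f, "www.baidu.com",   "192.168.63.132"),  # forged reply
    (0x5e6f, "www.baidu.com",   "110.242.68.3"),    # second answer, same ID
]

def is_local_name(qname):
    """Names that may legitimately resolve to LAN addresses (bare hosts, .local)."""
    return "." not in qname or qname.endswith(".local")

def check_dns_answers(responses, lan=LAN):
    """Return alert strings for suspicious answers in the given responses."""
    alerts = []
    answers_by_query = defaultdict(set)   # (txid, qname) -> answer IPs seen
    for txid, qname, ip in responses:
        addr = ipaddress.ip_address(ip)
        if not is_local_name(qname) and (addr in lan or addr.is_private):
            alerts.append(f"{qname} -> {ip}: public name answered with a "
                          f"LAN/private address")
        key = (txid, qname)
        answers_by_query[key].add(ip)
        if len(answers_by_query[key]) > 1:
            alerts.append(f"{qname} txid {txid:#06x}: conflicting answers "
                          f"{sorted(answers_by_query[key])}")
    return alerts

if __name__ == "__main__":
    for line in check_dns_answers(SAMPLE_DNS):
        print("ALERT:", line)
```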
5. Experimental experience
I used a virtual machine environment to practice ARP spoofing and DNS hijacking, and benefited a lot.