DNS spoofing for man-in-the-middle attacks

Foreword

Some time ago, I learned about man-in-the-middle attacks, and wrote an article to record it.

Principle Introduction

What is a man-in-the-middle attack?

A man-in-the-middle attack (MITM attack) is an “indirect” intrusion attack. In this attack mode the intruder uses various technical means to place a computer under their control logically between two communicating computers on the network; that computer is called the “man in the middle”.

What is DNS?

Baidu Encyclopedia: The Domain Name System (DNS) is the system that resolves machine names on the Internet. Just as you must know the way before visiting a friend, a host must know the address of another host before it can visit it. An IP address in TCP/IP consists of four numbers separated by “.” (IPv4 is used as the example here; IPv6 works the same way), which is never as convenient to remember as a name, so the domain name system manages the correspondence between names and IP addresses. Even when the 32-bit binary IP address is written as four decimal numbers from 0 to 255, it is still too long and too hard to remember. Therefore people invented the domain name, which associates an IP address with a meaningful group of characters. When a user visits a website, they can enter either the IP address of the website or its domain name, and the two are equivalent for access. For example: the IP address of Microsoft’s Web server is 207.46.230.229 and its corresponding domain name is www.microsoft.com; whether the user enters 207.46.230.229 or www.microsoft.com in the browser, they reach its Web site.

In plain terms: to reach another computer on the Internet you need its IP address, and an IP address is a string of digits that is hard to remember, so we give it an easy-to-remember name instead. Maintaining that mapping from name to address is what DNS does.

What is DNS spoofing?

Baidu Encyclopedia: DNS spoofing is a deception in which an attacker pretends to be a domain name server.
Principle: If the attacker can pose as a domain name server and set the answer to a query to the attacker’s own IP address, then when the user browses the Internet they only see the attacker’s homepage instead of the homepage of the website they wanted. This is the basic principle of DNS spoofing. DNS spoofing does not really “hack” the other party’s website; it is impersonation and bluffing.

So how does our attacking machine pose as a DNS server, and how do we get the victim machine to trust our resolution records? This relies on the ARP spoofing attack from the previous article: first all of the victim machine’s traffic is made to flow through the attacking machine, and then we can answer the victim’s DNS queries ourselves.

Network topology of this DNS spoofing test

Normal situation: [figure not available]

Abnormal situation after DNS spoofing: [figure not available]

Experiment preparation

Kali virtual machine, Windows 7 virtual machine, Windows 10 (192.168.0.131), ettercap, arpspoof

Start experiment

First, on the victim machine run

ipconfig /flushdns

to flush the DNS cache, so that previously cached records do not affect the experiment.

Then start the ARP spoofing attack on the Kali virtual machine and enable IP forwarding (see the previous article for details).

Run

vim /etc/ettercap/etter.dns

to edit ettercap’s configuration file for DNS spoofing, and add at the end

*.hetianlab.com A 192.168.0.131

This line means that every DNS query for a name under hetianlab.com that passes through the Kali machine is answered with 192.168.0.131.


Next run

ettercap -G

to open ettercap’s graphical interface, and follow these steps in order (screenshots not available):

select the network card

scan for hosts and start sniffing

enable the DNS spoofing plugin from the plugin menu

Before DNS spoofing, the victim machine visiting www.hetianlab.com gets the normal site; after DNS spoofing is enabled, visiting www.hetianlab.com shows the page served from 192.168.0.131.

Here I used a CTF challenge that I set up with phpStudy on 192.168.0.131, mainly because it is convenient: many large websites (such as Baidu) have adopted countermeasures against DNS spoofing, so the experiment may not succeed against them, and an intranet environment is easier to play with~

Precautions against DNS spoofing

Now that the attack is done, let’s talk about defense.

1. Limitations of DNS spoofing attacks:

(1) The attacker cannot replace records that already exist in the victim’s cache, which is why we flushed the victim machine’s DNS cache at the start of the experiment.

(2) The cache refresh time (TTL) of the DNS server: a forged record only takes hold once the cached entry expires.
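To make the two limitations concrete, here is a small model of a resolver cache. It is an added example, not code from the article or from ettercap; the genuine address 203.0.113.10 is a constructed placeholder and the timeline is invented. It shows that an answer for a name that is still cached is ignored, that the same answer is accepted once the TTL has elapsed, and what flushing the cache changes.

```python
import time


class ResolverCache:
    """Toy model of a stub resolver's positive cache, written for this example:
    a record is served until its TTL expires, and no later answer for the same
    name is accepted while that record is alive."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock           # injectable so the scenario can fast-forward time
        self._entries = {}            # name -> (ip, expiry timestamp)

    def lookup(self, name):
        key = name.lower()
        entry = self._entries.get(key)
        if entry is not None and entry[1] > self._clock():
            return entry[0]
        self._entries.pop(key, None)  # expired (or absent): drop it
        return None

    def offer(self, name, ip, ttl):
        """Present an answer to the cache; return True if it was stored."""
        if self.lookup(name) is not None:
            return False              # the existing record wins until it expires
        self._entries[name.lower()] = (ip, self._clock() + ttl)
        return True

    def flush(self):
        """The equivalent of 'ipconfig /flushdns'."""
        self._entries.clear()


def scenario():
    """Constructed timeline using the article's addresses; 203.0.113.10 stands in
    for the genuine address, which the article does not give."""
    now = [0.0]
    cache = ResolverCache(clock=lambda: now[0])
    name, genuine, forged = "www.hetianlab.com", "203.0.113.10", "192.168.0.131"
    steps = {}
    steps["genuine_cached"] = cache.offer(name, genuine, ttl=300)        # accepted
    steps["forged_while_cached"] = cache.offer(name, forged, ttl=300)    # rejected: limitation (1)
    steps["answer_while_cached"] = cache.lookup(name)                    # still the genuine IP
    now[0] = 301.0                                                       # TTL has elapsed
    steps["forged_after_expiry"] = cache.offer(name, forged, ttl=300)    # accepted: limitation (2)
    cache.flush()                                                        # what the experiment does up front
    steps["after_flush_empty"] = cache.lookup(name)                      # nothing cached
    steps["forged_after_flush"] = cache.offer(name, forged, ttl=300)     # accepted immediately
    return steps


if __name__ == "__main__":
    for step, result in scenario().items():
        print(f"{step}: {result}")
```

The model only covers positive caching of a single record per name; real resolvers also cache negative answers and multiple records, but the first-answer-wins behaviour is the part that matters for the two limitations above.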

2. Preventive measures (roughly summarized from Baidu Encyclopedia)

(1) Use the latest version of DNS server software and install patches in time

(2) Turn off the recursive function of the DNS server

(3) Restrict the range of hosts allowed to perform zone transfers

(4) Limit dynamic updates

(5) Adopt a hierarchical DNS architecture

(6) Protect intranet devices. DNS attacks are generally launched from inside the intranet; if your intranet devices are secure, there is no risk of compromise.
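The attack described above works because a forged answer only has to match the transaction ID and question of the victim's query, and the victim accepts whichever matching answer arrives first. The following added detector, which is not code from the article or from ettercap, turns that into a check a defender can run over captured DNS responses: it parses the wire format and flags any (transaction ID, name) pair that received two different A answers, which is what appears on the wire when a forged reply races the genuine one that is still forwarded. The resolver address 192.168.0.1 and the genuine answer 203.0.113.10 are constructed; the spoofed answer 192.168.0.131 and the name hetianlab.com come from the article. It assumes the forged reply copies the resolver's source address, so the source alone cannot be trusted.

```python
import struct
from collections import defaultdict

# Minimal DNS wire-format helpers (RFC 1035) written for this example.

def encode_name(name):
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_name(data, offset):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = data[offset]
        if (length & 0xC0) == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        if length == 0:
            if end is None:
                end = offset + 1
            break
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end

def build_response(txid, qname, answer_ip, ttl=60):
    """Build a constructed standard A-record response (sample input for the detector)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD RA; 1 question, 1 answer
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rdata = bytes(int(octet) for octet in answer_ip.split("."))
    # Answer owner name is a pointer (0xC00C) back to the question name at offset 12
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer

def parse_response(data):
    """Extract the transaction ID, question name and A records from a response."""
    txid, _flags, _qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    qname, offset = decode_name(data, 12)
    offset += 4                                              # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        _, offset = decode_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:        # A record, class IN
            answers.append(".".join(str(b) for b in rdata))
    return {"txid": txid, "qname": qname.lower(), "answers": answers}

def detect_conflicts(packets):
    """packets: list of (source_ip, raw_response). Report every (txid, qname) that
    received more than one distinct set of A answers: a forged reply racing the real one."""
    replies = defaultdict(list)
    for src, raw in packets:
        r = parse_response(raw)
        replies[(r["txid"], r["qname"])].append((src, tuple(r["answers"])))
    return [{"txid": txid, "qname": qname, "replies": seen}
            for (txid, qname), seen in replies.items()
            if len({ans for _, ans in seen}) > 1]

def sample_packets():
    """Constructed capture. The victim's resolver is assumed to be 192.168.0.1 and the
    forged reply is assumed to carry that same source address, so the differing second
    answer for one transaction ID is the only signal."""
    resolver = "192.168.0.1"
    return [
        (resolver, build_response(0x1234, "www.hetianlab.com", "192.168.0.131")),  # forged, arrives first
        (resolver, build_response(0x1234, "www.hetianlab.com", "203.0.113.10")),   # genuine (placeholder IP)
        (resolver, build_response(0x5678, "www.example.com", "198.51.100.7")),     # unrelated, single answer
    ]

if __name__ == "__main__":
    for alert in detect_conflicts(sample_packets()):
        print(f"ALERT txid=0x{alert['txid']:04x} {alert['qname']}: {alert['replies']}")
```

The detector is deliberately keyed on (transaction ID, name) rather than on the source address, because with ARP spoofing in place the attacking machine sits on the path and can copy the resolver's address. Applying it to real traffic means feeding it the UDP payloads of port 53 responses seen by the victim or a span port; a single query legitimately answered twice (for example a retransmission) would show identical answer sets and not be flagged.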
