Man-in-the-middle attack DNS spoofing

Foreword

Some time ago, I learned about man-in-the-middle attacks and wrote an article to record them.

Principle introduction

What is a man-in-the-middle attack?

Man-in-the-Middle Attack (referred to as “MITM attack”) is an “indirect” intrusion attack. In this attack mode the intruder uses various technical means to virtually place a computer under their control between two communicating computers in a network connection; this computer is called the “middleman”.

What is DNS?

Baidu Encyclopedia: The Domain Name System (DNS) is a system on the Internet that solves the naming of online machines. Just like when visiting a friend, you first need to know how to get to their house. When a host wants to access another host on the Internet, it must first know its address. An IP address in TCP/IP is composed of four numbers separated by “.” (here IPv4 addresses are taken as an example; the same applies to IPv6 addresses), which is never as convenient to remember as a name. Therefore, the domain name system is used to manage the correspondence between names and IPs. Even when the 32-bit binary IP address is written as four decimal numbers from 0 to 255, it is still too long and difficult to remember. Therefore, people invented domain names: a domain name associates an IP address with a meaningful set of characters. When a user visits a website, he or she can enter either the IP address of the website or its domain name; the two are equivalent for access. For example: the IP address of Microsoft’s Web server is 207.46.230.229, and its corresponding domain name is www.microsoft.com. Whether the user enters 207.46.230.229 or www.microsoft.com in the browser, the Web site can be accessed.

In layman’s terms, to access another computer on the Internet you need to know its IP address, and an IP address is a string of numbers that is difficult to remember, so we give it an easy-to-remember name instead. This is what DNS does.

What is DNS spoofing?

Baidu Encyclopedia: DNS spoofing is a deceptive behavior in which an attacker impersonates a domain name server.
Principle: If you can impersonate a domain name server and set the IP address returned for a query to the attacker’s IP address, then users will only see the attacker’s homepage, not the homepage of the website they wanted. This is the basic principle of DNS spoofing. In fact, DNS spoofing does not really “hack” the other party’s website; it just pretends to be someone else’s website.

So how do we make the attacking machine pose as a DNS server, and how do we make the victim machine trust our DNS resolution records? This requires the ARP spoofing attack from the previous article: first, all of the victim machine’s traffic is routed through the attacking machine; then we can send forged response packets in reply to the victim machine’s DNS resolution requests.

This DNS spoofing test network topology

Normal circumstances:


Abnormal situation after DNS spoofing:

Experimental preparation

kali virtual machine, win7 virtual machine, win10(192.168.0.131), ettercap, arpspoof

Start experiment

First enter on the victim machine

ipconfig/flushdns

Refresh the DNS cache to prevent the previous cache from affecting the experiment

First, enable the ARP spoofing attack in the kali virtual machine and turn on IP routing and forwarding (see the previous article for details).

enter

vim /etc/ettercap/etter.dns

Edit ettercap’s configuration file for DNS spoofing

and enter at the end

*.hetianlab.com 192.168.0.131

This line means that every DNS request for a name under the second-level domain hetianlab.com will be answered by kali with the address 192.168.0.131.

Next enter

ettercap -G

Open ettercap’s graphical interface and follow the sequence shown in the figure below:

Select network card

sniff host

Enable DNS spoofing attacks from the plugin

On the victim machine, visit www.hetianlab.com before the experiment.

After DNS spoofing is turned on, this is what the victim machine displays when accessing www.hetianlab.com.

Here I chose a CTF challenge that I built with phpstudy on 192.168.0.131. This is mainly for ease of use: many large websites (such as Baidu) have adopted anti-DNS-spoofing defenses, so the experiment may not succeed against them, and it is better to try it in an intranet environment~

Preventive measures regarding DNS spoofing

Now that we’ve talked about attack, let’s talk about defense.

1. First of all, DNS spoofing attacks have certain limitations:

(1) The attacker cannot replace records that already exist in the cache, which is why we flush the DNS cache of the victim machine at the beginning of the experiment.

(2) The cache refresh time of the DNS server also limits how long a spoofed record remains in effect.

2. Preventive measures (roughly summarized from Baidu Encyclopedia):

(1) Use the latest version of DNS server software and install patches in a timely manner

(2) Turn off the recursive function of the DNS server

(3) Restrict regional transmission range

(4) Limit dynamic updates

(5) Adopt a layered DNS architecture

(6) Protect intranet equipment. DNS spoofing attacks are generally launched from inside the intranet; if your intranet equipment is secure, there is no risk of being affected.
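As an added defender-side example (not code from the original post or from ettercap), the following Python script shows how the attack leaves traces a detector can catch: when dns_spoof answers first, the genuine reply still arrives with the same transaction ID but a different address, and in this lab the public name www.hetianlab.com suddenly resolves to a private address (192.168.0.131). The two DNS response packets are constructed inline; the 1.2.3.4 address is a placeholder for the real server’s IP.

```python
import ipaddress
import struct
from collections import defaultdict

def build_response(txid, name, ip):
    """Build a minimal DNS A-record response; used only to construct samples."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    # owner name of the answer is a compression pointer to offset 12 (the question)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer

def parse_response(pkt):
    """Return (txid, qname, [A-record IPs]) from a raw DNS response packet."""
    txid, _flags, _qd, an = struct.unpack("!HHHH", pkt[:8])
    pos, labels = 12, []
    while pkt[pos]:                       # walk the question name labels
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    pos += 1 + 4                          # root byte + QTYPE/QCLASS
    ips = []
    for _ in range(an):
        if pkt[pos] & 0xC0 == 0xC0:       # compressed owner name
            pos += 2
        else:                             # uncompressed owner name
            while pkt[pos]:
                pos += 1 + pkt[pos]
            pos += 1
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(str(ipaddress.IPv4Address(pkt[pos:pos + 4])))
        pos += rdlen
    return txid, ".".join(labels), ips

def detect_spoofing(packets):
    """Alert on conflicting A records for one (txid, qname) and on private-address answers."""
    seen, alerts = defaultdict(set), []
    for pkt in packets:
        txid, qname, ips = parse_response(pkt)
        seen[(txid, qname)].update(ips)
        for ip in ips:                    # false-positives for genuine intranet names; tune per site
            if ipaddress.ip_address(ip).is_private:
                alerts.append(f"private answer: {qname} -> {ip}")
    for (txid, qname), ips in seen.items():
        if len(ips) > 1:
            alerts.append(f"conflicting answers for {qname} (txid {txid}): {sorted(ips)}")
    return alerts

# Constructed sample: the forged reply, then the genuine reply, both with the victim's txid 0x1234.
SAMPLE = [build_response(0x1234, "www.hetianlab.com", "192.168.0.131"),
          build_response(0x1234, "www.hetianlab.com", "1.2.3.4")]
```

Run `detect_spoofing(SAMPLE)` to see both alerts; feeding the function the UDP payloads of DNS responses captured on the victim’s side works the same way.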

