WEBVTT

00:01.090 --> 00:05.280
Hello everyone and welcome to part twenty-one of my LAN ethical hacking course.

00:05.450 --> 00:11.830
In this part we're going to look at DNS spoofing and why it is so interesting and useful for attacking

00:11.890 --> 00:13.770
a computer.

00:14.290 --> 00:21.280
So this falls into the social engineering side of things, because essentially the way DNS spoofing works is

00:22.060 --> 00:26.230
when a user tries to go to a website.

00:26.440 --> 00:33.390
So they go to a URL in Google Chrome or Internet Explorer, for example, and just type google.com.

00:33.610 --> 00:40.020
That is essentially an IP address; there needs to be a translation between an IP address and the URL

00:40.030 --> 00:40.700
itself.

00:41.900 --> 00:46.690
So when you connect to google.com or google.co.uk you essentially are just connecting to an IP

00:46.690 --> 00:47.710
address.

00:47.770 --> 00:53.220
And what we can do with DNS spoofing is change the IP address that they connect to.

00:53.230 --> 00:58.760
So if we change that IP address, we can change it to any single website possible.

00:58.760 --> 01:05.360
So when they type in facebook.com or reddit.com and they visit Reddit, what will happen is it will redirect

01:05.360 --> 01:09.840
them, and they won't even know it because it will still say reddit.com in the URL bar.

01:10.280 --> 01:15.710
But what will happen is, if we put in our own IP address of our own server, then they will be sent to

01:15.710 --> 01:20.910
that, and I think you can figure out from there what you can do with it.

01:21.560 --> 01:23.110
Well, let's just get started.

01:23.130 --> 01:26.660
If you don't really understand it, it will make more sense throughout this video.

01:26.700 --> 01:32.070
So when I open a terminal, the first thing I'm going to do is start the Apache2 server,

01:33.270 --> 01:35.820
and then I'll get the file open for this.

01:35.820 --> 01:40.010
So this is the directory of the Apache2 server.

01:40.110 --> 01:45.060
So we've got our payloads here, but the most important part of this is index.html.

01:45.210 --> 01:52.120
So I'll open it with another application; what I'll do is I'll open it with Leafpad, and from

01:52.120 --> 01:55.110
the previous videos in this course it's left as "my new blog".

01:55.120 --> 01:58.650
But I'll change it now to just add an h1 tag.

01:59.890 --> 02:06.440
And inside this h1 I'll put "not really Reddit, sorry".

02:06.550 --> 02:09.460
So hopefully you'll get the idea of what I'm going to do.

02:09.970 --> 02:12.190
I've got a Windows 10 virtual machine.

02:12.370 --> 02:17.100
And what we're going to do is use MITMf to actually attack using DNS spoofing.

02:17.920 --> 02:27.800
And then when they visit Reddit it will redirect them to our server, so I'll save that and close it.

02:28.430 --> 02:33.830
And this could work if you're in a public hotspot.

02:34.010 --> 02:39.470
It could work if you are connected to your neighbour's router, or if you're in the same house and you're

02:39.470 --> 02:43.610
all connected to the same router, you can do this to another device on the same router; this could be a brother's

02:43.610 --> 02:46.320
or sister's laptop, only if you have permission.

02:46.320 --> 02:49.430
So this video is for ethical and educational purposes only.

02:49.430 --> 02:53.690
Make sure you've got permission, or make sure it's your own device that you're testing this on, and use this

02:53.690 --> 03:01.220
video for pen testing. So now that that's out of the way, like I was saying, if this is your neighbour, for

03:01.220 --> 03:05.660
example, and you're connected to the router, so you've cracked the key and you've got on to the router,

03:06.140 --> 03:11.660
you can use this DNS spoofing attack, and then when they visit websites it will redirect them to your

03:11.660 --> 03:12.950
website.

03:12.950 --> 03:18.740
Same thing if you were in a public hotspot and, say, you created a fake access point and people are connected

03:18.740 --> 03:23.330
to your fake access point for free Wi-Fi, similar to my hacking demonstration.

03:23.750 --> 03:26.250
So if you haven't watched it, I recommend you go and do so.

03:26.470 --> 03:30.990
But if people are connecting to your fake access point, then you could still do the same thing.

03:31.050 --> 03:37.690
You could use DNS spoofing to change the IP addresses of certain websites.

03:37.730 --> 03:39.820
So now I've changed the index.html.

03:39.860 --> 03:41.800
And our server's running.

03:41.870 --> 03:47.190
So all you need to do is type service apache2 start; it's preinstalled on Kali Linux.

03:47.240 --> 03:49.220
So now we've got that sorted.

03:49.280 --> 03:52.060
The next thing we can do is open Leafpad.

03:52.310 --> 03:58.400
So you just type leafpad /etc/mitmf/mitmf.conf, conf for config.

03:58.430 --> 04:03.330
So essentially it's just a config file; then it should open in Leafpad. If you scroll down to the

04:03.530 --> 04:04.910
A records you see,

04:05.030 --> 04:08.490
you should actually see thesprawl.org.

04:08.570 --> 04:11.960
So this is just the default one; just leave this.

04:11.960 --> 04:14.100
But these are A records.

04:14.380 --> 04:19.450
Now you might have a few more, you might not even have any here; as long as you type them correctly underneath,

04:19.460 --> 04:24.320
so if you press enter and then hit tab a few times so that it's just underneath this, below the

04:24.320 --> 04:27.360
bracket, then you can add different websites.

04:27.380 --> 04:29.170
So we can use DNS here.

04:29.240 --> 04:36.060
So if we want to use Reddit... now, some websites may not work, like Facebook, which I've had some trouble with.

04:36.170 --> 04:41.080
So we'll use Reddit for this example, so we type asterisk,

04:41.270 --> 04:44.550
full stop, reddit.com.

04:44.960 --> 04:51.890
Then what we need to do is redirect it to a certain IP address, so we're not sending them... or,

04:51.890 --> 04:57.290
in a sense, we're telling the computer to send back a different IP address of a different website, and

04:57.290 --> 05:03.830
because this is running, what we can do is just split this horizontally; if I type ifconfig you

05:03.830 --> 05:08.410
can get the IP address of your local server by just getting the IP address of eth0.

05:08.600 --> 05:10.090
So I'm just going to copy this.

05:10.100 --> 05:16.280
Now this might be wlan0 or eth0 depending on what card you're using and whether your machine is virtual or

05:16.280 --> 05:17.050
not.

05:17.390 --> 05:20.150
For me it's eth0, and this is the IP address.

05:20.150 --> 05:22.040
So I'm just going to paste it here.

05:22.040 --> 05:27.200
So now when they type in reddit.com it's going to send them to this IP address instead of Reddit's

05:27.320 --> 05:34.430
IP address. The asterisk is a wildcard, so any subdirectory of Reddit will also redirect to this IP

05:34.430 --> 05:35.400
address.

05:35.540 --> 05:43.580
So if we save this, then the last thing we can do is run the MITMf attack.

05:43.640 --> 05:51.890
So to do this you need to type mitmf, for man-in-the-middle framework, then --arp, then we need --spoof,

05:52.400 --> 05:54.800
then specify the type of card you're using.

05:54.800 --> 05:57.220
Now this might be a little bit confusing.

05:57.290 --> 06:04.400
So if you're in public, for example, or even in your own house, and you've got your wireless USB card

06:04.880 --> 06:10.430
as a fake access point, it's acting as a fake router and people connect to it, then what you will need

06:10.430 --> 06:16.010
to use is wlan0 here, or the name of your Wi-Fi card. Because I'm using

06:16.010 --> 06:22.100
a bridged connection to my host machine's internal wireless card, which is connected to the router,

06:22.130 --> 06:23.530
I'm using eth0.

06:25.880 --> 06:33.080
So, to give you a better understanding, if your neighbour has a laptop and you've got

06:33.080 --> 06:36.980
your computer and you're both connected to the same router, you haven't got a fake access point, you've just

06:36.980 --> 06:45.310
directly connected to their router, then you would use your wireless card, so the name of your wireless card,

06:45.310 --> 06:47.590
which could be called wlan0.

06:47.600 --> 06:51.750
It might not be; you just have to type ifconfig and find out.

06:51.760 --> 06:58.210
Then you need to specify the gateway, so if you open your terminal and type arp -a then you

06:58.210 --> 07:00.370
can find out your gateway.

07:00.370 --> 07:07.360
Now it depends on whether you're using this as a virtual machine, as a dual boot on your laptop or computer,

07:07.930 --> 07:10.040
or using a wireless card.

07:10.130 --> 07:16.150
So if I enabled my wireless card and connected to my router instead of doing it that way, then my gateway

07:16.150 --> 07:18.720
would change, even when connected to the same router.

07:18.740 --> 07:25.650
The only reason my gateway is different is because this is a virtual machine connected via a bridged connection.

07:25.810 --> 07:32.290
So if I was to disconnect and go up here and connect to my Wi-Fi with my USB adapter, then my gateway

07:32.290 --> 07:38.110
would change; however, you'd still be able to attack their computer because they still connect to the

07:38.100 --> 07:42.600
same router, except they're not connected to your fake access point. So there's a few things you need

07:42.600 --> 07:43.730
to look out for.

07:43.860 --> 07:47.790
If one thing doesn't work, just change it to the next; there aren't many different things you can

07:47.790 --> 07:50.620
actually change.

07:50.910 --> 07:58.260
So once you've got eth0 or wlan0, depending on what you're using, then you type the

07:58.260 --> 08:01.700
gateway, so you just need to copy this here.

08:01.890 --> 08:06.000
Like I said, it could be different, and this will be different for you because this is the IP address

08:06.000 --> 08:15.300
of my router, excuse me, so I just type in arp -a and find out the gateway.

08:15.300 --> 08:20.020
Then you need the target's IP address, so you can find that out through sniffing,

08:20.040 --> 08:26.540
or you could find it using tools like Wireshark etc. Then you need --hsts, and then the last option is --dns,

08:26.550 --> 08:35.770
so all the options are with two hyphens, except the -i to specify what type of card we're using.

08:37.250 --> 08:44.860
So once we press Enter on this, we get MITMf; we give it a few seconds and

08:44.860 --> 08:45.910
it should start to load.

08:45.910 --> 08:49.740
There we go, so now we are running a DNS attack.

08:49.870 --> 08:54.430
I'll close out of this terminal and switch over to our target machine.

08:54.430 --> 08:58.030
Now this is the IP address here of my target machine.

08:58.070 --> 09:03.080
So just to prove that, I'm going to type cmd, then I'll get cmd.

09:03.230 --> 09:08.870
And if I type arp -a you can see the gateway is exactly the same.

09:08.870 --> 09:14.270
So this is another method to make sure: if you're testing your own devices, then you could type arp

09:14.520 --> 09:18.540
-a on the Windows 10 machine and your Kali machine.

09:18.540 --> 09:23.660
Now your laptop could be running Windows 10, it doesn't really matter, but you can see they're both using the

09:23.660 --> 09:24.410
same gateway.

09:24.870 --> 09:29.900
So if you go back, just to prove it, you can see the gateway's exactly the same,

09:32.180 --> 09:35.420
and this is the IP address of the computer itself.

09:35.420 --> 09:41.080
This is the computer that we're attacking, their IP address.

09:41.390 --> 09:46.610
So if we go back to our Kali machine... actually, what I'll do is I'll start the browser.

09:46.660 --> 09:52.250
We've already started the attack anyway, so I'll open Internet Explorer.

09:52.890 --> 09:55.180
So let's say this person is a neighbour.

09:55.200 --> 10:00.130
Now you have connected to a Wi-Fi spot and you've used DNS spoofing.

10:00.520 --> 10:04.970
So you've got the gateway correct and you've got the IP address.

10:04.990 --> 10:09.460
So all you need to do now is wait for them to actually connect to your website.

10:10.840 --> 10:13.420
So if they search for Reddit.

10:13.540 --> 10:14.930
So you just type reddit

10:15.040 --> 10:22.330
.com, click enter, and as you can see it says "not really Reddit, sorry", but the URL is exactly the

10:22.330 --> 10:23.300
same as it would be.

10:23.320 --> 10:29.050
Reddit, so it's redirected them to our server.

10:29.050 --> 10:35.530
So that's essentially DNS spoofing. It can be very useful if you don't want to use the inject attack with

10:35.540 --> 10:41.130
MITMf, because if you remember from the previous few videos we used MITMf to inject

10:41.130 --> 10:41.620
BeEF.

10:41.650 --> 10:45.670
OK, so this is a similar way to get them hooked to your BeEF.

10:45.690 --> 10:49.660
It could be a method to do that, or it could be something completely different.

10:49.680 --> 10:51.720
This is very useful for phishing as well.

10:51.720 --> 10:56.580
So if you create a clone of reddit.com, then you spoof this, and when they try and visit reddit

10:56.580 --> 11:00.340
.com they'll be sent to your fake one and you can get all their login information.

11:01.710 --> 11:07.140
So I think you can put two and two together and realise what you can do with your script, if you remember

11:07.140 --> 11:07.940
from before.

11:09.390 --> 11:12.830
That will be in the next video.

11:12.900 --> 11:14.820
So that was all for this one.

11:14.820 --> 11:18.870
If it did help, please leave a like and comment; if you're stuck with anything I'll be happy to help.

11:18.910 --> 11:21.120
And I will see you in the next video.
