WEBVTT

0
00:01.600 --> 00:02.850
Welcome back!

1
00:02.860 --> 00:09.940
Let's move on and see another attack that can be launched using bettercap on another protocol used

2
00:10.000 --> 00:11.260
in any network.

3
00:11.260 --> 00:16.780
In this lecture I'll show you how to perform a DNS spoofing attack.

4
00:16.840 --> 00:19.170
First, something very important!

5
00:19.180 --> 00:27.520
This video and all the other videos related to network security are for educational and security awareness

6
00:27.580 --> 00:29.130
purposes only.

7
00:29.380 --> 00:36.790
Do not use this knowledge to do illegal activities, but only for ethical or white hat hacking.

8
00:37.030 --> 00:41.320
Just to be sure that you'll understand how this attack works

9
00:41.350 --> 00:49.900
I want first to explain to you in just a few words what the DNS protocol does. Each time a user writes

10
00:49.960 --> 00:54.130
a domain name to connect to a service like a Google.com

11
00:54.130 --> 01:03.760
behind the scenes the DNS client on the host aka. DNS resolver will send a DNS query to a DNS server

12
01:04.030 --> 01:09.100
that will respond back with the IP address of that domain.

13
01:09.100 --> 01:19.080
Let me show you a live example of what it's all about. I am opening Wireshark to capture all packets

14
01:19.230 --> 01:23.440
sent and received: capture options

15
01:23.560 --> 01:33.720
the WiFi interface and start; and using the browser I'm visiting a website like Reddit.com

16
01:37.700 --> 01:46.230
Back to Wireshark I'll stop capturing packets and I'm going at the beginning of the capture.

17
01:47.350 --> 01:56.470
We notice that before connecting to Reddit.com the host has sent a DNS query to the DNS server

18
01:56.710 --> 02:00.110
configured on the system; Okay!

19
02:00.170 --> 02:10.130
The DNS client or the DNS resolver is 192.168.0.113 and 192.

20
02:10.190 --> 02:17.900
168.0.1 is the DNS server and this is the query, a

21
02:17.900 --> 02:21.220
standard query for Reddit.com.

22
02:21.290 --> 02:29.270
The client wants the address of this domain and the server has responded back with the IP address of

23
02:29.270 --> 02:32.970
that domain; after that step

24
02:33.050 --> 02:42.440
the client has connected to the Reddit.com website using its IP address as the destination; so domain names

25
02:42.530 --> 02:47.060
are only for humans; computers use IP addresses.

26
02:47.330 --> 02:52.230
Let's return to the DNS spoofing attack! Basically

27
02:52.270 --> 02:55.800
there are two types of DNS spoofing attacks.

28
02:55.840 --> 02:57.650
The first one is of type

29
02:57.640 --> 03:04.390
Man in the Middle and that means that the attacker will launch an ARP poisoning attack and

30
03:04.420 --> 03:10.580
put himself in the middle of the connection between the client and the DNS server.

31
03:10.630 --> 03:18.610
He will intercept the DNS query sent by the client and respond back to the client with a fake DNS reply

32
03:18.880 --> 03:23.240
indicating an IP address he controls for the domain

33
03:23.260 --> 03:33.160
the client was asking for. And the second type of attack means a DNS server compromise or a direct hijacking

34
03:33.370 --> 03:41.160
of a DNS server which is configured to return a malicious IP address. In this video

35
03:41.230 --> 03:48.610
I'll show you how to successfully execute a DNS spoofing attack using ARP poisoning and bettercap.

36
03:49.170 --> 03:50.920
Let's launch the attack!

37
03:50.920 --> 03:53.360
I'm starting bettercap as usual!

38
04:02.270 --> 04:08.720
There is a special bettercap module named dns.spoof for this attack.

39
04:08.790 --> 04:20.080
Let's see its help: help dns.spoof we start the module as usual using the name of the module on

40
04:20.270 --> 04:30.150
and we stop it using the name of the module off. Let's take a look at its parameters: dns.spoof.

41
04:30.160 --> 04:36.190
address indicates the IP address to map the spoofed domains to; by default

42
04:36.190 --> 04:41.100
this is the IP address of the interface on which bettercap is running.

43
04:41.110 --> 04:48.280
Maybe you want to run a service, like a web server, on the same machine that runs bettercap and serves

44
04:48.340 --> 04:49.190
the client,

45
04:49.240 --> 04:50.800
a fake website.

46
04:50.800 --> 04:55.380
But if you wish you can change this to any IP address.

47
04:55.450 --> 05:03.790
In this example I won't modify dns.spoof.address because I'm gonna start a web server on this

48
05:03.850 --> 05:08.810
machine, on Kali. Another parameter is 

49
05:08.830 --> 05:16.380
dns.spoof.all: if it's true the module will reply to every DNS request and we set this option

50
05:16.560 --> 05:28.100
to true: set dns.spoof.all true and the last option and the most important is

51
05:28.130 --> 05:31.280
dns.spoof.domains.

52
05:31.340 --> 05:39.510
This indicates a list of comma separated values of domain names to spoof set dns.

53
05:39.510 --> 05:43.440
spoof.domains bank.com

54
05:43.440 --> 05:54.040
- this is just an example -, *.google.com, *.ford.com. Star * means

55
05:54.100 --> 05:58.570
any subdomain like a www.

56
05:58.630 --> 06:05.920
Note that it's possible not to be able to spoof any domain this way. HSTS domains could not

57
06:05.920 --> 06:08.350
be spoofed or can be spoofed harder

58
06:08.470 --> 06:11.800
and especially if the user does something stupid.

59
06:11.920 --> 06:13.680
We'll talk about HSTS

60
06:13.720 --> 06:17.090
in another lecture but in a nutshell HSTS

61
06:17.120 --> 06:26.050
or HTTP Strict Transport Security means a list of well known websites like Facebook.com or Twitter.

62
06:26.080 --> 06:30.490
com that are already registered in the browser.

63
06:30.580 --> 06:41.540
I'm starting the module: dns.spoof on
and finally the options for ARP poisoning; this DNS attack

64
06:41.630 --> 06:47.530
is also based on ARP poisoning: set

65
06:47.600 --> 06:55.550
arp.spoof.fullduplex true set arp.spoof.targets 192.

66
06:55.550 --> 07:02.410
168.0.113 the IP address of Windows

67
07:07.450 --> 07:08.070
okay.

68
07:08.080 --> 07:12.970
The address is net.recon on

69
07:15.900 --> 07:23.720
and arp.spoof on. Let's check what modules are running! I'm executing

70
07:23.760 --> 07:36.610
help. We notice that net.recon is running. dns.spoof and arp.spoof are also running. The next

71
07:36.610 --> 07:44.110
step is to start a web server on the hacker's machine. Apache is already installed on Kali and I'll just

72
07:44.110 --> 07:51.060
start it. I'm becoming root! Note that starting with Kali version 2020

73
07:51.060 --> 07:55.350
.1 there is an unprivileged user named Kali

74
07:55.470 --> 08:02.540
and if you want to run commands as root you must become root by executing sudo su and the password 

75
08:02.540 --> 08:04.050
is also Kali.

76
08:04.330 --> 08:05.220
I'm root; OK!

77
08:05.340 --> 08:15.250
I'm starting Apache: systemctl start apache2 the name of the service and I'm checking

78
08:15.250 --> 08:21.330
its status: systemctl status apache2; okay apache2

79
08:21.340 --> 08:32.320
is running; the apache2 server will send the clients the websites in /var/www/

80
08:32.420 --> 08:33.420
html

81
08:33.550 --> 08:39.150
I'm moving to that directory /var/www/html

82
08:39.340 --> 08:45.320
And here I'm gonna change index.html. I'm opening the file,

83
08:46.490 --> 08:51.230
I'm removing everything and I'm writing

84
08:51.390 --> 08:54.300
"This is a fake website."

85
08:54.300 --> 09:02.850
This is just an example to see how it works. A malicious user will create a clone of a bank or another

86
09:03.000 --> 09:07.980
important website and capture your credentials.

87
09:07.990 --> 09:09.160
I am saving the file.

88
09:10.270 --> 09:22.720
Let's go to the victim machine and ping one of the spoofed domains: ping www.ford.com very

89
09:22.720 --> 09:23.570
nice.

90
09:23.650 --> 09:32.490
We notice how in fact we have pinged the IP address of Kali. Let's open up a browser and connect to

91
09:32.490 --> 09:35.480
www.ford.com

92
09:35.490 --> 09:42.480
I'd recommend you start a new private or incognito tab or even better delete the browser cache because

93
09:42.480 --> 09:45.590
maybe it already has the real IP

94
09:45.720 --> 09:49.040
in the cache and the attack will not work.

95
09:49.140 --> 09:56.490
Press Ctrl + Shift + Del to delete the browser cache. In this example

96
09:56.520 --> 09:59.630
I'm just starting a new private window.

97
10:00.670 --> 10:07.420
And I'm connecting to www.ford.com and we notice the fake website.

98
10:11.240 --> 10:21.620
We notice how Kali has hijacked the DNS session and sent its own address to the client for www.ford

99
10:21.740 --> 10:29.520
.com. This is a disruptive attack because a hacker could create a clone of your bank or another financial

100
10:29.520 --> 10:30.490
institution

101
10:30.600 --> 10:36.450
and even though you write the correct address you will be redirected to a phishing website

102
10:36.630 --> 10:41.580
that could steal your credentials and use them later on the real website.