Ettercap is a comprehensive, open-source network security tool used for analyzing, monitoring, and manipulating network traffic in a computer network. Originally developed for Unix-like operating systems, it has since been adapted for Windows as well. Ettercap operates as a man-in-the-middle (MITM) attack tool, allowing cybersecurity professionals, penetration testers, and ethical hackers to inspect and modify data as it passes through a network.
Here we select the interface on which to sniff and run the related attacks, then start sniffing on that interface.
ARP spoofing is the process of linking an attacker’s MAC address with the IP address of a legitimate user on a local area network using fake ARP messages. As a result, data sent by the user to the host IP address is instead transmitted to the attacker.
The root cause of ARP spoofing is the trust built into the Address Resolution Protocol (ARP) itself: ARP replies carry no authentication, so a host accepts whatever IP-to-MAC binding it is told. ARP is the protocol that lets devices translate IP addresses into MAC addresses, the hardware identifiers used by network devices on a local network.
It can be detected and mitigated by deploying an intrusion detection system (IDS) or dedicated ARP-spoof detection software.
First we discover all the hosts and choose the target on which we want to perform the ARP spoofing attack.
Next we find the victim's gateway.
Here the target is 192.168.21.128 and the target's gateway is 192.168.21.2.
Then we perform the ARP poisoning attack.
Now we can see the victim's traffic, so the attack is successful.
When we analyze the Splunk reports, we can see that the HTTP request was successful, but there is no sign of the ARP spoofing: the HTTP logs alone do not reveal the poisoning on the path.
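As an added example (not part of the original write-up), the following Python shows what a passive ARP sensor would need to catch the poisoning above: it runs over constructed ARP replies that use the lab's IP addresses with made-up MAC addresses, and flags an IP whose MAC changes as well as one MAC claiming several IPs.

```python
from collections import defaultdict

# Constructed sample of ARP replies (sender IP, sender MAC) in arrival order, as a
# passive sensor on the lab LAN would see them. IPs are the lab's; MACs are made up.
SAMPLE_ARP_REPLIES = [
    ("192.168.21.2",   "00:50:56:aa:aa:aa"),  # legitimate gateway
    ("192.168.21.128", "00:0c:29:bb:bb:bb"),  # legitimate victim
    ("192.168.21.2",   "00:0c:29:cc:cc:cc"),  # attacker posing as the gateway
    ("192.168.21.128", "00:0c:29:cc:cc:cc"),  # attacker posing as the victim
]

# Static binding for the gateway (assumed value); pinning it means the detector
# is not fooled if the poisoned reply happens to arrive before the genuine one.
TRUSTED_BINDINGS = {"192.168.21.2": "00:50:56:aa:aa:aa"}


def detect_arp_spoof(replies, trusted=None):
    """Return de-duplicated alert strings for two ARP-poisoning signatures:
    an IP whose MAC changes, and one MAC that claims more than one IP."""
    ip_to_mac = dict(trusted or {})
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    alerts = []

    def alert(msg):
        if msg not in alerts:
            alerts.append(msg)

    for ip, mac in replies:
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac  # first sighting: learn the binding
        elif known != mac:
            alert(f"MAC change for {ip}: {known} -> {mac}")
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alert(f"{mac} claims multiple IPs: {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoof(SAMPLE_ARP_REPLIES, TRUSTED_BINDINGS):
        print("ALERT", line)
```

Without a pinned gateway binding, a poisoned reply that arrives first is learned as genuine and the real gateway is later blamed for the change, which is why the trusted table matters.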
In a DNS spoofing attack, the attacker exploits vulnerabilities in the DNS resolution process to provide false information to a DNS resolver, which is responsible for translating domain names into IP addresses. The goal of DNS spoofing is to redirect users to a fraudulent website or to intercept sensitive information.
- Weaknesses in DNS Protocol: The DNS protocol itself can have vulnerabilities that attackers exploit. For example, if the DNS messages are not adequately protected, an attacker might inject false DNS responses into the system.
- Lack of DNS Security Extensions (DNSSEC): DNSSEC is a suite of extensions to DNS designed to add an additional layer of security by signing DNS data with cryptographic signatures. If DNSSEC is not implemented or configured incorrectly, it can leave the DNS system susceptible to spoofing attacks.
To prevent DNS spoofing, organizations and individuals should implement several key measures. First, deploy DNS Security Extensions (DNSSEC) to authenticate and verify the integrity of DNS data through cryptographic signatures. Additionally, configure DNS resolvers to limit open access, so that they answer only queries from authorized clients rather than acting as open resolvers.
To perform the attack we use the dns_spoof plugin that ships with the Ettercap installation used earlier. We also have to edit /etc/ettercap/etter.conf and /etc/ettercap/etter.dns to configure the DNS spoofing attack:
in etter.conf we turn on redirection, and in etter.dns we specify which website's DNS record we spoof. Then we start DNS spoofing from the plugin list in Ettercap.
We can see the dns_spoof plugin in the list. After starting DNS spoofing we use ARP poisoning again so that the spoofed replies reach the victim.
We add the gateway as the first target and the other hosts as the second target. Now if the victim navigates to the specified website, the request is served by the Apache server running on the attacker machine.
So the attack is successful.