1
00:00:00,450 --> 00:00:07,430
Now in this lecture we're going to learn what DNS spoofing is and how to perform it.

2
00:00:07,530 --> 00:00:16,410
DNS is a server that converts domain names such as google.com to the IP of the server that is hosting

3
00:00:16,440 --> 00:00:18,420
this website.

4
00:00:18,660 --> 00:00:27,150
So when you type google.com in your web browser the request goes to a DNS server, the server responds

5
00:00:27,210 --> 00:00:37,090
with the IP where google.com files are stored and the browser will load the website from this IP.

6
00:00:37,090 --> 00:00:43,840
Now when we are the man in the middle the request for google.com will pass to us first before it

7
00:00:43,840 --> 00:00:45,940
goes to the DNS server.

8
00:00:45,940 --> 00:00:53,530
Therefore instead of giving the IP of the server that is hosting google.com we can actually give

9
00:00:53,590 --> 00:01:02,950
any IP we want, so we can redirect them to a fake website with a backdoor or with evil code, hijack software

10
00:01:03,010 --> 00:01:10,600
updates and so much more. We'll actually have examples on this in future lectures.

11
00:01:10,630 --> 00:01:18,250
But for now let's see how we can run a basic DNS spoofing attack in which we redirect requests from

12
00:01:18,250 --> 00:01:24,270
a specific website to our own website or our own web server.

13
00:01:24,280 --> 00:01:32,290
Now before we run bettercap let us decide on where to redirect our target to, so we can redirect them

14
00:01:32,290 --> 00:01:33,610
to any website we want.

15
00:01:33,610 --> 00:01:38,680
For example when someone requests google.com we can redirect them to Yahoo.

16
00:01:39,220 --> 00:01:45,360
But what I want to do is I want to redirect them to my own website, to a local website.
17
00:01:45,370 --> 00:01:52,990
Then I'm going to start on Kali, so Kali comes with its own web server so we can actually use it as a

18
00:01:52,990 --> 00:01:57,640
website and to do this all we have to do is just start the web server.

19
00:01:57,640 --> 00:02:06,890
So we're going to do service apache2 start, so apache2 is the name of the web server and we're saying

20
00:02:06,890 --> 00:02:09,290
that we want to start the service.

21
00:02:09,290 --> 00:02:16,040
If I hit enter we see no errors which means that the server is working now, and to access this website,

22
00:02:16,040 --> 00:02:17,480
to access the server,

23
00:02:17,540 --> 00:02:25,640
we have to go to Kali's IP, so as you know to get our IP we can do ifconfig and we can see our IP

24
00:02:25,640 --> 00:02:27,270
is 10.0.2.15.

25
00:02:27,830 --> 00:02:38,130
So if I just go to a web browser and go to 10.0.2.15 you'll see I'll get the default page of this web

26
00:02:38,130 --> 00:02:39,710
site.

27
00:02:39,980 --> 00:02:46,970
Now the pages for this default website are stored in /var/www/html.

28
00:02:47,060 --> 00:02:54,670
So I'm going to open my file manager and I'm going to click here on the title bar, press forward slash

29
00:02:54,680 --> 00:02:55,630
to open it.

30
00:02:55,790 --> 00:03:07,170
And we're going to go to /var/www/html and as you can see these are the files for this website.

31
00:03:07,220 --> 00:03:13,250
So if you want to install a fake website or any type of website all you have to do is just put its

32
00:03:13,250 --> 00:03:15,040
files in here.

33
00:03:15,500 --> 00:03:20,090
Now index.html here is the file that gets loaded here by default.

34
00:03:20,330 --> 00:03:22,560
So this is what you see in here.

35
00:03:22,580 --> 00:03:25,040
So I'm actually going to right click it.

36
00:03:25,040 --> 00:03:28,040
I'm going to open it with another application.
37
00:03:28,040 --> 00:03:33,920
I'm going to select my text editor and this will open the HTML code for me.

38
00:03:34,100 --> 00:03:38,540
And I'm actually just going to remove this and I'll just put a smiley face.

39
00:03:38,540 --> 00:03:40,830
Like I said we're just doing this for testing.

40
00:03:40,850 --> 00:03:47,840
So just showing you which files get loaded by default and where you can actually put a website if you

41
00:03:47,840 --> 00:03:51,140
wanted to host a proper website here.

42
00:03:51,410 --> 00:03:58,860
So I'm gonna go back here and if I refresh the page you can see we get the smiley face in here.

43
00:03:58,920 --> 00:04:00,240
That's perfect.

44
00:04:00,240 --> 00:04:04,530
Right now we still haven't executed our DNS spoofing attack.

45
00:04:04,650 --> 00:04:11,100
But what I want to do is when my target tries to go to a specific website I'm going to redirect them

46
00:04:11,100 --> 00:04:14,160
to this page that shows this smiley face.

47
00:04:14,910 --> 00:04:17,740
So let's go to the target machine first.

48
00:04:18,180 --> 00:04:19,920
Let's go to our target's website.

49
00:04:19,920 --> 00:04:22,080
I'm gonna do this against my own website,

50
00:04:22,110 --> 00:04:30,880
zsecurity.org, so if you load this website you'll see you will get an actual security website

51
00:04:30,880 --> 00:04:33,670
with a number of topics and all that kind of stuff.

52
00:04:33,670 --> 00:04:37,920
Basically the website is working as expected.

53
00:04:37,960 --> 00:04:40,380
Now let's go ahead and run this attack.

54
00:04:40,600 --> 00:04:43,680
So I'm going to go to bettercap.

55
00:04:43,840 --> 00:04:48,010
I'm going to run it using the exact same command that we've been using so far.

56
00:04:48,940 --> 00:04:54,340
So we're just doing bettercap with the interface, with the spoof caplet, so we can intercept data

57
00:04:54,580 --> 00:04:57,460
and modify it as it's flowing through our computer.
58
00:04:58,510 --> 00:05:00,700
And as you can see it's running with no errors.

59
00:05:00,760 --> 00:05:02,650
So that's all good.

60
00:05:02,680 --> 00:05:07,210
Now the module that we want to use is called dns.spoof.

61
00:05:07,600 --> 00:05:11,580
So if I do help right now you can see it right here.

62
00:05:11,590 --> 00:05:14,490
It's called dns.spoof and it's not running.

63
00:05:14,710 --> 00:05:21,070
And as usual if we don't know how to use a module all we have to do is do help followed by the module

64
00:05:21,070 --> 00:05:21,530
name.

65
00:05:21,550 --> 00:05:24,350
And in this case it's dns.spoof.

66
00:05:24,550 --> 00:05:30,040
And as you can see we get all the options that we can set for this module.

67
00:05:30,040 --> 00:05:32,770
First option being the dns.spoof.address.

68
00:05:32,770 --> 00:05:37,630
This is the address that the user will be redirected to.

69
00:05:37,630 --> 00:05:44,580
So if you want to redirect them to another website you have to put the IP of this other website here.

70
00:05:44,680 --> 00:05:50,450
In my case I want to redirect them to my local website, to the website that we have here which is running

71
00:05:50,470 --> 00:05:52,650
at 10.0.2.15.

72
00:05:52,700 --> 00:06:00,070
Therefore I'm not going to have to modify this because by default this is set to the IP of my interface.

73
00:06:01,780 --> 00:06:06,310
The next thing that we want to modify is the dns.spoof.all.

74
00:06:06,400 --> 00:06:09,800
We want to set this to true

75
00:06:09,880 --> 00:06:14,330
so that bettercap responds to any DNS requests.

76
00:06:15,070 --> 00:06:22,600
So just like any other option within bettercap, to change its value we have to do set followed by the

77
00:06:22,600 --> 00:06:24,840
option name that we want to modify.

78
00:06:24,910 --> 00:06:33,430
And in this case it's dns.spoof.all and we want to set this to true.

79
00:06:33,590 --> 00:06:33,980
Sorry.
80
00:06:33,980 --> 00:06:36,980
This has all been produced by the sniffer.

81
00:06:37,040 --> 00:06:43,250
The next option that we want to set is the dns.spoof.domains.

82
00:06:43,250 --> 00:06:48,800
This will specify the domains that we want to target, that we want to spoof.

83
00:06:48,830 --> 00:06:53,110
And as mentioned we can use a comma to separate more than one domain.

84
00:06:53,990 --> 00:07:01,020
And as you know we want to target zsecurity.org and we want to redirect that to our own web

85
00:07:01,020 --> 00:07:06,390
site running on Kali, so we need to change this option right here,

86
00:07:06,460 --> 00:07:13,250
dns.spoof.domains, and again we're going to do this by doing set, the option name which is

87
00:07:13,250 --> 00:07:21,940
dns.spoof.domains, and we're going to set this to zsecurity.org.

88
00:07:22,400 --> 00:07:28,250
As mentioned in the option we can use the comma to specify more than one domain and the other domain

89
00:07:28,280 --> 00:07:34,070
that I want to specify is *.zsecurity.org.

90
00:07:34,910 --> 00:07:41,990
So the star right here is a wildcard and it basically means that I want to target any subdomain dot

91
00:07:42,080 --> 00:07:44,940
zsecurity.org.

92
00:07:45,180 --> 00:07:47,880
So I'm going to hit enter and we don't see any errors.

93
00:07:47,910 --> 00:07:56,310
So everything is set as expected and all we need to do now is start the dns.spoof, and to do this we

94
00:07:56,310 --> 00:08:06,270
just need to run dns.spoof on, exactly the same way that we start any other module. I'm going to hit

95
00:08:06,300 --> 00:08:06,920
enter.

96
00:08:07,230 --> 00:08:09,280
And this should be running right now.

97
00:08:09,360 --> 00:08:16,350
And as you can see it's telling us that it's going to spoof zsecurity.org to this IP which is,

98
00:08:16,350 --> 00:08:21,410
again, this is our IP, we verified this using the ifconfig command.
99
00:08:21,570 --> 00:08:28,280
And keep in mind we actually did not have to give bettercap this IP, it got it automatically.

100
00:08:28,440 --> 00:08:34,170
It's also telling us that the other target is *.zsecurity.org and it'll be spoofed to

101
00:08:34,170 --> 00:08:39,140
this. Now let's go to the target machine and test this.

102
00:08:39,270 --> 00:08:45,300
And before you test this please keep in mind you might need to wait for a minute or two for the changes

103
00:08:45,300 --> 00:08:46,810
to propagate.

104
00:08:46,860 --> 00:08:53,010
Also if you just loaded this website just like I did right now it's a good idea to remove all your

105
00:08:53,010 --> 00:08:54,470
browsing data.

106
00:08:54,720 --> 00:09:01,350
You won't have to do this in real life scenarios unless the target person is constantly loading the

107
00:09:01,350 --> 00:09:04,080
same page, which doesn't happen a lot.

108
00:09:04,100 --> 00:09:12,780
What if the target person goes ahead and browses a few websites, comes back to zsecurity.org and,

109
00:09:12,780 --> 00:09:19,560
perfect, as you can see we get redirected to the smiley face instead of loading

110
00:09:19,620 --> 00:09:21,130
zsecurity.org.

111
00:09:21,380 --> 00:09:29,060
Now this will work against all websites even if they use HTTPS, as you saw earlier zsecurity

112
00:09:29,060 --> 00:09:36,380
uses HTTPS and it loaded over HTTPS by default. The only websites that this will not

113
00:09:36,380 --> 00:09:44,270
work against are websites that use HSTS because again, as I mentioned before, the browser has a list

114
00:09:44,270 --> 00:09:45,460
of these websites.

115
00:09:45,560 --> 00:09:52,310
The list is stored locally on the target computer so it doesn't send your requests and it will only

116
00:09:52,310 --> 00:09:55,330
load these websites over HTTPS.
117
00:09:55,400 --> 00:10:01,640
So even though the attack will work the browser will refuse to load the website that we are spoofing

118
00:10:01,640 --> 00:10:02,550
them to.

119
00:10:03,380 --> 00:10:09,620
Now as you can see what we did so far is not very useful, all we did is just we showed a smiley face,

120
00:10:10,070 --> 00:10:17,270
but DNS spoofing is very very useful in so many scenarios. You can use it for example when someone is

121
00:10:17,270 --> 00:10:24,050
trying to go to a login page and show them a fake page, or if they're trying to go to zsecurity for

122
00:10:24,050 --> 00:10:30,720
example and then just show them another zsecurity website with some malware embedded into it.

123
00:10:30,860 --> 00:10:36,830
You can also use it to serve fake updates, so whenever they have a software that's going to check for

124
00:10:36,830 --> 00:10:43,250
updates we can DNS spoof that request and send them a fake update with a backdoor, and we'll see that

125
00:10:43,250 --> 00:10:44,750
later on in the course.

126
00:10:44,750 --> 00:10:50,140
So it's a really really handy skill that can be used in so many scenarios.