DNS Spoofing and MITM

EC521 Fall 2016, Group 5

Nicholas Musella, Louis Polcari, Aparna Rolfe, Shantanu Bobhate, Ashwin Tharappel

Page 1: Title slide (DNS Spoofing and MITM, EC521 Fall 2016, Group 5)

Page 2: What is DNS?

Domain Name System: address book for the Internet.

Maps user-friendly hostnames to machine-friendly IP addresses.

For example, browsing to the domain name google.com is translated to the IP address 216.58.217.142 by a DNS server.

[Figure: DNS name hierarchy, from the root through Top Level Domains (.com, .net, .edu, gov, .eu) to Second Level Domains (google, facebook, bu, nyu) and their subdomains (mail, drive)]

Page 3: How does DNS work?

1. Your browser sends a DNS query over the Internet to find the IP address of a website.

2. The first DNS server hit (referred to as the Recursive Resolver) talks to a Root Server; root servers are running all over the world. All of the root servers know DNS information about Top Level Domain (TLD) servers such as .com, .net, .org etc., and the root server refers the query to the appropriate TLD server.

3. The TLD server will respond with the IP address of the DNS server for the website.

4. Lastly the Recursive Resolver sends a query to the DNS server, and the DNS server responds with the IP address for the website.

5. DNS query types:

a. Iterative

b. Recursive

Source: https://en.wikibooks.org/wiki/Communication_Networks/DNS

Page 4: DNS Vulnerabilities

The requesting client has no way to verify the authenticity of a DNS response. Thus, the first DNS reply message received is processed.

DNS Spoofing Attack:

1. Attacker eavesdrops for DNS queries

2. Attacker provides the first DNS response

3. Client connects to malicious site

   - i.e.: www.facebook.com → Attacker IP

Source: http://www.windowsecurity.com/img/upl/image0081270494115187.jpg
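The exchange described on slides 3 and 4, as an added example that is not part of the presentation: it builds an A query in the RFC 1035 wire format, parses a constructed reply, and applies the only checks a stub resolver without DNSSEC can make on a reply (QR bit set, transaction ID and question matching the query). The name and address are the google.com example from slide 2; the helper functions, the sample messages and the transaction IDs are my own constructions.

```python
import struct

# Constructed sample data: the google.com example from slide 2 of the deck.
SAMPLE_NAME = "google.com"
SAMPLE_IP = "216.58.217.142"


def encode_name(name: str) -> bytes:
    """'google.com' -> b'\\x06google\\x03com\\x00' (length-prefixed labels, RFC 1035)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    """Standard A/IN query with the RD (recursion desired) flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # id, flags, QD, AN, NS, AR
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def decode_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_message(msg: bytes) -> dict:
    """Parse header, question section and A answers of a query or a response."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, offset = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
    offset += 4
    answers = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rdlen == 4:  # A record: four address octets
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "flags": flags, "qname": qname, "qtype": qtype, "answers": answers}


def build_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed sample reply: echoes the question and appends one A record whose
    name field is a compression pointer to offset 12, where the question name sits."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + query[12:] + rr


def accept_response(query: bytes, response: bytes) -> bool:
    """Everything a resolver without DNSSEC can check: the reply is a response (QR bit),
    and its transaction ID and question match the outstanding query. None of this
    authenticates the answer data itself, which is the gap the slide describes."""
    q, r = parse_message(query), parse_message(response)
    return ((r["flags"] & 0x8000) != 0 and r["txid"] == q["txid"]
            and r["qname"].lower() == q["qname"].lower() and r["qtype"] == q["qtype"])


if __name__ == "__main__":
    query = build_query(SAMPLE_NAME, 0x1234)
    reply = build_response(query, SAMPLE_IP)
    print(parse_message(reply)["answers"], accept_response(query, reply))
```

Any reply whose transaction ID and question match is accepted regardless of where it came from, which is why the first reply wins on slide 4 and why the DNSSEC signatures on slide 10 are the actual fix rather than stricter matching.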

Page 5: DNS Tools on Linux

Useful commands:

dig: provides information on the domain status and the nameservers

nslookup: queries DNS nameservers for forward and reverse lookups

whois: returns data about how the Internet sees your domain

dnsspoof: forges DNS replies to legitimate DNS queries on the LAN

Modifying a Linux hosts file for local DNS resolution:

127.0.0.1 localhost
127.0.1.1 kali.kali
xxx.yyy.zzz.aaa facebook.com

Page 6: MITM

Objective is to intercept all traffic between two targets.

If victim and attacker are on the same LAN (subnet) with one gateway:

- Attacker needs to spoof both the victim and the gateway (i.e. trick the victim into believing the attacker is the gateway and trick the gateway into believing the attacker is the victim)

- Once spoofing is in play, the attacker will be transparently intercepting all traffic between the two targets

Source: http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Understanding-Man-in-the-Middle-Attacks-ARP-Part1.html

Page 7: Recon & MITM Tools on Linux

route: prints the host's routing table

arp: prints the host’s ARP table (MAC/IP address mappings of other hosts on the LAN)

arpspoof: redirects packets from a target host on the LAN intended for another host on the LAN by forging ARP replies

NOTE: Refer to the man pages for information on how to use these commands

Page 8: Harvesting credentials

Now that we're listening to everything, what can we do?

- Monitor traffic in Wireshark

- Steal credentials every time an insecure (HTTP) login is made

Page 9: But what about secure traffic?

Secure Sockets Layer (SSL) is a form of commercial encryption that utilizes the public key system to prevent user details from being intercepted by 3rd parties.

Can be compromised too!

- sslstrip

[Figure: protocol stacks side by side. HTTP: HTTP over TCP. HTTPS: HTTP over SSL over TCP]

Source: http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Understanding-Man-in-the-Middle-Attacks-ARP-Part4.html
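An sslstrip-style downgrade only works while the browser is still willing to send the site's traffic over plain HTTP. The HSTS mechanism listed under item 5 of the Defense slide removes that willingness, and the following added example (my own code, not part of the presentation) models the browser side of it: parsing the Strict-Transport-Security header per RFC 6797, caching the policy with its expiry, and upgrading http:// URLs for hosts with a live policy. The hosts and header values in the test are constructed.

```python
import time


def parse_hsts(header_value: str):
    """Parse a Strict-Transport-Security value. Returns None when the header is
    unusable (missing or malformed max-age), which a browser simply ignores."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        # any other directive (e.g. preload) is ignored by the browser's HSTS logic
    return policy if policy["max_age"] is not None else None


class HstsStore:
    """A minimal model of the browser's HSTS cache (hypothetical helper class)."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested offline
        self.hosts = {}         # host -> (expiry timestamp, include_subdomains)

    def record(self, host: str, header_value: str, over_https: bool = True) -> bool:
        """Store the policy carried by a response. RFC 6797 requires the header to be
        ignored over plain HTTP, so a host on the path cannot plant or clear a policy."""
        policy = parse_hsts(header_value)
        if policy is None or not over_https:
            return False
        host = host.lower()
        if policy["max_age"] == 0:
            self.hosts.pop(host, None)   # max-age=0 tells the browser to forget the host
        else:
            self.hosts[host] = (self.now() + policy["max_age"], policy["include_subdomains"])
        return True

    def must_use_https(self, host: str) -> bool:
        """True if host itself, or a superdomain whose policy has includeSubDomains,
        has an unexpired entry."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None or entry[0] <= self.now():
                continue
            if i == 0 or entry[1]:
                return True
        return False

    def rewrite(self, url: str) -> str:
        """What the browser does before a request leaves the machine: upgrade http://
        to https:// for known hosts, so a stripped link is never followed in the clear."""
        if not url.lower().startswith("http://"):
            return url
        host = url[7:].split("/", 1)[0].split(":", 1)[0]
        return "https://" + url[7:] if self.must_use_https(host) else url
```

The protection is only as good as the cache: a first visit to a host the browser has never seen over HTTPS, or a visit after the policy has expired, is still sent in the clear, which is the gap browser preload lists exist to close.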

Page 10: Defense!

1. DNSSEC

a. Authentication and validity of DNS responses using digital signatures and a chain of trust

2. Securing the LAN

3. Monitoring ARP Traffic

4. Secure internal network devices

5. Ensure secure connections use HTTPS (TLS / HSTS)
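Item 3 above, monitoring ARP traffic, as an added example that is not part of the presentation: it parses two snapshots in the layout `arp -n` prints on Linux (slide 7) and reports the two symptoms the spoofing on slide 6 produces, an IP whose MAC changed since the baseline and a single MAC bound to more than one IP (the attacker's interface answering for both the gateway and the victim). The snapshots, addresses and MACs below are constructed sample data; the function names are my own.

```python
import re
from collections import defaultdict

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)

# Constructed sample snapshots (Address, HWtype, HWaddress, Flags, Mask, Iface).
BASELINE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.56.1             ether   08:00:27:aa:bb:01   C                     eth0
192.168.56.20            ether   08:00:27:cc:dd:02   C                     eth0
192.168.56.30            ether   08:00:27:ee:ff:03   C                     eth0
"""

# Same LAN a little later: the gateway's IP now resolves to .30's MAC.
LATER = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.56.1             ether   08:00:27:ee:ff:03   C                     eth0
192.168.56.20            ether   08:00:27:cc:dd:02   C                     eth0
192.168.56.30            ether   08:00:27:ee:ff:03   C                     eth0
192.168.56.40                    (incomplete)                              eth0
"""


def parse_arp_table(text: str) -> dict:
    """Map IP -> (MAC, interface); the header line and incomplete entries are skipped."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not IP_RE.match(parts[0]) or not MAC_RE.match(parts[2]):
            continue
        table[parts[0]] = (parts[2].lower(), parts[-1])
    return table


def find_anomalies(baseline: dict, current: dict, gateway_ip: str = None) -> list:
    """Return (severity, message) pairs. A changed MAC on the gateway address is
    rated HIGH because every off-subnet packet then passes through that host."""
    alerts = []
    for ip, (mac, iface) in current.items():
        old = baseline.get(ip)
        if old and old[0] != mac:
            severity = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append((severity, f"{ip} moved from {old[0]} to {mac} on {iface}"))
    by_mac = defaultdict(list)
    for ip, (mac, _) in current.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(("HIGH", f"{mac} is bound to {len(ips)} addresses: {', '.join(sorted(ips))}"))
    return alerts


if __name__ == "__main__":
    for severity, message in find_anomalies(parse_arp_table(BASELINE),
                                            parse_arp_table(LATER), "192.168.56.1"):
        print(severity, message)
```

The baseline should be taken from a known-clean state (or from the DHCP snooping database the switch-side DAI configuration on slide 12 relies on); a polling interval shorter than the ARP cache timeout keeps the host-side view current.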

Page 11: MITM Defense: Port-Security & DAI

An Ethernet switch can be configured to learn a certain number of distinct MAC addresses on its ports and disable those ports if a strange MAC address is detected or more than the allowed number of MAC addresses are detected. Below is an example of port-security configured on an access port of a Cisco switch that allows only the first learned MAC address on interface FastEthernet0/1 to operate.

PHO305_SW#show run int f0/1
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 521
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!

Page 12: MITM Defense: Port-Security & DAI

An Ethernet switch can also be configured with Dynamic ARP Inspection. The switch intercepts and inspects all ARP packets that arrive on user ports and, upon packet arrival, checks the MAC and IP address reported in the ARP reply packet against known and trusted values. If an ARP reply contains invalid information or values that conflict with entries in the trusted database, it is dropped and a message is generated. Below is an example of a Cisco switch configured with DAI.

PHO305_SW#show run
!
!
come_as_you_are
!
ip dhcp snooping          ← MAC/IP mappings held in this database
ip arp inspection vlan 521
!

Page 13: Core Elements

What we did:

Created a lab that allows the students to experience, from the perspective of an attacker targeting a victim, conducting a MITM and DNS spoofing attack on a LAN.

Implemented:

● Setting up a fake website/server
● ARP spoofing
● DNS spoofing
● Harvesting credentials
● Compromising SSL communications

Design decisions:

● Utilized Ubuntu Desktop as victim OS for ease of distribution
● Limited to a single victim for simplicity in teaching the students
● Attacker and victim located on same subnet (vmnet) to sandbox all traffic
● DNS Server and Gateway are co-located on virtualized LAN as a result

Page 14: Lab URL

https://algorithmics.bu.edu/fw/Sandbox/Group5Lab

Page 15: Commands

Useful Syntax:

1. ifconfig, ip route, route -n, arp -n, service apache2 start/stop
2. arpspoof -i eth0 -t <victim IP> -r <gateway IP>
3. dnsspoof -i eth0 -f your_hosts_file.dns
4. iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <chosen_port>
5. sslstrip -l <chosen_port>

Troubleshooting:

1. Check promiscuous mode ("P" flag): netstat -i
2. Set promiscuous mode on eth0: ip link set eth0 promisc on
3. List all iptables port redirects: iptables -t nat -L
4. dnsspoof not presenting webpage: iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 80; "...." --dport 443 "..."
5. Flush Ubuntu DNS cache: sudo /etc/init.d/dns-clean restart; sudo /etc/init.d/networking force-reload
6. Delete a single port forwarding rule: same iptables command as above replacing "-A" with "-D"