DNS Spoofing


Merely knowing how hackers carry out this attack will decrease the likelihood of it happening to you. Awareness is much more powerful than people give it credit for.

In this article I will humbly attempt to describe how a hacker uses DNS spoofing. In a future article, I’ll share how to detect this kind of attack so you can protect yourself even further.

What is DNS Spoofing?

Setting everything up in order to conduct this type of attack can be relatively involved, so you can take some comfort in knowing that this isn’t the easiest thing for most people to do.

m.i.t.m.

This is essentially the first step before doing the actual spoofing. To spoof, one must first achieve the position of “man in the middle” within a network; please refer to the crude illustration below. The person circled in red has attained the m.i.t.m. position.

After attaining the m.i.t.m. position within the network, the malicious hacker can start intercepting the packets flowing between you and your router. As these packets are intercepted they are stashed in a queue. This is done to control the flow of packets and allow the hacker to modify them.

However, the hacker will let most of the packets flow through unmodified. For this type of attack, the hacker only needs to modify the packets coming from the router to the user, namely the DNS responses. This is how the hacker can change what you see; it is highlighted in red in the crudely drawn illustration below.

What can a malicious hacker do while sending you spoofed DNS responses?

  • copy another website so it looks just like the login page or checkout page
  • this allows them to capture your login credentials or credit card info if you don’t notice that the website is spoofed
  • or they might spoof a search engine site, like google.com, and track your search queries…

What are some Visual Clues of a Spoofed Website?

Are there obvious signs on a website that it has been spoofed?

  • oddly copied — most hackers are lazy and they’ll crudely copy how a website looks
  • http instead of https — don’t be totally scared of http websites, most of them are harmless, BUT be wary of http sites that ask for user input. As a general rule of thumb, only input information on https websites.
  • website error loading, or displaying a server default page — most legitimate companies have managed sites so that their content is live on the internet 24/7, so if you see odd errors, it could be a bumbling hacker trying to spoof the website you just searched for. Example below:

What does a Hacker Do Once They Have Intercepted Your Internet Packets?

To change what you see, they will modify the rdata field of the DNS answer section (the “an” layer of the packet in scapy). Circled in red below.
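Since the answer’s rdata is the field that gets tampered with, it is also the field a defender should be looking at. The script below is an added example written for this article, not code from the original post: it parses a DNS response with the standard library only (no scapy or netfilterqueue needed), pulls every A record out of the answer section, and flags a response whose rdata resolves a public name to a private LAN address, or that disagrees with a pinned set of expected addresses. The two responses it checks are constructed in the script itself, and the pinned address for example.com is an assumption for illustration.

```python
import ipaddress
import struct

# Pinned addresses a monitor expects to see for a name. The value for
# example.com is assumed for this example; a real deployment would fill this
# from its own authoritative lookups.
EXPECTED = {"example.com": {"93.184.216.34"}}


def build_response(name: str, ip: str, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS response (one question, one A answer).
    The answer name is a compression pointer (0xC00C) back to the question."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # flags: standard response, RD, RA
    question = qname + struct.pack("!HH", 1, 1)               # QTYPE=A, QCLASS=IN
    rdata = ipaddress.IPv4Address(ip).packed
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + answer


def read_name(data: bytes, offset: int):
    """Decode a possibly-compressed DNS name; returns (name, offset after the name)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:            # compression pointer: jump, but keep original end
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        if length == 0:                      # root label terminates the name
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(data[offset:offset + length].decode())
        offset += length
    return ".".join(labels), end


def parse_answers(data: bytes):
    """Return [(name, ip), ...] for every A record in the answer section."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):                 # skip the question section
        _, offset = read_name(data, offset)
        offset += 4                          # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = read_name(data, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rdlength == 4:     # A record: rdata is an IPv4 address
            answers.append((name, str(ipaddress.IPv4Address(rdata))))
    return answers


def suspicious_answers(data: bytes, expected: dict):
    """Flag rdata that points a public name at a non-routable address (the
    typical LAN man-in-the-middle substitution) or disagrees with a pinned set."""
    findings = []
    for name, ip in parse_answers(data):
        addr = ipaddress.IPv4Address(ip)
        if addr.is_private:                  # covers RFC1918, loopback and link-local ranges
            findings.append(f"{name} -> {ip}: public name resolved to a non-routable address")
        elif name in expected and ip not in expected[name]:
            findings.append(f"{name} -> {ip}: not in pinned set {sorted(expected[name])}")
    return findings


if __name__ == "__main__":
    # Constructed samples: a legitimate-looking response and a tampered one.
    for label, ip in (("legitimate", "93.184.216.34"), ("tampered", "192.168.1.50")):
        report = suspicious_answers(build_response("example.com", ip), EXPECTED)
        print(label, report or "no findings")
```

Run it as-is to see the tampered response flagged; to use it on real traffic, feed the UDP payload of each observed DNS response to suspicious_answers. The private-address check catches the common case where a man in the middle points victims at a machine on the same LAN, and the pinned-set check catches a redirect to a public address the attacker controls, at the cost of maintaining the expected table.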

Here’s Roughly How It’s Done

Step 1:

Create the queues that will capture the packets flowing between the user and the router. Commands underlined in red below:

Step 2:

Run a DNS Spoofing program, like the one below:

#!/usr/bin/env python
import netfilterqueue
import scapy.all as scapy

def process_packet(packet):
    # Parse the raw payload handed over by NFQUEUE as an IP packet
    scapy_packet = scapy.IP(packet.get_payload())
    # Print the packet's layers and fields (show() prints by itself and returns nothing)
    scapy_packet.show()
    # Let the packet continue to its destination unmodified
    packet.accept()

# Bind to queue number 0, the queue created in Step 1, and start processing
queue = netfilterqueue.NetfilterQueue()
queue.bind(0, process_packet)
queue.run()

The above Python program can’t actually modify the packets, but when you run it, it will show the packet information for everything passing through the queue.

Step 3:

Modify the packet. As I mentioned, the program above won’t modify any info; doing so is the last step of DNS spoofing.

The website I used in the examples above is one that I’m developing for a company. They granted me permission to use their website for these educational screenshots.

Conclusion

I hope this helps provide you with more situational awareness in your digital life. Read Part Deux to learn more.
