What Is DNS Poisoning? & Wireshark Tool

What is DNS Poisoning?

DNS poisoning is a technique that tricks a DNS server (or resolver) into accepting forged information as if it had received an authentic answer when, in reality, it has not.

The result is a false IP address substituted at the DNS level, where domain names are converted into numeric IP addresses.

It lets the attacker replace the IP address entries for a target site on a given DNS server with the address of a server he or she controls.

The attacker can then stand up a fake server (hosting malicious content) under the same name as the target, and every client that trusts the poisoned server is sent there instead.

Intranet DNS Spoofing

For this technique the attacker must be connected to the target's Local Area Network (LAN) and be able to sniff its packets. On a switched network this is done by ARP-poisoning the victim and the router so the victim's DNS queries flow through the attacker's machine, which answers them with forged responses.

Internet DNS Spoofing

In Internet DNS spoofing the attacker infects Rebecca's machine with a Trojan that changes her configured DNS server address to one the attacker controls, so every lookup she makes is answered by the attacker.

Proxy Server DNS Poisoning

The attacker sends a Trojan to Rebecca's machine that changes her proxy server settings in Internet Explorer to point at the attacker's proxy, which then redirects her requests to a fake website.

DNS Cache Poisoning

DNS cache poisoning refers to altering or adding forged DNS records in a DNS resolver's cache so that queries for a name are redirected to a malicious site.

If the resolver cannot validate that a response actually came from the authoritative server it queried (for example by checking that the transaction ID, destination port and question section match the query it sent, or by verifying DNSSEC signatures), it will cache the forged entries locally and serve them to every user who makes the same request until the record's TTL expires.

How to Defend Against DNS Spoofing

  • Resolve all DNS queries through a local (internal) DNS server
  • Block client DNS requests from going directly to external servers
  • Configure the firewall to restrict external DNS lookups to the internal resolvers
  • Implement an IDS and deploy it correctly
  • Implement DNSSEC so that responses can be cryptographically validated
  • Configure the DNS resolver to use a new random source port (and random transaction ID) for each outgoing query
  • Restrict the recursive DNS service, either fully or partially, to authorized users
  • Use DNS Non-Existent Domain (NXDOMAIN) rate limiting
  • Secure your internal machines
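The cache-poisoning description and the "random source port" defence above both come down to the same resolver-side checks. The following is an added example (not code from the original post) that models them: a reply is accepted only if its transaction ID and destination port match an outstanding query and its question section matches what was asked, and only records inside the bailiwick of the queried server are cached. All DNS messages are constructed in-memory tuples, not real wire-format packets; the zone and addresses used are illustrative.

```python
"""Resolver-side checks against DNS cache poisoning.

Added example, not code from the original post. It models what a caching
resolver must verify before trusting a UDP reply: the reply must match an
outstanding query (transaction ID, destination port, question section), and
only records inside the bailiwick of the server that was queried are cached.
Messages are constructed in-memory tuples, not real DNS wire-format packets.
"""
import secrets


def norm(name):
    """Lower-case a domain name and give it exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or lies beneath it."""
    n, z = norm(name), norm(zone)
    return n == z or n.endswith("." + z)


class Resolver:
    def __init__(self, random_ports=True):
        self.random_ports = random_ports
        self.pending = {}  # (txid, source port) -> (qname, qtype)
        self.cache = {}    # (name, rtype) -> rdata

    def send_query(self, qname, qtype="A"):
        """Choose a fresh 16-bit transaction ID and, if enabled, a random ephemeral port.

        With a fixed source port the attacker only has to guess the 16-bit ID;
        with a random port out of roughly 64k the guess space grows by that factor.
        """
        txid = secrets.randbelow(1 << 16)
        sport = 1024 + secrets.randbelow(65536 - 1024) if self.random_ports else 53
        self.pending[(txid, sport)] = (norm(qname), qtype)
        return txid, sport

    def receive_response(self, txid, dport, question, records, zone):
        """Validate a reply and cache what passes.

        question: (qname, qtype) copied from the reply's question section
        records:  list of (name, rtype, rdata) from answer/authority/additional
        zone:     zone the queried server is authoritative for (its bailiwick)
        Returns (accepted, reason).
        """
        key = (txid, dport)
        if key not in self.pending:
            return False, "no outstanding query with this transaction ID and port"
        qname, qtype = self.pending[key]
        if (norm(question[0]), question[1]) != (qname, qtype):
            return False, "question section does not match the query we sent"
        del self.pending[key]  # first matching reply wins; later ones are ignored
        cached = 0
        for name, rtype, rdata in records:
            if not in_bailiwick(name, zone):
                continue  # out-of-bailiwick record: never cache it
            self.cache[(norm(name), rtype)] = rdata
            cached += 1
        return True, f"cached {cached} record(s)"


if __name__ == "__main__":
    r = Resolver()
    txid, sport = r.send_query("www.example.com")
    # Forged reply with a guessed (wrong) transaction ID is dropped.
    print(r.receive_response(txid ^ 1, sport, ("www.example.com", "A"),
                             [("www.example.com", "A", "203.0.113.5")], "example.com"))
    # Legitimate reply: in-zone answer cached, stray out-of-zone record ignored.
    print(r.receive_response(txid, sport, ("www.example.com", "A"),
                             [("www.example.com", "A", "192.0.2.10"),
                              ("www.attacker.test", "A", "203.0.113.5")], "example.com"))
    print(r.cache)
```

The bailiwick rule stops the classic trick of smuggling a record for an unrelated domain into the additional section. It does not stop a Kaminsky-style attack, where the forged records are inside the zone and the attacker keeps triggering fresh queries until a guessed ID lands; that is why source-port randomisation and DNSSEC are in the list above rather than ID checks alone.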

Wireshark Tool

Wireshark is a network protocol analyzer that lets you capture and interactively browse the traffic running on a computer network.

On Windows, Wireshark captures packets through Npcap (formerly WinPcap); on Linux and macOS it uses libpcap. It can therefore only capture on interfaces those capture libraries support.

It captures live network traffic from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay and FDDI networks.

Capture files can be edited, split and converted from the command line with the bundled tools (editcap, mergecap, tshark).

Display filters narrow what is shown from a capture without discarding anything; filter expressions can be combined with && (and), || (or) and ! (not).

Display Filters in Wireshark

  1. Display Filtering By Protocol
    • Example: type the protocol name in the filter box: arp, http, tcp, udp, dns, ip.
  2. Monitoring Specific Ports
    • tcp.port == 23
    • ip.addr == 192.168.1.100 && tcp.port == 23 (Telnet traffic to or from that host)
  3. Filtering by Multiple IP Addresses
    • ip.addr == 10.0.0.4 || ip.addr == 10.0.0.5
  4. Filtering By IP Address
    • ip.addr == 10.0.0.4 (matches the address as source or destination)
  5. Other Filters
    • ip.dst == 10.0.1.50 && frame.len > 400 (frame.len is the frame length on the wire)
    • ip.addr == 10.0.1.12 && icmp && frame.number > 15 && frame.number < 30
    • ip.src == 205.153.63.30 || ip.dst == 205.153.63.30 (equivalent to ip.addr == 205.153.63.30)
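To make clear what fields such as ip.addr, tcp.port and frame.len actually refer to, here is an added example (not code from the original post) that builds a few Ethernet/IPv4/TCP frames in memory as constructed sample traffic, decodes the headers by hand with the standard library only, and applies the equivalents of the filters listed above. The addresses, ports and payloads are illustrative, and checksums are left at zero since nothing is sent on the wire.

```python
"""Byte-level view of the fields Wireshark display filters test.

Added example, not from the original post. Frames are constructed in memory
(sample traffic, not a real capture); decode() pulls out the same fields the
display filters name, and apply_filter() returns matching frame numbers.
"""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def make_tcp_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Construct a minimal Ethernet + IPv4 + TCP frame (checksums left zero)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)          # MACs zeroed
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def decode(frame):
    """Return the fields the filters below need, or None for non-IPv4 frames."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[23]
    fields = {
        "frame.len": len(frame),
        "ip.src": socket.inet_ntoa(frame[26:30]),
        "ip.dst": socket.inet_ntoa(frame[30:34]),
        "ip.proto": proto,
    }
    if proto == IPPROTO_TCP and len(frame) >= 14 + ihl + 4:
        off = 14 + ihl                    # TCP header starts right after IPv4 header
        fields["tcp.srcport"], fields["tcp.dstport"] = struct.unpack("!HH", frame[off:off + 4])
    return fields


def match_ip_addr(f, addr):
    """Equivalent of `ip.addr == addr`: true for either direction."""
    return f["ip.src"] == addr or f["ip.dst"] == addr


def match_tcp_port(f, port):
    """Equivalent of `tcp.port == port`: true for either endpoint."""
    return f.get("tcp.srcport") == port or f.get("tcp.dstport") == port


def apply_filter(frames, predicate):
    """Return 1-based frame numbers (like frame.number) of frames the predicate accepts."""
    hits = []
    for number, frame in enumerate(frames, start=1):
        f = decode(frame)
        if f is not None and predicate(f):
            hits.append(number)
    return hits


# Constructed sample traffic: a Telnet exchange, an HTTP exchange, and one ARP frame.
SAMPLE_FRAMES = [
    make_tcp_frame("192.168.1.100", "10.0.0.4", 40001, 23, b"login: "),
    make_tcp_frame("10.0.0.4", "192.168.1.100", 23, 40001, b"Password: "),
    make_tcp_frame("192.168.1.100", "10.0.0.5", 40002, 80, b"GET / HTTP/1.1\r\n"),
    make_tcp_frame("10.0.0.5", "192.168.1.100", 80, 40002, b"A" * 500),
    b"\x00" * 12 + struct.pack("!H", 0x0806) + b"\x00" * 28,   # ARP: no ip.* fields
]

if __name__ == "__main__":
    # ip.addr == 192.168.1.100 && tcp.port == 23
    print(apply_filter(SAMPLE_FRAMES, lambda f: match_ip_addr(f, "192.168.1.100") and match_tcp_port(f, 23)))
    # ip.addr == 10.0.0.4 || ip.addr == 10.0.0.5
    print(apply_filter(SAMPLE_FRAMES, lambda f: match_ip_addr(f, "10.0.0.4") or match_ip_addr(f, "10.0.0.5")))
    # ip.dst == 192.168.1.100 && frame.len > 400
    print(apply_filter(SAMPLE_FRAMES, lambda f: f["ip.dst"] == "192.168.1.100" and f["frame.len"] > 400))
```

Wireshark evaluates these fields from its dissection of each packet; ip.addr is true when either ip.src or ip.dst matches, which is why a single ip.addr filter shows both directions of a conversation, and a frame with no IP layer (the ARP frame here) never matches an ip.* or tcp.* test at all.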

How to Defend Against Sniffing

  • Use HTTPS instead of HTTP to protect usernames and passwords in transit.
  • Use a switch instead of a hub, since a switch delivers frames only to the intended recipient (though ARP poisoning can still defeat this, so it is not sufficient on its own).
  • Use SFTP instead of FTP for secure transfer of files.
  • Use PGP and S/MIME, VPNs, IPsec, SSL/TLS, Secure Shell (SSH) and one-time passwords (OTP).
  • Always encrypt wireless traffic with a strong protocol such as WPA2 or WPA3 (not WEP or the original WPA/TKIP).
  • Retrieve the MAC address directly from the NIC instead of from the OS; this prevents MAC address spoofing at the OS level.
  • Use tools to determine whether any NICs are running in promiscuous mode.
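The last point can be checked on a Linux host without extra tools: a sniffer such as Wireshark normally puts the NIC into promiscuous mode, and the kernel exposes that as the IFF_PROMISC bit (0x100, from <linux/if.h>) in /sys/class/net/<iface>/flags (the same flag `ip link show` prints as PROMISC). The following is an added example (not from the original post) that reads and interprets those flags; the eth0/eth1/lo values embedded in it are constructed sample data, not read from a real host.

```python
"""Check Linux network interfaces for promiscuous mode.

Added example, not from the original post. Reads the interface flag word from
/sys/class/net/<iface>/flags (Linux only) and reports interfaces with the
IFF_PROMISC bit set. Flag constants are from <linux/if.h>.
"""
import os

IFF_UP = 0x1
IFF_BROADCAST = 0x2
IFF_LOOPBACK = 0x8
IFF_RUNNING = 0x40
IFF_PROMISC = 0x100
IFF_MULTICAST = 0x1000

FLAG_NAMES = [
    (IFF_UP, "UP"), (IFF_BROADCAST, "BROADCAST"), (IFF_LOOPBACK, "LOOPBACK"),
    (IFF_RUNNING, "RUNNING"), (IFF_PROMISC, "PROMISC"), (IFF_MULTICAST, "MULTICAST"),
]


def parse_flags(text):
    """Parse the hex string found in /sys/class/net/<iface>/flags, e.g. '0x1103\\n'."""
    return int(text.strip(), 16)


def is_promiscuous(flags):
    return bool(flags & IFF_PROMISC)


def flag_names(flags):
    """Human-readable names of the set bits, in the order `ip link` lists them."""
    return [name for bit, name in FLAG_NAMES if flags & bit]


def scan_sysfs(root="/sys/class/net"):
    """Return {iface: flags} for every interface under root (empty on non-Linux hosts)."""
    result = {}
    if not os.path.isdir(root):
        return result
    for iface in sorted(os.listdir(root)):
        try:
            with open(os.path.join(root, iface, "flags")) as fh:
                result[iface] = parse_flags(fh.read())
        except OSError:
            continue  # virtual entries without a flags file, or permission problems
    return result


def report(flags_by_iface):
    """Return the names of interfaces whose flags include PROMISC."""
    return [iface for iface, flags in flags_by_iface.items() if is_promiscuous(flags)]


# Constructed sample values (not read from a real host): eth0 is sniffing, eth1 is not.
SAMPLE = {
    "eth0": parse_flags("0x1103\n"),   # UP|BROADCAST|PROMISC|MULTICAST
    "eth1": parse_flags("0x1003\n"),   # UP|BROADCAST|MULTICAST
    "lo": parse_flags("0x9\n"),        # UP|LOOPBACK
}

if __name__ == "__main__":
    live = scan_sysfs() or SAMPLE     # fall back to the sample data off-Linux
    for iface, flags in live.items():
        print(f"{iface:8} 0x{flags:x} {' '.join(flag_names(flags))}")
    print("promiscuous:", report(live) or "none")
```

This only sees the local host's interfaces. A sniffer on another machine that receives traffic through a hub, a mirror port or ARP poisoning will not show up here; detecting that requires the remote probing techniques (for example crafted ARP requests) that dedicated tools use.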
