
Friday, June 10, 2016

METASPLOIT - Windows 7 - Bypassing DNS by HOSTS file injection



WINDOWS 7 - BYPASSING DNS BY HOSTS FILE INJECTION


- Layout for this exercise:




The hosts file is a plain text file used by an operating system to map hostnames to IP addresses.


- In this practice we'll see how to inject a crafted hosts file into the victim machine, so that the well-known URL www.google.com is redirected to the attacker's website.

- This is a case of so-called phishing, where a trustworthy website is masqueraded by a fake one.


- One of the keys to this attack's success is the name resolution order used by Windows systems: first, Windows 7 looks up the entries in the hosts file; only then are Domain Name System (DNS) servers queried.

- For this reason, if a crafted hosts file is injected into the victim's machine, the victim has no way to notice that the web destination is actually a fake one.
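Because Windows consults the hosts file before DNS, the file itself is the place to look for this kind of tampering. The following Python script is an added example, not code from the original post or from Metasploit: it parses a Windows-style hosts file (comments, tabs, several names per line), flags entries that override a watchlist of well-known names or point a dotted name at a private address, and computes a fingerprint of the normalised entries for baseline comparison. The WATCHLIST and SAMPLE_HOSTS values are constructed for illustration (the sample mimics the file after the inject_host module has added its entry, with the attacker at 192.168.1.12), and the default path %SystemRoot%\System32\drivers\etc\hosts is assumed.

```python
"""Audit a Windows hosts file for entries that override well-known names.

Added example, not from the original post. WATCHLIST and SAMPLE_HOSTS are
constructed for illustration; the default hosts file path is assumed.
"""
import hashlib
import ipaddress
import os
from pathlib import Path

# Constructed watchlist: names that should never be overridden locally.
# In a real deployment this would come from policy rather than be hard-coded.
WATCHLIST = {"www.google.com", "accounts.google.com", "login.microsoftonline.com"}

# Constructed sample that mimics the victim's hosts file after the injection
# described in the post (attacker at 192.168.1.12).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
192.168.1.12 www.google.com
"""

# Assumed default location of the hosts file on Windows.
DEFAULT_HOSTS = (Path(os.environ.get("SystemRoot", r"C:\Windows"))
                 / "System32" / "drivers" / "etc" / "hosts")


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments, blank lines and
    entries whose address does not parse; one line may list several names."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing and whole-line comments
        parts = line.split()                  # any whitespace, tabs included, separates fields
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        entries.extend((parts[0], name.lower()) for name in parts[1:])
    return entries


def audit_hosts(text, watchlist=WATCHLIST):
    """Return (severity, message) findings: 'high' when a watchlisted name is
    overridden, 'review' when any other dotted name is pointed at a private
    address, which is what a hosts-file hijack typically looks like."""
    findings = []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or name in ("localhost", "localhost.localdomain"):
            continue
        if name in watchlist:
            findings.append(("high", f"watchlisted name {name} overridden -> {ip}"))
        elif addr.is_private and "." in name:
            findings.append(("review", f"{name} mapped to private address {ip}"))
    return findings


def hosts_fingerprint(text):
    """SHA-256 over the normalised entries only, so comment or whitespace
    changes do not alter the baseline but a new mapping does."""
    canonical = "\n".join(f"{ip} {name}" for ip, name in sorted(parse_hosts(text)))
    return hashlib.sha256(canonical.encode()).hexdigest()


if __name__ == "__main__":
    # Audit the real file when present, otherwise the constructed sample.
    source = DEFAULT_HOSTS.read_text(errors="replace") if DEFAULT_HOSTS.exists() else SAMPLE_HOSTS
    print("fingerprint:", hosts_fingerprint(source))
    for severity, message in audit_hosts(source) or [("ok", "no overrides found")]:
        print(f"[{severity}] {message}")
```

Storing the fingerprint of a known-good file and re-running the script periodically (or on file-change events) turns this into a simple integrity check: a changed fingerprint together with a 'high' finding is exactly the footprint the attack above leaves on the victim.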

- Let's start the attack by backgrounding the active meterpreter session:






- Now, the post-exploitation module inject_host is used:





- Options for this module:


- The domain to be faked:


- The attacker's IP:


- The active meterpreter session:



- Now, all the required options are set:


- The module is launched and completes successfully:






- As a result, back on the victim, the hosts file now has a new entry pointing www.google.com to the attacker's IP:


- On the attacker's side, to take advantage of the attack, a web server is set up on port 80 serving a welcome message:







- From the victim's machine, an attempt to connect to www.google.com is redirected to the attacker's website:






- Note that this redirection or phishing could be done on the victim's side with any type of trusted website (banks, email services, businesses, ...), and on the attacker's side with a fake website where the victim could enter valid credentials, which the attacker could then steal.

- It is interesting to check the different ways the commands ping and nslookup handle this situation.

- When pinging www.google.com, the name is resolved to 192.168.1.12:




- On the other hand, nslookup is a network administration command-line tool for querying the Domain Name System (DNS) to obtain the mapping between a domain name and an IP address.



- Accordingly, nslookup only performs DNS resolution, ignoring the hosts file, and resolves www.google.com to the real IP 216.58.216.228:





As said before, the hosts file is consulted before DNS resolution by Windows systems.
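The ping/nslookup difference just described can be turned into a detection check. The following Python script is an added example, not code from the original post: it resolves a name through the OS resolver (hosts file first, the way ping behaves) and through a raw DNS query sent directly to a nameserver (hosts file ignored, the way nslookup behaves), then reports any address that only the local resolver returned. The 192.168.1.12 and 216.58.216.228 addresses are the post's; SAMPLE_RESPONSE is a constructed DNS reply used to exercise the parser offline, and the 8.8.8.8 nameserver is an assumption.

```python
"""Detect a hosts-file override by comparing the OS resolver (ping behaviour:
hosts file first) with a direct DNS query (nslookup behaviour: DNS only).

Added example, not from the original post. The addresses 192.168.1.12 and
216.58.216.228 are the post's; SAMPLE_RESPONSE is a constructed DNS reply and
the 8.8.8.8 nameserver is an assumption.
"""
import secrets
import socket
import struct


def build_query(name, txid):
    """Standard recursive query for an A record of `name` (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD set
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data, offset):
    """Offset just past a domain name, handling compression pointers."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:          # 2-byte pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_a_records(data, txid):
    """IPv4 addresses from the answer section of a DNS response."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError(f"DNS error, rcode={flags & 0xF}")
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            addrs.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return addrs


def resolve_dns_only(name, server="8.8.8.8", timeout=3.0):
    """Ask a nameserver directly; the hosts file is never consulted."""
    txid = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def resolve_system(name):
    """Use the OS resolver, which (as the post describes for Windows) reads the hosts file before DNS."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})


def divergence(system_addrs, dns_addrs):
    """Addresses the local resolver returns that the nameserver did not:
    a non-empty result means a local override such as a hosts-file entry."""
    return sorted(set(system_addrs) - set(dns_addrs))


# Constructed reply to a txid 0x1234 query: www.google.com A 216.58.216.228, TTL 300.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"   # header: QR+RD+RA, 1 question, 1 answer
    b"\x03www\x06google\x03com\x00\x00\x01\x00\x01"         # question section
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04"     # answer: name ptr, A, IN, TTL 300, RDLEN 4
    b"\xd8\x3a\xd8\xe4"                                     # 216.58.216.228
)


if __name__ == "__main__":
    target = "www.google.com"
    print("constructed reply parses to:", parse_a_records(SAMPLE_RESPONSE, 0x1234))
    try:
        local = resolve_system(target)
        remote = resolve_dns_only(target)
    except (OSError, ValueError) as exc:
        print(f"live comparison skipped ({exc})")
    else:
        print("system resolver:", local)
        print("direct DNS     :", remote)
        print("local overrides:", divergence(local, remote))
```

On the victim described in the post, resolve_system would return 192.168.1.12 while resolve_dns_only returns 216.58.216.228, so divergence reports the attacker's address as a local override; on a clean machine the two agree and the list is empty (a CDN returning rotating addresses can also produce a difference, so treat a divergence as a prompt to inspect the hosts file rather than as proof on its own).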