Week Six
In a pharming attack, a Domain Name System (DNS) host record is manipulated to redirect a website’s traffic to another, malicious website. This can also be done by exploiting vulnerabilities in DNS server software. An example of this attack, also called DNS spoofing, was recorded in 2010, when the Great Firewall of China blocked websites at the DNS level by pointing them to an incorrect address. An ISP then mistakenly configured its DNS server to pull information from these servers, and this cached information spread across many other ISPs until there was a major inaccessibility of internet resources (Chris, 2016).
OVERVIEW OF DNS CACHE POISONING
DNS helps to contact the appropriate server for any domain name to be accessed. That server resolves the domain name into an IP address, and the information becomes accessible once this logical address is located. Since it is not feasible for the internet to have one DNS server, ISPs use home routers as DNS servers and cache DNS entries on your computer. This reduces the latency of looking up DNS information.
This DNS cache/hosts file (located in C:\Windows\System32\drivers\etc on Windows) can be manipulated to specify that a domain name is reached through the attacker’s IP address. In the screenshot below, the victim is redirected to a spoofed website upon entering “facebook.com”. This DNS spoofing attack can be done with a tool called Morpheus.
“Morpheus is a framework tool which automates TCP/UDP packet manipulation tasks by using etter filters to manipulate target requests/responses under MitM attacks, replacing the TCP/UDP packet contents before forward the packet back to the target host” (TWR, 2016). With Morpheus, DNS lookups can be hijacked and manipulated in an easy way.
Mitigation
DNSSEC provides a solution to this by using asymmetric keys to sign DNS entries. This way, all records are authenticated to tell trusted and illegitimate records apart (Chris, 2016).
References
Chris Hoffman. (September 2016). What is DNS Cache Poisoning? Retrieved from https://www.howtogeek.com/161808/htg-explains-what-is-dns-cache-poisoning/
TWR. (December, 2016). Morpheus-Automated Ettercap TCP/IP Hijacking Tool. Retrieved from https://latesthackingnews.com/2016/12/19/morpheus-automated-ettercap-tcpip-hijacking-tool/
Video Credit: MrPedroUbuntu. December 26, 2016