
    72 | Chapter 2: Network Security Testing Basics


    Example 2-14. Using dnsspoof
    root@kali:~# dnsspoof -i eth0 -f myhosts udp dst port 53
    dnsspoof: listening on eth0 [udp dst port 53]
    192.168.86.227.37972 > 192.168.86.1.53: 10986+ A? www.bogusserver.com
    192.168.86.227.49273 > 192.168.86.1.53: 28879+ A? www.bogusserver.com
    192.168.86.227.48253 > 192.168.86.1.53: 53068+ A? www.bogusserver.com
    192.168.86.227.49218 > 192.168.86.1.53: 45265+ A? www.bogusserver.com

    You’ll notice that at the end of the command line, I have included BPF to focus the packets that are captured. Without this, tcpdump would default to looking only at UDP port 53, but not the IP address of the host it is being run on. I removed that part and included my own BPF in order to run tests on my local system. You’ll see the requests get flagged when they come in. This output is similar to what you might see from tcpdump.

    You may be wondering why you’d bother to take the extra step of using dnsspoof if you have to use Ettercap or arpspoof (another ARP spoofing utility, though this one was written by Dug Song and included in the same suite of tools as dnsspoof). What you can do with dnsspoof that you can’t do with just ARP spoofing is direct a system to actually visit another IP address while it thinks it is going somewhere legitimate. You could create a rogue web server, for example, making it look like the real server but including some malicious code to gather data or infect the target. This is not the only purpose for doing DNS spoofing, but it is a popular one.

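    A detection-side example added here (not code from the book): if a forged reply is injected while the genuine resolver's reply still reaches the client, one query ends up with two different answers. The sketch parses lines in the layout of Example 2-14; the reply-line layout, all addresses and the assumption that both replies are captured are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of Example 2-14. The reply lines
# (id, answer counts, A record) and every address are made up for the demo.
SAMPLE = """\
192.168.86.227.37972 > 192.168.86.1.53: 10986+ A? www.bogusserver.com
192.168.86.1.53 > 192.168.86.227.37972: 10986 1/0/0 A 192.168.86.250
192.168.86.1.53 > 192.168.86.227.37972: 10986 1/0/0 A 203.0.113.80
192.168.86.227.49273 > 192.168.86.1.53: 28879+ A? www.example.test
192.168.86.1.53 > 192.168.86.227.49273: 28879 1/0/0 A 198.51.100.7
192.168.86.1.53 > 192.168.86.227.49273: 28879 1/0/0 A 198.51.100.7
"""

# Query:  client.port > server.53: id+ A? name
QUERY = re.compile(r"^(\S+)\.(\d+) > \S+\.53: (\d+)\+? A\? (\S+)$")
# Reply:  server.53 > client.port: id n/n/n A address  (single A answers only)
REPLY = re.compile(r"^\S+\.53 > (\S+)\.(\d+): (\d+)[*-]* \d+/\d+/\d+ A (\S+)$")


def conflicting_answers(log):
    """Return (name, client, answers) for each query that was answered with
    more than one distinct address; identical retransmits are ignored."""
    names, answers = {}, defaultdict(set)
    for line in map(str.strip, log.splitlines()):
        if m := QUERY.match(line):
            client, port, txid, name = m.groups()
            names[(client, port, txid)] = name
        elif m := REPLY.match(line):
            client, port, txid, addr = m.groups()
            answers[(client, port, txid)].add(addr)
    return [
        (names.get(key, "<query not captured>"), key[0], sorted(addrs))
        for key, addrs in answers.items()
        if len(addrs) > 1
    ]


if __name__ == "__main__":
    for name, client, addrs in conflicting_answers(SAMPLE):
        print(f"ALERT {client} got conflicting answers for {name}: {addrs}")
```
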
    Summary
    Typically, attacks against systems will happen over the network. Although not all attacks go after network protocols, there are enough that do that it’s worth spending some time understanding the network elements and the protocols associated with the different layers. Here are some key points to take away from this chapter:

    • Security testing is about finding deficiencies in confidentiality, integrity, and availability.
    • The network stack based on the OSI model is physical, data, network, transport, session, presentation, and application.
    • Stress testing can reveal impacts to at least availability.
    • Encryption can make it difficult to observe network connections, but weak encryption can reveal issues with confidentiality.
    • Spoofing attacks can provide a way to observe and capture network traffic from remote sources.
    • Capturing packets using tools like tcpdump and Wireshark can provide insights into what’s happening with applications.
    • Kali provides tools that are useful for network security testing.
