meterpeter Dnspoof { Hijacking DNS entrys in hosts File }
This Module allows attackers to Hijack Remote-Host hosts File DNS entrys to be abble to ReDirect target browsing . [url] Credential pharming - Mitre T1374
Remark
- Its 'not' recomended to use the '
Spoof' Module twice before 'Defaulting' the hosts file ..
- To run '
Spoof' or 'Default' Modules of this article, its required 'Client:Administrator' Privs
- For this attack to work the 'Domain Name' to be Redirected must not be in the browser cache.
'Or target browser cache must be clean before this tecnic have any change of success'.
Article Quick Jump List
-
Manipulate DNS entrys in hosts File
-
Retrieve remote-host hosts File Information
-
Revert Remote hosts File to Default Settings
1º - Start 'meterpeter' to deliver 'Client' to target (Update-KB4524147.zip)
2º - Sellect meterpeter 'PostExploit' Module
3º - Sellect meterpeter 'Dnspoof' Module
4º - Sellect meterpeter 'Spoof' Module
In this Module attacker needs to Input 'Ip Addr to Redirect' and 'Domain name to be Redirected'..
Now everytime target access 'www.facebook.com' on is default browser, it will be redirected to attacker apache2 in '192.168.1.71' were we can serve payloads|Phishing WebPages|etc..
1º - Sellect meterpeter 'PostExploit' Module
2º - Sellect meterpeter 'Dnspoof' Module
3º - Sellect meterpeter - 'Check' Module
In this Module attacker can retrieve remote 'hosts' file contents or to check if 'Spoof' Module has successfuly added our dns entry to hosts file (Its Not required Client:admin privs to run this module)..
1º - Sellect meterpeter 'PostExploit' Module
2º - Sellect meterpeter 'Dnspoof' Module
3º - Sellect meterpeter 'Default' Module
When Using 'Spoof' Module, meterpeter will backup the original 'hosts' file that this function uses.
-
Its 'not' recomended to use '
Spoof' Module twice before 'Defaulting' hosts file ..