01 Principle
DNS hijacking is an event where DNS, an application layer protocol based on UDP, is affected. DNS determines which IP address a domain name will resolve to.
The premise of this attack is that the attacker has control over your gateway (it could be a router, switch, or ISP). Generally, under a WLAN, using ARP spoofing can achieve this effect.
During the process of accessing a website, you go through the following stages: Take accessing the homepage of freebuf as an example:
1. Enter freebuf.com in the address bar
2. Access the local hosts file to find the IP corresponding to freebuf.com. If found, access that IP.
3. If not found, proceed to this step and search for freebuf.comâs IP on a (remote) DNS server, then access that IP.
You can use Wireshark to capture the packets and view this process.
This is a DNS request sent to baidu.com
>
This is the response returned by the DNS server:
>
Man-in-the-middle hijacking occurs in the third step: because the malicious attacker controls your gateway, when you send a request to look up the IP of freebuf.com, the man-in-the-middle intercepts it and returns the IP of a malicious website. Your browser will take this IP as the IP for the domain you intended to visit! This IP is created by the attacker to mimic the front-end interface of the target website. When you enter your username, password, or make a payment on this interface, you will fall for it.
The URL of the interface directed by DNS hijacking appears entirely correct, making such attacks very difficult to distinguish!
Attackers can make the webpageâs front-end extremely identical to the original. All kinds of links point to the correct places; only the login form is problematic. Once the username and password are entered, they will be received by the attacker.
02 Prevention
Generally speaking, preventing this kind of attack is very tough! Because the URL and page are normal, those without deep understanding of web technology have no way to start (if the attackerâs page is reproduced accurately enough), but we still have some methods for prevention.
1. Use SSL (HTTPS) for login; the attacker can obtain the public key but cannot get the serverâs private key.
2. Be extremely cautious when the browser prompts certificate issues! Ensure your network environment is secure and that the website is trustworthy before visiting.
3. Avoid logging in casually when connected to public Wi-Fi.
If you see a prompt like the one above, there are two possibilities:
One is that the serverâs HTTPS certificate is not configured correctly,
The other is that you may have been subject to man-in-the-middle hijacking, and the digital certificate cannot pass browser verification.
Generally, only some internal networks in companies and schools, a few personal websites, and (12306) will encounter certificate configuration issues. Other regular large sites, especially those we frequently use, do not have such problems. Where login is required and phishing often occurs, is precisely these sites. Therefore, when encountering such a situation, do not enter your username and password lightly.
The impact of this attack is usually minimal and mostly restricted to an internal network range; overall, there is no need for excessive worry. Of course, if it is an ISP hijacking, that is a different matter altogether. However, ISP hijacking usually just inserts ads, not boldly using this method for phishing attacks.
03 Attackerâs Intent
Phishing Attack to Steal Passwords
Trick users into filling out login forms, changing the POST address to the attackerâs server address to obtain the user name and password of the victim. Note especially: There is a situation where the user hesitates after filling out the form and does not click the submit/login button to send the form, but at this point, the input content has already been sent out via AJAX.
Generally speaking, this submit function should be executed after the button is clicked, but the attacker can use the on event to execute this function every time the user inputs an action, allowing the user to send without clicking.
Phishing Attack to Hijack Payments
Hijack the payment interface to cause the userâs Alipay or bank card payment to be routed into the attackerâs account.
Injecting Ads
This method of DNS hijacking is generally by the ISP for broad-scale hijacking.
(As shown in the bottom right corner of the picture above, itâs similar to ISP ad hijacking. Of course, this could be the siteâs own ad, unable to find a picture of ISP hijacking, so using this picture to demonstrate)
There are two methods
HTTP Hijacking
Embed an ad by inserting a fixed position div in the intercepted HTML text, usually in the bottom right corner.
DNS Hijacking
Hijack the domain name to an attackerâs site that contains ads, then use an iframe to import the site the user wants to visit.
04 Attack Reproduction
We can reproduce this attack method, using multiple devices under a router; one device for hijacking, another for simulating the victimâs test.
Preparation
The hijacking machine: Preferably use Kali LinuxSet up an HTTP server locally or remotely as a phishing site to mimic the target websitePreferably install a high-power wireless network cardInstall hijacking tool ettercap (Kali comes with it)Test machine installing a browser (nonsense, every computer has one, pure command line Linux can use lynx too)Two computers connect to the same wireless router or hub (preferably not using a switch, as you must control the switch itself to proceed, whereas a router only needs deception)
Operation Guide
First, configure the DNS you want to hijack in the configuration file of ettercap. The directory for ettercap DNS configuration files is located at /etc/ettercap/etter.dns Open this file, and youâll see that the author has already provided some examples
The author jokingly resolves Microsoftâs homepage microsoft.com to linux.orgâs IP, long live open source! Linux is supreme! Returning to the topic, we can refer to these examples to write our own hijacking rules in the format of domain DNS record type IP. What is a DNS record type?
For a more detailed description, you can refer to Wikipedia DNS Resolution Record â Wikipedia
Generally, when doing DNS hijacking, we use an A record. For instance, if we want to hijack Baidu to Bing (considering that some friends do not have the means to bypass network filtering), first use ping/traceroute/whois or similar tools to find bing.comâs IP 13.107.21.200
We add a hijacking rule to this file
When conducting DNS hijacking, we need to hijack it to our own HTTP server. Use ifconfig (*nix), ipconfig (Windows) to find your machineâs IP address, normally a LAN address like 192.168.xxx.xxx, 10.xxx.xxx.xx, 172.xxx.xxx.xxx
The next step is to use web servers like apache or nginx to set up our own server. You could use something like LAMP; there are plenty of tutorials online, so we wonât elaborate.
Next, open ettercap
First choose sniff->unified sniff Then open hosts->host list Select all hosts, click add to target 1
Then click Mitm->ARP Posining
Select the first checkbox sniff remote connections
Then in plugin->manage plugin, double-click DNS spoof to activate this plugin
At this point, the target is already in a hijacked state. Using the test machineâs browser to access the site you hijacked will let you see the page you set up on your server. I didnât modify mine, so itâs the default apache page.
Of course, there is a considerable chance of failure in this attack due to the principles of man-in-the-middle attacks, issues with network cards, gateway restrictions, DNS caching, and other factors that may cause hijacking to fail as well.
05 Further Understanding
If you wish to study more in-depth content in this area, you can first review your computer network knowledge, understanding application layer protocols like HTTPS, HTTP, and DNS details. A thorough understanding of the ARP protocol in the data link and transport layers is also required.
Kali Linux has many great tools related to wireless like aircrack-ng, ettercap, arpspoof, sslstrip, etc., which can be used, and you can refer to the Kali documentation for further learning.