Friday, June 10, 2016

METASPLOIT - Windows 7 - Bypassing DNS by HOSTS file injection


- Layout for this exercise:

The hosts file is a plain text file used by an operating system to map hostnames to IP addresses.

- In this practice we'll see how to inject a crafted hosts file into the victim machine, so that
a well-known URL is redirected to the attacker's website.

- This is a case of so-called phishing, where a trustworthy website is masqueraded by a fake website.

- One of the keys for this attack to be successful is the name resolution order performed by Windows systems. First, Windows 7 looks up the entries in the hosts file. Second, Domain Name System (DNS) servers are queried.

- For this reason, if a crafted hosts file is injected into the victim's machine, the victim would not be able to notice that the web destination is actually a fake one.

- Let's start the attack by backgrounding the active meterpreter session:

- Now, the post-exploitation inject_host module is used:

- Options for this exploit:

The domain to be faked:

The attacker's IP:

- The active meterpreter session:

- Now, all required options are fulfilled:

- The exploit is launched and successfully completed:

- As a result, back on the victim, the hosts file now has a new entry, pointing to the attacker's IP:

- On the attacker's side, with the purpose of taking advantage of the attack, a web server is set up on port 80, serving a welcome message:

- From the victim's machine, when trying to connect to, the connection is redirected to the attacker's website:

- Let's notice that this redirection or phishing could be done on the victim's side with any type of trustworthy website (banks, email services, businesses, ...), and on the attacker's side with a fake website where the victim could enter valid credentials, which could then be stolen by the attacker.

- It is interesting to check the different ways the ping and nslookup commands handle this situation.

- When ping-ing, the resolution is between and

- On the other hand, nslookup is a network administration command-line tool available for querying the Domain Name System (DNS) to obtain a domain name or IP address mapping.

- In this way, nslookup only performs a DNS query, ignoring the hosts file, and resolves to the real IP

As said before, the hosts file is consulted before DNS resolution by Windows systems, which is why ping and nslookup give different answers.
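The following is an added example, not part of the original post and not Metasploit code, illustrating both points above from the defender's side: it parses hosts-file text the way Windows reads it (on Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts), emulates the hosts-then-DNS lookup order that ping follows versus the DNS-only lookup that nslookup performs, and flags hosts entries that silently override a name for which DNS gives a different answer. The hosts content and the DNS answers are constructed samples using documentation address ranges; a real check would replace the `SAMPLE_DNS` dictionary with an actual resolver query.

```python
import ipaddress

# Constructed sample hosts file (not from the original post). The last two
# lines imitate what an injected entry and a harmless local mapping look like.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost
192.0.2.10    www.example.com   # injected entry (constructed sample)
127.0.0.1     dev.local
"""

# Constructed stand-in for DNS answers (hypothetical values, TEST-NET ranges).
SAMPLE_DNS = {
    "www.example.com": "198.51.100.20",
}


def parse_hosts(text):
    """Return a list of (ip, hostname) pairs from hosts-file text.

    Comments (from '#' to end of line) and blank lines are ignored, as are
    lines whose first field is not a valid IP address.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            entries.append((str(ip), name.lower()))
    return entries


def resolve_like_ping(name, hosts_entries, dns_table):
    """Emulate the Windows resolver order used by ping: hosts file first, then DNS.

    Returns (ip_or_None, source) where source is 'hosts', 'dns' or 'unresolved'.
    """
    name = name.lower()
    for ip, host in hosts_entries:
        if host == name:
            return ip, "hosts"
    ip = dns_table.get(name)
    return ip, ("dns" if ip else "unresolved")


def resolve_like_nslookup(name, dns_table):
    """Emulate nslookup: query DNS only, never consult the hosts file."""
    return dns_table.get(name.lower())


def suspicious_entries(hosts_entries, dns_table):
    """Flag hosts entries that override a DNS-known name with a different, non-local IP.

    Loopback and link-local mappings are skipped because they are the usual
    legitimate reason for a hosts entry (local development, ad blocking).
    """
    findings = []
    for ip, host in hosts_entries:
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_link_local:
            continue
        dns_ip = dns_table.get(host)
        if dns_ip is not None and dns_ip != ip:
            findings.append({"host": host, "hosts_ip": ip, "dns_ip": dns_ip})
    return findings


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    print("ping-style:    ", resolve_like_ping("www.example.com", entries, SAMPLE_DNS))
    print("nslookup-style:", resolve_like_nslookup("www.example.com", SAMPLE_DNS))
    for f in suspicious_entries(entries, SAMPLE_DNS):
        print("hosts override:", f)
```

The two resolve functions reproduce the discrepancy the post observes: the ping-style lookup returns the injected address with source "hosts", while the nslookup-style lookup returns the DNS answer. Comparing the two over every non-loopback hosts entry is a cheap host-integrity check that catches this kind of injection.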