WINDOWS 7 - BYPASSING DNS BY HOSTS FILE INJECTION
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCnoYXJPq7jjPRU1712rNj0hjJV6WVPGwpLbuyyBKkdqAj93GwLIQe5UpO49F30PaqSyDVuCbI_e-t3WeZTEItv3-d4EruCOVM6ZMP_dpjIeNRDFtQpJ4WREGDI5-QHPUFYi2KHFPFTUva/s1600/W7_LAYOUT.jpg)
- The hosts file is a plain text file used by operating systems to map hostnames to IP addresses.
- In this practice we'll see how to inject a crafted hosts file into the victim machine, so that the well-known URL www.google.com is redirected to the attacker's website.
- This is a case of so-called phishing, where a trustworthy website is masqueraded by a fake one.
- One of the keys to this attack's success is the name resolution order followed by Windows systems. First, Windows 7 looks up the entries in the hosts file. Second, Domain Name System (DNS) servers are queried.
- For this reason, if a crafted hosts file is injected into the victim's machine, the victim would not be able to notice that the web destination is actually a fake one.
- Let's start the attack by backgrounding the active meterpreter session:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqvT-_s3-ItIws3YWvxWWlSJJvpSRMFOR74U5gdxgiS695YVsE3j6fCHXxQinXhHDg67UHmaq94w24VsUFR9Q5b3PUXqQgJ9OMDHR8OA7GbzpqtFm6C-ZbC047uxddeDpwGZqvIHs4sKAX/s1600/screenshot.1.jpg)
- Now, the post-exploitation module inject_host is used:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3OQVL7qy-knQVlD-3SMKN9g2RIqSBtXRgIn_-Gf3IKaO4oFrR4lDU4DT4LdH2WhcAhsWx6PkwZtKoHFZjnhOVSphJkHfoutmcOCsCvHRN6KRxlROv4hNy0ytabXcmgNzZbLSDqqXxit04/s1600/screenshot.2.jpg)
- Options for this exploit:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXjgUFOextoOhaT2ZAvv7w-9TYqsjShnF8qMLqPzjnjGdl7nan7gUcKV5Lo85Wj9AsmFSxuuXImHc1GYtRmTU5Modb4gR0tqhkDALk4CA-83tPD3zC3RiROwPVnnTDzSsudmetEvzvwL8o/s1600/screenshot.6.jpg)
- The domain to be faked:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFiTKh84KfuMe_4fRJbA78Vpv__5arYjBXRD80ovrL5LdsSooplJev_oJ4EcSAV4CTWcGMqcIlKz5aXijXEE0A9gVuyzPIk3R2OEy8lySvarjlHyOi8jOxwIpu8rDhL7O2A7cOiCkm27pS/s1600/screenshot.7.jpg)
- The attacker's IP:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPO3c-7ZFR9o3uhIqgtZLFXyQJIY9k5R2I3R-Y79DRytC8ytLyZHu6vzx55P_f7XASGdKwgFTb2bXfoWBY-mQDX06U18mgpJByQs0EUHEhLpMF3uzAxenC9Qe3n0tzvzx3sEyoAtMzmKR4/s1600/screenshot.8.jpg)
- The active meterpreter session:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDT8UWbD7jCTM9r_Y3QnaWyYUpOq852_0zAmTfF6zi6Xn6IzjqIwD6oLEkZJmmU70K4IvhgDrOPqv4HJQE9NbF26dSX7JJH3MXPI87FDfUV8ny-luTylOWTf7eS2cm8rOYVnk6iViFcJ1d/s1600/screenshot.9.jpg)
- Now, all required options are fulfilled:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0sYZao54Lo2QXq5-ILdIMBu1KLZ4xYF-XcvBWPVhic3RF7QwKB3Fpy7zeCHtmQ2-Sk3rKwN4QX4ydhs6D9hmOzUMUiT1T7W5ZG6EW5K4ROAIhzhG-gXCA0cupizTPyrqd45Bf60QZvH42/s1600/screenshot.11.jpg)
- The exploit is launched and successfully completed:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-3zqZco8vHQFuUW_r5zktBTM1LVwyY09D-SIT36QwRx6Dav5BZb8dZGvzElzSYWxzi61Ps0KIKgBxnfRA8mjYq7Egt5Pq83uHt38sqS3jTRBK4shDwRhGDNSHUAju13Ww_Mz6W-NfLe00/s1600/screenshot.10.jpg)
- As a result, back on the victim, the hosts file now has a new entry pointing www.google.com to the attacker's IP:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1tAatS2GtL2fSUEBvMzMWToA0zHIRLwoQM9OI_r4tVmfl3zSkbsToBtw9mqPd35R6tlvxgSYlXjEEKKpnVZ1U7XRMf0TDfvbw-eQKryASrV3WxH3D9lHeDzsjC9ayRnxAnSWB_7EbhveC/s1600/screenshot.17.jpg)
- On the attacker's side, to take advantage of the attack, a web server is set up on port 80 serving a welcome message:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWED1TrC62CQDVoBtgk8pceFmYIxr1XnUdD9yIdEY3KQYK6xG-O4L5q50hR4szLli5BmBbd7hd5R4zDH8TsL8yo4C4DM0F3m-_fzNcyMGH-P5dWJ1PRZhgWVNCvMGEMRxCDQ4KY4pKVz6X/s1600/screenshot.3.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsWMv46T6Kz-loONl58AnUgqOir2Ft8PYoO2JxPcjBvhK-Gx_ai2uuwQRuyI4WvxV0WNRq4a1JFSL8E-yIv8BGznwzjT0GKM1qKhy2DtWdTCwhTqnu_W6OBb8mzCiwGm-vBRcMs66pcMfS/s400/screenshot.4.jpg)
- From the victim's machine, when trying to connect to www.google.com, the connection is redirected to the attacker's website:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicRw7XQmEdznIKbN55mtH7hL_AKT_K7xQz90PDsx0i5NI2FScNEQ3g_q-Zg03fgoiqEbvm3n5xLwU_7O8hc26Y3vh2w7Cy5Y_IByo0bh3_POnRb6ll6WHkz44EwX5qIEABmZP1y7iWA9ez/s1600/screenshot.12.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhosf26EbSDkN-5gnLKB88CN4EiAVv9Tj6bpEtBygXVZ0nAA9VJihO9lj9FlRmLZsN0wtVh6jkrTNOcWprv_vvBPFTr0tNssvOdDTEIsbuL_M1d3owbDsgJmGW2me3ReZ8b3ZXouBfF5D8T/s1600/screenshot.13.jpg)
- Note that this redirection, or phishing, could be done on the victim's side with any type of trustworthy website (banks, email services, businesses, etc.) and on the attacker's side with a fake website where the victim could enter valid credentials, which could then be stolen by the attacker.
- It is interesting to check the different ways the ping and nslookup commands handle this situation.
- When pinging www.google.com, the name resolves to 192.168.1.12:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_4n9hqPAy2GK9QLM8SaqjeK11Wfz5HC64_-fZvSIkQnOfhhOlsVCaY_ogaKtfUIcCp1B5LP1fI6IEhNQEWvUQVtRMuivU9D75fmBgQlBPENkdeCqi2g-XhUxhO22cJYOMoqTnw1kKKJdI/s1600/screenshot.15.jpg)
- On the other hand, nslookup is a network administration command-line tool for querying the Domain Name System (DNS) to obtain the mapping between a domain name and an IP address.
- In this way, nslookup only checks DNS resolution, ignoring the hosts file, and resolves www.google.com to the real IP 216.58.216.228:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJJMxJR5vQpsjJdVPjLBcUbMmJauqudM7PWQWERPes69V2AzRvGUO9YcEUKXy2vRza1YfbqLo_zB4Cef9zzwMiYFfGKNe3PrkKCA2g8w_BqyJvJajXLzP5iNJcIZWoFWUQN-wKvMR1jWFH/s1600/screenshot.16.jpg)
- As said before, the hosts file is consulted before DNS resolution on Windows systems.
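The ping/nslookup discrepancy described above is also the detection signal a defender can use: if the answer obtained through the hosts file differs from the answer DNS returns, the hosts file has been tampered with (or is doing a deliberate override). The following script is an added example, not code from the original post or from Metasploit. It parses hosts-file text, emulates the hosts-first, DNS-second lookup order the post relies on, and reports every entry where the two sources disagree. The sample hosts content, the `FAKE_DNS` answer table (standing in for a real resolver so the script runs offline) and all function names are constructed for this example.

```python
"""Audit a Windows hosts file by emulating the hosts-before-DNS lookup order.

Added example (not from the original post). Real hosts file location on Windows:
%SystemRoot%\\System32\\drivers\\etc\\hosts. Here the content is constructed inline.
"""
import ipaddress

# Constructed sample hosts file: a legitimate ad-blocking loopback entry,
# an internal name that matches DNS, and a redirection of www.google.com
# to a LAN address (the pattern the post produces).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
127.0.0.1       ads.example.net
10.0.0.5        intranet.example.local   intranet
192.168.1.12    www.google.com
"""

# Constructed stand-in for DNS answers; a real audit would query the resolver.
FAKE_DNS = {
    "www.google.com": "216.58.216.228",
    "intranet.example.local": "10.0.0.5",
    "ads.example.net": "203.0.113.7",
}


def parse_hosts(text):
    """Return {hostname_lower: ip} from hosts-file text.

    '#' starts a comment, fields are whitespace separated, one IP may carry
    several names, and the first entry for a name wins (as Windows resolves it).
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed address: not something the resolver would use
        for name in fields[1:]:
            mapping.setdefault(name.lower(), ip)
    return mapping


def resolve(name, hosts, dns):
    """Emulate the Windows order: hosts file first, DNS second.

    Returns (ip, source) with source in {"hosts", "dns", "unresolved"}.
    """
    key = name.lower().rstrip(".")
    if key in hosts:
        return hosts[key], "hosts"
    if key in dns:
        return dns[key], "dns"
    return None, "unresolved"


def find_overrides(hosts, dns):
    """Entries where the hosts file changes the answer DNS would give.

    Loopback and 0.0.0.0 entries are skipped: pointing a name at localhost
    is the usual legitimate (blocking) use of the hosts file, while pointing
    a public name at another reachable address is the redirection to look for.
    """
    findings = []
    for name, ip in hosts.items():
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            continue
        dns_ip = dns.get(name)
        if dns_ip is None or dns_ip == ip:
            continue
        findings.append({
            "name": name,
            "hosts_ip": ip,
            "dns_ip": dns_ip,
            "hosts_ip_is_private": addr.is_private,  # LAN redirect, as in the post
        })
    return findings


def report(text, dns):
    """Human-readable lines for each override found in hosts-file text."""
    return [
        f"{f['name']}: hosts says {f['hosts_ip']}, DNS says {f['dns_ip']}"
        + (" (private address)" if f["hosts_ip_is_private"] else "")
        for f in find_overrides(parse_hosts(text), dns)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_HOSTS, FAKE_DNS):
        print(line)
```

On a real machine the same logic runs against the contents of the hosts file and answers from the configured resolver; the only override reported for the sample above is www.google.com, because the ad-blocking entry is excluded by design and the intranet entry agrees with DNS.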