
I'm trying to create a more practical DNS Hijack MITM attack. I do the traditional ARP poison with dns_spoof method. I don't have any issues getting it to work. The intended domain redirects exactly as expected. The only issue is that the current method isn't realistic. It would make a victim extremely suspicious because every other website would break. An attacker would need to count on the victim going to your domain immediately after you initiate the attack.

ALL websites not listed in the etter.dns host file get redirected as well. How can we get ettercap to spoof ONLY the websites listed in etter.dns while forwarding everything else to their intended locations?

schroeder
user21303

1 Answer


Comment out the following lines in /etc/ettercap/etter.conf

redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport" 

redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

Note: You will need these lines uncommented if you plan on running SSLStrip.

schroeder
user21303
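From the defender's side, the `redir_command_on` template quoted in the answer appends a REDIRECT rule to the `nat` table's PREROUTING chain, so such a rule on a host that is not meant to proxy traffic is worth investigating. The following is an added example, not part of the original post: it audits `iptables-save` output for those rules, and the sample ruleset and the function name `find_prerouting_redirects` are constructed for illustration.

```python
import shlex

# Constructed sample of `iptables-save` output (not taken from the page).
SAMPLE_RULESET = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 59273
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.5:8080
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""


def find_prerouting_redirects(ruleset):
    """Return one dict per nat/PREROUTING rule whose target is REDIRECT."""
    findings = []
    table = None
    for raw in ruleset.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # table header, e.g. "*nat"
            table = line[1:]
        elif line == "COMMIT":            # end of the current table
            table = None
        elif table == "nat" and line.startswith("-A "):
            tokens = shlex.split(line)
            if tokens[1] != "PREROUTING":
                continue
            # Map each option flag to the token that follows it.
            opts = {t: tokens[i + 1]
                    for i, t in enumerate(tokens[:-1]) if t.startswith("-")}
            if opts.get("-j") != "REDIRECT":
                continue
            findings.append({
                "iface": opts.get("-i"),
                "proto": opts.get("-p"),
                "dport": opts.get("--dport"),
                # iptables-save prints --to-ports; accept the short form too.
                "to_port": opts.get("--to-ports") or opts.get("--to-port"),
            })
    return findings


if __name__ == "__main__":
    for hit in find_prerouting_redirects(SAMPLE_RULESET):
        print("REDIRECT in nat/PREROUTING:", hit)
```

On a live host, feed the function the text produced by `iptables-save` instead of the constructed sample.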