Hi,
New here. I've heard of scammers/phishers using DNS poisoning techniques to make it seem as if "victims" are going to the legitimate site whereas they are being redirected to the scam one.
Can anyone explain what this (DNS poisoning) is? And how it is done?
>> Please move this to the right forum if this is not the place for this question. Apologies if this is the case.
Thanks,
Ramnarayan.
DNS poisoning
-
- forum buddy
- Posts: 16
- Joined: 23 Sep 2005, 16:00
- 19
Basically, DNS is like an address book. It resolves a host name e.g. www.google.com to an IP address e.g. 66.102.9.99 (Google's IP). DNS poisoning happens when you make a user believe they are accessing a legitimate site when in fact the address is being resolved to a different IP, usually one of a server which contains a phishing website, i.e., one that records your username or bank details, and then redirects you to the legitimate site, meaning you're not even aware your identity has been stolen.
Hope this makes sense
MD
- ramnarayan
- forum buddy
- Posts: 13
- Joined: 01 Sep 2005, 16:00
- 19
-
- forum buddy
- Posts: 16
- Joined: 23 Sep 2005, 16:00
- 19
It's done using a man-in-the-middle attack, where the attacker intercepts traffic going both ways. And while it's not technically possible to detect, as traffic both ways is intercepted and modified, using encryption to communicate with another system, which will resolve the hostname to a legitimate IP. However, DNS poisoning can be done on an even lower level, called ARP poisoning (correct me if I'm wrong), where although the target believes a packet has been sent to the correct IP, it has in fact been intercepted and modified, and may not even reach its destination.
Hope this helps
MD
- bad_brain
- Site Owner
- Posts: 11638
- Joined: 06 Apr 2005, 16:00
- 19
- Location: In your eye floaters.
- Contact:
ARP poisoning manipulates the content of the target's ARP (address resolution protocol) cache. In the ARP cache the lookup tables of known hosts (the host must have been contacted before) are stored. An attacker who uses ARP poisoning is changing the MAC address (also known as hardware address) of a known host to an address which he controls, so he can intercept the network traffic and try to find sensitive information.
So ARP poisoning is more the part of an active attack against a host or network; for scammers it's not very useful because the ARP cache is emptied every 30 minutes per default (at least on Unix systems)...
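An added example, not from any poster in this thread, showing how a defender can spot the cache manipulation bad_brain describes: it compares two snapshots of a neighbour table in `ip neigh show` output format (constructed sample lines, not real captures) and flags any IP whose MAC address changed between snapshots, plus any MAC that now answers for several IPs.

```python
import re

# Constructed sample snapshots in `ip neigh show` format (not real captures).
# In AFTER, the gateway 192.168.1.1 suddenly resolves to the MAC of host .21.
BEFORE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:01 STALE
192.168.1.21 dev eth0 lladdr aa:bb:cc:dd:ee:02 REACHABLE
"""
AFTER = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:02 REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
192.168.1.21 dev eth0 lladdr aa:bb:cc:dd:ee:02 REACHABLE
192.168.1.30 dev eth0 FAILED
"""

# Matches "<ip> dev <if> [lladdr <mac>] <state>"; extra flags such as
# "router" in real output would need the pattern widened.
LINE_RE = re.compile(r"^(\S+) dev (\S+)(?: lladdr (\S+))? (\S+)$")

def parse_neigh(text):
    """Map IP -> MAC; entries without lladdr (FAILED/INCOMPLETE) are skipped."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(3) is None:
            continue
        ip, _dev, mac, _state = m.groups()
        table[ip] = mac.lower()
    return table

def detect_arp_anomalies(before, after):
    """Return findings: IPs whose MAC changed, and MACs claiming several IPs."""
    old, new = parse_neigh(before), parse_neigh(after)
    findings = []
    for ip, mac in new.items():
        if ip in old and old[ip] != mac:
            findings.append(("mac_changed", ip, old[ip], mac))
    by_mac = {}
    for ip, mac in new.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:  # weaker signal: multi-homed hosts also look like this
            findings.append(("mac_shared", mac, tuple(sorted(ips))))
    return findings

if __name__ == "__main__":
    for finding in detect_arp_anomalies(BEFORE, AFTER):
        print(finding)
```

A changed MAC for the default gateway is the classic sign of the attack; the shared-MAC check is lower confidence because routers and multi-homed hosts legitimately answer for several IPs.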
- ramnarayan
- forum buddy
- Posts: 13
- Joined: 01 Sep 2005, 16:00
- 19