DNS poisoning

For beginners, flames not allowed...(just by the staff :P)
ramnarayan
forum buddy
Posts: 13
Joined: 01 Sep 2005, 16:00

DNS poisoning

Post by ramnarayan »

Hi,

New here. I've heard of scammers/phishers using DNS poisoning techniques to make it seem as if "victims" are going to the legitimate site whereas they are being redirected to the scam one.

Can anyone explain what this (DNS poisoning) is? And how it is done?

>> Please move this to the right forum if this is not the place for this question. Apologies if this is the case.

Thanks,
Ramnarayan.

masterdriverz
forum buddy
Posts: 16
Joined: 23 Sep 2005, 16:00

Post by masterdriverz »

Basically, DNS is like an address book. It resolves a host name, e.g. www.google.com, to an IP address, e.g. 66.102.9.99 (Google's IP). DNS poisoning happens when you make a user believe they are accessing a legitimate site when in fact the address is being resolved to a different IP, usually one of a server which contains a phishing website, i.e., one that records your username or bank details, and then redirects you to the legitimate site, meaning you're not even aware your identity has been stolen.

Hope this makes sense

MD

Post by ramnarayan »

Hi MD,

Thanks for answering my question. Now, since this can be done, can someone explain how it's done or even if someone can detect if this has been done to one's DNS record?

MD, once again, thanks for the answer!

Regards,
Ramnarayan.

Post by masterdriverz »

It's done using a man-in-middle attack, where the attacker intercepts traffic going both ways. And while it's not technically possible to detect, as traffic both ways is intercepted and modified, using encryption to communicate with another system, which will resolve the hostname to a legitimate IP. However, DNS poisoning can be done on an even lower level, called ARP poisoning (correct me if I'm wrong), where although the target believes a packet has been sent to the correct IP, it has in fact been intercepted and modified, and may not even reach its destination.

Hope this helps

MD

bad_brain
Site Owner
Posts: 11600
Joined: 06 Apr 2005, 16:00
Location: The zone.

Post by bad_brain »

ARP poisoning manipulates the content of the target's ARP (address resolution protocol) cache. In the ARP cache the lookup tables of known hosts (the host must have been contacted before) are stored. An attacker who uses ARP poisoning is changing the MAC address (also known as hardware address) of a known host to an address which he controls, so he can intercept the network traffic and try to find sensitive information.
So ARP poisoning is more the part of an active attack against a host or network, for scammers it's not very useful because the ARP cache is emptied every 30 minutes per default (at least on Unix systems)... :wink:
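
Added example, not part of the thread: a defensive check for the ARP cache change described in the post above, comparing two snapshots of the cache. It assumes the Linux/BSD `arp -an` output format, and all addresses in it are constructed sample data.

```python
import re

# One line of `arp -an` output (assumed Linux/BSD format), e.g.
#   ? (192.0.2.1) at 02:00:00:aa:aa:01 [ether] on eth0
ARP_LINE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ([0-9a-fA-F:]{17})\b")

def parse_arp(text):
    """Return {ip: mac}; '<incomplete>' entries do not match and are skipped."""
    return {ip: mac.lower() for ip, mac in ARP_LINE.findall(text)}

def arp_alerts(before, after):
    """Compare two ARP cache snapshots and list suspicious differences."""
    old, new = parse_arp(before), parse_arp(after)
    alerts = []
    # 1. A known host whose MAC address changed between the snapshots.
    #    Can be benign (replaced NIC, failover), so treat it as a lead to check.
    for ip in sorted(old.keys() & new.keys()):
        if old[ip] != new[ip]:
            alerts.append(f"CHANGED {ip}: {old[ip]} -> {new[ip]}")
    # 2. Several IPs mapped to one MAC in the newer snapshot. Also seen with
    #    proxy ARP or multi-homed routers, so compare against a known baseline.
    by_mac = {}
    for ip, mac in new.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append(f"SHARED {mac}: {', '.join(sorted(ips))}")
    return alerts

# Constructed sample snapshots (TEST-NET addresses, locally administered MACs).
BEFORE = """\
? (192.0.2.1) at 02:00:00:aa:aa:01 [ether] on eth0
? (192.0.2.23) at 02:00:00:bb:bb:17 [ether] on eth0
? (192.0.2.40) at <incomplete> on eth0
"""
AFTER = """\
? (192.0.2.1) at 02:00:00:BB:BB:17 [ether] on eth0
? (192.0.2.23) at 02:00:00:bb:bb:17 [ether] on eth0
"""

if __name__ == "__main__":
    for line in arp_alerts(BEFORE, AFTER):
        print(line)
```

On a real host the two inputs would be saved `arp -an` outputs taken some time apart; a static ARP entry for the gateway removes the need for the first check on that address.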

Post by ramnarayan »

MD and Bad Brain - Thanks for the info!

Still trying to digest some of it, but I hope I will understand the entire concept soon and try to simulate it if I can (in my brain at least).

Learning every day I spend here!

Thanks guys.

Post by bad_brain »

np... read a little about the TCP/IP protocol family, you'll find some nice stuff in the textfiles section. It's very useful to know how networking basically works, and in my opinion it's even inevitable... :wink:

Merchant
suck-o-fied!
Posts: 70
Joined: 30 Oct 2005, 17:00
Location: In the shadows of your mind...

Post by Merchant »

Hey, I kinda jumped in. I wanted to know, what is the technical aspect of DNS? Is it a program, etc.? Can anyone tell me?

Merchant

Ameradi
On the way to fame!
Posts: 46
Joined: 20 May 2005, 16:00
Location: Germany

Post by Ameradi »

Hey Merchant... check this out :

http://en.wikipedia.org/wiki/DNS

Post by Merchant »

Many thanks

Merch
