MITM & Sniffing Tools

How To Sniff DNS Using DNSspoof & Ettercap ? [MITM Series : 2]

Welcome to all my beloved hackers, In this article we’ll learn DNS spoofing using dnsspoof and ettrcap

In previous part of this series we’ve discussed about ARP spoofing in this series of MITM

What is DNS ?

DNS stands for domain name server which is used to resolve the domain names into IP address.
Basically DNS resolvers asks for a domain and the DNS records contain domain names with respect IP address will return the IP address of the domain so that we can visit the site.
DNS was introduced to use strings in web addresses.
There are many DNS services are like DDNS, RDNS etc

What is DNS spoofing ?

DNS spoofing is a active attack where we used to poison DNS requests and we change the IP address of the domain which the victim queries to our own IP address. and we setup web server in local machine which is fake page. we can perform phishing using this attack.

Attack scenario

You need to be in a LAN network or an hot-spot WLAN to perform this attack. We’ll discuss DNS spoofing using dnsspoof and ettercap. you need to have network packet analyzer. sniff the connections. and you need to have apache server to create fake web page on your local server.

DNS spoofing using dnsspoof

dnsspoof is a terminal shell tool where we can perform DNS spoofing on our terminal.
to get this tool run this command on terminal

sudo apt-get install dnsspoof

After getting this tool at command line you can use it
the basic syntax of this tool is

dnsspoof [-i interface] [-f hostsfile] [expression]

It’s very simple to use this
you first need to turn your NIC into promiscuous mode to sniff all the connections going on LAN
run this comamnd to do that

ifconfig wlan1 promisc

the wlan1 is a interface that I’m using in your case that might be different so if you are on Ethernet you can specify eth0 and if you are on WiFi internal you can specify wlan0 and for external wlan1.

Now you have to change the DNS records of the LAN using tcpkill its just by

 tcpkill -9 host []

make sure you changed the website name of your victim site.

After doing this you have to change the hosts file where you have to specify your IP address and spoof the domain. so open the hosts file find in usr/local
edit that file specify add this line


It’s important here to use the TAB key between the IP address and the domain. Spaces will be interpreted by the system to be part of the domain name.

Find your IP address using ifconfig

Now we need to create a website that the user will be directed to when they type in the URL of their browser. Let’s create a simple webpage. If you want more info on how to create a simple webpage and host it in Linux, check out my Linux guide on Apache web servers.
go to var/www/html folder create index.html file in there and place fake website as you desired and save it.
go to terminal and start apache server running this command

service apache2 start

and at last run this command to start spoofing DNS

dnsspoof -h hosts

Now, when anyone on the local area network attempts to navigate to the website, they will instead come to our website!

DNS Spoofing using ettercap

It’s very easy to spoof DNS using ettercap. Ettercap is a GUI tool where you can perform almost all types of MITM attacks on LAN
first if you dont have ettercap you need to install that by running this command on terminal

sudo apt-get install ettercap

then start ettercap in GUI mode by running this command on terminal

ettercap -G

Now go to top bar and select unified Sniffing and go to Host list and scan for hosts and if you get all the hosts including your victim you need to select
Gateway IP address to Target 1 and victims IP address to target 2 then go to terminal and edit the etter.conf file located in /etc/ettercap/etter.conf

edit the uid and gid values at the top to make them say 0 so go ahead and do that.
and scroll down and find Linux in the file and remove both the # signs below where it says “if you use iptables”.
then save the file.

Go to the MITM tab and select ARP poisoning, choose Sniff remote connections and press OK. Now go to Plugins > Manage the plugins and double click dns_spoof to activate that plugin.

This etter.dns file is the hosts file and is responsible for redirecting specific DNS requests. Basically, if the target enters they will be redirected to your’s website, but this file can change all of that. This is where the magic happens, so let’s edit it.

First, however, let me explain what can and should be done with the hosts file. So in a real life scenario, an attacker would use this opportunity to redirect traffic to their own machine for data sniffing. This is done by starting an Apache server on the Kali machine and changing the default homepage to a clone of, let’s say or so that when the victim visits those websites, after being redirected to the attacker machine they will see the clones of the aforementioned sites. This will probably fool the unsuspecting user into entering their credentials where they really shouldn’t. Enough talk, let’s do it.

First, redirect traffic from any website you would like to your Kali machine. For that, go down to where it says “microsoft sucks ;)” and add another line just like that below it, but now use whatever website you would like. Also, don’t forget to change the IP address to your IP address. you can find your IP address in Ifconfig command.

Now add index.html file in var/www/html which has the fake page of the site which is going to be redirected.
Start apache2 server running this command

service apache2 start

And you are all set. wait for victim to connect. use wireshark to sniff.
if you dont know wire shark we’ve tutorial on that please read that.

I hope this article was helpful in understanding the DNS spoofing using both ettercap and dnsspoof. Please like and share if you have any queries please comment in.
we’ll continue MITM series for DHCP spoofing and DOS in future part.

The following two tabs change content below.

Anuj Mishra

Admin, Founder & Chief Editor at HackeRoyale
Engineer. Blogger. Ethical hacker. Penetration Tester. Deep Webbie. Bug hunter. Security Analyst. Web Developer. Techie. Programmer. Foodie. Music Lover. Traveller. Enthusiast.

Comment Now !