Spoofing – CompTIA Security+ SY0-401: 3.2


The bad guys are very good at providing fake information to us. In this video, you’ll learn how spoofing works and how pharming and phishing have become common ways to illicitly obtain our private information.



Spoofing is when you pretend to be something that you really aren’t. Maybe you’re a fake DNS server or a fake web server. We see spoofing in email, when we will get an email message that looks like it came from somebody we trust, but in reality that From address has been spoofed or modified. And it’s not really who we think it came from.

You can also perform spoofing in a man-in-the-middle attack. You can change information as it’s going by, so that the information that is received is very different from the information that was originally sent. You can even see spoofing happen with traditional telephones, with caller ID spoofing: you look down when your phone rings, and it says there’s a call from the White House, but of course it’s simply a spoofed name and number that’s popping up on your telephone.

One type of spoofing is called DNS poisoning. This is when we’re changing the domain name server information itself. And you can change it inside of the server if you’re taking advantage of a known vulnerability, although this is something that’s a bit difficult to accomplish.

Another way to spoof DNS information is to spoof it on the client machine rather than on the DNS server. If you change the hosts file on a client machine, the client will consult that hosts file before it ever talks to a DNS server. You can also do DNS poisoning by changing the responses that are sent back to the user. As the user makes the request to the DNS server, the bad guy intercepts that message going by and sends back a fake response, pretending to be the DNS server. When that happens, the client can be redirected to any IP address the bad guy likes.

Here’s how this might happen. We’ve got two users, User 1 and User 2, a DNS server, and the bad guy sitting in the middle. User 1 wants to query for professormesser.com; he needs the IP address of that particular web server. So he sends a DNS request to the DNS server. The DNS server has the correct address, 162.159.246.164, and it sends that response back to the client.

The client, upon getting that response, fills in the missing address and then performs the normal communication to the professormesser.com server, using that correct IP address. The second user is going to perform the same function and send a request out to the DNS server. But before he can, the bad guy sends an update message to the DNS server, and the DNS server does nothing to validate it. That means that the software in the DNS server is faulty. Once it receives that poisoned information from the bad guy, it changes the IP address for that particular website.

And now the second user sends the same request for the same domain name, but the response that goes back contains the poisoned address, 100.100.100.100. User 2 has now received an incorrect IP address for the professormesser.com website, and all the bad guy has to do is wait for that user to visit his malicious site.
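The two poisoning paths described above (a client-side hosts file override and a resolver answer that no longer matches the real address) can both be checked from the defender’s side. The following is an added example, not code from the original video; the hosts file contents and the pinned baseline address are constructed for illustration, reusing the addresses from the walkthrough.

```python
from ipaddress import ip_address

# Constructed baseline: domain -> set of addresses we expect resolvers to return.
PINNED = {"professormesser.com": {"162.159.246.164"}}

# Constructed hosts-file content containing a client-side override.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1   localhost
::1         localhost
# Suspicious: this line sends the site to the bad guy's server
100.100.100.100  professormesser.com www.professormesser.com
"""

def hosts_overrides(hosts_text, monitored):
    """Return {domain: address} for monitored domains found in a hosts file.
    The OS consults this file before any DNS query, so an entry here wins."""
    found = {}
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip_address(addr)                    # skip malformed lines
        except ValueError:
            continue
        for name in names:
            if name.lower() in monitored:
                found[name.lower()] = addr
    return found

def check_answer(domain, answered_addr, pinned=PINNED):
    """Compare a resolver's A-record answer with the pinned baseline.
    Returns (ok, reason); a mismatch is a pharming indicator worth alerting on."""
    expected = pinned.get(domain)
    if expected is None:
        return True, "no baseline for domain"
    if answered_addr in expected:
        return True, "answer matches baseline"
    return False, f"answer {answered_addr} not in baseline {sorted(expected)}"

if __name__ == "__main__":
    print(hosts_overrides(SAMPLE_HOSTS, set(PINNED)))
    print(check_answer("professormesser.com", "100.100.100.100"))
```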

We call this redirection to a bogus site pharming, with a PH. This means that we were able to take advantage of a vulnerability in a client or a DNS server to redirect that traffic wherever we’d like it to go. Usually the bad guys are combining this pharming function with phishing as well. So they’ll send people to a site, and the victims think they’re going to PayPal and putting in their credentials, but they’re actually putting their credentials into the bad guy’s server. It’s all a combination of redirecting the user and then presenting the user with something that looks familiar but really is not.

This is very difficult for anti-virus and anti-malware software to stop, because everything looks legitimate. The DNS query was performed properly. An IP address was received. The user went out to a site that looks absolutely correct. There’s no malicious software involved on the client’s machine, and there’s no malicious software on the server. This means that we have to be extra diligent. Whenever we’re communicating with a site and providing our private information, we need to check certificates and make sure that the site is truly legitimate.