HOSTS FILE ATTACK


Lab 1 INFO24178 Computer and Network Security Winter 2016

FEBRUARY 2, 2016
Sheridan College, Davis Campus

Contents
Lab 1: Hosts File Attack
  Task Description
    Project 3-3: Hosts File Attack
  Introduction
  Literature Review
    Key concepts
    Differential diagnosis: ARP versus DNS poisoning
    Modus operandi
  Lab Objective
    Procedure
    Result
    Reversal
    Additional Note
    Conclusion
Bibliography

Lab 1: Hosts File Attack


Task Description
Project 3-3: Hosts File Attack
Complete requirements 1 - 13 and take screen captures of significant changes/modifications.
Include them with your formatted report submission.

Use the Rubric as an outline for the submission; failure to do so will mean deducted marks. You have
been warned: don't submit a document with images lacking proper figure notation or without
references that are used in the body of the text.

Introduction
A hosts file attack is one way of carrying out DNS poisoning: it redirects a request for a web page to a
malicious site. The technique requires no sophisticated knowledge or experience and is easy to carry out,
yet it can cause major impact with minimal resources. This lab shows how the attack is carried out and
how easily it can be achieved.

Literature Review
DNS poisoning as a means to conduct a hosts file attack can have a serious impact on users
and businesses. On Jan 21, 2014, The Register, a leading UK daily, reported how Chinese netizens
were unable to access social media and messaging websites, which affected about 3 million users.
The incident took about 12 hours to resolve and was a major setback for Internet service
providers and for the businesses and individuals who depended on these services (Leyden, 2014).
DNS poisoning was unveiled in July 2008, and it highlighted the simplicity and ease of an attack
that needed no sophistication in terms of resources or bandwidth to bring
down major establishments (Halley, 2008).
Key concepts
DNS: The Domain Name System (DNS) is a hierarchical naming system that matches computer names
to numbers for IP address resolution.
ARP: The Address Resolution Protocol (ARP) is the part of the TCP/IP protocol suite that determines
the MAC address for a given IP address.
Differential diagnosis: ARP versus DNS poisoning
ARP poisoning corrupts the ARP cache by associating an IP address with a fraudulent MAC
address, while DNS poisoning substitutes a fraudulent IP address for a symbolic name,
causing the computer to be redirected to another device.

Modus operandi
The attacker may choose to substitute the fraudulent IP address so that the computer is
automatically redirected to another device. This can be done at two different locations:

The local host table
The external DNS server

Lab Objective
Demonstration of the hosts file attack in the local host table as a technique of Domain Name System (DNS)
poisoning.

Procedure
Initial State

Search result for the website www.course.com

Search result for the website www.sheridancollege.ca

Altering the Hosts file


Start > All Programs > Accessories

Figure 1 Finding the Notepad to run as an administrator

Right-click Notepad > Run as administrator

Click File > Open

Click File Name drop-down arrow to change from Text Documents (*.txt) to All Files (*.*)

Navigate to the file C:\Windows\system32\drivers\etc\hosts and open it

Insert the IP address here, press Tab, and then enter the web address

Find the IP address of the webpage using the ping utility in the command prompt.
Figure 2 Obtaining the IP address of Sheridan College: ping www.sheridancollege.ca

At the end of the file, enter 142.55.47.60. This is the IP address of Sheridan College.
Figure 3 IP address of Sheridan College written, but the web address is that of www.course.com

Remember to click File and then Save AND close ALL windows.

Result
Now open the web browser and enter the address www.course.com. The output is the webpage
of Sheridan College!
Figure 4 Note the output of the web address www.course.com

Reversal
Reverse the steps that you carried out and remove the web address in the hosts file. Otherwise
you will never be able to see the www.course.com page!
Additional Note
Remember to clear the browser cache and close the browser completely after you have
reversed the change in the hosts file. Otherwise the reversal will not be complete.
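
A defender can check for this kind of tampering by parsing the hosts file and listing every active entry that overrides DNS. The following is an added example, not part of the original lab report; the sample file is constructed around the lab's entry, and the function names and finding labels are assumptions chosen for illustration.

```python
import ipaddress

# Constructed sample: a default-style Windows hosts file plus the lab's entry.
# All names below (parse_hosts, audit_hosts, the labels) are illustrative.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
#       127.0.0.1       localhost
#       ::1             localhost
127.0.0.1\tlocalhost
142.55.47.60\twww.course.com   # added during the lab
0.0.0.0 ads.example.test tracker.example.test
not-an-ip www.example.test
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname); ip is None for a malformed line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop full-line and trailing comments
        if not line:
            continue
        fields = line.split()                 # tabs and spaces both separate fields
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            yield line_no, None, raw.strip()
            continue
        for name in fields[1:]:               # one line may carry several aliases
            yield line_no, ip, name.lower()

def audit_hosts(text, allowed=frozenset({"localhost"})):
    """Return a finding for every mapping that overrides normal DNS resolution."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if ip is None:
            findings.append((line_no, "malformed", name))
        elif name in allowed and ip.is_loopback:
            continue                          # expected default entry
        elif ip.is_loopback or ip.is_unspecified:
            findings.append((line_no, "sinkhole", f"{name} -> {ip}"))
        else:
            findings.append((line_no, "redirect", f"{name} -> {ip}"))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On a real machine, pass the contents of C:\Windows\system32\drivers\etc\hosts to audit_hosts; any "redirect" finding that no administrator added deliberately deserves investigation.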
Conclusion
Hosts file attacks are simple to conduct and can cause serious business impact. DNS attacks can be
prevented by keeping your DNS resolver private and protected and by regularly checking for open
resolvers on your network. Security configuration can be enhanced by adding variability to outgoing
requests, such as using a random source port, random query IDs, and random case
and letter combinations in the domain names (Rubens, 2013).
"No one cares about your security as much as you do, so we advise hosting and managing
yourself -- if you have the skills to do so," says Brenton.
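
The three sources of variability named above can be modelled in a few lines to show what a resolver checks and how much a forger has to guess. This is an added example, not from the original report or from Rubens; the port range, field names and function names are assumptions, and a real resolver matches more of the response than this sketch does.

```python
import math
import secrets

PORT_MIN, PORT_MAX = 1024, 65535   # assumed source-port range for this sketch

def randomize_case(name, rng=secrets):
    """Set each letter to upper or lower case at random; other characters pass through."""
    return "".join(c.upper() if rng.randbelow(2) else c.lower() for c in name)

def make_query(name, rng=secrets):
    """Build the unpredictable parts of an outgoing query (hypothetical field names)."""
    return {
        "txid": rng.randbelow(1 << 16),                                # random query ID
        "src_port": PORT_MIN + rng.randbelow(PORT_MAX - PORT_MIN + 1),  # random source port
        "qname": randomize_case(name, rng),                            # random letter case
    }

def accept_response(query, response):
    """Accept only a response that echoes all three random values exactly."""
    return (response["txid"] == query["txid"]
            and response["dst_port"] == query["src_port"]
            and response["qname"] == query["qname"])   # case-sensitive comparison

def guess_space_bits(name):
    """Bits a blind forger must guess: 16 for the ID, the port range, one per letter."""
    letters = sum(c.isalpha() for c in name)
    return 16 + math.log2(PORT_MAX - PORT_MIN + 1) + letters

if __name__ == "__main__":
    q = make_query("www.course.com")
    forged = {"txid": q["txid"], "dst_port": q["src_port"], "qname": "www.course.com"}
    print(q, accept_response(q, forged), round(guess_space_bits("www.course.com"), 2))
```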

Bibliography
1. Halley, B. (2008, October 20). How DNS cache poisoning works. Retrieved from
www.networkworld.com: http://www.networkworld.com/article/2277316/tech-primers/howdns-cache-poisoning-works.html
2. Leyden, J. (2014, January 21). Retrieved from www.theregister.co.uk:
http://www.theregister.co.uk/2014/01/21/china_dns_poisoning_attack/
3. Rubens, P. (2013, December 5). How to prevent DNS attacks. Retrieved from
www.esecurityplanet.com: http://www.esecurityplanet.com/network-security/how-to-preventdns-attacks.html
