Effectively change the hosts file of your iPhone, iPad or Android with ettercap

Based on “Test web apps on iOS by DNS spoofing your LAN with Ettercap” by Henrique Barosso. Modified to work on a Mac running OS X.

To access a website or service that uses a virtual host but isn’t in DNS, you need to add it to the hosts file of the machine you’re using for testing.

Unfortunately, you can’t edit the hosts file of a (non-jailbroken) iPhone or iPad. This makes testing difficult.

As a workaround, we’re going to use ARP spoofing to intercept DNS requests from your iPhone or iPad and respond to those requests with the IP address of your virtual server.

So, if accessing your development environment requires a hosts file entry like

192.254.12.1	devserver.mysite.com

then this process will let you tell your iPhone or iPad to resolve devserver.mysite.com in the same way.

A few things to keep in mind before you do this:

  • you need to have sudo on your Mac
  • your iPhone or iPad and Mac need to be on the same WiFi network, and
  • you can do a lot of evil, evil things by ARP spoofing on a public network; do not do this, it’s illegal

With that said, to get this going:

  1. Install ettercap. I recommend using Homebrew to manage linux ports on your Mac:

    % brew install ettercap
  2. Find the IP address of the device (iPhone or iPad) you’d like to test with. On iOS 7 you can see your phone’s IP address by navigating to Settings > Wi-Fi > Wireless Network Name. Let’s say it’s 192.168.1.105.

  3. Turn off WiFi on the device you want to test with; this will clear its ARP cache.
  4. Edit /usr/local/etc/ettercap/etter.dns and add an entry for the virtual server you would like to test, e.g.
    # Websites for testing
    devserver.mysite.com   A   192.254.12.1
    	
  5. Enable the firewall and IP forwarding:
    % sudo sysctl -w net.inet.ip.forwarding=1
    % sudo sysctl -w net.inet.ip.fw.enable=1
  6. Start ettercap and activate the dns_spoof plugin:
    % sudo ettercap -i en1 -T -q -M ARP:remote -P dns_spoof /192.168.1.105/ //

    Remember to replace 192.168.1.105 with the IP address of your phone or tablet.

  7. Turn WiFi back on on your device.

    If everything worked properly, you should see some output from ettercap, letting you know that it’s intercepted an ARP request on your device.

    % sudo ettercap -i en1 -T -q -M ARP:remote -P dns_spoof /192.168.1.101/ //
    Password:
    
    ettercap 0.8.0 copyright 2001-2013 Ettercap Development Team
    
    Listening on:
       en1 -> XX:XX:XX...
    
    SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
    Privileges dropped to UID 65534 GID 65534...
    
      33 plugins
      42 protocol dissectors
      57 ports monitored
    16074 mac vendor fingerprint
    1766 tcp OS fingerprint
    2182 known services
    
    Randomizing 255 hosts for scanning...
    Scanning the whole netmask for 255 hosts...
    * |==================================================>| 100.00 %
    
    Scanning for merged targets (1 hosts)...
    
    * |==================================================>| 100.00 %
    
    7 hosts added to the hosts list...
    
    ARP poisoning victims:
    
     GROUP 1 : 192.168.1.101 CC:XX:XX:XX:XX
    
     GROUP 2 : ANY (all the hosts in the list)
    Starting Unified sniffing...
    
    
    Text only Interface activated...
    Hit 'h' for inline help
    
    Activating dns_spoof plugin...
    
    dns_spoof: [devserver.mysite.com] spoofed to [192.254.12.1]
    
  8. Try navigating to devserver.mysite.com on your device. If it doesn’t work, then try turning your WiFi on and off again to flush the ARP cache.
  9. Once you’re done testing, press q to exit ettercap.
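To see what the ARP spoofing in step 6 looks like in a poisoned host's ARP cache, and to confirm the cache is back to normal after step 9, the following added example (not part of the original post) groups `arp -an` output by MAC address and reports any MAC claimed by more than one IP. The sample table is constructed: only 192.168.1.105 comes from the text above, while the gateway and Mac addresses and all MACs are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): spot the ARP poisoning from
# step 6 in a host's ARP cache, where several IPs end up sharing one MAC.

# Reads `arp -an` style lines on stdin and prints "<mac> <ip> <ip> ..."
# for every MAC address that is claimed by more than one IP.
find_shared_macs() {
    awk '
        # Expected shape: ? (192.168.1.1) at 02:00:00:00:00:01 on en1 ...
        $3 == "at" && $4 ~ /^[0-9A-Fa-f:]+$/ {
            ip = $2; gsub(/[()]/, "", ip)
            mac = tolower($4)
            if (mac == "ff:ff:ff:ff:ff:ff") next    # broadcast entry
            if (ip ~ /^2(2[4-9]|3[0-9])\./) next    # multicast entry
            if (mac in ips) { ips[mac] = ips[mac] " " ip; n[mac]++ }
            else            { ips[mac] = ip; n[mac] = 1 }
        }
        END { for (m in ips) if (n[m] > 1) print m, ips[m] }
    '
}

# Constructed sample of a poisoned cache. Assumed addresses: gateway .1,
# the Mac running ettercap .20 (MAC ending aa), the test phone .105.
sample_poisoned() {
    cat <<'EOF'
? (192.168.1.1) at 02:00:00:00:00:01 on en1 ifscope [ethernet]
? (192.168.1.20) at 02:00:00:00:00:aa on en1 ifscope [ethernet]
? (192.168.1.105) at 02:00:00:00:00:aa on en1 ifscope [ethernet]
? (192.168.1.42) at (incomplete) on en1 ifscope [ethernet]
? (224.0.0.251) at 01:00:5e:00:00:fb on en1 ifscope permanent [ethernet]
? (192.168.1.255) at ff:ff:ff:ff:ff:ff on en1 ifscope [ethernet]
EOF
}

# Prints the MAC that answers for both the Mac and the phone.
sample_poisoned | find_shared_macs

# Live check on a real host: arp -an | find_shared_macs
```

Empty output from the live check means no two IPs in the cache share a MAC.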

That’s it! If you have questions, concerns, or enhancement suggestions please let me know on twitter (@josephby) or join the conversation on Hacker News.
