DNSSpoof success rate


factgasm

Can anyone get their Pineapple to DNSSpoof 100% of websites they want spoofed without failure? (Excepting https sites)

My Pineapple only spoofs intermittently and unreliably, and until I can get it working correctly 100% of the time it's no good to me in the field.

Edited by factgasm
Link to comment
Share on other sites

100% here on IE and Firefox for Windows 7, Chrome on Android and Iceweasel on Kali. However, there is a very serious limitation in the way DNSspoof works. When a browser (doesn't matter which as far as I can tell) tries to locate a site, it will make a DNS request but only if it hasn't already connected to that site previously that session. If it has already connected to that site, then the DNS info is cached from the previous visit. This results in some "odd" things such as:

1) If I DNS spoof a client to visit fake.com instead of real.com, after I cease DNS spoofing, they will still go to fake.com until they end their browser session (typically requires a reboot of the device, not simply closing the browser).

2) If they have visited that site prior to me engaging in DNS spoofing, they will still visit the real site since the IP address for it is already cached. DNS spoofing is completely ineffective as no DNS requests are made for the target site.

3) Changing to a different browser will fix either problem without restarting since each browser caches the DNS info separately.

Other than somehow deleting the victim machine's cache remotely or causing their device to restart, I don't know of a way to overcome these limitations.

Link to comment
Share on other sites

These limitations could potentially be overcome with iptables rules to redirect the IP traffic rather than the DNS queries. Meaning if example.com is cached as 93.184.216.119 and you reroute that IP to 172.16.42.1 it wouldn't matter if the browser has DNS cached or not.

Link to comment
Share on other sites
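
Seen from the defending side, the DNS-level spoofing discussed in the posts above leaves a trace in resolver logs: public names answered with an address inside the local network, often many names sharing one address. The sketch below is an added example, not code from any poster in this thread; the log format, field names, `LOCAL_SUFFIXES` and function names are assumptions, and the sample log is constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample resolver log (assumed format, not from the thread).
SAMPLE_LOG = """\
10:00:01 client=172.16.42.101 query=example.com answer=93.184.216.119
10:00:07 client=172.16.42.101 query=real.com answer=172.16.42.1
10:00:09 client=172.16.42.102 query=printer.lan answer=172.16.42.50
10:00:12 client=172.16.42.102 query=news.example.org answer=172.16.42.1
10:00:15 client=172.16.42.103 query=malformed line
"""

# Assumed suffixes for names that legitimately resolve to private addresses.
LOCAL_SUFFIXES = (".lan", ".local", ".internal", ".home.arpa")


def parse_line(line):
    """Return (name, ip) for a well-formed line, or None if it does not parse."""
    fields = dict(f.split("=", 1) for f in line.split()[1:] if "=" in f)
    try:
        name = fields["query"].lower().rstrip(".")
        return name, ipaddress.ip_address(fields["answer"])
    except (KeyError, ValueError):
        return None


def suspicious_answers(log_text, shared_threshold=2):
    """Flag public names answered with private, loopback or link-local IPs."""
    by_ip = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of failing the whole run
        name, ip = parsed
        if "." not in name or name.endswith(LOCAL_SUFFIXES):
            continue  # internal names may map to private addresses
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            by_ip[str(ip)].add(name)
    findings = []
    for ip, names in sorted(by_ip.items()):
        # Several unrelated public names on one local IP is the stronger signal.
        severity = "high" if len(names) >= shared_threshold else "medium"
        findings.append({"ip": ip, "names": sorted(names), "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in suspicious_answers(SAMPLE_LOG):
        print(finding)
```

A check like this only sees tampered DNS answers; redirection at the IP layer, as suggested in the post above, leaves DNS answers unchanged and has to be caught elsewhere, for example by certificate validation failures on HTTPS sites.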

@King_Hrothgar and what about sites with SSL protocol? Can you spoof websites like Gmail, Hotmail, Twitter...? I'm asking you because I can't spoof sites with SSL except Facebook.

Pay close attention to what the browser actually looks up when you try to spoof a site. If you're using Firefox or Chrome, I promise you it's sticking in https regardless of what you enter into the address bar if you are going to a common site (Twitter, YouTube and so on). Assuming the browser hasn't cached the IP already, this often results in simply blocking the website. DNSspoof is primarily effective against outdated browsers or when spoofing less common sites, like this one. :tongue:

If you are looking for a more reliable spoofing method, I suspect Darren's method would be very effective though I've never tried it.

Link to comment
Share on other sites

Yeah, the proxy we are releasing soon as part of the WiFi Pineapple firmware will be able to see the domain requested and can spoof / intercept / inject code into the response.

More info on this when it's ready!

Best Regards,

Sebkinne

Link to comment
Share on other sites

This sounds very encouraging.
