DNSSpoofing in modern browsers


Alberto

Hi,

I've got an open AP set up on the MarkV that clients can connect to. Now I also have dnsspoof set up and everything seems to be working except for sites like Facebook/Twitter/Gmail. Other sites get spoofed perfectly, but for whatever reason sites with SSL don't work.

The browser would say the site was unable to load.

Did anything change in the last couple of weeks? Because it was working a couple of weeks ago (Facebook/Twitter/Gmail/etc.).

Kind regards,

Alberto

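From the defender's side, the situation described above (an AP answering DNS queries for public names with an address on its own LAN) is easy to spot in the answer bytes themselves. The following is an added example, not code from the thread or from the Pineapple project: it parses a DNS response in wire format (including name-compression pointers, which real resolvers use) and flags A records that map a public name to a non-global address. The response packet, the name `www.facebook.com` and the address `172.16.42.1` are constructed sample values.

```python
"""Parse a DNS response and flag answers that hand a public name a private,
loopback or link-local address. Added example; the packet built by
build_response() is constructed, not captured from the thread's setup."""
import ipaddress
import struct


def read_name(pkt: bytes, off: int):
    """Decode a (possibly compressed) DNS name starting at offset off.
    Returns (name, offset just past the name in the original stream)."""
    labels = []
    jumped = False
    end = None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack('!H', pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                          # resume here afterwards
            jumped = True
            off = ptr
            continue
        off += 1
        if length == 0:                                # root label terminates
            break
        labels.append(pkt[off:off + length].decode('ascii'))
        off += length
    return '.'.join(labels), (end if jumped else off)


def parse_answers(pkt: bytes):
    """Return a list of (name, ttl, ipv4) for A records in the answer section."""
    _id, _flags, qdcount, ancount, _ns, _ar = struct.unpack('!6H', pkt[:12])
    off = 12
    for _ in range(qdcount):                           # skip the question section
        _, off = read_name(pkt, off)
        off += 4                                       # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = read_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack('!HHIH', pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            answers.append((name, ttl, str(ipaddress.IPv4Address(rdata))))
    return answers


def suspicious_answers(pkt: bytes):
    """Answers where a name resolves to an address that is not globally routable
    (RFC 1918, loopback, link-local, ...): the signature of a local spoofer."""
    return [(name, ttl, ip) for name, ttl, ip in parse_answers(pkt)
            if not ipaddress.ip_address(ip).is_global]


def build_response(qname: str, ip: str, ttl: int = 60) -> bytes:
    """Constructed sample response: one question and one A answer whose owner
    name is a compression pointer (0xC00C) back to the question name."""
    def encode(name: str) -> bytes:
        return b''.join(bytes([len(l)]) + l.encode('ascii')
                        for l in name.split('.')) + b'\x00'
    header = struct.pack('!6H', 0x1234, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1
    question = encode(qname) + struct.pack('!HH', 1, 1)      # A, IN
    answer = (b'\xc0\x0c' + struct.pack('!HHIH', 1, 1, ttl, 4)
              + ipaddress.IPv4Address(ip).packed)
    return header + question + answer


# Constructed sample: a public name answered with a LAN address (AP-style spoof).
SPOOFED = build_response('www.facebook.com', '172.16.42.1', ttl=60)

if __name__ == '__main__':
    for name, ttl, ip in suspicious_answers(SPOOFED):
        print(f'suspicious: {name} -> {ip} (ttl {ttl})')
```

On a client you would feed this function the responses seen on UDP port 53 (for example from a pcap) and alert on any hit for a name you expect to be public; a legitimate resolver will never return a private address for such a name, so the check has essentially no false positives outside split-horizon corporate DNS.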

I'm not all that familiar with the Pineapple yet, however are you sure you have an SSL-enabled web server that can accept HTTPS connections? Can you verify this manually? When it comes to DNS spoofing there really isn't a whole lot of difference between HTTP and HTTPS as far as the initial spoof goes. You obviously would have issues if you tried to reuse someone else's certificate, but something that was self-signed shouldn't be an issue. But if you didn't get any SSL-related warnings I'd be more inclined to think you just don't have an SSL-enabled server.


Yeah, I've had this same issue for years, nothing new. I've yet to figure a way around it.


This is because modern browsers are now implementing a technology called HSTS. You can read about it here https://en.m.wikipedia.org/wiki/HTTP_Strict_Transport_Security

The coming Pineapple update supposedly has a partial workaround for SSL/HSTS.

Can't wait.

Too bad most users only go to those sites, so to them it'll just be like "internet isn't working :'( "

It won't last long before it's patched and will no longer work.

I like stuff that isn't likely to be patched fast, like wireless security attacks. We have yet to get a new encryption, I mean we're years behind. God forbid a major wireless flaw is found in WPA and WPA2 that we are not aware of yet, and we don't even have a new encryption to save us :B

I honestly believe there is a flaw in WPA/WPA2 we have yet to discover. It's like trying to throw a rock into the middle of the ocean from land; if there is a will there is always a way to break it, and WPS attacks were just the start of breaking WPA and WPA2.


I don't see what HSTS has to do with it?

DNS spoofing occurs before HSTS ever comes into play. In order for HSTS to work, the connection needs to be made to the Facebook servers for it to force SSL/HSTS.

The exception to this rule is if your browser uses a preload list.

HOWEVER, a preload list simply states that xxx.com MUST use SSL. It doesn't verify the certificate or even the IP address...

So if you spoof the DNS response - as far as the browser is concerned, it is getting a valid IP for a domain. As long as that IP has a server that can respond with SSL, it has no idea that it's connecting to the wrong server.

As such, I don't see what HSTS has to do with this issue at all.

And for what it's worth, I wrote a Perl script less than 2 months ago that would work successfully on sites using HSTS, including Facebook, provided you had a properly configured web server.

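Since the thread goes back and forth on what HSTS does, here is a small model of the browser-side logic, written as an added example (not code from the thread, the Pineapple, or any browser). HSTS answers exactly one question: must this host be reached over https? A host is upgraded if it is on the browser's built-in preload list, or if an earlier response received over TLS carried a valid `Strict-Transport-Security` header whose `max-age` has not expired (RFC 6797). The certificate of whatever server DNS points the browser at is then checked by the ordinary TLS validation, and under an HSTS policy a certificate error is fatal rather than a click-through warning. The preload list below (`facebook.com` only) and the header values in the usage are constructed.

```python
"""Model of browser HSTS policy handling: preload list plus a cache of
policies learned from Strict-Transport-Security headers. Added example;
the preload entries and header strings used with it are constructed."""
import time
from dataclasses import dataclass


@dataclass
class HstsPolicy:
    expires: float            # absolute time (seconds) after which the policy lapses
    include_subdomains: bool


def parse_sts(header: str):
    """Parse a Strict-Transport-Security header value.
    Returns (max_age, include_subdomains, preload), or None if the header is
    invalid (max-age missing or non-numeric), in which case it is ignored."""
    max_age = None
    include_sub = False
    preload = False
    for directive in header.split(';'):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition('=')
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == 'max-age':
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == 'includesubdomains':
            include_sub = True
        elif name == 'preload':
            preload = True
    if max_age is None:
        return None
    return max_age, include_sub, preload


class HstsCache:
    def __init__(self, preload):
        # preload: dict of host -> include_subdomains flag (constructed stand-in
        # for the browser's compiled-in list)
        self.preload = preload
        self.cache = {}

    def observe(self, host, header, over_tls, now=None):
        """Record a policy from a response. A header seen over plain http is
        ignored (RFC 6797 section 8.1); max-age=0 clears a cached policy."""
        if not over_tls:
            return
        parsed = parse_sts(header)
        if parsed is None:
            return
        max_age, include_sub, _preload = parsed
        now = time.time() if now is None else now
        if max_age == 0:
            self.cache.pop(host, None)
        else:
            self.cache[host] = HstsPolicy(now + max_age, include_sub)

    def must_use_tls(self, host, now=None):
        """True if host, or a parent domain with includeSubDomains, carries an
        unexpired cached policy or a preload entry."""
        now = time.time() if now is None else now
        labels = host.split('.')
        for i in range(len(labels)):
            candidate = '.'.join(labels[i:])
            exact = (i == 0)
            pol = self.cache.get(candidate)
            if pol and pol.expires > now and (exact or pol.include_subdomains):
                return True
            if candidate in self.preload and (exact or self.preload[candidate]):
                return True
        return False


if __name__ == '__main__':
    browser = HstsCache({'facebook.com': True})          # constructed preload list
    print(browser.must_use_tls('www.facebook.com'))      # upgraded via preload
    browser.observe('example.com', 'max-age=3600; includeSubDomains',
                    over_tls=True, now=1000)
    print(browser.must_use_tls('mail.example.com', now=1001))
```

The point the model makes concrete: a preload or cached entry changes only the scheme the browser will use. It adds no hostname or address check of its own, which is why a spoofed resolver can still steer the client to another server; what stops that server is that its certificate must chain to a trusted CA for the requested name, and with HSTS in force the user cannot override the resulting error.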

It's been a while since I messed with MITM. If you DNS spoof Facebook to your machine, will you capture cookie information? Then you can process this information and provide a proper response to the client?

Transparent proxy (nowadays): I could never come up with a full 100% working MITM transparent proxy... I enjoy modifying request/response data!

Has anyone noticed that when the data is encrypted, the certs are grabbed? You can still see in plain text the domain of the cert handle!

Edited by i8igmac
Depends on what you mean by capture cookie information.

When you spoof facebook.com, you are telling the client that YOU are facebook.com. As such the client will send the cookie data to you, yes. But as you aren't actually Facebook, Facebook won't respond with updated cookie/session data, if that's what you mean.

A transparent proxy is a bit more complicated. The SSL connection would need to be initiated from the proxy to Facebook, meaning you would need to essentially be a web browser in that sense. Unsure what the timeout would be, but you would essentially need to create a connection from the victim to your proxy, keep the connection open, then use the data you can gain (such as session/cookie data) to authenticate.

However, on sites like Facebook, I do believe they use some sort of OS/browser fingerprinting. They tend to notify if you log in from a new browser and send an alert or 3 depending on your settings. Unsure if they'll let you reuse the same cookie, so you may need to authenticate again or enter a secret phrase, which may alert the user if they have half a brain cell. Or you might be able to grab the user-agent and all that special crap that identifies you, and spoof it as well.

Anyway, I'm mostly on to theoretical stuff now. I haven't gone to great lengths to try this. So it may be doable. Probably won't be easy. Or it might not be doable. Won't know until someone tries and succeeds lol
