Backtrack 5 Dns Spoofing + Set -> How To Redirect To Real Page

Snybit

Hey everyone !

I am using the Backtrack 5 GNOME 32-bit version and I've successfully tested DNS spoofing with ettercap along with the Social Engineering Toolkit. I watched a video on YouTube explaining the whole process.

So, when a user from my LAN accesses http://www.twitter.com and tries to log in, the login fails and I'm able to get their username and password; however, the user is redirected to the same false twitter.com page.

How can I redirect the user to the real twitter.com page after that first login (in which I'm able to get their login data)? I would have to change that DNS mapping because the twitter.com URL is associated with my Backtrack 5 Linux machine. How can I redirect the user to the real page (in this case the Twitter page)?

Thank you so much !


I wasn't able to get the DNS spoofing module to work with ettercap in Backtrack. After trying it in text mode and in the GUI I gave up, especially after considering how out of date it is.

I recently got a similar setup working with a fake AP (fake AP + ICS + SET + Metasploit); I posted the meat and potatoes version in the Jasager forum. Basically, if you have a rogue AP, on the AP you can set the DHCP to issue your own DNS server addy (attacking machine's IP) to connected clients. Then use the fake_dns module in Metasploit on the attacking machine to redirect everything to your machine (there is another module called web_search_scan that supposedly allows you to redirect individual DNS requests to different, specified addresses and acts more like a real server than the fake_dns module, but I have yet to test it).

After that you'd set up a web server or use the one with SET and choose the type of attack you want (credential harvesting, browser autopwn, Java attack, etc.). I found SET to be pretty solid; it was also updated a few days ago.

So if all goes according to plan, now all of the connected clients SHOULD be able to be rerouted to the malicious pages without setting off alarms in the browser or victim OS. Obviously this method could be slightly altered to do this on the LAN without using a fake AP if you had access to the router/DHCP config. I've been reading up on DNS recently and it's such a huge topic in itself.

There is also a pretty neat tool called Ghost Phisher which allows for fake DNS, DHCP and web servers. I tested it and it seemed to work. If you search on Google Code you should find it there.


My suggestion would be: don't re-invent the wheel, use the Social Engineering Toolkit.

Thank you for your reply.

I am using the Social Engineering Toolkit, but when the user goes to the false webpage (generated by the Social Engineering Toolkit) and logs in, they are always redirected to that same false page. It's like the user makes whatever number of attempts to log in and it obviously doesn't log in. What I want to do is redirect the user to the real webpage after the first login on the false webpage generated by the Social Engineering Toolkit. Is there any option in the Social Engineering Toolkit to make that redirection automatically after the first login?

Thank you so much.


Not sure, I don't use DNS spoofing when I use SET, so mine auto-redirects no problem.


Found a more specific answer to your question. Go into SET's config directory and nano or gedit or whatever "set_config". You will find the auto-redirect option; make sure it's enabled.

AUTO_REDIRECT=ON

That should be on by default. His issue is that he is spoofing DNS, so the redirect goes back to him...


I have just checked and it is ON by default.

What do you advise me to do?

Thank you so much.


Just stop DNS spoofing after you capture their credentials or whatever so they have normal access to the internet. Or code the "login" button on the fake Twitter page to redirect to https://twitter.com.

When I create a new fake website through SET, I can't find its location. I want to change the login button to redirect the user to the real page.

For example, when I create http://www.fakewebsite.com and try to search where it is:

locate fakewebsite

It doesn't return any results. Where can I find the created fake website?

Thank you so much


Look in the directory where SET is; you'll find all the site templates there. I checked and they already have links to the real pages on the login buttons. If the situation is that the victim cannot go to "https://www.twitter.com" or whatever it is because they think www.twitter.com is at 192.168.1.10, try removing the URL and putting in the REAL IP for Twitter on the login button.

I tested yesterday, and SET redirects fine for me. Sometimes the credential-capturing pages don't, but all the others seem to redirect fine. I tested it using the fake_dns module in Metasploit and with a real DNS server.

As I mentioned above, I don't use ettercap. I think this type of attack would be much smoother if you had an actual DNS server running that doesn't have problems talking to your router; I think your results will be iffy at best with ettercap.


So you use SET + metasploit + a DNS Server?

Do you know any good tutorial?

Thank you so much.


I can access the templates that already came with SET. But when I choose to make a new cloned website, I can't locate it anywhere. Do you know how I can find it? I've searched like this: "locate msn.com", but it doesn't return any results.

Thank you so much.


Don't know any tutorials on this attack but I'd be interested in seeing them if you find any.

I've used several modules in Metasploit to do this. I'm playing with digininja's dns_mitm module right now. Start with fake_dns.

MAKE SURE YOUR VICTIM MACHINE THINKS ITS DNS SERVER IS THE ADDY OF THE fake_dns METASPLOIT MODULE. Many ways to do this.

Set up SET to dish out your attack of choice. I've had success running SET (HTML server) and the fake_dns module (DHCP server) on the same machine. Obviously no other DNS/HTML servers could be running on the attacking machine.

So if all goes according to plan, attack looks kind of like this...

Step 1 - Victim machine makes a DNS request for the IP of www.facebook.com

Step 2 - fake_dns server replies with the IP 192.168.1.110 (or whatever your LAN IP is)

Step 3 - Victim machine arrives at the HTML server (SET)

Fake page templates are in /set/src/html/templates.
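On the defending side, the three-step flow above leaves a visible trace in resolver logs: a well-known public name is answered with a LAN address. The following is an added example, not code from this thread, from SET or from Metasploit; it scans constructed resolver log lines in an assumed "client qname A answer" format, flags public names answered from RFC 1918 space, and groups the flagged names by the answering host so a single machine claiming many unrelated public names stands out.

```python
import ipaddress
import re

# RFC 1918 ranges: a public name answered from here is the symptom described in
# this thread (www.twitter.com "living" at 192.168.1.10 per the victim's resolver).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Names under these suffixes legitimately live in LAN address space (assumed site policy).
INTERNAL_SUFFIXES = (".lan", ".local", ".internal")
# Assumed log format: "<client> <qname> A <answer>", one A answer per line.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+A\s+(\S+)$")
# Constructed sample resolver log: 203.0.113.10 is a documentation address standing in
# for the genuine Twitter answer; 192.168.1.110 plays the attacking LAN host.
SAMPLE_LOG = """\
192.168.1.23 www.twitter.com A 203.0.113.10
192.168.1.23 www.facebook.com A 192.168.1.110
192.168.1.45 printer.lan A 192.168.1.50
192.168.1.45 accounts.google.com A 192.168.1.110
192.168.1.23 www.twitter.com A 192.168.1.110
"""


def is_rfc1918(answer):
    """True when the answer parses as IPv4 and falls inside a private range."""
    try:
        addr = ipaddress.ip_address(answer)
    except ValueError:
        return False
    return addr.version == 4 and any(addr in net for net in RFC1918)


def find_spoofed(log_text):
    """Return (client, qname, answer) for every public name answered with a LAN address."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an A-record line in the assumed format
        client, qname, answer = m.groups()
        if qname.lower().endswith(INTERNAL_SUFFIXES):
            continue  # internal names are expected to resolve into RFC 1918 space
        if is_rfc1918(answer):
            hits.append((client, qname, answer))
    return hits


def answers_by_host(hits):
    """Group flagged names by the answering LAN address: one host claiming many
    unrelated public names is the signature of a catch-all fake resolver."""
    grouped = {}
    for _, qname, answer in hits:
        grouped.setdefault(answer, set()).add(qname)
    return grouped
```

Run against the sample, `answers_by_host(find_spoofed(SAMPLE_LOG))` attributes all three public names to 192.168.1.110, while the legitimate 203.0.113.10 answer and the internal printer name are left alone.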


Yes, the templates are there, but when I create a new website with the "Site Cloner" option, the website doesn't go to /set/src/html/templates. Can't find it anywhere :S


Anyone having issues with the Java applet attack in SET (svn update today) where Symantec anti-virus is blocking the applet? Even when I disable AV I still can't get a meterpreter. It will just keep looping the Java applet each time, forcing you to hit run. After hitting run it will pause the scheduled 2 seconds and offer the Java applet again. Any ideas?


I hope TS doesn't mind if I borrow his thread for some simple questions related to DNS spoofing with Ettercap ;)

I was thinking about doing the same type of spoof (DNS spoofing with Ettercap, redirecting to a site cloned with HTTrack), but I wonder if it might cause any harm to the network infrastructure, the spoofed "victims" or others?

And how do I undo the spoofing, so that people get to the correct site and not to me anymore?

Lastly, the target that gets spoofed in reality (logically) is the attacker's (= my) default gateway, right?

//

TT1TTOne


The cloned site is here:

/pentest/exploits/set/src/program_junk/web_clone/index.html
