Dns Spoof Troubleshooting


thestudent

I have tried everything but my DNSSpoof just doesn't work.

I even tried to change the landing page to "hello.html" which contains a "Hello World" script and I don't even get that.

I've changed my DNS Spoof Host to "172.16.42.1 *"

Is there a certain config file I should be looking at? It's like I don't even get to the index.php file.

I know I could just reset it but I need to learn troubleshooting and would rather only flash if I have to. Thanks for any help.

I have a new Mark IV. The DNS Spoof never worked correctly. It did this weird redirect loop (I've already read about that in the forum). Now it just bypasses everything and goes to the actual page. The traffic is definitely going through my Pineapple; I have a urlsnarf tab that I set up to watch traffic.

I have found on my Android phone that if I visited a site before dnsspoof, and then again with dnsspoof enabled and ICS working, my phone will bypass the DNS lookup and go directly to the site.

I wish instead of dnsspoof we had a way to send our landing page in response to any HTTP request. Maybe ettercap could do that; that would be awesome.

Anyway, can you test on another device or reset the network settings? I use 1Tap Cleaner on Android to clear out the cache.

  • 4 months later...

Okay, I'm not sure which thread I should use since there are so many threads about DNSspoof, but I'll give this one a go.

So I've been experiencing some hiccups with DNS spoof, meaning that sometimes it's redirecting to the Pineapple, and sometimes it's showing the real site. I've actually settled with this behaviour since I thought it might have to be like this.

However, now I have seen in the dnsspoof log that it's forwarding to an external site (see the spoiler for details) and I'm beginning to wonder why this is happening. As far as I understand, I think this is a server from OpenDNS, but is this something that the Pineapple is programmed to do? Is it supposed to act like this? If not, what could I do to change this behaviour?

dnsspoof output_1347364116.log [September 11 2012 14:08:48]

dnsspoof: listening on br-lan [udp dst port 53 and not src 172.16.42.1]
172.16.42.197.54039 > 172.16.42.1.53: 63708+ A? www.facebook.com
172.16.42.197.59747 > 172.16.42.1.53: 37762+ A? ar-ar.facebook.com
172.16.42.197.51605 > 172.16.42.1.53: 37683+ A? de-de.facebook.com
172.16.42.197.64158 > 172.16.42.1.53: 43307+ A? developers.facebook.com
172.16.42.197.59849 > 172.16.42.1.53: 8852+ A? es-la.facebook.com
172.16.42.197.53003 > 172.16.42.1.53: 43342+ A? fr-fr.facebook.com
172.16.42.197.63925 > 172.16.42.1.53: 10290+ A? hi-in.facebook.com
172.16.42.197.52556 > 172.16.42.1.53: 18622+ A? it-it.facebook.com
172.16.42.197.58588 > 172.16.42.1.53: 62613+ A? nb-no.facebook.com
172.16.42.197.55966 > 172.16.42.1.53: 14778+ A? nn-no.facebook.com
172.16.42.197.59382 > 172.16.42.1.53: 6099+ A? pt-br.facebook.com
172.16.42.197.52170 > 172.16.42.1.53: 26745+ A? m.facebook.com
172.16.42.197.61771 > 172.16.42.1.53: 31163+ A? pixel.facebook.com
172.16.42.197.55342 > 172.16.42.1.53: 6996+ A? blogg.no
172.16.42.197.58563 > 172.16.42.1.53: 60063+ A? www.facebook.com
172.16.42.197.51883 > 172.16.42.1.53: 24056+ A? static.ak.facebook.com
172.16.42.197.54127 > 172.16.42.1.53: 25725+ A? s-static.ak.facebook.com
172.16.42.197.53771 > 172.16.42.1.53: 8255+ A? static.ak.facebook.com
172.16.42.197.61987 > 172.16.42.1.53: 30144+ A? s-static.ak.facebook.com
172.16.42.197.64644 > 172.16.42.1.53: 26373+ A? www.facebook.com
172.16.42.197.58729 > 172.16.42.1.53: 63919+ A? static.ak.facebook.com
172.16.42.197.59129 > 172.16.42.1.53: 45681+ A? s-static.ak.facebook.com
172.16.42.197.65480 > 172.16.42.1.53: 44979+ A? twitter.com
172.16.42.197.54760 > 172.16.42.1.53: 2090+ A? www.facebook.com
172.16.42.197.50595 > 172.16.42.1.53: 54001+ A? ar-ar.facebook.com
172.16.42.197.53557 > 172.16.42.1.53: 24890+ A? de-de.facebook.com
172.16.42.197.49829 > 172.16.42.1.53: 35630+ A? developers.facebook.com
172.16.42.197.60615 > 172.16.42.1.53: 9045+ A? es-la.facebook.com
172.16.42.197.52402 > 172.16.42.1.53: 19356+ A? fr-fr.facebook.com
172.16.42.197.59823 > 172.16.42.1.53: 59182+ A? it-it.facebook.com
172.16.42.197.50730 > 172.16.42.1.53: 561+ A? hi-in.facebook.com
172.16.42.197.52812 > 172.16.42.1.53: 5458+ A? nb-no.facebook.com
172.16.42.197.57894 > 172.16.42.1.53: 40432+ A? nn-no.facebook.com
172.16.42.197.51194 > 172.16.42.1.53: 36654+ A? pt-br.facebook.com
172.16.42.197.61338 > 172.16.42.1.53: 39990+ A? www.facebook.com
172.16.42.197.59628 > 208.67.222.222.53: 55608+ A? static.ak.facebook.com
172.16.42.197.51382 > 208.67.222.222.53: 42310+ A? s-static.ak.facebook.com
172.16.42.197.51750 > 208.67.222.222.53: 30756+ A? www.facebook.com
172.16.42.197.64212 > 208.67.222.222.53: 5950+ A? static.ak.facebook.com
172.16.42.197.51237 > 208.67.222.222.53: 28688+ A? s-static.ak.facebook.com
172.16.42.197.49947 > 208.67.222.222.53: 54116+ A? www.facebook.com
172.16.42.197.51477 > 172.16.42.1.53: 3482+ A? static.ak.facebook.com
172.16.42.197.55125 > 172.16.42.1.53: 49274+ A? s-static.ak.facebook.com
172.16.42.197.52003 > 172.16.42.1.53: 5791+ A? www.facebook.com
172.16.42.197.63502 > 172.16.42.1.53: 36450+ A? ar-ar.facebook.com
172.16.42.197.55076 > 172.16.42.1.53: 31481+ A? developers.facebook.com
172.16.42.197.51104 > 172.16.42.1.53: 5200+ A? de-de.facebook.com
172.16.42.197.57290 > 172.16.42.1.53: 13701+ A? es-la.facebook.com
172.16.42.197.51135 > 172.16.42.1.53: 61794+ A? fr-fr.facebook.com
172.16.42.197.62896 > 172.16.42.1.53: 4551+ A? hi-in.facebook.com
172.16.42.197.58553 > 172.16.42.1.53: 4433+ A? it-it.facebook.com
172.16.42.197.54654 > 172.16.42.1.53: 5104+ A? nb-no.facebook.com
172.16.42.197.57794 > 172.16.42.1.53: 61713+ A? nn-no.facebook.com
172.16.42.197.63429 > 172.16.42.1.53: 52558+ A? pt-br.facebook.com
172.16.42.197.53818 > 208.67.222.222.53: 44647+ A? error.facebook.com
172.16.42.197.61880 > 208.67.222.222.53: 17368+ A? static.ak.facebook.com
172.16.42.197.57394 > 208.67.222.222.53: 1759+ A? s-static.ak.facebook.com
172.16.42.197.52127 > 208.67.222.222.53: 12831+ A? www.facebook.com
172.16.42.197.65205 > 208.67.222.222.53: 16202+ A? error.facebook.com
172.16.42.197.59769 > 208.67.222.222.53: 62273+ A? m.facebook.com
172.16.42.197.61531 > 208.67.222.222.53: 32421+ A? static.ak.facebook.com
172.16.42.197.60786 > 208.67.222.222.53: 59732+ A? www.facebook.com
172.16.42.197.61219 > 208.67.222.222.53: 8571+ A? s-static.ak.facebook.com
172.16.42.197.53234 > 208.67.222.222.53: 60705+ A? static.ak.facebook.com
172.16.42.197.52201 > 208.67.222.222.53: 24202+ A? s-static.ak.facebook.com
172.16.42.197.63018 > 208.67.222.222.53: 50430+ A? www.facebook.com
172.16.42.197.50838 > 208.67.222.222.53: 6864+ A? static.ak.facebook.com
172.16.42.197.50039 > 208.67.222.222.53: 23606+ A? s-static.ak.facebook.com
172.16.42.197.60051 > 208.67.222.222.53: 34724+ A? error.facebook.com
172.16.42.197.50794 > 172.16.42.1.53: 44897+ A? www.facebook.com
172.16.42.197.53820 > 172.16.42.1.53: 52715+ A? static.ak.facebook.com
172.16.42.197.64152 > 172.16.42.1.53: 52694+ A? s-static.ak.facebook.com
172.16.42.197.62013 > 172.16.42.1.53: 10507+ A? static.ak.facebook.com
172.16.42.197.51664 > 172.16.42.1.53: 55049+ A? www.facebook.com
172.16.42.197.64856 > 172.16.42.1.53: 49788+ A? s-static.ak.facebook.com
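As an added example (not part of anyone's post in this thread): a small Python script that parses dnsspoof's log format and summarises, per client, which resolver each query was addressed to and how the client flipped between resolvers over time. The sample lines are a handful copied from the log above plus one constructed line for a second client (172.16.42.150). Worth keeping in mind when reading the log: dnsspoof's capture filter is "udp dst port 53 and not src 172.16.42.1" (the "listening on" line at the top), so it sees every DNS query leaving a client on br-lan whatever its destination address, which is why queries the client sent straight to 208.67.222.222 appear in the log at all.

```python
"""Summarise which resolver each client's DNS queries were addressed to,
from dnsspoof's own log format (added example; not from the thread).

SAMPLE_LOG is constructed for this example: a few lines copied from the
log posted above plus one made-up line for a second client, 172.16.42.150.
"""
import re
from collections import Counter, defaultdict

PINEAPPLE_DNS = "172.16.42.1"   # the Pineapple's own address on br-lan

# One dnsspoof log line looks like:
#   172.16.42.197.54039 > 172.16.42.1.53: 63708+ A? www.facebook.com
LOG_RE = re.compile(
    r"^(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)\+ (?P<qtype>\w+)\? (?P<name>\S+)$"
)

SAMPLE_LOG = """\
dnsspoof: listening on br-lan [udp dst port 53 and not src 172.16.42.1]
172.16.42.197.54039 > 172.16.42.1.53: 63708+ A? www.facebook.com
172.16.42.197.59747 > 172.16.42.1.53: 37762+ A? ar-ar.facebook.com
172.16.42.197.59628 > 208.67.222.222.53: 55608+ A? static.ak.facebook.com
172.16.42.197.51750 > 208.67.222.222.53: 30756+ A? www.facebook.com
172.16.42.197.51477 > 172.16.42.1.53: 3482+ A? static.ak.facebook.com
172.16.42.197.53818 > 208.67.222.222.53: 44647+ A? error.facebook.com
172.16.42.150.40001 > 172.16.42.1.53: 1234+ A? twitter.com
"""


def parse_log(text):
    """Return one dict per query line; header/noise lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def resolver_usage(entries):
    """{client: Counter({resolver: query_count})}"""
    usage = defaultdict(Counter)
    for e in entries:
        usage[e["src"]][e["dst"]] += 1
    return usage


def resolver_runs(entries, client):
    """Collapse one client's queries, in log order, into consecutive runs of
    the same resolver: [(resolver, n), ...]. Several short alternating runs
    are the signature of a client flipping between primary and secondary."""
    runs = []
    for e in entries:
        if e["src"] != client:
            continue
        if runs and runs[-1][0] == e["dst"]:
            runs[-1][1] += 1
        else:
            runs.append([e["dst"], 1])
    return [tuple(r) for r in runs]


def bypassed_names(entries, trusted=PINEAPPLE_DNS):
    """Names a client asked some resolver other than the Pineapple about."""
    return sorted({e["name"] for e in entries if e["dst"] != trusted})


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for client, counts in resolver_usage(entries).items():
        print(client, dict(counts))
        print("  runs:", resolver_runs(entries, client))
    print("bypassed names:", bypassed_names(entries))
```

Run it against a full dnsspoof log (pipe the file into parse_log) and the "runs" output makes the primary/secondary flip visible at a glance: a long run to 172.16.42.1, a run to 208.67.222.222, then back.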

Alright, I was having a lot of the same problems and have come to some information about what may be going on.

In a lot of my test situations, I was connecting to the Pineapple, then turning dnsspoof on, then testing my sites. I have realized that there is a potential flaw with this. I believe I remember hearing a while ago that the way Windows handles DNS is a bit wonky. If a primary DNS server fails to respond at any one time, I believe it switches to the secondary DNS until that one fails, and then it reverts. I realized this when, looking through my dnsspoof logs, I was finding the same things you were. I was interested in where the DNS queries were going, as they were not addressed to the Pineapple (172.16.42.1) but to some other DNS server (in my case OpenDNS). An ipconfig on my victim machine shows the Pineapple as primary DNS and OpenDNS as secondary. So one of two things is happening:

dnsspoof is failing to spoof the correct DNS and instead is forwarding to OpenDNS

or

Windows has detected that the Pineapple's DNS has failed and has started reverting to the secondary DNS

My problem with the second is that the DNS records are still in dnsspoof's logs. I am not familiar with the intricacies of dnsspoof's logging function, but I do know that dnsspoof does not log DNS requests it does not touch. For example, if your hosts file has the line '172.16.42.1 *.example.com', any requests NOT for example.com will not show up in the spoof log, so perhaps something in dnsspoof is broken?

And another thing to mention is that some devices save the IP for a DNS record and bypass dnsspoof/DNS.

Absolutely true. However, a DNS flush should take care of the problem for troubleshooting. Also, the easiest way to test this is with a simple ping. If you ping the domain from the command line, you can see what IP it resolves to. This takes a whole lot of variables out of the equation (i.e. browsers, etc.).

Yeah, I think most OSes store some kind of DNS cache, therefore I always use ipconfig /flushdns and ipconfig /renew on my Windows OS. I may not need both commands, but I like to do both. And I also have a habit of running a ping to test it.

Anyways, isn't the log that dns spoof creates a kind of "copy" of dns spoof's output? Like when the log shows an opendns ip, I think that DNS Spoof is telling the victim to use the opendns ip. I would rather have DNS spoof not sending ANY ip, if it's unable to send the pineapple's ip.

In my understanding DNS Spoof is actually like a regular DNS service: it's broadcast as the DNS server by DHCP, and every DNS request should go to DNS Spoof, right? And the addresses that DNS Spoof is configured with should be consistent. Only the requests that DNS Spoof is not configured for should be sent to something like OpenDNS.

If this is just how it has to be, then I'm fine with that, but I would like to fix it if there is something I'm doing wrong. I guess it's all about learning how to do things properly :)

Yeah, I think most OSes store some kind of DNS cache, therefore I always use ipconfig /flushdns and ipconfig /renew on my Windows OS. I may not need both commands, but I like to do both. And I also have a habit of running a ping to test it.

Yes, not only do OSes handle DNS caching differently, so do browsers. Try a different browser (Win+R, iexplore.exe :( ).

In my understanding DNS Spoof is actually like a regular DNS service: it's broadcast as the DNS server by DHCP, and every DNS request should go to DNS Spoof, right? And the addresses that DNS Spoof is configured with should be consistent. Only the requests that DNS Spoof is not configured for should be sent to something like OpenDNS.

This is mostly correct. It is true that the DNS is set by DHCP, but this is the case whether DNSspoof is running or not. The trick is that the Pineapple is also a DNS forwarder. The way DNS works is by a series of redirects until the query finds the correct (authoritative) server. DNSspoof works by not forwarding DNS queries for specific sites (the ones you configure in the settings). All other queries going through the Pineapple are forwarded to the next DNS server, which I believe is Google Public DNS (8.8.8.8 & 8.8.4.4), or to the DNS server handed out by the WAN DHCP lease of the Pineapple. It is for this reason that DNS spoofing will not work on a target with a static DNS set.

Anyways, isn't the log that dns spoof creates a kind of "copy" of dns spoof's output? Like when the log shows an opendns ip, I think that DNS Spoof is telling the victim to use the opendns ip. I would rather have DNS spoof not sending ANY ip, if it's unable to send the pineapple's ip.

So are you saying that if someone requests a page that is not in your dnsspoof records, you do not want to forward it? You could do this by simply not connecting the Pineapple to the internet (standalone mode).
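As an added example that is not dnsspoof's own code: a Python model of the decision a dnsspoof-style responder makes for each query it sniffs, written for two points raised above (the hosts-file patterns such as '172.16.42.1 *.example.com', and the explanation that only names listed in the settings are answered locally while everything else is left to the forwarder). It parses a constructed DNS query, glob-matches the name against hosts lines, and forges an A answer carrying the query's transaction ID and question. The fnmatch-style matching is modelled on dsniff's dnsspoof but is an assumption here; the hosts lines, names and IPs are made up.

```python
"""Model of the per-query decision a dnsspoof-style responder makes
(added example; not dsniff's code). Hosts lines, names and IPs below are
made up; the glob matching (fnmatch) is assumed to mirror dnsspoof's.
"""
import fnmatch
import ipaddress
import struct


def parse_hosts(text):
    """dnsspoof hosts format: '<IPv4> <name or glob>' per line, '#' comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, pattern = line.split()
        entries.append((ipaddress.IPv4Address(ip), pattern.lower()))
    return entries


def lookup(entries, qname):
    """First matching hosts entry wins; None means 'leave it to the forwarder'."""
    qname = qname.lower().rstrip(".")
    for ip, pattern in entries:
        if fnmatch.fnmatchcase(qname, pattern):
            return ip
    return None


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf, off):
    """Decode an uncompressed name starting at buf[off]; return (name, next_off)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off


def build_query(txid, qname, qtype=1):
    """Standard recursive query: flags 0x0100 = RD, one question, IN class."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_query(pkt):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000 or qd != 1:
        raise ValueError("not a single-question query")
    qname, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return txid, qname, qtype, qclass


def forge_response(query, entries, ttl=60):
    """Return a forged A answer for a matching A/IN query, else None."""
    txid, qname, qtype, qclass = parse_query(query)
    if qtype != 1 or qclass != 1:
        return None
    ip = lookup(entries, qname)
    if ip is None:
        return None
    # Flags 0x8180: response, recursion desired + available, NOERROR.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, qclass)
    # Answer: pointer to the question name at offset 12, A/IN, TTL, 4-byte rdata.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ip.packed
    return header + question + answer


def answer_ip(resp):
    """(txid, dotted IP) from a response built by forge_response."""
    txid = struct.unpack("!H", resp[:2])[0]
    _, off = decode_name(resp, 12)
    off += 4                       # skip qtype/qclass
    rdlen = struct.unpack("!H", resp[off + 10:off + 12])[0]
    return txid, str(ipaddress.IPv4Address(resp[off + 12:off + 12 + rdlen]))


if __name__ == "__main__":
    hosts = parse_hosts("172.16.42.1 *.facebook.com\n172.16.42.1 facebook.com\n")
    for name in ("www.facebook.com", "facebook.com", "twitter.com"):
        r = forge_response(build_query(0x1234, name), hosts)
        print(name, "->", answer_ip(r) if r else "not spoofed (forwarded)")
```

Two things this makes concrete. First, fnmatch's '*' also matches dots, so a lone '*' (as in the first post's "172.16.42.1 *") catches every name, while '*.facebook.com' does not match the bare 'facebook.com', which needs its own hosts line. Second, what the model leaves out is delivery: as far as I know dnsspoof writes its forged reply as a raw packet whose source address is whatever resolver the client addressed, so a query the client sent to 208.67.222.222 gets a forged reply "from" 208.67.222.222 while the real OpenDNS answer is also on its way through the Pineapple's forwarding, and the client keeps whichever arrives first.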

Well, I might have been asking for much, but let's say I have configured DNS Spoof to redirect facebook.com requests to 172.16.42.1. Then I would NOT like DNS Spoof to occasionally forward the DNS request to OpenDNS, which in turn will give the real IP of facebook. In the log file I pasted previously you can clearly see this happen.

That said, there might be something going on that I don't understand.

And I would very much like to give regular internet connection to the victims, as they would not hang for long without interwebz.
