
Question related to DNS spoof



So, I have been learning about C# and ASP.net, and have been wondering, how do Linux systems support "server behind" files on web sites? How would I write handlers for any site that I chose to forward people to? Is PHP the answer? Also, I have heard about people making "pixel perfect" representations of websites; are there special tools for that?


The concept of a "code behind" file is technology-specific. It's the concept whereby you separate your visual markup from the logic that is to be visualised. A brief history of web development.

You choose to create a page on your local apache httpd-backed website that lists all the episodes for the current season of Hak5. Initially you might set it up such that you write an HTML file that contains a listing of all the episodes with the appropriate links. You make it look really cool and nifty and then... a new episode appears. You need to edit your file a bit to include the new show. This happens maybe once more before you get miffed.

So you learn a programming language like Perl. It's nice because apache httpd has a module that supports it natively. You rename your html file to cgi (a requirement of the module) and suddenly you can code a loop inside your HTML. And because Darren isn't a complete douche all the episode names are consecutively numbered so all is great. Less code, less fuss. You still need to update the code once every week, but only to increment the number of episodes. At some point you even wise up and compute the appropriate episode number based on the year's week number. FANTASTIC! You don't have to change anything anymore. This ROCKS!

After a bit you meet another fan of the show and you get together every so often and talk tech for a bit, and this other guy says he's good at creating websites. To demonstrate this, he took a copy of the HTML produced by your cgi and just ran with it. Next time you guys meet up he shows you what he's done and you're BLOWN AWAY! This guy isn't good, he's MAGNIFICENT! An artist in his own right. Problem is, he only knows HTML and doesn't understand shit about programming, let alone something as funky as Perl. So you decide to go with C# and ASP.Net, where the ASP.Net part is sufficiently like HTML that your artistic friend is comfortable working on that and other pages, and you, being the programming genius that you are, dive headlong into a flurry of C# development. The end result is a complete Hak5 fan page that puts the real Hak5 website to shame.

The pattern is called Model-View-Controller or MVC, where a View (the HTML page) renders the Model (the listing data) that is produced by the Controller (your C# code). From what I understand, code behind is really nothing more than a controller and possibly also the model using Microsoft technology, as they coined the term when they did ASP.net. In Java it's simply a pattern that's been around for a while that got very popular for obvious reasons (separation of concerns, to name a big one). One thing that's true in both the Java and the C# case is that it's quite easy to make the compiled controller code inaccessible to the outside world. One of the classic hacks in the early 2000s was to use some technique to get the website to cough up the unprocessed CGI/PHP/ASP code. When you got that, you could figure out what the developer had done wrong and exploit that, or even find the login credentials to the database, and where that database was hosted. All sorts of mayhem was possible then. The inaccessibility of the code prevented much of this.


Oh, and lest I forget, you asked about how the concept is done on Linux. It's not a Linux concept, it's a C# concept. And Mono is the implementation of a C# runtime and toolchain for Linux. Google it.


Well, that was pretty enlightening. Actually what I was asking wasn't so much how to do it in C#, it was how to host a web page on the pineapple, complete with a server behind, using whatever would normally be used. The pineapple has DNS poisoning capability; logically it should be able to host cloned websites. I am pretty sure that some people actually make software that can clone web pages, and thus you have a fake to forward to clients when they try to connect to the real one and are connected to the pineapple. The cloning software doesn't even have to really be on Linux or anything, it just has to run the web page on it. I have some Windows boxes, that's about it. I do understand that C# is pretty Windows-specific, and would not make much sense to run off a pineapple. In my ethics class we are learning about lots of things, identity theft being one of them. I would like to see how it is performed, on my own network of course. That "pixel perfect" quip was actually described by my book I think.

Edited by overwraith

C# is NOT Windows-specific. The WPF part is but the rest is not and Mono is itself proof of this. The runtimes for C# and Java are rather taxing on a low-powered machine like the Pineapple so as you suggest it would be best not to host anything written in that on the Pineapple itself.

Since you want to clone a website, which site did you pick? Why did you pick it? What about that site would you like to alter, and why not alter it on the fly? You manage to effectively MITM your victim on his way to the intended destination (otherwise how is he to see your 'clone' website in the first place) and now you can do whatever you want. The victim wants to see a page on a.b.com? YOU ask a.b.com for that page and return it as if it were your own. You keep doing this with everything else. On the page(s) where you want something to happen just that little bit different, simply modify the request as you pass it on to the intended destination, or modify the response as you deliver it back.

That's how SSLStrip does its thing. It sits between you and your destination and all https paths in the response are modified to http paths. You get a 'secure login' page which is effectively going over http.

An alternate mode of SSLStrip, discussed in Moxie's talk but I don't know if it's in the actual program, is where you have a wildcard site certificate that will match *.yourdomain.tld and you pick the tld such that Firefox won't punycode the URL, like .cn, and provide your victim with a URL that looks like this:

https://trusted.website.com/secure/login?referrer=www.yourdomain.cn
but thanks to the beauty of weird-ass characters in UTF8 the / characters are actually different characters that render to similar-looking glyphs. So to the browser the hostname you requested was actually (I've made the subdomain parts of the hostname bold to better show what's happening) "trusted.website.comXsecureXlogin?referrer=www.yourdomain.cn", which as it just so happens matches your *.yourdomain.cn wildcard certificate. You can send your victim YOUR certificate and he'll have an authentic HTTPS connection. Just not with trusted.website.com.

With the latter approach, in Firefox, the location bar will display the name that's on the cert used to secure the connection, so it's kinda visible that it doesn't say "Website, LLC" or whatever but instead "YourDomain, LLC". But it'll be all green and chances are people won't notice. In Chrome, nothing will be shown. The lock icon will be green and all signs will point at Go!

Edited by Cooper
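As an added example (not code from the thread or from SSLStrip), here is a defender-side check for the lookalike-delimiter URL described above: it extracts the host the way a parser that only recognises ASCII delimiters would, lists the non-ASCII code points, compares the domain a reader sees against the domain that actually ends the host (and so decides which certificate can match), and reports any delimiters that NFKC normalization reveals, which is the same normalization check Python's urllib.parse applies to non-ASCII netlocs. The sample URL is constructed for this example with DIVISION SLASH and fullwidth "?" and "=" standing in for the ASCII characters; the two-label "parent domain" is a simplification standing in for a Public Suffix List lookup.

```python
import unicodedata

# Only these ASCII code points end the authority (host) part of a URL under
# the generic syntax; lookalikes such as U+2215 DIVISION SLASH do not.
DELIMITERS = "/?#"

# Constructed sample: the "/", "?" and "=" a reader sees are DIVISION SLASH,
# FULLWIDTH QUESTION MARK and FULLWIDTH EQUALS SIGN, so the whole string is one host.
SAMPLE_URL = ("https://trusted.website.com\u2215secure\u2215login"
              "\uff1freferrer\uff1dwww.yourdomain.cn")


def host_of(url):
    """Host as a parser that splits only on ASCII delimiters sees it."""
    rest = url.split("://", 1)[1] if "://" in url else url
    end = min((rest.index(d) for d in DELIMITERS if d in rest), default=len(rest))
    return rest[:end].split("@")[-1].split(":")[0].lower()  # drop userinfo and port


def analyze_url(url):
    host = host_of(url)
    non_ascii = [(i, ch, unicodedata.name(ch, "UNNAMED"))
                 for i, ch in enumerate(host) if ord(ch) > 0x7F]
    # What a human reads: the text before the first non-ASCII code point.
    apparent_host = host[:non_ascii[0][0]] if non_ascii else host
    # What actually ends the host, and therefore which wildcard certificate matches it.
    # Two labels is a simplification; real code should consult the Public Suffix List.
    parent_domain = ".".join(host.split(".")[-2:])
    # NFKC maps fullwidth lookalikes back to ASCII delimiters; a host that gains
    # delimiters after normalization is what urllib.parse rejects as invalid.
    normalized = unicodedata.normalize("NFKC", host)
    hidden_delims = sorted({ch for ch in normalized if ch in DELIMITERS + "@:"})
    spoofed = (bool(non_ascii) and "." in apparent_host
               and not apparent_host.endswith(parent_domain))
    return {"host": host, "apparent_host": apparent_host, "parent_domain": parent_domain,
            "non_ascii": non_ascii, "hidden_delimiters": hidden_delims, "spoofed": spoofed}


if __name__ == "__main__":
    report = analyze_url(SAMPLE_URL)
    print(f"reader sees : {report['apparent_host']}")
    print(f"host ends in: {report['parent_domain']}")
    for idx, ch, name in report["non_ascii"]:
        print(f"  offset {idx}: U+{ord(ch):04X} {name}")
    print(f"delimiters revealed by NFKC: {report['hidden_delimiters']}")
    print(f"spoofed: {report['spoofed']}")
```

A genuine IDN such as münchen.de contains non-ASCII but no dotted "apparent host" ahead of it, so it is not flagged.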

Just realized something: so the DNS spoof program built into the pineapple redirects a domain name request to the IP address specified. So one would not necessarily host the website on the pineapple. So you could host it on a Windows machine or something. Now, would you be able to host the page using IIS, or something? Also, we still have not touched at all on software that would actually be used to clone websites.


I would suggest simply writing it, but I'm a coder so that's my typical reaction to such situations.

What I'm saying is that basically you don't want to host a website, you want to be a proxy to it. Doing that means you can mimic ALL traffic, not just the traffic your victim tried to send to target.com; you can listen in on the conversation, modify it as and when you see fit, and nobody would be the wiser.

So as far as I'm concerned the answer to the question "What software should I use to clone a website?" is "You shouldn't want to be doing that."


An alternate mode of SSLStrip, discussed in Moxie's talk but I don't know if it's in the actual program, is where you have a wildcard site certificate that will match *.yourdomain.tld and you pick the tld such that Firefox won't punycode the URL, like .cn, and provide your victim with a URL that looks like this:

I will have to try to find that talk you mentioned, that URL modification looks fun. So the URL is inserted into the site somehow?


Take a look at Social Engineering Toolkit if you haven't. One of its features allows you to "clone" a website (login page only, not a deep clone) on your machine, and then if you have the Pineapple redirect to your machine's IP under whatever conditions you give it, the target will get your cloned version and Bob's your uncle. SET offers credential harvesting and other goodies as well. The only problem with this credential harvesting attack is that SET, when run as a normal MitM instead of with a Pineapple, will redirect the target to the real site after a "failed login", but when run with the Pineapple the target isn't redirected properly and they get an endless loop of your cloned site.

Edited by Prometheus-2486