Jump to content

DNSSpoof Doesn't redirect


Go to solution Solved by Darren Kitchen,

Recommended Posts

Hello,

When i set ON DNSSpoof and i type example.com (i have this file created with a "Hello World" inside) but it doesn't redirect me...

When i type 172.16.42.1/example.html it shows me my fake web page... With or without DNSSpoof activate... But when i activate DNSSpoof doesn't redirect me to my fake page...

I have lastest update firmware...

Internet connection... i don't know why this is failing all time

Link to post
Share on other sites
  • Replies 57
  • Created
  • Last Reply

Top Posters In This Topic

Seems to be a problem with dnsspoof on 1.4.1. Verified and send a potential patch to Seb. We'll push an update asap.

Edit: My issue was isolated. Couldn't reproduce. It wasn't a bug with 1.4.1 as tested with fresh fruit. Nor an incompatibility with an installed infusion.

What do you get when you issue the following directly via SSH?

dnsspoof -i br-lan -f /etc/pineapple/spoofhost
Link to post
Share on other sites

Seems to be a problem with dnsspoof on 1.4.1. Verified and send a potential patch to Seb. We'll push an update asap.

Edit: My issue was isolated. Couldn't reproduce. It wasn't a bug with 1.4.1 as tested with fresh fruit. Nor an incompatibility with an installed infusion.

What do you get when you issue the following directly via SSH?

dnsspoof -i br-lan -f /etc/pineapple/spoofhost

Thanks for your answer Darren,

I tried this command via SSH and it is the same... Doesn't redirect and doesn't spoof...

What i do is:

/etc/php.ini

; UNIX: "/path1:/path2"
;include_path = ".:/php/includes"
doc_root = ""
user_dir =
extension_dir = "/usr/lib/php"
enable_dl = On
;cgi.force_redirect = 0---> Change this two and set it to 0, before was 1.
cgi.force_redirect = 0---->
;cgi.nph = 1
;cgi.redirect_status_env = ;
cgi.fix_pathinfo=1
;fastcgi.impersonate = 1;
;fastcgi.logging = 0
;cgi.rfc2616_headers = 0

Create a test.php in /www with: <?php phpinfo(); ?> written ---> To test a php info web.

Then, type 172.16.42.1/test.php---> shows the web perfectly.

Then: touch /www/example.html

echo "Hello Mundo!" > example.html

Then on my Chrome: 172.16.42.1/example.html

Shows my web perfectly...

Then i start via SSH or UI dnsspoof: and doesn't redirect me...

Link to post
Share on other sites

This is ridiculous...

After install my normal infusions (sslstrip, nmap, ettercap, randomroll (this doesn't work...), deauth, evilportal, opkgmanager) i lose completely the option to view via pineapples's IP my test.php and other test for dnsspoof...

It's absolutely annoying and frustrating...

I don't know how to set a validate configuration...

Link to post
Share on other sites

Are you saying it's working before you install infusions then not afterwards? If so which infusion is breaking it?

No darren. It doesn't work after or before... It's just a partial working before install any infusion.

Before install it can redirect to my example.hmtl (with dnspoof running or without it) browsing to 172.16.42.1/example.html, but doesn't work if i type example.com with dnsspoof activating..

Anyway i need a complete redirection from dnsspoof.

So the conclusion is: it doesn't work before or after install pineapple infusion. Even after a Factory Reset.

Edited by daniboy92
Link to post
Share on other sites

Ok I'm looking into what may be causing the issue. In the meantime I did a quick video to get everyone up to speed on the feature. I haven't had any problems with it thus far, but perhaps that's just my luck. Can you do me a favor and provide the complete ifconfig or ipconfig results of a connected client? I'd like to see what DNS it's using.

Video:

https://www.youtube.com/watch?v=nggQan4XZ1E

Link to post
Share on other sites

Yes, of course Darren:


test@test-VirtualBox:~$ ifconfig

eth0 Link encap:Ethernet dirección HW 08:00:27:6c:42:32

ACTIVO DIFUSIÓN MULTICAST MTU:1500 Métrica:1

Paquetes RX:0 errores:0 perdidos:0 overruns:0 frame:0

Paquetes RX:0 errores:0 perdidos:0 overruns:0 frame:0 carrier:0

colisiones:0 long.colaTX:1000

Bytes RX:0 80.0 B) TEX bytes:0 (0.0 B)

wlan0 Link encap:Ethernet direcciónHW 00:e0:4c:38:26:20

Direc. inet:192.168.0.5 Difus.:192.168.0.255 Másc:255.255.255.0

Direccón inet6: fe09::ef3:eff4:fe38_2620/64 Alcance:Enlace

ACTIVO DIFUSIÓN MULTICAST MTU:1500 Métrica:1

Paquetes RX:5822 errores:0 perdidos:0 overruns:0 frame:0

Paquetes RX:1222 errores:0 perdidos:0 overruns:0 frame:0 carrier:0

colisiones:0 long.colaTX:1000

Bytes RX:1370711 (1.4 MB) TEX bytes:150480 (150.4 KB)

And this is what shows iwconfig:

test@test-VirtualBox:~$ iwconfig

wlan0 IEEE 802.11bgn ESSID:"Pineapple5_133B"

Mode:Managed Frequency:2.462 GHz Access Point: 00:45:33:B5:13:BB

Bit Rate=72.2 Mb/s Tx-Power20 dBm

Retry long limit:7 RTS thr:off Fragment thr:off

Encryption key:off

Power Management:on

Link Quality=70/70 Signal level=-17 dBm

Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0

Tx excessive retries:0 Invalid misc:51 Missed beacon:0

When i navigate into my Ubuntu searching for example.com:

OJ0YQ0n.jpg

But at same time in my pineapple (today is showing something, yesterday showed nothing)

mojh1ZX.jpg

No matter what device i choose: a virtual machine, a real computer, my Android... I have internet conecction except on webs that i want to spoof...

EDIT: When i start ping to example.com it shows the real example.com's IP... Not pineapple's IP.

Edited by daniboy92
Link to post
Share on other sites

I've got the same results, I've just finished watching the video on how it works and I'm not being redirected to my "Hello World!" page instead of Zombo.com (which by the way is quite comical).

When I go to 172.16.42.1 without the port it lets me see it but if I use zombo.com, www.zombo.com or anything like that it just takes me to the regular page.

Here is my DNSSpoof config: http://cl.ly/image/1I0t082I0N46

My ifconfig results: http://cl.ly/image/1b1I1j0Y0i3I

And my results from the command you posted: http://cl.ly/image/1G2n161z1C3T (I hope that's all that should appear)

Let me know if anything else is needed or if I'm being stupid and missing something obvious :P

Thanks

Edited by Skipper
Link to post
Share on other sites

I changed the /etc/nginx/nginx.conf file from:

server { # php/fastcgi
listen 8080;

to

server { # php/fastcgi
listen 80;

Now it works fine. However, beware this may interfere with any other httpd daemons like the captive portal.

Edited by midnitesnake
Link to post
Share on other sites

I changed the /etc/nginx/nginx.conf file from:

server { # php/fastcgi
listen 8080;

to

server { # php/fastcgi
listen 80;

Now it works fine. However, beware this may interfere with any other httpd daemons like the captive portal.

So, we don't change the port to 8080 - we ship it as default as 80.

I know that the EvilPortal Infusion changes the port. Maybe it doesn't change it back.

This makes sense though, as the vanilla firmware has no such issues.

Best Regards,

Sebkinne

Link to post
Share on other sites

I changed the /etc/nginx/nginx.conf file from:

server { # php/fastcgi
listen 8080;
to

server { # php/fastcgi
listen 80;
Now it works fine. However, beware this may interfere with any other httpd daemons like the captive portal.
Thank you so much... I will try this. But, we need a valid and definitive configuration for work with this tool without problems with other infusions...

Darren, Seb, please let us know a solution for this...

Link to post
Share on other sites

Thank you so much... I will try this. But, we need a valid and definitive configuration for work with this tool without problems with other infusions...

Darren, Seb, please let us know a solution for this...

It's not something we can solve, as it isn't an issue with our firmware. It's an issue if you have used / set up the evil portal infusion. I suggest you point this issue out to the author of that infusion.

Best regards,

Sebkinne

Link to post
Share on other sites

Can confirm what Seb is saying. I too watched the latest video, and was working on my spoofed webpage, when I decided to see if there was some code in evil portal infusion that I could use (there's not). After I installed the infusion my DNSspoof quit working. Upon reflashing the 1.4.1 firmware, everything worked as normal.

Thanks for finding the change in nginx.conf though! I knew it was something to do with nginx, but it was just easier for me to reflash and start fresh.

Link to post
Share on other sites

But that is not my case...

Even when i do a Factory Reset dnsspoof DOESN'T work for me... I only access to my fake webs via IP (172.16.42.1/example.html)... But not putting the domain (www.example.com)...

It's when i install infusions when even doesn't work via IP...

Edited by daniboy92
Link to post
Share on other sites
  • Solution

/etc/config/dhcp

        list 'dhcp_option' '6,172.16.42.1,8.8.8.8'
        list 'dhcp_option' '6,172.16.42.1,208.67.222.222'

Try removing the ",8.8.8.8" and ",208.67.222.222" parts. Reboot, try again. Wondering if clients are using those DNS servers rather than the preferred 172.16.42.1

Link to post
Share on other sites

That seemed to work for me, although it's not redirecting for https pages and when I try to use SSLStrip with DNSSpoof it overrides the redirection and just shows you the stripped page, no redirection.

/etc/config/dhcp

        list 'dhcp_option' '6,172.16.42.1,8.8.8.8'
        list 'dhcp_option' '6,172.16.42.1,208.67.222.222'

Try removing the ",8.8.8.8" and ",208.67.222.222" parts. Reboot, try again. Wondering if clients are using those DNS servers rather than the preferred 172.16.42.1

Link to post
Share on other sites

/etc/config/dhcp

        list 'dhcp_option' '6,172.16.42.1,8.8.8.8'
        list 'dhcp_option' '6,172.16.42.1,208.67.222.222'

Try removing the ",8.8.8.8" and ",208.67.222.222" parts. Reboot, try again. Wondering if clients are using those DNS servers rather than the preferred 172.16.42.1

Thank you Darren... It works fine for me..

But now i have a issue... Yes, one more time..

Now i can spoof example.com and facebook.com. On facebook.com when i put my username and my password the web redirects correctly to same spoofed web, but in dnsspoof logs i can't see the user and password... What's the piece of this puzzle?

Link to post
Share on other sites

Ok, all it's OK. I find the pineapple-phish.log in /tmp folder. Now set this to my custom log.

Now my pineapple it's working fine and without problems...

All was problems with DNS (thank you Darren) and the nginx.conf file (thanks midnitesnake)

Thank you!!!.

Link to post
Share on other sites

The SSLStrip infusion seemed to bypass the DNSSpoof and by looking at teh IP tables I am guessing that is correct. However stopping the infusion it still hangs onto the routing and so you need to delete it for DNSSpoof to work correctly.

So... What we need to work with dnspoof and sslstrip simultaneously without problems?

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.


×
×
  • Create New...