DNSSpoof Doesn't redirect


SSLStrip requires traffic to be redirected to it. The only way that you can make this work is by chaining the programs via iptables. I haven't tried it, but technically that works.

Best Regards,

Sebkinne

Can you do a tutorial on doing this? It would be awesome to use both at the same time...

Link to comment
Share on other sites

My pineapple just isn't redirecting as hoped. Can anyone see anything wrong with the following:

DNSSpoof.JPG

The top two do not redirect, the remaining three do.

Redirect.php:

redirect%20file.JPG

/etc/config/dhcp:

dhcp%20config.JPG

dnsspoof.log:

Phish%20log.JPG

Just to add that my Pineapple is connected to my laptop with an ethernet cable and the client is an android tablet.

Edited by factgasm
Link to comment
Share on other sites

Hey guys,

Nice thread, I've been reading through it and I find it very intuitive. This script reminds me of Ghost Phisher. :)

Anyway, I followed Darren's steps and I can't get it to go.

Here are my steps:

1: Set spoof host to: 172.16.42.1 *.zombo.com

2: Make a simple hello world "index.html" file and copy it to MKV's "www" folder.

3: Start DNS spoof

Results: when I go to zombo.com it actually goes there. In other words it's not redirecting.



Anyway, I made a small video of what I'm doing. If you have a chance, please take a look and correct me if I'm wrong.


Thanks guys!


cheeto



Link to comment
Share on other sites

What about your redirect.php?

Instead... I think dnsspoof doesn't work with Google Chrome... I tried with Chrome on my smartphone and it doesn't redirect... I tried it with the default browser and it works fine...

You can try with Chrome but after cleaning cookies, history, and all... and see what happens.

Also you can try with the dhcp file in /etc/conf and the nginx.conf file mentioned before...

Link to comment
Share on other sites

Thanks factgasm,

So, would this work?:

<?php
$ref = "http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
if (strpos($ref, "yahoo")){
    header('Status: 302 Found');
    header('Location: http://www.gmail.com');
}
require('error.php');

Also, where would I have to place the redirect.php file? In the www directory?

Can you send me a copy of your redirect.php script? (so I can toy around with it)

Thanks again!!

UPDATE: I found the redirect.php script in my www folder.

It reads:

<?php
$ref = "http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
if (strpos($ref, "example")){
    header('Status: 302 Found');
    header('Location: example.html');
}
require('error.php');
?>
Edited by cheeto
Link to comment
Share on other sites

Don't touch the index.php file, it's not necessary.

In redirect.php you need to set these values:

<?php
$ref = "http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
if (strpos($ref, "zombo")){
    header('Status: 302 Found');
    header('Location: index.html');
}
require('error.php');
?>

You need to change these parameters and add a new rule for every website you want to spoof.

Try with this and see what happens...

Link to comment
Share on other sites

@cheeto: The Wifi Pineapple ships with the www folder already set up and a redirect.php file already in there for you.

If you are using Windows and you install WinSCP then you can view the Pineapple's whole folder and file structure just as if you were looking at it in Windows Explorer.

Basically the www folder contains four files, redirect.php, index.html, index.php and error.php.

As daniboy92 said, you need to add code (like the code you mentioned earlier) into the redirect.php for every website you want to spoof.

You could edit the index.html if you want, but only if you want to redirect people to that page. For my purposes, I want to redirect people to other sites on the internet. (take a look at my code in my earlier post).

With regards to the other two files, namely index.php and error.php, I have not come across any reason to want to edit them so far, but I am still learning too!

Here's what the folder and file structure looks like on my Pineapple using WinSCP:

(1) www folder:

imageedit_4_7518448233.jpg

(2) Here's my Pineapple's root folder:

imageedit_9_3948889445.jpg

I hope this helps.

Edited by factgasm
Link to comment
Share on other sites

cheeto: Some things I appear to have discovered when editing the sites I want to spoof:

(1) Make sure the DNSSpoof infusion is stopped.

(2) Go into the DNSSpoof pane and add the entry you want, for example '172.16.42.1 bbc.co.uk', and then click save. (see my earlier post).

(3) Go into the redirect.php file and add the redirect code for the site you are spoofing (you can do this using WinSCP or PUTTYing into the Pineapple's CLI), then save the redirect file and close it.

(4) Reboot the Pineapple.

To test, switch the Pineapple back on, start the DNSSpoof infusion running and then join some other device (smartphone, tablet, spare PC) to your Pineapple and enter the url for the site you are spoofing into your device's browser. If everything works properly the Pineapple will redirect you to the alternate site!

Sorry, can't post the code from my redirect right now, my Pineapple is packed away for a flight early tomorrow morning, besides take a look at my earlier post, that has some of my code.

I hope this is helpful.

PS Make sure too that you have followed Darren's advice in the post at the top of this page about editing the dhcp file in the Pineapple's /etc/config folder.

Edited by factgasm
Link to comment
Share on other sites
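
Added example, not part of any post in this thread: seen from the network side, the entries quoted above ('172.16.42.1 *.zombo.com', '172.16.42.1 bbc.co.uk') show up as public hostnames answered with an RFC 1918 address. The sketch below flags that pattern in resolver logs; the sample records, the internal-suffix list and the function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed (queried name, A-record answer) pairs, as a resolver log might
# record them. The 172.16.42.1 rows mirror the entries quoted in the thread.
SAMPLE_ANSWERS = [
    ("www.zombo.com", "172.16.42.1"),
    ("bbc.co.uk", "172.16.42.1"),
    ("mail.example.org", "172.16.42.1"),
    ("printer.lan", "192.168.1.20"),       # internal name, private answer: expected
    ("www.example.net", "93.184.216.34"),  # public name, public answer: expected
]

# Assumption: names under these suffixes are internal and may map to private space.
INTERNAL_SUFFIXES = (".lan", ".local", ".home.arpa", ".internal")


def is_internal_name(name):
    """Single-label names and names under an internal suffix are not flagged."""
    name = name.rstrip(".").lower()
    return "." not in name or name.endswith(INTERNAL_SUFFIXES)


def find_suspect_answers(answers):
    """Return (name, answer, reason) for public names answered with private IPs."""
    findings = []
    for name, answer in answers:
        if is_internal_name(name):
            continue
        try:
            ip = ipaddress.ip_address(answer)
        except ValueError:
            findings.append((name, answer, "unparseable-answer"))
            continue
        if ip.is_private:  # covers RFC 1918, loopback and link-local ranges
            findings.append((name, answer, "public-name-to-private-ip"))
    return findings


def shared_private_targets(findings, threshold=2):
    """Group flagged names by answer; one private IP serving many unrelated
    public names is a stronger signal than a single odd record."""
    by_ip = defaultdict(set)
    for name, answer, reason in findings:
        if reason == "public-name-to-private-ip":
            by_ip[answer].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items()
            if len(names) >= threshold}


if __name__ == "__main__":
    hits = find_suspect_answers(SAMPLE_ANSWERS)
    for ip, names in shared_private_targets(hits).items():
        print(f"{ip} answers for {len(names)} public names: {', '.join(names)}")
```

Captive portals and split-horizon DNS produce the same pattern legitimately, so a hit is a prompt to check which network the client joined.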

THANK you guys SOOOO MUCH!

I'm at work at the moment but as soon as I get home, I'm going to apply these changes.

Regarding the index.html I don't recall my Mkv coming with it. The index.html in the www directory was put there by me. I guess I could always re-flash it to make sure everything is set to stock mode.

Here's my objective:

I want to make fake gmail / facebook login screens and have the victim enter the credentials and have the information saved in a file. Sort of like Ghost Phisher (amazing script!!!)

Of course, this is easier said than done. I assume that I will need a php script to save the credentials onto a file. Is there an easy way around this?

Given the sslstrip limitations, I think this would be the best alternative.

I'll get back to you with the results.

Thanks again guys!!!

cheeto

Link to comment
Share on other sites

Ok, but there is a little problem with this... It seems SSL websites don't work with dnsspoof... If you read my latest post, I can spoof websites without the SSL protocol; with the SSL protocol I can only spoof facebook.com... That is why I want to use sslstrip and dnsspoof together, because I want to remove SSL protection and then spoof the website (yes, I tried it with Gmail, Hotmail and websites like these and can't spoof them). Maybe for you it works fine; try it and post here, I'm enjoying these reports.
Link to comment
Share on other sites

Ok guys I followed the instructions and still can't get it to go.

Please check out my video.

https://mega.co.nz/#!2ddFHQSS!-v-LFs3GfZ2u-7CpbvuYhKFp_XC2t1UBnsoip9aJZoA

Thanks again!!!,

cheeto

Cheeto, do you have the captive files installed in the dnsspoof infusion? If it's installed, you need to change this in /etc/nginx/nginx.conf:

server { # php/fastcgi
    listen 8080;

To:

server { # php/fastcgi
    listen 80;

Try this and if it doesn't work I recommend a reboot to factory settings and doing all these steps again.

Link to comment
Share on other sites

Thanks for getting back to me daniboy92,

I do have the dns spoof infusion installed.

In analyzing the nginx.conf file I couldn't find the exact command:

server { # php/fastcgi
    listen 8080;

but I did find the 8080 and changed it to 80.

Anyway, after editing the file I rebooted the mkv and tested it but it simply doesn't work.

I think I'm going to give up on the infusion and hope for a working update. This is just giving me grey hair.

I really appreciate everyone's help, it's what makes this forum worth visiting.

Cheers,

#configured
#configured
#configured
#configured
#configured
user root root;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    index index.php index.html index.htm;
    default_type text/html;
    sendfile on;
    keepalive_timeout 65;
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.0;
    gzip_comp_level 2;
    gzip_types text/plain application/x-javascript text/css application/xml;
    gzip_vary on;
    server {
        listen 80; # Port, make sure it is not in conflict with another http daemon.
        server_name www; # Change this, reference -> http://nginx.org/en/docs/http/server_names.html
        error_page 404 =200 /index.php;
        fastcgi_connect_timeout 300;
        fastcgi_send_timeout 300;
        fastcgi_read_timeout 300;
        fastcgi_buffer_size 32k;
        fastcgi_buffers 4 32k;
        fastcgi_busy_buffers_size 32k;
        fastcgi_temp_file_write_size 32k;
        client_body_timeout 10;
        client_header_timeout 10;
        send_timeout 60; # 60 sec should be enough, if experiencing a lot of timeouts, increase this.
        output_buffers 1 32k;
        postpone_output 1460;
        root /www/; # Your document root, where all public material is.
        location ~ \.php$ {
            fastcgi_index index.php;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            if (-f $request_filename) {
                # Only throw it at PHP-FPM if the file exists (prevents some PHP exploits)
                fastcgi_pass unix:/var/run/php5-fcgi.sock; # The upstream determined above
            }
        }
        error_page 404 =200 /index.php;
    }
    server {
        listen 1471; # Port, make sure it is not in conflict with another http daemon.
        server_name pineapple; # Change this, reference -> http://nginx.org/en/docs/http/server_names.html
        error_page 404 =200 /index.php;
        fastcgi_connect_timeout 300;
        fastcgi_send_timeout 300;
        fastcgi_read_timeout 300;
        fastcgi_buffer_size 32k;
        fastcgi_buffers 4 32k;
        fastcgi_busy_buffers_size 32k;
        fastcgi_temp_file_write_size 32k;
        client_body_timeout 10;
        client_header_timeout 10;
        send_timeout 60; # 60 sec should be enough, if experiencing a lot of timeouts, increase this.
        output_buffers 1 32k;
        postpone_output 1460;
        root /pineapple/; # Your document root, where all public material is.
        location ~ \.php$ {
            fastcgi_index index.php;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            if (-f $request_filename) {
                # Only throw it at PHP-FPM if the file exists (prevents some PHP exploits)
                fastcgi_pass unix:/var/run/php5-fcgi.sock; # The upstream determined above
            }
        }
    }
}
Link to comment
Share on other sites

There is definitely something wrong with DNSSpoof. Yesterday I had it working for some of the sites I wanted to spoof, but not all.

Late last night I had to reflash my Pineapple (wlan0 and wlan1 had stopped working) so this morning I set my DNSSpoofing back up with the same previous list and some new sites I added too - and experienced the same issue again as I did last night. Some of the sites were spoofed correctly, others were not.

Here's the weird thing - as I started at the top of my list of sites to spoof and worked my way down, the first few worked correctly, then when the Pineapple encountered the first site it could not spoof, it could not spoof any other sites further down the list either. Then when I got back to the top of the list, to sites it spoofed the first time, it could no longer spoof them either.

My Pineapple is connected to my laptop via ethernet and my laptop connected to the internet via its own wifi. Alternatively I tried connecting my laptop to the internet via a USB Dongle but this resulted in the same problems.

It seems as if, once DNSSpoof encounters a site that it fails to spoof, then it can no longer spoof other sites either. It's as if some background dll/daemon type process that runs periodically within the Pineapple causes the DNSSpoofing to temporarily stop working or stop working completely until the Pineapple is rebooted.

Further note: The Pineapple is capable of DNSSpoofing just using its default firmware - click the Configuration pane and then the DNS Spoof tab and there you go. However, there is also a separate DNS Spoof infusion which can be installed separately, too.

Thing is, when you install the DNS Spoof infusion, the Configuration pane still retains its DNSSpoofing functionality. This means there are two places where DNSSpoof can be independently stopped and started - which creates the situation where it's possible to have DNSSpoof running in one pane but stopped in the other - which strikes me as inconsistent. Apologies if I have misunderstood something here.

Perhaps for later versions of the Pineapple firmware, DNSSpoof could be removed from the Configuration pane and installed as a default infusion instead.

Edited by factgasm
Link to comment
Share on other sites

@cheeto I had your issue two weeks ago... Just set a Factory Reboot from the Configuration menu and do all things cleanly... Even delete the DNS from the dhcp.conf file from Darren's answer. And I recommend you try it without the dnsspoof infusion. It's important that you use a browser without data like cookies, cache, history... I hope this can help you.

Link to comment
Share on other sites

Thanks daniboy92,

I will probably do it this weekend. It gets frustrating when trying to figure something out for hours and it simply won't work. There is obviously a problem with this infusion. It looked so simple when watching the video.... I thought heck, that's easy. Wrong I was.....

Let's cross our fingers that the infusion gets updated.


I really appreciate your help daniboy92!!

Cheers

Link to comment
Share on other sites

You're welcome cheeto.

Factgasm, what you are saying is very logical... I think there is a little problem with dnsspoof functionality. I want to see a video from Darren spoofing sites like Gmail, Hotmail, Yahoo... (I don't know why I can spoof facebook.com that uses ssl but not these websites)... And spoofing multiple sites at the same time, this will be interesting.

Link to comment
Share on other sites

With regards to the suggestion that cookies etc get cleaned out from the browser first - how realistic is this?

I trust this means the browser on the victim's device. Is that right?

If so, how likely is it that the victim's browser will be in such fresh condition? I don't think that's going to be very likely.

So, the question is whose browser to clean up? Attacker's or victim's?

Link to comment
Share on other sites

@factgasm: this is not realistic, but if you want to set up a valid test, you need to clean it because websites previously visited have the SSL connection established; if you don't do this, you won't spoof these websites.

So... If the victim has his browser completely empty, that is another story. The theory is that you are using this for a spoiled hacking, with knowledge from your victim. If he doesn't have knowledge, obviously it's very difficult to hack them.

Link to comment
Share on other sites

  • 1 month later...

Hi all,

Have the same problem too.

Got my Pineapple Mark V at bSides Las Vegas a few weeks ago. Just got home from holiday and fired it up. sslstrip works, randomroll works BUT dnsspoof does not. I have read all three pages on this thread and tried all the suggestions throughout but without any luck. I have also tried doing (a whole lot) factory reset before making changes but again without any luck.

I have also followed Darren's "simple" dnsspoof youtube zomba.com example. This should be a really "simple" proof of concept dnsspoof howto video. But it's just not simple for me (and as this thread shows, for many more).

My setup:

Pineapple side:

Windows 7 fully patched without AV of any kind. Wireless connected to my default home AP that runs WPA2. Wired connected to the Pineapple Mark V.

Test client side:

Windows 8 fully patched without AV of any kind. Wireless connected to the Pineapple Mark V. Chrome, Firefox and Explorer installed. (Firefox uses forced https so not a good browser to use for sslstrip)

I have tried Darren's "simple" dnsspoof youtube zomba.com example with all three browsers without luck.

What am I (we) doing wrong here? It clearly works on Darren's setup so why is it not working for me (us)?

Is Darren's setup custom or in any way different than mine (ours)? Other firmware? OS? Patch level? etc.?

This should be "simple" to correct but as with all IT it apparently is not.

Any wise words from the designers and architects of this otherwise sweet hardware/software package to get closer to a solution ?

Or any new eye-opening ideas that may fix the dnsspoof issue of not working?

Thanks for all the great ideas and responses throughout this thread! Thanks! :smile:

/Karry

Link to comment
Share on other sites
