Hak5 Forums
Whistle Master

[Official] DNSMasq Spoof


This might be a bone noob question but is it possible to have multiple landing pages for multiple hosts?

I want to use DNSMasq Spoof in an organisation and harvest the credentials from a number of landing pages - can this be done or does the index.php file on the main landing page have to handle this?

TIA

TS

Edited by TimberSweet


@Whistle Master  I have this module working, but when I connect to the management AP and have Evil Portal running, I cannot make it to the WebUI; it takes me straight to the portal, which is awesome for wlan0 but not wlan0-1.  I don't know if it's because both APs are from the same radio or if dnsmasq just broadcasts on all interfaces no matter what.  Any thoughts would be appreciated.   I'm connecting my Android phone to the management AP, and that is when it happens.


Check out the dd-wrt forum; search for 'dnsmasq':

https://www.dd-wrt.com/phpBB2/viewtopic.php?p=1085575&highlight=dnsmasq#1085575

From that post 

Code:
dhcp-option=6,192.168.1.1 
dhcp-option=wl1.1,6,208.67.222.222,208.67.220.220 



The first line forces the DNS to the router's DNSMasq for everyone on all interfaces, which was already in the config. Then the second line specifies a different DNS for that ONE interface to bypass my router's DNSMasq and host-file ad blocking.


Maybe try something like this:

Code:
# default DNS server handed to clients on every interface
dhcp-option=6,172.16.42.42
# dnsmasq sets the receiving interface name as a tag, so this overrides
# option 6 only for clients of the management AP (the Pineapple names it wlan0-1)
dhcp-option=tag:wlan0-1,6,172.42.16.1

I'm not sure what the beginning '6' does. Reading the dnsmasq man page would probably help.


the "6" is (probably) DHCP option 6

This option specifies a list of DNS servers available to the client. The servers SHOULD be listed in order of preference.


you can read about that part of the dhcp protocol here:
www.networksorcery.com/enp/protocol/bootp/option006.htm

  • Upvote 1

On 10/17/2016 at 8:24 PM, Mother said:

Anyone have a write up on how to get DNSMasq to work properly? 

The web interface for the DNSMasq Spoof module is pretty limited compared to what dnsmasq can actually do for you.  As is often the case, graphical interfaces are nice, but the real power is on the command line.

The dnsmasq service is initialized from the script located at /etc/init.d/dnsmasq.  This script points to a config file located at /var/etc/dnsmasq.conf.  That file (dnsmasq.conf) is autogenerated each time dnsmasq starts from the configuration file located at /etc/config/dhcp (so modifying it directly is a no-no).

The script at /etc/init.d/dnsmasq also appends an entry to the /var/etc/dnsmasq.conf file that points to /etc/dnsmasq.conf as an additional configuration file.  This file (/etc/dnsmasq.conf) is one of two that you can safely modify. 

The dnsmasq.conf file is located in /etc/ on the Pineapple.  The last entry in the configuration file is:

 addn-hosts=/pineapple/modules/DNSMasqSpoof/hosts/dnsmasq.hosts

This points to the configuration file that contains the entries you see in the Hosts section on the DNSMasq web interface.  This file is the 2nd one you can safely modify.

The syntax for this file, which you can modify from the DNSMasq Spoof web interface (or from the CLI), is:
<ip_address> <name> <name> <name>

where <ip_address> is the IP address you wish the name(s) to resolve to and where <name> is the exact hostname/FQDN that will be entered by the user.

For example: 

172.16.42.1 starwars.com www.starwars.com ftp.starwars.com

Important note: This file, which you can configure via the DNSMasq Spoof web interface does NOT support wildcards (but there is an alternative ...keep reading) and requires you to enter the exact name(s) you expect the user/system to enter.

Hint: If you are not sure of all the names a user may enter for a certain website, try visiting the real site and see if there is an SSL/TLS certificate.  If there is one, examine the Subject Alt Name section in the certificate Extensions area for a list of other DNS Names 

The DNSMasq Spoof web interface on the Pineapple does not allow you to spoof ANY query for a domain name (i.e. no wildcard support).  In order to have wildcard support, complete the following steps:

  • Stop DNSMasq
  • SSH into the Pineapple
  • Open /etc/dnsmasq.conf using your preferred editor.
  • If desired, additional host entries (that will NOT be visible or configurable from the web interface) can be added to this dnsmasq.conf file.
    • To add a single entry in the dnsmasq.conf file (IPv6 & ttl are optional):
      host-record=<name>,<name>,<name>,<name>,<ipv4>,<ipv6>,<ttl>
    • Example (with no ttl specified):
host-record=appleinsider,www.appleinsider.com,appleinsider.com,172.16.42.1,2002:46a8:d6a3:1::100
  • You can also create a wildcard entry for any specific domain name by adding the following syntax to the /etc/dnsmasq.conf file:
    • address=/.<domain.tld>/<ip_address>
    • Example:
address=/.startrek.com/172.16.42.1
  •  This will resolve ANYTHING that is .startrek.com to 172.16.42.1.  For example:
    • www.startrek.com --> 172.16.42.1
    • ftp.startrek.com --> 172.16.42.1
    • asdf.startrek.com --> 172.16.42.1
    • beep.boop.boop.beep.startrek.com --> 172.16.42.1
    • server1.europe.startrek.com --> 172.16.42.1
  • The ultimate wildcard value: You can also configure dnsmasq to resolve EVERYTHING (literally) to an address by adding the following to /etc/dnsmasq.conf:
    address=/#/172.16.42.1

When making changes to the Hosts section on the DNSMasq Spoof Pineapple page, remember the following:

  1. Each line is an entry
  2. Wildcards (*) are not supported
  3. Separate each value with a space, NOT a comma
  4. Click Save after modifying the Hosts section
  5. The interface offers no validation of the input.  Put your entries in carefully.
  6. You must stop and restart the service after changing the Hosts section.

Other considerations:

 The /etc/dnsmasq.conf file supports many other entries such as email MX records.  Check out the dnsmasq documentation (Google it) for more options.

        Sample MX record:
            mx-host=<domain.tld>,<server_fqdn>,<priority>

 mx-host=example.com,mail.example.com,10

If your target node already has locally cached entries for the Host entries you create they will not be resolved to what you desire until that entry ages out on the local host.

If the target node has entries in its local hosts file they will be used over the entries in DNSMasq.

If you are testing this in a lab environment you can clear resolver caches on different systems as follows:

  • Windows
ipconfig /flushdns
  • Linux - A lot of Linux systems don't cache DNS entries.  But if they do, you have a couple of options depending on the system.  Here are some possibilities:
sudo /etc/init.d/nscd restart
systemctl restart nscd
systemctl restart dnsmasq
rndc flush
  •  MacOS - For all newer versions of MacOS
sudo dscacheutil -flushcache

If HSTS is enabled for a web site and the IP address to which you send the host is not HTTPS, they will not connect (Google, for example). 

Wanna try things out?
A simple captive portal page that I very badly modified from a wifiphisher (or was it fluxion?) sample page can be downloaded here (I was shooting for proof-of-concept rather than convincing and fancy ...don't hate.):

wget http://s3.amazonaws.com/ITdojoClassroomData/landing.tar.gz

Extract these files and place them directly in /www on the Pineapple (NOT in the 'landing' folder).  If desired, you can paste the contents of the index.html file in the Landing Page section of the DNSMasq Spoof page.  This allows you to make modifications to the file from the web interface.  When you save the page in the Landing Page section of the DNSMasq Spoof web page the contents are saved as /www/index.php (which the web server prefers over index.html).  In the fake firmware upgrade page the SSID and PSK values entered are written to a file called wpakeys.txt in the /www/ directory.  The data entered into the index.html file are posted to the firmware.php page which writes them to a text file and then displays a (not very) convincing firmware upgrade progress button.

Hope this helps.

Play nice.

CMW

Edited by cmw
  • Like 1
  • Upvote 1
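The post above describes two files and three kinds of entry (space-separated addn-hosts lines, host-record=, and address=/.domain/ip with address=/#/ip as the catch-all) and warns that the web interface validates nothing. The following Python script is an added example, not code from the thread or from the DNSMasq Spoof module: it parses both files offline, reports the mistakes the interface lets through (commas, '*' wildcards, bad addresses, empty lines), and predicts what dnsmasq would answer for a name, so a typo shows up before you restart the service. The file paths come from the post; the file contents, the 10.99.0.x addresses and the extra corp.startrek.com line (included to show that the longest matching domain wins) are constructed samples.

```python
"""Offline sanity check for WiFi Pineapple DNSMasq Spoof configuration.

Added example, not part of the forum thread or the Hak5 module. Models
dnsmasq's answer order: local hosts / host-record data first, then the most
specific address= domain, with address=/#/ as the lowest-precedence catch-all.
"""
import ipaddress

# Constructed sample of what the module's Hosts section writes to
# /pineapple/modules/DNSMasqSpoof/hosts/dnsmasq.hosts.
# The last two lines are deliberately wrong to exercise the validator.
SAMPLE_HOSTS = """\
172.16.42.1 starwars.com www.starwars.com ftp.starwars.com
10.99.0.5 update.vendor.example
172.16.42.1 *.wookieepedia.com
172.16.42.1 example.com, www.example.com
"""

# Constructed sample of lines added by hand to /etc/dnsmasq.conf.
SAMPLE_CONF = """\
addn-hosts=/pineapple/modules/DNSMasqSpoof/hosts/dnsmasq.hosts
host-record=appleinsider,www.appleinsider.com,appleinsider.com,172.16.42.1,2002:46a8:d6a3:1::100
address=/.startrek.com/172.16.42.1
address=/.corp.startrek.com/10.99.0.9
address=/#/172.16.42.1
mx-host=example.com,mail.example.com,10
"""


def parse_hosts(text):
    """Parse an addn-hosts file. Returns (name -> ip dict, list of error strings)."""
    table, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # hosts files allow '#' comments
        if not line:
            continue
        if "," in line:
            errors.append(f"hosts line {lineno}: separate values with spaces, not commas")
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            errors.append(f"hosts line {lineno}: {ip!r} is not an IP address")
            continue
        if not names:
            errors.append(f"hosts line {lineno}: no hostnames after the address")
            continue
        if any("*" in n for n in names):
            errors.append(f"hosts line {lineno}: wildcards are not supported here; "
                          "use address=/.domain.tld/ip in /etc/dnsmasq.conf")
            continue
        for n in names:
            table[n.lower().rstrip(".")] = ip
    return table, errors


def parse_conf(text):
    """Collect host-record= and address= directives from dnsmasq.conf text.

    Returns (exact: name -> ipv4, wildcards: list of (domain, ip)). A '#'
    domain is dnsmasq's match-everything entry. Other directives are ignored.
    """
    exact, wildcards = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("host-record="):
            names, ipv4 = [], None
            for part in line[len("host-record="):].split(","):
                try:
                    addr = ipaddress.ip_address(part)
                except ValueError:
                    if not part.isdigit():        # a bare integer is the optional TTL
                        names.append(part.lower())
                    continue
                if addr.version == 4:
                    ipv4 = str(addr)
            if ipv4:
                for n in names:
                    exact[n] = ipv4
        elif line.startswith("address="):
            # address=/dom1/dom2/.../ip : the last field is the address
            parts = line[len("address="):].split("/")
            ip = parts[-1]
            for dom in parts[1:-1]:
                wildcards.append((dom.lower().lstrip("."), ip))
    return exact, wildcards


def resolve(name, hosts, exact, wildcards):
    """Predict dnsmasq's A answer for name, or None if it would be forwarded upstream."""
    q = name.lower().rstrip(".")
    if q in hosts:          # addn-hosts entries are answered from local data first
        return hosts[q]
    if q in exact:          # so are host-record entries
        return exact[q]
    best_ip, best_len = None, -1
    for dom, ip in wildcards:
        if dom == "#":
            specificity = 0                      # catch-all loses to any real domain
        elif q == dom or q.endswith("." + dom):
            specificity = len(dom)               # longer suffix = more specific
        else:
            continue
        if specificity > best_len:
            best_ip, best_len = ip, specificity
    return best_ip


if __name__ == "__main__":
    hosts, errors = parse_hosts(SAMPLE_HOSTS)
    exact, wildcards = parse_conf(SAMPLE_CONF)
    for e in errors:
        print("ERROR:", e)
    for q in ("www.starwars.com", "update.vendor.example", "appleinsider",
              "beep.boop.boop.beep.startrek.com", "vpn.corp.startrek.com", "www.google.com"):
        print(f"{q:35} -> {resolve(q, hosts, exact, wildcards)}")
```

To run it against a real Pineapple, scp the two files off the device and feed their contents to parse_hosts and parse_conf in place of the constructed samples. A result of None for a name means dnsmasq would forward the query upstream, which is exactly the case the catch-all address=/#/ line removes.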


Very useful, thank you. I wanted to follow your example but got stuck at the download

6 hours ago, cmw said:

I am getting: -

HTTP request sent, awaiting response... 403 Forbidden
2017-09-19 22:17:30 ERROR 403: Forbidden.

Just me?

Edited by Just_a_User

34 minutes ago, Just_a_User said:

Very useful, thank you for the input. I wanted to follow your example but got to here: -

But am getting: -

HTTP request sent, awaiting response... 403 Forbidden
2017-09-19 22:17:30 ERROR 403: Forbidden.

Fixed.  Try again.

  • Like 1


cmw steps up and belts it out of the park.

If this level of 'offering' were fed to us for other modules... yes, it's hand holding, but for the information provided, I for one absorb information better when I can deconstruct a situation.  I love the content here, as everyone is civil and concise.

thank you cmw for your time and energy spent sharing.
