
[Official] DNSMasq Spoof


This might be a bone noob question but is it possible to have multiple landing pages for multiple hosts?

I want to use DNSMasq Spoof in an organisation and harvest the credentials from a number of landing pages - can this be done or does the index.php file on the main landing page have to handle this?

TIA

TS


  • 7 months later...

@Whistle Master  I have this module working, but when I connect to the management AP and have Evil Portal running, I cannot make it to the WEBUI, it takes me straight to the portal which is awesome for wlan0 but not wlan0-1.  I don't know if it's because both APs are from the same radio or if DNSmasq just broadcasts on all interfaces no matter what.  Any thoughts would be appreciated.   I'm connecting my android phone to the Management AP and that is when it happens.


Check out the dd-wrt forum, searching for 'dnsmasq':

https://www.dd-wrt.com/phpBB2/viewtopic.php?p=1085575&highlight=dnsmasq#1085575

From that post:

Code:
dhcp-option=6,192.168.1.1
dhcp-option=wl1.1,6,208.67.222.222,208.67.220.220

The first line forces the DNS to the router's DNSMasq for everyone on all interfaces, which was already in the config. Then the second line specifies a different DNS for that ONE interface to bypass my router's DNSMasq and host-file ad blocking.


Maybe try something like this:

Code:
dhcp-option=6,172.16.42.42
# dnsmasq tags each DHCP client with its interface name, so this line sets option 6 (DNS server) only for clients on wlan0-1
dhcp-option=tag:wlan0-1,6,172.42.16.1

I'm not sure what the beginning '6' does. Reading the DNSMasq Man page would probably help.


  • 2 months later...
On 10/17/2016 at 8:24 PM, Mother said:

Anyone have a write up on how to get DNSMasq to work properly? 

The web interface for the DNSMasq Spoof module is pretty limited compared to what dnsmasq can actually do for you.  As is often the case, graphical interfaces are nice but the real power is on the command line. 

The dnsmasq service is initialized from the script located at /etc/init.d/dnsmasq.  This script points to a config file located at /var/etc/dnsmasq.conf.  That file (dnsmasq.conf) is autogenerated each time dnsmasq starts by the configuration file located at /etc/config/dhcp (so modifying it is a no-no).

The script at /etc/init.d/dnsmasq also appends an entry to the /var/etc/dnsmasq.conf file that points to /etc/dnsmasq.conf as an additional configuration file.  This file (/etc/dnsmasq.conf) is one of two that you can safely modify. 

The dnsmasq.conf file is located in /etc/ on the Pineapple.  The last entry in the configuration file is:

addn-hosts=/pineapple/modules/DNSMasqSpoof/hosts/dnsmasq.hosts

This points to the configuration file that contains the entries you see in the Hosts section on the DNSMasq web interface.  This file is the 2nd one you can safely modify.

The syntax for this file, which you can modify from the DNSMasq Spoof web interface (or from the CLI), is:
<ip_address> <name> <name> <name>

where <ip_address> is the IP address you wish the name(s) to resolve to and where <name> is the exact hostname/FQDN that will be entered by the user.

For example: 

172.16.42.1 starwars.com www.starwars.com ftp.starwars.com

Important note: This file, which you can configure via the DNSMasq Spoof web interface does NOT support wildcards (but there is an alternative ...keep reading) and requires you to enter the exact name(s) you expect the user/system to enter.

Hint: If you are not sure of all the names a user may enter for a certain website, try visiting the real site and see if there is an SSL/TLS certificate.  If there is one, examine the Subject Alt Name section in the certificate Extensions area for a list of other DNS Names 

The DNSMasq Spoof web interface on the Pineapple does not allow you to spoof ANY query for a domain name (i.e. no wildcard support).  In order to have wildcard support, complete the following steps:

  • Stop DNSMasq
  • SSH into the Pineapple
  • Open /etc/dnsmasq.conf using your preferred editor.
  • If desired, additional host entries (that will NOT be visible or configurable from the web interface) can be added to this dnsmasq.conf file:
    • To add a single entry in the dnsmasq.conf file (IPv6 & ttl are optional):
      host-record=<name>,<name>,<name>,<name>,<ipv4>,<ipv6>,<ttl>
    • Example (with no ttl specified):
      host-record=appleinsider,www.appleinsider.com,appleinsider.com,172.16.42.1,2002:46a8:d6a3:1::100
  • You can also create a wildcard entry for any specific domain name by adding the following syntax to the /etc/dnsmasq.conf file:
    • address=/.<domain.tld>/<ip_address>
    • Example:
      address=/.startrek.com/172.16.42.1
  • This will resolve ANYTHING that is .startrek.com to 172.16.42.1.  For example:
    • www.startrek.com --> 172.16.42.1
    • ftp.startrek.com --> 172.16.42.1
    • asdf.startrek.com --> 172.16.42.1
    • beep.boop.boop.beep.startrek.com --> 172.16.42.1
    • server1.europe.startrek.com --> 172.16.42.1
  • The ultimate wildcard value: You can also configure dnsmasq to resolve EVERYTHING (literally) to an address by adding the following to /etc/dnsmasq.conf:
      address=/#/172.16.42.1

When making changes to the Hosts section on the DNSMasq Spoof Pineapple page, remember the following:

  1. Each line is an entry
  2. Wildcards (*) are not supported
  3. Separate each value with a space, NOT a comma
  4. Click Save after modifying the Hosts section
  5. The interface offers no validation of the input.  Put your entries in carefully.
  6. You must stop and restart the service after changing the Hosts section.

Other considerations:

The /etc/dnsmasq.conf file supports many other entries such as email MX records.  Check out the dnsmasq documentation (Google it) for more options.

Sample MX record:
    mx-host=<domain.tld>,<server_fqdn>,<priority>

    mx-host=example.com,mail.example.com,10

If your target node already has locally cached entries for the Host entries you create they will not be resolved to what you desire until that entry ages out on the local host.

If the target node has entries in its local hosts file they will be used over the entries in DNSMasq.

If you are testing this in a lab environment you can clear resolver caches on different systems as follows:

  • Windows
      ipconfig /flushdns
  • Linux - A lot of Linux systems don't cache DNS entries.  But if they do, you have a couple of options depending on the system.  Here are some possibilities:
      sudo /etc/init.d/nscd restart
      systemctl restart nscd
      systemctl restart dnsmasq
      sudo rndc flush
  • MacOS - For all newer versions of MacOS
      sudo dscacheutil -flushcache

If HSTS is enabled for a web site and the IP address to which you send the host is not HTTPS, they will not connect (Google, for example). 

Wanna try things out?
A simple captive portal page that I very badly modified from a wifiphisher (or was it fluxion?) sample page can be downloaded here (I was shooting for proof-of-concept rather than convincing and fancy ...don't hate.):

wget http://s3.amazonaws.com/ITdojoClassroomData/landing.tar.gz

Extract these files and place them directly in /www on the Pineapple (NOT in the 'landing' folder).  If desired, you can paste the contents of the index.html file in the Landing Page section of the DNSMasq Spoof page.  This allows you to make modifications to the file from the web interface.  When you save the page in the Landing Page section of the DNSMasq Spoof web page the contents are saved as /www/index.php (which the web server prefers over index.html).  In the fake firmware upgrade page the SSID and PSK values entered are written to a file called wpakeys.txt in the /www/ directory.  The data entered into the index.html file are posted to the firmware.php page which writes them to a text file and then displays a (not very) convincing firmware upgrade progress button.

Hope this helps.

Play nice.

CMW

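The three kinds of entry cmw describes above (lines in the addn-hosts file, host-record= and address=/domain/ip in /etc/dnsmasq.conf) are modelled in the following added Python example, which is not code from the Pineapple, the DNSMasq Spoof module or dnsmasq itself. It validates entries the way the web interface does not (commas instead of spaces, '*' used as a wildcard, malformed addresses) and shows which names each kind of entry answers, so a lab configuration can be checked before the service is restarted. The lookup order it uses (exact hosts entries first, then the most specific address= domain, then '#') and its treatment of '/.domain/' and '/domain/' as equivalent are assumptions of the model; confirm them against the dnsmasq man page for the version on your device.

```python
"""Model of how the dnsmasq entries discussed in this thread answer queries.

Added example, not Pineapple, DNSMasq Spoof or dnsmasq code.  Lookup order
(hosts entries, then the most specific address= domain, then '#') and the
equal treatment of '/.domain/' and '/domain/' are assumptions of this model.
"""
import ipaddress
import re

# One DNS label per component, no leading/trailing hyphen, 63 chars max.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def valid_hostname(name):
    return bool(HOSTNAME_RE.match(name))


def parse_ip(text):
    """Return the normalised address, or None if text is not IPv4/IPv6."""
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None


class SpoofModel:
    def __init__(self):
        self.hosts = {}        # exact lowercase name -> [addresses]
        self.wild = {}         # domain -> address, from address=/domain/ip
        self.catch_all = None  # address from address=/#/ip
        self.problems = []     # validation messages the web UI would not give

    def add_hosts_line(self, line, lineno=0):
        """One line of the addn-hosts file: <ip> <name> <name> ..."""
        line = line.split("#", 1)[0].strip()
        if not line:
            return
        if "," in line:
            self.problems.append(f"hosts line {lineno}: use spaces, not commas")
            return
        parts = line.split()
        ip = parse_ip(parts[0])
        if ip is None or len(parts) < 2:
            self.problems.append(f"hosts line {lineno}: expected <ip> <name> ...")
            return
        for name in parts[1:]:
            if "*" in name:
                self.problems.append(f"hosts line {lineno}: '*' is not a wildcard "
                                     "here; use address=/.domain/ip in dnsmasq.conf")
            elif not valid_hostname(name):
                self.problems.append(f"hosts line {lineno}: bad name {name!r}")
            else:
                self.hosts.setdefault(name.lower(), []).append(ip)

    def add_conf_line(self, line, lineno=0):
        """One /etc/dnsmasq.conf line; only host-record and address are modelled."""
        line = line.strip()
        if not line or line.startswith("#"):
            return
        key, _, val = line.partition("=")
        if key == "address":
            m = re.fullmatch(r"/([^/]+)/(.+)", val)
            ip = parse_ip(m.group(2)) if m else None
            if ip is None:
                self.problems.append(f"conf line {lineno}: expected address=/domain/ip")
                return
            domain = m.group(1)
            if domain == "#":
                self.catch_all = ip
                return
            domain = domain.lstrip(".").lower()  # assumption: leading dot optional
            if not valid_hostname(domain):
                self.problems.append(f"conf line {lineno}: bad domain {domain!r}")
                return
            self.wild[domain] = ip
        elif key == "host-record":
            names, ips = [], []
            for field in (f.strip() for f in val.split(",")):
                ip = parse_ip(field)
                if ip is not None:
                    ips.append(ip)
                elif field.isdigit():
                    pass                       # optional TTL, not modelled
                elif valid_hostname(field):
                    names.append(field.lower())
                else:
                    self.problems.append(f"conf line {lineno}: bad field {field!r}")
                    return
            if not names or not ips:
                self.problems.append(f"conf line {lineno}: host-record needs a name and an address")
                return
            for name in names:
                self.hosts.setdefault(name, []).extend(ips)
        # other options (mx-host, dhcp-option, ...) are accepted but not modelled

    def resolve(self, qname):
        """Addresses dnsmasq would answer with; [] means forwarded upstream."""
        q = qname.lower().rstrip(".")
        if q in self.hosts:
            return list(self.hosts[q])
        best = None
        for domain, ip in self.wild.items():
            if (q == domain or q.endswith("." + domain)) and (
                    best is None or len(domain) > len(best[0])):
                best = (domain, ip)
        if best:
            return [best[1]]
        return [self.catch_all] if self.catch_all else []


def build_model(hosts_text, conf_text):
    model = SpoofModel()
    for n, line in enumerate(hosts_text.splitlines(), 1):
        model.add_hosts_line(line, n)
    for n, line in enumerate(conf_text.splitlines(), 1):
        model.add_conf_line(line, n)
    return model


# Constructed sample input: the entries quoted in the post above plus two
# hosts lines showing mistakes the web interface will silently accept.
SAMPLE_HOSTS = """\
172.16.42.1 starwars.com www.starwars.com ftp.starwars.com
172.16.42.1 *.starwars.com
172.16.42.1, example.org
"""
SAMPLE_CONF = """\
host-record=appleinsider,www.appleinsider.com,appleinsider.com,172.16.42.1,2002:46a8:d6a3:1::100
address=/.startrek.com/172.16.42.1
"""

if __name__ == "__main__":
    m = build_model(SAMPLE_HOSTS, SAMPLE_CONF)
    for name in ("www.starwars.com", "mail.starwars.com",
                 "beep.boop.boop.beep.startrek.com", "www.appleinsider.com"):
        print(f"{name:35} -> {m.resolve(name) or 'forwarded upstream'}")
    for p in m.problems:
        print("PROBLEM:", p)
```

Running it with the constructed sample shows mail.starwars.com being forwarded upstream (it is not listed and there is no address= entry for starwars.com), which is the behaviour behind the post's advice to collect every name from the certificate's Subject Alternative Name list, and it reports the '*' and comma lines the interface would have saved without complaint.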

Very useful, thank you. I wanted to follow your example but got stuck at the download

6 hours ago, cmw said:

I am getting: -

HTTP request sent, awaiting response... 403 Forbidden
2017-09-19 22:17:30 ERROR 403: Forbidden.

Just me?


34 minutes ago, Just_a_User said:

Very useful, thank you for the input. I wanted to follow your example but got to here: -

But am getting: -

HTTP request sent, awaiting response... 403 Forbidden
2017-09-19 22:17:30 ERROR 403: Forbidden.

Fixed.  Try again.


  • 3 weeks later...

cmw steps up and belts it out of the park.

If this level of ‘offering’ were fed to us for other modules; yes, it’s hand holding but for the information provided. I for one better absorb information when I can deconstruct a situation.  I love content here as everyone is civil and concise.

thank you cmw for your time and energy spent sharing.


  • 1 month later...

Question,

Let's say I have the following config in dnsmasq spoof...

172.16.42.42    facebook.com

(Site cloned using httrack, served via Simple HTTP Server)

anyway, once the victim enters their email & password, how will I be able to capture/show the creds entered?

I tried DWall and SSLSplit, no luck. I'd appreciate if someone could provide insight.

Thanks!


5 hours ago, jtkrl said:

Question,

Let's say I have the following config in dnsmasq spoof...

172.16.42.42    facebook.com

(Site cloned using httrack, served via Simple HTTP Server)

anyway, once the victim enters their email & password, how will I be able to capture/show the creds entered?

I tried DWall and SSLSplit, no luck. I'd appreciate if someone could provide insight.

Thanks!

Use Evil Portal.  That's what it's made for.


On 11/29/2017 at 6:30 AM, b0N3z said:

Use Evil Portal.  That's what it's made for.

I already have an EvilPortal (fake starbucks wifi). I'm using DNSMasq Spoof to serve a fake banking website (to show impact) and I want to capture credentials entered there. Is there a way without using burpsuite?


Btw, I already resolved this issue by using credential harvester from setoolkit. Now I'm facing another issue where DNSMasq Spoof doesn't want to cooperate when I set up my lab again today. I swear it was working last night. >_>


How come DNSMasq Spoof doesn't always work?

I have restarted the module and reentered the IP and URLs, but when I type that specific URL in the Victim-PC, I still don't get a redirect. So now I'm cheating by modifying the host file on the victim PC. How do I fix this?


  • 4 months later...

Hi guys, I've literally tried everything and just about pulled my hair out. I need help with DNSMasq. I've read so many posts to try and get this to work, but it won't redirect to the site. I'll put 172.16.42.1 example.com in the file, then I connect to the Access Point and go to example.com, and it brings me to the real site. I've also tried just DNSSpoof and that doesn't work either. But if I use Captive Portal it redirects, so I don't understand what I'm doing wrong here. Any feedback helps so I don't pull out more of my hair, thanks.


  • 9 months later...

Hello,

on a WiFi Pineapple TETRA with firmware 2.4.2 DNSMasq Spoof works for me. DNSspoof doesn't. Where is the difference between them?

And is there a way to make DNSMasq Spoof work for HTTPS requests? For these requests I currently receive an error in the client web browser. 

Thanks.


Archived

This topic is now archived and is closed to further replies.
