Jump to content

DNSSpoof Switch2 Working?


funnybunny
 Share

Recommended Posts

wanted to determine if anyone else is having issue with switch2 DNSSpoof of the packet squirrel (PS)

firmware v1.2 reloaded twice

default switch2\payload.sh

modified switch2\spoofhost with address=/www.cnn.com/www.foxnews.com

i have got both switch1 TCPDump and switch3 OpenVPN to work flawlessly

switch2 the client computer connected to the PS does not receive an IP therefore is not able to surf the internet for spoofing to even be a problem

when connected to the same client computer switch1 receives an IP and records network traffic and the client computer is able to browse the internet

when connected to the same client computer switch3 receives an IP, starts OpenVPN connection to seedbox, seedbox tun0 active and SSH back through the tunnel is successful to the PS

i understand the DNSSpoof switch2 being more just a trickery option and more than likely something not used in the wild except for screwing with friends

point being i'm wondering if something wrong with my PS

Link to comment
Share on other sites

Why would something be wrong with it if everything else is working fine?

AFAIK you cannot redirect a domain to another domain, it has to be a domain to an IP.

Try doing something like this and then pinging the FQDN from the client:

address=/packetsquirrel/172.16.32.1
address=/packetsquirrel.com/172.16.32.1

# Then ping..
ping packetsquirrel
ping packetsquirrel.com

You could do further testing with a webserver running on the Packet Squirrel as well.

Or do an nslookup or similar.

Link to comment
Share on other sites

Ah maybe I'm not clear on the use of dnsspoof. Appears that is only going to redirect traffic to the PS. In your example when someone want to go to <ps>.com it will send it to the PS IP 172.16.32 1 assuming there will be a fake site there?

My issue involves more the fact that I'm not getting an IP from DHCP therefore the client is not able to surf the internet. Works on the tcpdump and openvpn switches and gets an IP so not quite sure why it's not working. Tried on Windows and Linux

Edited by funnybunny
Link to comment
Share on other sites

You (as a person using a client computer, 'victim') or the PS is not getting an IP from DHCP?

If you want the PS to have an IP from DHCP you need to set it to BRIDGE mode, which will give the PS and the client computer ('victim') an IP from the host network plugged into the PS.

NAT mode means the PS hosts a network, giving the client computer an IP in the range 172.16.32.100+, and has the IP 172.16.32.1.

Link to comment
Share on other sites

  • 2 weeks later...

OK so modified the spoofhost (2.19.81.119 whitehouse.gov)

address=/cnn.com/2.19.81.119
address=/www.cnn.com/2.19.81.119
address=/foxnews.com/2.19.81.119
address=/www.foxnews.com/2.19.81.119

the DHCP works now and the PS receives an IP

ping www.cnn.com reports 2.19.81.119

ping www.foxnews.com reports 2.19.81.119

nslookup www.cnn.com reports 2.19.81.119

nslookup www.foxnews.com reports 2.19.81.119

use firefox to browse cnn.com or www.cnn.com it results in a "invalid URL" page

use firefox to browse foxnews.com or www.foxnews.com it actually goes to the correct web page

my understanding is that going to cnn.com on a machine behind the PS should go to the web page 2.19.81.119 whitehouse.gov but it does not

same with foxnews.com

Link to comment
Share on other sites

My understanding is that since there are a limited number of IPs, web hosting providers have to host multiple websites on a single IP. It could be that the IP you're accessing doesn't know which website to route you to. I could definitely be wrong, though. I don't fully understand how it works.

They may even use different ports for each website and redirect you to a port depending on what website you asked for, which would mean that when you redirect those domains to that IP it's trying to resolve to the same ports as the actual website and they don't exist on that IP.

I don't know. :) I'm just speculating. Maybe one of my many theories are right, maybe not. I'm sure a quick Google will resolve what you're after.

Here's one answer: https://serverfault.com/questions/106882/how-do-you-have-one-ip-address-and-many-websites

Just Google "host multiple websites on one IP", should be enough answers to get a better understanding.

Edited by Dave-ee Jones
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...