Since Dnsmasq is already running on the Raspberry Pi, it is very easy to redirect (unprotected or poorly configured) STAs to the wrong IPs. From the earlier DNS and HTTP(S) analyses you also already know which domains the clients are accessing.
The aim of this tutorial is to quickly set up a simple DNS redirection.
You should already have read (and successfully carried out) the following tutorials.
- Setup Raspberry PI
- Prepare Raspberry PI
- Wi-Fi Analysis
- Wi-Fi Jamming
- Simple Access Point
- STA Enumeration
- DNS Analysis
- HTTP Analysis
- HTTPS Analysis
Install (or make sure they are installed) the following packages.
# update system (optional)
$ sudo apt update -y && sudo apt upgrade -y
# install optional packages (optional)
$ sudo apt install -y vim
# install needed packages
$ sudo apt install -y lighttpd
Note: You could also use any other well-known web server (Apache, Nginx, etc.) or a built-in web server (Python, PHP, etc.).
In case you have the NoDogSplash service running, I recommend stopping it (for now).
# stop nodogsplash service
$ sudo systemctl stop nodogsplash.service
After successful installation the web server is already started, and you can visit the "Placeholder page" with your browser via http://raspberrypi.local or http://<ip>. But you should re-configure some default settings first.
# show lighttpd.conf (optional)
$ sudo cat /etc/lighttpd/lighttpd.conf
# show placeholder page (optional)
$ sudo cat /var/www/html/index.lighttpd.html
# list directories (optional)
$ sudo ls -la /var/www/
# show group file (optional)
$ sudo cat /etc/group | grep 'www-data'
# show passwd file (optional)
$ sudo cat /etc/passwd | grep 'www-data'
# change file owner and group recursive
$ sudo chown -R www-data:www-data /var/www/html
# add pi user to group www-data
$ sudo usermod -G www-data -a pi
# change permissions recursive
$ sudo chmod -R 775 /var/www/html
# reload lighttpd
$ sudo service lighttpd force-reload
# create index.html
$ vim /var/www/html/index.html
The content of /var/www/html/index.html.
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Fake Page</title>
</head>
<body>
<div>
<p>Fake page...</p>
</div>
</body>
</html>
Open http://raspberrypi.local again in your browser; you should now see the content of index.html.
There are various options with Dnsmasq to redirect DNS requests. The simplest one is via /etc/hosts, but you first have to check that Dnsmasq actually reads this file: look at /etc/dnsmasq.conf, because if the no-hosts option is set (not commented out), Dnsmasq ignores /etc/hosts.
# do not read hosts file (optional)
# no-hosts
Add another entry into /etc/hosts.
# modify hosts file
$ sudo vim /etc/hosts
Example entry.
192.168.0.1 example.com
Note: If you have already looked up the domain, you now have to wait a little or clear the DNS cache. Otherwise, the real website will still be displayed!
Another way to do this with Dnsmasq is as follows.
# modify dnsmasq configuration
$ sudo vim /etc/dnsmasq.conf
# add spoof.hosts file
$ sudo vim /etc/dnsmasq.d/spoof.hosts
# restart dnsmasq service
$ sudo systemctl restart dnsmasq
Add the following line to the /etc/dnsmasq.conf configuration file.
addn-hosts=/etc/dnsmasq.d/spoof.hosts
Add the following line to the /etc/dnsmasq.d/spoof.hosts file. It uses the same format as /etc/hosts.
192.168.0.1 www.example.com example.com
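Both methods above rely on the same hosts-file format (/etc/hosts or an addn-hosts file), so a defender who suspects a resolver has been tampered with can audit exactly these files. The following is an added example, not part of the original tutorial: it parses hosts-format text and flags public-looking hostnames that are pinned to non-global addresses (private, loopback or link-local), which is what both entries shown in this tutorial look like. The sample input is constructed here and mixes the tutorial's entries with ordinary Raspberry Pi OS entries; the list of local names and suffixes is an assumption you would adapt to your own network.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample in /etc/hosts format (the same format dnsmasq's addn-hosts uses).
# Mixes normal Raspberry Pi OS entries with the two override lines from this tutorial.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
127.0.1.1       raspberrypi
# comment line
192.168.0.1     www.example.com example.com   # trailing comment
10.0.0.5        intranet.local
"""

# Assumption: names that legitimately map to loopback/private addresses on this host.
LOCAL_NAMES = {"localhost", "ip6-localhost", "ip6-loopback", "raspberrypi"}
# Assumption: suffixes used for local-only names (.local per mDNS, .home.arpa per RFC 8375).
LOCAL_SUFFIXES = (".local", ".home.arpa", ".lan", ".internal")


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Parse hosts-file text into (address, [hostnames]) pairs.

    Comments (from '#' to end of line) and blank lines are ignored, as in /etc/hosts.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def is_local_name(name: str) -> bool:
    """True for names expected to resolve to local addresses: known local names,
    local-only suffixes, or single-label names without a dot."""
    n = name.lower().rstrip(".")
    return n in LOCAL_NAMES or n.endswith(LOCAL_SUFFIXES) or "." not in n


def find_overrides(text: str) -> List[Tuple[str, str]]:
    """Return (hostname, address) pairs where a public-looking name is pinned to a
    non-global address. Such entries make the resolver answer for domains it does
    not own, which is the redirection this tutorial sets up."""
    findings = []
    for addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # not an IP literal; skip the line
        if ip.is_global:
            continue  # a public address is not a redirection into the local network
        for name in names:
            if not is_local_name(name):
                findings.append((name, addr))
    return findings


if __name__ == "__main__":
    for host, addr in find_overrides(SAMPLE_HOSTS):
        print(f"suspicious override: {host} -> {addr}")
```

On a real system you would feed it the contents of /etc/hosts and every file named by an addn-hosts line in /etc/dnsmasq.conf or /etc/dnsmasq.d/; the two tutorial entries are reported, while localhost, raspberrypi and intranet.local are not.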
Note: Dnsmasq offers some more possibilities for this; see its documentation.
If the STA uses Domain Name System Security Extensions (DNSSEC) or a VPN, this attack will not work!