Knowing which domains are being requested, means you knowing on which web pages the sensible information is on (e.g. what content is from interest, credentials, etc.). It can also be used for further attacks.
The aim is to analyze the DNS queries from connected STA's and DNS forwards + DNS cache, so that you know which domains get requested.
You should already have read (and successful carried out) the following tutorials.
- Setup Raspberry PI
- Prepare Raspberry PI
- Wi-Fi Analysis
- Wi-Fi Jamming
- Simple Access Point
- STA Enumeration
Install (or ensure they are installed) following packages.
# update system (optional)
$ sudo apt update -y && sudo apt upgrade -y
# install needed packages
$ sudo apt install -y vim tcpdumpAs in a previous tutorial Wi-Fi Analysis, you can use tcpdump to analyze the current DNS traffic.
# show DNS traffic for interface wlan0
$ sudo tcpdump -i wlan0 -nn -l udp port 53
# show DNS traffic for interface wlan1
$ sudo tcpdump -i wlan1 -nn -l udp port 53With the help of grep and other Linux standard tools, a more precise filtering is possible.
I hope you remember when and where you configure the DNS log files! The answer is, you did it in the file /etc/dnsmasq.conf.
$ sudo grep "log" /etc/dnsmasq.conf
# Enable logging
log-queries
log-dhcp
log-facility=/tmp/dnsmasq.logWith "vim", "cat", "less", "tail" (as well as many other tools) you can view and evaluate the log file.
# show full content
$ sudo cat /tmp/dnsmasq.log
# show last 10 lines (and follow)
$ sudo tail -f /tmp/dnsmasq.logHowever, this is a bit cumbersome (depending on the size of the log file) and can also be made much easier.
# create new awk file
$ vim dnsmasq.awkThe content of dnsmasq.awk.
( $4 ~ /dnsmasq\[[0-9]+\]:/ ) {
if ( $5 == "query[A]") {
query[$6]++;
} else {
if ( $5 == "forwarded" )
forwarded[$6]++;
else
if ( $5 == "cached" )
cached[$6]++;
}
}
END {
queries=0;
qforwarded=0
qacache=0
printf " %40s | nb | forwarded | answered from cache \n", "name";
for (name in query) {
printf "%s%40s | %9d | %9d | %9d\n", \
( forwarded[name] > query[name] ? "*" : " "), \
name, \
query[name], \
forwarded[name], \
cached[name];
queries += query[name];
qforwarded += forwarded[name];
qacache += cached[name];
}
printf " %40s | %9d | %9d | %9d\n", "total:", queries, qforwarded, qacache;
}Run dnsmasq.awk script.
# execute awk script
$ sudo awk -f dnsmasq.awk /tmp/dnsmasq.log
name | nb | forwarded | answered from cache
* configuration.apple.com.akadns.net | 1 | 2 | 0
* dpm.demdex.net | 1 | 2 | 0
* static.zdassets.com | 1 | 2 | 0
* 2.debian.pool.ntp.org | 1 | 2 | 0
* fbsbx.com | 1 | 2 | 0
...
# execute awk script (and pipe through less)
$ sudo awk -f dnsmasq.awk /tmp/dnsmasq.log | less