
[CLOSED] DNS spoofing to captive portal on non-internet connected networks #291

oti-tech opened this issue Jun 18, 2014 · 13 comments

@oti-tech

Issue by dismantl
Wednesday Jun 12, 2013 at 22:49 GMT
Originally opened as opentechinstitute/luci-commotion-splash#1

To test:

  1. Install this version of commotion-splash on a router (using this Makefile: https://github.com/opentechinstitute/commotion-splash/blob/dns-spoof/openwrt/Makefile)
  2. Bring up a node as an internet gateway (and with this version of commotion-splash, obvio), and connect to it. Open a browser and go to any page; it should captive-portal you.
  3. Run "dig commotionwireless.net" from your computer; it should give you our server's IP address: 209.66.96.69.
  4. Now unplug the ethernet connection to the router's PoE jack, so it is no longer connected to the upstream gateway.
  5. Open another browser, and go to redemmas.org. You should still get captive-portaled.
  6. To double-check, run "dig indyreader.org" from your computer, and it should give you 1.2.3.4 as the IP address. Shazam!

dismantl included the following code: https://github.com/opentechinstitute/luci-commotion-splash/pull/1/commits

@oti-tech

Comment by areynold
Wednesday Jul 03, 2013 at 19:52 GMT

Note: Linked Makefile should use PKG_VERSION:=dns-spoof for testing.

@oti-tech

Comment by areynold
Wednesday Jul 10, 2013 at 17:26 GMT

Could not reproduce steps 5 or 6.

@oti-tech

Comment by dismantl
Wednesday Jul 10, 2013 at 17:54 GMT

Did you accept the captive portal in step 2? If so, you'll need to deauth your MAC or IP address from nodogsplash using the 'ndsctl deauth ' command. Then try step 5 again.

@oti-tech

Comment by dismantl
Wednesday Jul 10, 2013 at 17:56 GMT

Also, make sure /etc/init.d/nodogsplash and /etc/init.d/dnsmasq both got patched correctly. You can also make sure there are two instances of dnsmasq running with 'ps w'; one instance should be "/usr/sbin/dnsmasq -p 5353 --address=/#/1.2.3.4".

@oti-tech

Comment by areynold
Wednesday Jul 10, 2013 at 18:07 GMT

I did not accept the captive portal.
I do see an instance of "/usr/sbin/dnsmasq -p 5353 --address=/#/1.2.3.4"

A bit more on the behavior. When I disconnect the node from the gateway I get a standard network timeout, not captive portal. If I then reconnect to the gateway long enough to be captured, then disconnect before running dig, some hostnames are resolved correctly (i.e., their actual IP addresses) while others time out.

@oti-tech

Comment by dismantl
Wednesday Jul 10, 2013 at 18:16 GMT

Can you give the output of 'ps w | grep dnsmasq'?

Instead of going to redemmas.org in step 5, go to any other non-HTTPS website that you haven't visited before. This is to make sure you aren't going to a domain whose DNS resolution has been cached by the browser.

@oti-tech

Comment by areynold
Wednesday Jul 10, 2013 at 18:19 GMT

2814 nobody 952 S /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf --server=/#8.8.8.8 --server=/#/192.168.13.84#5353
2888 nobody 944 S /usr/sbin/dnsmasq -p 5353 --address=/#/1.2.3.4

I tried a variety of new sites, all non-SSL. I've tried restarting the browser, restarting the test client, and flushing the local DNS cache.

@oti-tech

Comment by dismantl
Wednesday Jul 10, 2013 at 18:32 GMT

Hmm, that should work. Basically, instance #1 of dnsmasq will fall back on 192.168.13.84 port 5353 as the DNS server if it fails to resolve a domain with 8.8.8.8.

At step 5, can you run dig with a domain you haven't gone to before, and post the output? And it would be worth seeing if dig is available on the router as well, and trying a lookup on the node itself, to see if it falls back to the local dns resolver on port 5353.

@oti-tech

Comment by dismantl
Wednesday Jul 10, 2013 at 18:36 GMT

Oh crap, I just noticed something:

2814 nobody 952 S /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf --server=/#8.8.8.8 --server=/#/192.168.13.84#5353

There is a missing '/' before 8.8.8.8. Can you kill that process and restart it with the slash?
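A way to check pasted 'ps w' lines like the ones above mechanically, as an added example that is not code from commotion-splash or from anyone in this thread: it parses dnsmasq's '-p', '--server=[/domain/]host[#port]' and '--address=/domain/ip' options, reports a domain part that is not closed by a second slash (the '/#8.8.8.8' form), and confirms that the wildcard upstream of the first instance points at the port the second instance listens on, the one that answers every name with 1.2.3.4. The sample text is copied from the 'ps w' output earlier in this thread; all function, class and field names are this example's own. It validates syntax and wiring only; whether dnsmasq really fails over when 8.8.8.8 is unreachable is a separate question, so a "wired" result is not proof the portal works offline.

```python
"""Audit dnsmasq command lines from 'ps w' output (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Sample input, copied from the 'ps w' lines pasted in this thread
# (the first --server value carries the missing-slash typo).
SAMPLE_PS = """\
2814 nobody 952 S /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf --server=/#8.8.8.8 --server=/#/192.168.13.84#5353
2888 nobody 944 S /usr/sbin/dnsmasq -p 5353 --address=/#/1.2.3.4
"""


@dataclass(frozen=True)
class Upstream:
    domain: str          # "#" is dnsmasq's wildcard: match every name
    host: str
    port: int = 53


@dataclass
class Instance:
    pid: int
    listen_port: int = 53
    upstreams: List[Upstream] = field(default_factory=list)
    overrides: Dict[str, str] = field(default_factory=dict)  # domain -> fixed answer
    problems: List[str] = field(default_factory=list)


def split_domain(value: str) -> Tuple[str, str]:
    """Split '/domain/rest' into (domain, rest); a bare value has domain ''.
    The domain must be closed by a second '/', which is what '/#8.8.8.8' lacks."""
    if not value.startswith("/"):
        return "", value
    close = value.find("/", 1)
    if close == -1:
        raise ValueError(f"domain part of {value!r} is not closed with '/'")
    return value[1:close], value[close + 1:]


def parse_server(value: str) -> Upstream:
    """Parse a --server value of the form [/domain/]host[#port]."""
    domain, rest = split_domain(value)
    host, _, port = rest.partition("#")
    if not host:
        raise ValueError(f"no upstream host in {value!r}")
    return Upstream(domain, host, int(port) if port else 53)


def parse_address(value: str) -> Tuple[str, str]:
    """Parse an --address value of the form /domain/ip (fixed answer for domain)."""
    domain, answer = split_domain(value)
    if not domain or not answer:
        raise ValueError(f"--address needs /domain/ip, got {value!r}")
    return domain, answer


def parse_instance(pid: int, argv: List[str]) -> Instance:
    """Collect listen port, upstreams and overrides from one dnsmasq argv."""
    inst = Instance(pid)
    i = 0
    while i < len(argv):
        arg = argv[i]
        try:
            if arg == "-p":                      # port this instance listens on
                inst.listen_port = int(argv[i + 1])
                i += 1
            elif arg.startswith("--server="):
                inst.upstreams.append(parse_server(arg[len("--server="):]))
            elif arg.startswith("--address="):
                domain, answer = parse_address(arg[len("--address="):])
                inst.overrides[domain] = answer
        except (ValueError, IndexError) as exc:
            inst.problems.append(f"pid {pid}: {exc}")
        i += 1
    return inst


def audit_ps(text: str) -> List[Instance]:
    """One Instance per dnsmasq process in 'ps w' output (PID USER VSZ STAT COMMAND)."""
    instances = []
    for line in text.splitlines():
        fields = line.split(None, 4)
        if len(fields) < 5 or "dnsmasq" not in fields[4]:
            continue
        argv = fields[4].split()
        instances.append(parse_instance(int(fields[0]), argv[1:]))
    return instances


def portal_fallback(instances: List[Instance]) -> Optional[str]:
    """Return the fixed answer a wildcard upstream chain ends in, or None:
    instance A forwards '#' to host#port, and the instance listening on that
    port answers '#' with one constant address (the captive-portal IP)."""
    by_port = {inst.listen_port: inst for inst in instances}
    for inst in instances:
        for up in inst.upstreams:
            target = by_port.get(up.port)
            if up.domain == "#" and target is not None and target is not inst:
                if "#" in target.overrides:
                    return target.overrides["#"]
    return None


if __name__ == "__main__":
    found = audit_ps(SAMPLE_PS)
    for inst in found:
        print(inst.pid, "listens on", inst.listen_port, inst.upstreams, inst.overrides)
        for problem in inst.problems:
            print("  PROBLEM:", problem)
    print("portal fallback answer:", portal_fallback(found))
```

Paste the real 'ps w' output in place of SAMPLE_PS; a problem line for a '--server' or '--address' value means that instance is not configured the way the thread assumes, regardless of what the browser shows.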

@oti-tech

Comment by areynold
Wednesday Jul 10, 2013 at 18:37 GMT

Sorry. That's a transcription error. I'm not directly connected to the node from this machine. The process does actually read "--server=/#/8.8.8.8"

@oti-tech

Comment by areynold
Wednesday Jul 10, 2013 at 18:43 GMT

From the client:
$ dig indyreader.org

; <<>> DiG 9.8.1-P1 <<>> indyreader.org
;; global options: +cmd
;; connection timed out; no servers could be reached

From the node:

nslookup indyreader.org

Server: 127.0.0.1
Address 1: 127.0.0.1 localhost

nslookup: can't resolve 'indyreader.org': Name or service not known

@oti-tech

Comment by dismantl
Wednesday Jul 10, 2013 at 18:49 GMT

Apparently your dig program doesn't list which DNS server it uses. Can you try 'host -v indyreader.org'?
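For the "which server actually answered" question, an added example that is not code from the thread or from commotion-splash: a minimal A-record probe on the Python standard library that builds the query itself, parses the reply (including compressed names), and reports the address and port that responded. Pointing it at the node on port 53 and at port 5353 separately shows whether the first dnsmasq instance hands out the real address, the 1.2.3.4 portal answer, or nothing at all. The hostname and servers are command-line arguments; the function names are this example's own, and the packet used in the comments is constructed, not captured.

```python
"""Minimal DNS A-record probe that reports the responding server (constructed example)."""
import random
import socket
import struct
import sys
from typing import Dict, List, Tuple


def encode_name(name: str) -> bytes:
    """Wire-format a hostname: each label as <length><bytes>, ending with a 0 byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int = None) -> bytes:
    """Standard recursive A/IN query; txid is randomised unless given."""
    txid = random.randrange(0, 0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def decode_name(data: bytes, offset: int) -> Tuple[str, int]:
    """Read a possibly compressed name; return (name, offset just past it)."""
    labels: List[str] = []
    end = offset
    jumped = False
    hops = 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:          # 2-byte pointer into earlier data
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(data: bytes) -> Dict:
    """Return txid, rcode and the A records in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):                    # skip the echoed question(s)
        _, offset = decode_name(data, offset)
        offset += 4                        # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, IN class
            answers.append((name, socket.inet_ntoa(rdata), ttl))
    return {"txid": txid, "rcode": flags & 0xF, "answers": answers}


def query_server(name: str, server: str, port: int = 53, timeout: float = 3.0) -> Dict:
    """Send one query over UDP and record which peer answered it."""
    query = build_query(name)
    txid = struct.unpack("!H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        data, peer = sock.recvfrom(4096)   # raises socket.timeout if nobody answers
    resp = parse_response(data)
    if resp["txid"] != txid:
        raise ValueError("transaction id mismatch: reply is not for our query")
    resp["server"] = f"{peer[0]}:{peer[1]}"
    return resp


if __name__ == "__main__":
    # usage: python dnsprobe.py indyreader.org 192.168.13.84 192.168.13.84:5353
    hostname, targets = sys.argv[1], sys.argv[2:]
    for target in targets:
        host, _, port = target.partition(":")
        try:
            result = query_server(hostname, host, int(port) if port else 53)
            print(target, "->", result["server"], "rcode", result["rcode"], result["answers"])
        except socket.timeout:
            print(target, "-> no reply (timeout)")
```

Compare the two runs from the client: with the uplink connected, port 53 should return 209.66.96.69 for commotionwireless.net and port 5353 should return 1.2.3.4 for anything; with the uplink unplugged, a timeout on port 53 while port 5353 still answers is the symptom the thread ends on, and it points at the forwarder, not at the spoofing instance.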

@oti-tech

Comment by dismantl
Thursday Jul 25, 2013 at 16:21 GMT

Confirmed that this does not work. It only works upon reboot, and so isn't very helpful.
