Is it possible?

[unname28]

I'm just started hacking and I've some questions.
When I use nmap for host discovery, I've found many routers that their username and password are default.
I was wondering,  Can I make my own DNS server and change their router setting so they'll redirect to websites that I want? And if it is, Where can I find some tutorial about DNS server?

[madf0x]

Yes, and in fact no reason you would NEED to modify the router configuration. DNS spoofing works by simply responding to DNS queries on the local network faster than the external DNS servers can respond.

As for guides, google is your friend here, and as you are new the standard 'test things in a lab first, make sure you REALLY know what you're doing or else you run a severely higher risk of getting in trouble'-advice applies.

[unname28]

Does DNS spoofing work even when the victim is trying to  use https to access the website?

[madf0x]

Thats where some issues come into play.

See ssl is backed by certificates that are cryptographically signed by one or more certificate authorities. Theres nothing stopping you from making a certificate for facebook.com google.com or whatever site you want, but youd only be able to sign it yourself. Since you are not a 'trusted' certificate authority by the browser it will throw a huge warning to the user. Lots of people ignore the warning and proceed anyways cause 'omg I need this email nao!' but it is far from stealthy. Thats where attacks like sslstrip come into play, where you try to downgrade the connection to http only, but a savvy user will notice that his connection suddenly isn't https anymore and may start to wonder why. Still far more subtle than a blaring warning page to the user. Some less popular sites, companies, and colleges will actually use a self-signed certificate(esp for internal or semi-internal sites/portals) and these are ones you can get away with using your own certificate easily as after all legitimate users are used to the warning page presented by the browser anyways. Especially nasty with custom web portals, for example I know college in my state that has free wifi for students but uses a custom web portal that authenticates using their college domain credentials. This means it would be trivial to snarf up some domain credentials to use as a foothold on the college internal network. I was not surprised in the latest when they later announced that the student services store had been compromised(and while I had a good laugh at the incident, no it was not me lol).

In the case of non-browser applications sometimes you run into vulnerabilities where the application fails to check for the validity of the certificate at all, silently accepting whatever it's given to. This vuln has been cropping up more and more in smartphone apps, effectively rendering their use of ssl useless such as with the recent Yik-Yak flaw.


edit: also the above all holds true even if you manipulate the router's dns configuration. As this attack vector and vulnerabilities don't have anything to do with dns itself, but rather implementation flaws with ssl(which are too numerous to list here, but this is some of the more practical applications to take away with).

[unname28]

Thanks for reply!  I searched the internet and find some tutorial about "dnsmasq" . I started spoofing certain non-https websites and It works well but as you said https has some problem. but there is another problem, I changed my android phone dns setting to my computer which dnsmasq was running, when I use the local IP (192.168. etc)  as dns server, it works well but when I use my actual internet IP,  It doesn't work even when though I forwarded port 53 to the pc.

I should note that when I run this command :

dig @192.168.1.5 +short www.example.com

It works well but when I enter this

dig @INTERNET_IP +short www.example.com


I will got this message:

reply from unexpected source: 192.168.1.1#53, expected INTERNET_IP#53

I donno why this happens, I forward port 53 to 192.168.1.5 so INTERNET_IP must point to 192.168.1.5 but it doesn't

[madf0x]

I'm not entirely clear what your situation is, but sounds like your NAT is giving you some difficulties and may not be forwarding correctly, other theres another hop in your path that isn't forwarding properly. There could be an issue with having a device on the local network trying to reach out to it's own 'public' address and the router is getting confused along the way, if you are trying that try disconnecting your phone from the wifi and use it's mobile network to reach out to your dns server(which may need additional configuration to make sure it uses your dns server).

Note that theres only a few DNS attacks that utilize your own public dns servers and they are FAR FAR FAR from stealthy in the anonymity sense. For learning, sure, but if you try an attack in the wild and point it at your public DNS you are literally pointing your victims home, meaning prosecution will be trivial if your attack gets caught whie doing something you shouldn't.

edit: you edited yur post with more info and yeah, your device is getting confused cause of routing paths trying to preform dns queries on a public address thats redirected to a local address.

[unname28]

I used another network and noticed that my router is not accessable from there.

[madf0x]

Then likely your External ip address is wrong, or you have another hop that isn't redirecting traffic right. Some ISPs will do this with their modems, so if you have a setup like computer->wifi router->modem->internet then changing the config of the modem isn't going to work. Also might have firewall rules preventing your traffic. Or you could just be plain doing something wrong.

Sorry but at this stage troubleshooting is an exercise for you to figure out whats really going on and figure out how to fix it.

[unname28]

Yeah you're right, thabks for help