
Thread: How to spoof Internet domains on your local network

  1. #1
    Join Date
    Apr 2008
    Posts
    598

    How to spoof Internet domains on your local network

    Continuing my personal crusade to make everything work the way I want, I'll show you a practical example I use at home to show how useful it can be to replace some Internet domains. The main idea is to make a domain point not to its original IP, but to one on our local network or to a different one on the Internet. Everything explained here applies only to the local network; the rest of the world still sees everything as normal, so this is not phishing (except perhaps within the local network itself ... of course ...).

    To begin, we need to set up an environment as follows:
    1. Router (actually optional, but it saves us from having to change the settings on each computer. Use the apf script, which simplifies administration with iptables)
    2. DNS cache server (dnsmasq in this example)
    3. Web server (in my case, apache)
    4. HTTP proxy cache (optional, transparent or not; squid is recommended)

  2. #2
    Join Date
    Apr 2008
    Posts
    598

    Re: How to spoof Internet domains on your local network

    I assume most people do not have a cluster or a rack of servers at home, so all these services are likely to be on the same computer. In the examples shown, the network interface connected to the Internet is eth0 and the one connected to the local network is eth1. On the server, eth1 is 192.168.1.1. All clients on the network must use the local DNS server as their primary DNS server or, if your computer acts as the router between the LAN and the Internet, you can redirect all outbound requests to UDP port 53 (DNS) to our local DNS server. That way, even if a client tries to connect to a DNS server outside the network, it actually connects to the local DNS.

    This port forwarding is done very easily with iptables:

    • iptables -A PREROUTING -t nat -i eth1 -p udp --dport 53 -j DNAT --to 192.168.1.1:53

    You could even do the same by making some adjustments in the ADSL router configuration. The HTTP proxy cache is not strictly necessary, but it is recommended if we want to analyze how traffic on our network is used and take action on it. We'll delve into this topic later.

  3. #3
    Join Date
    Apr 2008
    Posts
    598

    Re: How to spoof Internet domains on your local network

    Redirect to another server:

    I have sometimes played online games on private servers, which is usually accomplished by modifying the file C:\Windows\System32\drivers\etc\hosts on Windows (a rough copy of /etc/hosts on UNIX systems) so that a certain domain points to some other IP rather than to the real one. The problem is that many games check whether this file has been modified and will not let you continue. What we do is make the same modification, but directly in the dnsmasq configuration. In my case, I tested with the game Lineage 2 (whose client you can download for free) and played on the private server chaos warriors, whose IP is 88.198.49.101.

    Modify /etc/dnsmasq.conf, adding:

    Code:
      address=/l2testauthd.lineage2.com/88.198.49.101
      address=/l2authd.lineage2.com/88.198.49.101
      address=/nprotect.lineage2.com/216.107.250.194
    Restart the service:

    Code:
      /etc/init.d/dnsmasq restart
    And we test if it works:

    Code:
      debian:/# host l2authd.lineage2.com
      l2authd.lineage2.com A 88.198.49.101
      !  l2authd.lineage2.com A record has zero ttl
      debian:/#
    Excellent. It also tells us that we get an immediate response (TTL = 0), which probably implies that it is being replaced. If we now install the game on any computer on the network and run it as is (without modifying the hosts file), we will see that it successfully connects to the server Warriors of chaos instead of the original NCSoft server.
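
The zero-TTL observation in the post above can be used as a check on captured DNS responses to spot names that a resolver is answering from local configuration. This is an added example, not part of the original post: it relies on dnsmasq's default of returning TTL 0 for locally configured names, the packets are constructed in the code, and all function names are hypothetical. A zero TTL is a hint rather than proof, since the default can be changed.

```python
import struct

def skip_name(msg, off):
    """Advance past a DNS name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # 2-byte compression pointer ends the name
            return off + 2
        off += 1
        if length == 0:             # root label ends the name
            return off
        off += length

def a_record_ttls(msg):
    """Return [(ipv4, ttl)] for each A record in the answer section."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    found = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:          # A record, 4-byte address
            found.append((".".join(map(str, msg[off:off + 4])), ttl))
        off += rdlen
    return found

def zero_ttl_answers(msg):
    """Heuristic: A records with TTL 0 were probably answered locally."""
    return [ip for ip, ttl in a_record_ttls(msg) if ttl == 0]

def build_response(qname, ip, ttl):
    """Construct a minimal one-answer response (test data, not a capture)."""
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\0"
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    question = name + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(map(int, ip.split(".")))
    return header + question + answer

# Constructed samples: the overridden name from the thread with TTL 0, and a
# hypothetical upstream answer (documentation address, TTL 300).
OVERRIDDEN = build_response("l2authd.lineage2.com", "88.198.49.101", 0)
UPSTREAM = build_response("www.example.com", "192.0.2.10", 300)

if __name__ == "__main__":
    for label, pkt in (("overridden", OVERRIDDEN), ("upstream", UPSTREAM)):
        print(label, a_record_ttls(pkt), "zero-TTL:", zero_ttl_answers(pkt))
```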

  4. #4
    Join Date
    Apr 2008
    Posts
    598

    Re: How to spoof Internet domains on your local network

    Filter web advertising:

    Although there are plugins for Mozilla Firefox to avoid seeing advertisements on web pages, this does not prevent bandwidth from being consumed by downloading these ads. My whole network goes through a transparent squid proxy cache. I currently use three squid log analyzers to draw conclusions:

    1. SquidGraph: Generates graphs of bandwidth use, cached and uncached requests, etc. It runs every minute and I use it to get instant data on bandwidth consumption in the network.
    2. Calamaris: Generates grouped reports on proxy effectiveness, domains visited, bandwidth consumption and number of requests by file type, domain, client, etc.
    3. Sarg: Generates detailed reports of all pages visited by each client; this lets you see in great detail where each one browsed. Although it may be a violation of privacy, in my case I use it not for these purposes but to see the volume of requests for each domain.

  5. #5
    Join Date
    Apr 2008
    Posts
    598

    Re: How to spoof Internet domains on your local network

    Well, the first action to take is clear: make all these advertising domains point to the local server. That way, all requests will be made to our apache server. Keep in mind that all subdomains of the redirected domains will also be redirected (if we add 2o7.net, ads.2o7.net will be added too, for example ...). The problem (and you will notice it very soon if you do only this) is that none of these pages exist on our server. In place of some text banners a 404 page not found is displayed, which does not look good at all ... besides, we flood the logs with garbage and requests for non-existent pages.

    What we do is create a virtual domain in apache to take care of all these requests. All requests made to the IP 192.168.1.1 that do not come for a domain configured in another apache virtual host will be handled by this default configuration (we will not include ServerName directives).
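
The `address=` lines from post #3 and the subdomain behaviour noted in post #5 can be audited together, to review which names a resolver rewrites and whether any of them point off the LAN. This is an added example, not part of the original posts: the 2o7.net line and the function names are hypothetical, the sample config is constructed, and it assumes the most specific matching domain wins.

```python
import ipaddress

# Constructed excerpt: two address= lines from the thread plus a hypothetical
# ad-domain entry pointing at the local web server (192.168.1.1).
SAMPLE_CONF = """\
# /etc/dnsmasq.conf
address=/l2testauthd.lineage2.com/88.198.49.101
address=/l2authd.lineage2.com/88.198.49.101
address=/2o7.net/192.168.1.1
"""

def parse_overrides(conf_text):
    """Return {domain: ip_address} for each address=/domain[/domain]/ip line."""
    overrides = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line.startswith("address=/"):
            continue
        *domains, target = line[len("address=/"):].split("/")
        try:
            ip = ipaddress.ip_address(target)
        except ValueError:
            continue                      # not a literal IP; out of scope here
        for domain in domains:
            overrides[domain.lower().strip(".")] = ip
    return overrides

def lookup(overrides, qname):
    """Suffix match: an entry for 2o7.net also answers for ads.2o7.net.
    Assumption: the most specific (longest) matching entry wins."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in overrides:
            return candidate, str(overrides[candidate])
    return None

def audit(conf_text):
    """List (domain, ip, kind); kind is 'local' for private or loopback
    targets and 'external' for anything that leaves the LAN."""
    report = []
    for domain, ip in sorted(parse_overrides(conf_text).items()):
        kind = "local" if (ip.is_private or ip.is_loopback) else "external"
        report.append((domain, str(ip), kind))
    return report

if __name__ == "__main__":
    for row in audit(SAMPLE_CONF):
        print(*row)
    print(lookup(parse_overrides(SAMPLE_CONF), "ads.2o7.net"))
```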

  6. #6
    Join Date
    Apr 2008
    Posts
    598

    Re: How to spoof Internet domains on your local network

    We begin by creating a new file in /etc/apache2/sites-available/ (e.g. 'default') with the following configuration:

    Code:
      <VirtualHost 192.168.1.1:80>
      ServerAdmin webmaster@localhost

      DocumentRoot /var/www
      <Directory />
      DirectoryIndex index.html
      Options FollowSymLinks
      AllowOverride None
      </Directory>

      <Directory /var/www>
      DirectoryIndex index.html
      Options Indexes FollowSymLinks MultiViews
      AllowOverride All
      Order allow,deny
      allow from all
      </Directory>

      ErrorLog /var/log/apache2/error.log

      # Possible values include: debug, info, notice, warn, error, crit,
      # alert, emerg.
      LogLevel warn

      CustomLog /var/log/apache2/access.log combined

      </VirtualHost>
    Create a symlink to this configuration in /etc/apache2/sites-enabled to activate the site, and a symlink for the rewrite module, and then we can restart the service:

    Code:
      debian:/# ln -s /etc/apache2/sites-available/default /etc/apache2/sites-enabled/default
      debian:/# ln -s /etc/apache2/mods-available/rewrite.load /etc/apache2/mods-enabled/rewrite.load
      debian:/# /etc/init.d/apache2 restart
    Now that the server is running (you can try visiting http://192.168.1.1), we must create a blank page and add a few mod_rewrite rules so that any requested file is returned as a 0-length file:

    Code:
      debian:/# touch /var/www/index.html
      debian:/# vi /var/www/.htaccess
    Now in the .htaccess file we write the following; this will redirect any request to the index.html file we just created:
    Code:
      Options +FollowSymLinks
      RewriteEngine on
      RewriteRule ^.*$ index.html [L]
    There; now if we try to open any of the pages analyzed by Sarg, we will see that a blank page is returned.
