 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] spoofing sites using monowall
 Date:  Wed, 15 Dec 2004 21:01:21 -0500
On Thu, 16 Dec 2004 06:36:28 +1000, Quark IT - Hilton Travis
<hilton at quarkit dot com dot au> wrote:
> >
> > in your 192.168.1.2 webserver
> > you create similar content for Yahoo.
> >
> > when your users type yahoo.com in your browser,
> > they will be redirected to 192.168.1.2 unknowingly
> >
> > your users sign in to the spoof Yahoo site.
> >
> > I've never done this, so any comments?
> 

What Hilton said is exactly right.  

But if you want to capture somebody's Yahoo username and password, as
in your example, if you already control the firewall you could do it
with a whole lot less effort just capturing the data as it passes the
wire.  Yahoo, by default, doesn't use SSL, so it's trivial to pick
that up.

Even with SSL, in that position it's easy enough to pull a man in the
middle attack of sorts on the SSL with the very slick dsniff suite's
webmitm.  Ditto for SSH.
http://www.monkey.org/~dugsong/dsniff/faq.html#How%20do%20I%20sniff%20/%20hijack%20HTTPS%20/%20SSH%20connections

You could set up DNS overrides for the domains you want to hijack and
avoid the use of dnsspoof in dsniff, so it could assist you some in
that regard.

Plenty of ways to do it, all illegal unless properly authorized or
done to yourself on your own network, but the last of which I'd mess
with would be recreating a Yahoo lookalike and redirecting the DNS.

-Chris