Would it be possible to create a fake twin access point for a router with a custom DNS configuration in a way that fools mobile apps like, for example, Instagram into sending authentication requests to my own server instead of the Instagram servers?

Normally, when someone opens an app like Instagram, a request gets sent through their router, which forwards it to the ISP's DNS server. The DNS server retrieves the IP (179.60.195.174) of instagram.com to authenticate the user.

But what if the user uses my fake twin access point for a Wi-Fi connection, and my fake access point points instagram.com to, e.g., 192.168.1.2, which contains a basic Apache server showcasing the Instagram login page? Or, in case the Instagram app does not use a web view but sends the credentials to 179.60.195.174, it will send the credentials to 192.168.1.2 instead.

Is this a possible attack? Would the DNS cache be an issue?

O'Niel

1 Answer

No, this attack is generally not possible.

Any app which is even remotely serious uses TLS to protect its network traffic. So while you may be able to mess with DNS resolution, you won't get a valid certificate for instagram.com. When the app tries to establish a TLS connection to your server in an attempt to reach instagram.com, you cannot present an appropriate certificate, and so the connection attempt will immediately fail. You will never get any credentials. At best, you can perform a denial-of-service attack by blocking requests to instagram.com -- until the client figures out they've connected to a rogue access point.

Even the DNS attack won't necessarily work. The client doesn't have to accept your DNS resolver. If they choose their own, and if the DNS traffic is protected through DNS-over-TLS (DoT) or DNS-over-HTTPS (DoH), you cannot manipulate the DNS responses either.

Of course, a man-in-the-middle attack is potentially possible if plaintext network protocols are used, or if the app doesn't check certificates. But in this case, messing with DNS resolution becomes useless. The attacker already receives all network traffic (including credentials) and can send any HTTP response they want, so there's no need to set up a fake Instagram server under a different IP address.

Ja1024
  • Thanks for the answer. Can you point me in the right direction to test this attack? – O'Niel Mar 06 '24 at 01:19
  • What exactly do you want to test? Like I said, the attack you describe isn't realistic. And if you purposely disable all certificate checks or write your own app which uses plaintext HTTP, then messing with DNS is useless, because a man-in-the-middle attacker already receives all network traffic (including credentials) and can send anything they want. There's no need to set up a fake Instagram server under a different IP address. – Ja1024 Mar 06 '24 at 07:26
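The answer's point, as an added example that is not part of the original thread: a Go program mints a self-signed certificate for instagram.com, serves it on a loopback listener, and connects to it the way a DNS-redirected app would. The client that verifies certificates aborts the handshake with an unknown-authority error; only a client with verification switched off (the case the last paragraph describes) completes it. The function names and the loopback setup are constructed for this demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// rogueCert mints a self-signed cert for instagram.com; anyone can, but no public CA signs it.
func rogueCert() (tls.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"instagram.com"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// handshake serves cert on a one-shot loopback listener and dials it as a DNS-redirected app
// would, asking for instagram.com. verify=false models an app that skipped certificate checks.
func handshake(cert tls.Certificate, verify bool) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake() // errors out when the client rejects the certificate
			c.Close()
		}
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: "instagram.com", InsecureSkipVerify: !verify})
	if err == nil {
		cli.Close()
	}
	return err // nil only when verification was skipped; otherwise an x509 error
}
```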