Metasploit mailing list archives
Exploit for the DNS cache poisoning vulnerability...
From: natron at invisibledenizen.org (natron)
Date: Thu, 24 Jul 2008 10:14:33 -0500
Juan, your scenario would be a difficult one to exploit with the current code. An external attacker would be able to send spoofed responses to your DNS server, but would not be able to send requests to the server for randomAAAAA.domain.com. An external attacker could, in theory, modify the request generating side of the msf exploit to use one of the ideas Jarrod mentioned in the earlier email (e.g. XSS forcing an internal browser to fire off DNS requests for you), then send the spoofed responses to wherever the DNS server pops them out. Something like: 1) XSS kicks off DNS request to attacker-controlled DNS server, telling attacker the location of the victim's DNS server doing the internet-facing resolving as well as what port(s) it's using 2) XSS kicks off AAAA.domain.com AAAB.domain.com etc 3) MSF spoofs responses and poisons the cache. Nathan 2008/7/24 Juan Miguel Paredes <one.miguel at gmail.com>:
Thanks HD. I'm trying to understand this and get this to work in our lab. In our environment, we have internet-facing DNS servers. The only systems allowed to query the internet-facing DNS servers are internal DNS caching servers. All internal users can only query the caching servers. (sorry, I'm not a DNS guy so my terminology is wrong, I'm sure). Attacker can't hit either the internet-facing DNS server or the caching servers from outside. An attacker would need to be inside the network to begin with. No problem there. However, the attacker would also be forced to target the caching servers. Additionally: 1. The attacker would need to know which internet-facing DNS server the caching server is working with at the time of the attack (or spoof them all). 2. Instead of spoofing the authority as in the msf module, the attacker would have to spoof the internet-facing DNS servers. After that, unpached DNS servers are game. I'm in the process of modifying the .rb modules for our environment, but I thought I should ask: am I on the right track here or am I missing something? Thanks. On Wed, Jul 23, 2008 at 11:20 PM, H D Moore <hdm at metasploit.com> wrote:Woops: http://www.caughq.org/exploits/CAU-EX-2008-0002.txt _______________________________________________ http://spool.metasploit.com/mailman/listinfo/framework_______________________________________________ http://spool.metasploit.com/mailman/listinfo/framework
-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.metasploit.com/pipermail/framework/attachments/20080724/ccd9465c/attachment.htm>
Current thread:
- Exploit for the DNS cache poisoning vulnerability... H D Moore (Jul 23)
- Exploit for the DNS cache poisoning vulnerability... H D Moore (Jul 23)
- Exploit for the DNS cache poisoning vulnerability... Jarrod Frates (Jul 23)
- Exploit for the DNS cache poisoning vulnerability... Jaime Blasco (Jul 24)
- Exploit for the DNS cache poisoning vulnerability... H D Moore (Jul 24)
- Exploit for the DNS cache poisoning vulnerability... Jarrod Frates (Jul 23)
- Exploit for the DNS cache poisoning vulnerability... Juan Miguel Paredes (Jul 24)
- Exploit for the DNS cache poisoning vulnerability... natron (Jul 24)
- Exploit for the DNS cache poisoning vulnerability... Jose Carlos Luna (Jul 24)
- Exploit for the DNS cache poisoning vulnerability... Juan Miguel Paredes (Jul 24)
- Exploit for the DNS cache poisoning vulnerability... H D Moore (Jul 23)