Wednesday, September 24, 2008

Man-in-the-middle Fake DNS for Metasploit

On Episode 116 of PaulDotCom Security Weekly, Paul mentioned how it would be nice if one could have a little bit finer control over the behavior of Metasploit’s fake DNS server. It seemed like an easy enough hack, so I’ve thrown this together. I can see this being useful in some situations, and hopefully you will too.

Metasploit’s fakedns.rb is good at what it does, which is respond to any DNS query with a spoofed response pointing at a specific IP address. This module, which I’ve decided to name “mitm_fakedns.rb”, is a dirty, filthy hack of fakedns.rb. It’s not nearly as polished and thought-out as the web_search_scan.rb module I wrote and posted about a couple of days ago, but it is kinda neat anyway.

It’ll listen for DNS, and when it gets a request, it will go ahead and pass it on to a real DNS server that you can specify. Once it gets the response from the real DNS server, it’ll modify that response to point to the IP addresses you specify if it matches one of a set of regexes you provide. This allows you to be a little more “surgical” with whatever attack you have planned, by only spoofing domain names of-interest.

Let’s have a look at the “show info”:

HacBook:framework wesley$ sudo ./msfconsole
Password:

_
| | o
_ _ _ _ _|_ __, , _ | | __ _|_
/ |/ |/ | |/ | / | / \_|/ \_|/ / \_| |
| | |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/
/|
\|

=[ msf v3.2-release
+ -- --=[ 299 exploits - 124 payloads
+ -- --=[ 18 encoders - 6 nops
=[ 68 aux

msf > use auxiliary/server/mitm_fakedns
msf auxiliary(mitm_fakedns) > info

Name: MITM DNS Service
Version: 5540

Provided by:
unknown
hdm
Wesley McGrew

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME yes File of ip,regex for filtering responses
REALDNS yes Ask this server for answers
SRVHOST 0.0.0.0 yes The local host to listen on.
SRVPORT 53 yes The local port to listen on.

Description:
This hack of the metasploit fakedns.rb serves as a sort of MITM DNS
server. Requests are passed through to a real DNS server, and the
responses are modified before being returned to the client, if they
match regular expressions set in FILENAME.

Once it's loaded, we can set our variables:

msf auxiliary(mitm_fakedns) > cat /Users/wesley/hosts.txt
[*] exec: cat /Users/wesley/hosts.txt

192.168.1.1,google.com
10.0.0.1,example.com
msf auxiliary(mitm_fakedns) > set FILENAME /Users/wesley/hosts.txt
FILENAME => /Users/wesley/hosts.txt
msf auxiliary(mitm_fakedns) > set REALDNS 192.168.1.254
REALDNS => 192.168.1.254
msf auxiliary(mitm_fakedns) > run
[*] Auxiliary module running as background job
msf auxiliary(mitm_fakedns) >

The file you specify should have an IP address and a regular expression, one pair per line. Once it’s running, you can test it out by pointing “dig” at it:

HacBook:~ wesley$ dig @127.0.0.1 example.com

; <<>> DiG 9.4.1-P1 <<>> @127.0.0.1 example.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38312
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;example.com. IN A

;; ANSWER SECTION:
example.com. 99270 IN A 10.0.0.1

;; Query time: 39 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug 4 22:59:01 2008
;; MSG SIZE rcvd: 45

This should serve as a pretty good drop-in replacement for fakedns.rb for some attacks. Here’s the source:

mitm_fakedns.rb


Article Source

No comments: