Metasploitable/DNS Bind
From charlesreid1
Searching for Exploits
Searching for exploits of the DNS service that is running, ISC BIND 9.4.2, we find the following exploit: https://www.exploit-db.com/exploits/6122/
This exploit is labeled auxiliary/spoof/dns/bailiwicked_domain. It allows us to insert malicious DNS records into the DNS server.
DNS Exploit: bailiwicked domain
We can use this exploit by running:
msf > use auxiliary/spoof/dns/bailiwicked_domain
More information:
This exploit targets a fairly ubiquitous flaw in DNS implementations which allow the insertion of malicious DNS records into the cache of the target nameserver. This exploit caches a single malicious nameserver entry into the target nameserver which replaces the legitimate nameservers for the target domain. By causing the target nameserver to query for random hostnames at the target domain, the attacker can spoof a response to the target server including an answer for the query, an authority server record, and an additional record for that server, causing target nameserver to insert the additional record into the cache. This insertion completely replaces the original nameserver records for the target domain.
To interpret:
- Metasploit induces the target nameserver to ask for information from a target domain. It then gathers information about the responses to craft its attack.
- Metasploit then induces the target nameserver to ask for random subdomains at the target domain, and sends fake responses from the target domain back to the target nameserver in an attempt to confuse the target nameserver.
- When the attack/spoofing is successful, the target nameserver will receive a new authority server record (faked by Metasploit), and will insert this new record into its DNS cache.
- This means the target nameserver has a new DNS record for the target domain, containing whatever DNS servers were set in the Metasploit attack.
- Now, anyone requesting the target domain from the target nameserver will actually be routed to your (malicious) nameserver, where you can tamper with the request before forwarding it along.
Doing It
Metasploit
We can set up the attack by setting the remote host and the various options through Metasploit.
Start by loading the exploit and showing the available options:
msf > use auxiliary/spoof/dns/bailiwicked_domain msf auxiliary(bailiwicked_domain) > show options Module options (auxiliary/spoof/dns/bailiwicked_domain): Name Current Setting Required Description ---- --------------- -------- ----------- DOMAIN example.com yes The domain to hijack INTERFACE no The name of the interface NEWDNS yes The hostname of the replacement DNS server RECONS 208.67.222.222 yes The nameserver used for reconnaissance RHOST yes The target address SNAPLEN 65535 yes The number of bytes to capture SRCADDR Real yes The source address to use for sending the queries (Accepted: Real, Random) SRCPORT yes The target server's source query port (0 for automatic) TIMEOUT 500 yes The number of seconds to wait for new data TTL 33918 yes The TTL for the malicious host entry XIDS 0 yes The number of XIDs to try for each query (0 for automatic) msf auxiliary(bailiwicked_domain) >
Tcpdump
Watching in another window with tcpdump, we can see a steady flow of DNS queries:
# tcpdump -i eth0
Flags
 |
Metasploit any and all resources related to metasploit on this wiki
Category:Metasploit - pages labeled with the "Metasploit" category label MSF/Wordlists - wordlists that come bundled with Metasploit MSFVenom - msfvenom is used to craft payloads Meterpreter - the shell you'll have when you use MSF to craft a remote shell payload.
Category:Security · Category:Metasploit · Category:Kali
|
|
Metasploitable: The Red Team Metasploitable is a virtual machine with baked-in vulnerabilities, designed to teach Metasploit. This set of articles discusses the RED TEAM's tools and routes of attack.
Exploiting MySQL with Metasploit: Metasploitable/MySQL Exploiting PostgreSQL with Metasploit: Metasploitable/Postgres
Exploiting VSFTP Backdoor: Metasploitable/VSFTP SSH Penetration by Brute Force: Metasploitable/SSH/Brute Force SSH Penetration with Keys: Metasploitable/SSH/Keys SSH Penetration with Metasploit: Metasploitable/SSH/Exploits Brute-Forcing Exploiting NFS: Metasploitable/NFS Exploiting DNS Bind Server: Metasploitable/DNS Bind
Metasploitable Services: distcc: Metasploitable/distcc
Metasploitable Apache: Exploiting Apache (with Metasploit): Metasploitable/Apache Exploiting Apache (with Python): Metasploitable/Apache/Python Tor's Hammer DoS Attack: Metasploitable/TorsHammer * Apache DAV: Metasploitable/Apache/DAV * Apache Tomcat and Coyote: Metasploitable/Apache/Tomcat and Coyote
Metasploitable Memory: General approach to memory-based attacks: Metasploitable/Memory Investigating memory data: Metasploitable/Volatile Data Investigation Dumping Memory from Metasploit: Metasploitable/Dumping Memory
Metasploitable Fuzzing: (Have not done much work on fuzzing Metasploitable...)
Category:Security · Category:Metasploit · Category:Metasploitable · Category:Kali
|
|
Metasploitablue: The Blue Team Metasploitable is a virtual machine with baked-in vulnerabilities, designed to teach Metasploit. This set of articles discusses the BLUE TEAM's methods for defending Metasploitable: defending against and responding to intrusions.
Hence the name, Metasploita-blue. Overview: Metasploitable/Defenses Metasploitable/Defenses/Stopping · Metasploitable/Defenses/Detecting
Metasploitable On-Machine Defenses: Linux Volatile Data System Investigation: Metasploitable/Volatile Data Investigation Linux Artifact Investigation: Metasploitable/Artifact Investigation Linux Iptables Essentials: Metasploitable/Iptables Firewall Assurance and Testing: Metasploitable/Firewall Password Assessment: Metasploitable/Password Assessment Standard Unix Ports: Unix/Ports
Netcat and Cryptcat (Blue Team): Metasploitable/Netcat and Metasploitable/Cryptcat Nmap (Blue Team): Metasploitable/Nmap Network Traffic Analysis: Metasploitable/Network Traffic Analysis Suspicious Traffic Patterns: Metasploitable/Suspicious Traffic Patterns Snort IDS: Metasploitable/Snort
|