2011-10-12 23:26:10 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2011-10-12 23:26:10 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
require 'rex'
|
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Post
|
2011-10-12 23:26:10 +00:00
|
|
|
|
2013-09-05 18:41:25 +00:00
|
|
|
def initialize(info={})
|
|
|
|
super( update_info( info,
|
|
|
|
'Name' => 'Multi Gather DNS Reverse Lookup Scan',
|
|
|
|
'Description' => %q{
|
|
|
|
Performs DNS reverse lookup using the OS included DNS query command.
|
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>'],
|
2013-09-24 17:33:31 +00:00
|
|
|
'Platform' => %w{ bsd linux osx solaris win },
|
2013-09-05 18:41:25 +00:00
|
|
|
'SessionTypes' => [ 'meterpreter', 'shell' ]
|
|
|
|
))
|
|
|
|
register_options(
|
|
|
|
[
|
2011-10-12 23:26:10 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
OptAddressRange.new('RHOSTS', [true, 'IP Range to perform reverse lookup against.'])
|
2011-10-12 23:26:10 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
], self.class)
|
|
|
|
end
|
2011-10-12 23:26:10 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
# Run Method for when run command is issued
|
|
|
|
def run
|
|
|
|
iprange = datastore['RHOSTS']
|
|
|
|
print_status("Performing DNS Reverse Lookup for IP range #{iprange}")
|
|
|
|
iplst = []
|
2011-10-12 23:26:10 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
a = []
|
|
|
|
ipadd = Rex::Socket::RangeWalker.new(iprange)
|
|
|
|
numip = ipadd.num_ips
|
|
|
|
while (iplst.length < numip)
|
|
|
|
ipa = ipadd.next_ip
|
|
|
|
if (not ipa)
|
|
|
|
break
|
|
|
|
end
|
|
|
|
iplst << ipa
|
|
|
|
end
|
2011-10-12 23:26:10 +00:00
|
|
|
|
2016-03-18 04:26:12 +00:00
|
|
|
case session.platform
|
2016-10-14 00:10:04 +00:00
|
|
|
when /windows/i
|
2013-08-30 21:28:54 +00:00
|
|
|
cmd = "nslookup"
|
|
|
|
when /solaris/i
|
|
|
|
cmd = "/usr/sbin/host"
|
|
|
|
else
|
|
|
|
cmd = "/usr/bin/host"
|
|
|
|
end
|
2016-03-18 04:26:12 +00:00
|
|
|
|
|
|
|
while !iplst.nil? && !iplst.empty?
|
|
|
|
1.upto session.max_threads do
|
2013-08-30 21:28:54 +00:00
|
|
|
a << framework.threads.spawn("Module(#{self.refname})", false, iplst.shift) do |ip_add|
|
|
|
|
next if ip_add.nil?
|
|
|
|
r = cmd_exec(cmd, " #{ip_add}")
|
2016-03-18 04:26:12 +00:00
|
|
|
case session.platform
|
2016-10-14 00:10:04 +00:00
|
|
|
when /windows/
|
2013-08-30 21:28:54 +00:00
|
|
|
if r =~ /(Name)/
|
|
|
|
r.scan(/Name:\s*\S*\s/) do |n|
|
|
|
|
hostname = n.split(": ")
|
|
|
|
print_good "\t #{ip_add} is #{hostname[1].chomp("\n")}"
|
|
|
|
report_host({
|
|
|
|
:host => ip_add,
|
|
|
|
:name => hostname[1].strip
|
|
|
|
})
|
|
|
|
end
|
|
|
|
else
|
|
|
|
vprint_status("#{ip_add} does not have a Reverse Lookup Record")
|
|
|
|
end
|
|
|
|
else
|
|
|
|
if r !~ /not found/i
|
|
|
|
hostname = r.scan(/domain name pointer (\S*)\./).join
|
|
|
|
print_good "\t #{ip_add} is #{hostname}"
|
|
|
|
report_host({
|
|
|
|
:host => ip_add,
|
|
|
|
:name => hostname.strip
|
|
|
|
})
|
|
|
|
else
|
|
|
|
vprint_status("#{ip_add} does not have a Reverse Lookup Record")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
a.map {|x| x.join }
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2011-10-17 03:49:49 +00:00
|
|
|
end
|