##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
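class MetasploitModule < Msf::Auxiliary
  # Auxiliary module that issues A-record lookups for a static list of
  # historical Zeus botnet domains (taken from the referenced abuse.ch
  # blocklist). Its value is on the defensive side: running it confirms
  # whether DNS logging, sinkholing or blocklisting between this host and
  # the configured resolver actually sees and reports lookups of
  # known-bad names.
  #
  # Options:
  #   DNS_SERVER - resolver to query; when blank, Net::DNS's defaults apply
  #   COUNT      - number of passes over the domain list (default 1)
  #   DELAY      - seconds to pause between passes (default 3)

  # Domains looked up on every pass. The list is deliberately static so
  # that the generated traffic is reproducible for detection testing.
  ZEUS_DOMAINS = %w[
    allspring.net antifoher.biz asdfasdgqghgsw.cx.cc
    ashnmjjpoljfnl.info atlaz.net b3l.org back.boroborogold.ru
    bandwithcheckstart.com batmanrobinho.com bellicbridge.ru
    bestfihteerdr.com bestprice2you.net billyd.com.au
    bitschoonerop.com blackskullbg.sytes.net botikov.eu.tf
    botnetdown.gicp.net boutique.vcm-mode.it brandc.name
    bxkkuskgdjskdn.com c0re.su cdvqvnjqqtkqhsoo.info
    christmassuper.com ciritas.ru citi-spb.ru clavn.ru
    client.trackups.org client.upsclients.net cnewsus.ru
    cnnus.ru concapow.in consoleencydd.com cqoqgzqmkpkrmlo.com
    ctllutheran.org currencytradechat.com cyytmmlxsthywst.com
    damaka.com datacricketuf.ru deimingames.com
    dfhhdkdddqjda.start.tl djerk.info djpeterblue.com.br
    dlmsonisfzksioqq.org domio.pwomega.ru favdstgssdqdsfg.start.tl
    favoritopilodjd.com favqnornkwvkwfxv.biz fdhjkfhskas.com
    federalreserve-report.com federetoktyt.net
  ].freeze

  def initialize
    super(
      'Name'        => 'VSploit Zeus DNS Query Module',
      'Description' => 'This module queries known Zeus Botnet DNS records.',
      'Author'      => 'MJC',
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'URL', 'https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist']
        ]
    )

    register_options(
      [
        OptString.new('DNS_SERVER', [false, "Specifies a DNS Server"]),
        OptInt.new('COUNT', [false, "Number of intervals to loop", 1]),
        OptInt.new('DELAY', [false, "Delay in seconds between intervals", 3])
      ])
  end

  # Runs COUNT passes over ZEUS_DOMAINS, pausing DELAY seconds between
  # passes (but not after the last one). Each lookup is reported on its
  # own line; a failing lookup is reported and skipped rather than
  # aborting the run, so a single resolver timeout cannot hide the
  # remaining results.
  def run
    @res = Net::DNS::Resolver.new

    # An empty DNS_SERVER string is truthy in Ruby, so test for content
    # rather than presence before overriding the resolver's nameservers.
    nameserver = datastore['DNS_SERVER'].to_s.strip
    @res.nameservers = nameserver unless nameserver.empty?

    passes = datastore['COUNT'].to_i
    delay = datastore['DELAY'].to_i

    passes.times do |pass|
      ZEUS_DOMAINS.each { |name| query_domain(name) }

      # No pause after the final pass.
      next if pass == passes - 1

      print_status("#{log_time} - Waiting #{delay} seconds to query")
      select(nil, nil, nil, delay)
    end
  end

  private

  # Sends one A-record query for +name+ and prints the outcome.
  #
  # Errors raised by the resolver (Net::DNS raises on e.g. no response)
  # are caught here per name so the caller's loop keeps going.
  def query_domain(name)
    stamp = log_time
    query = @res.query(name, "A")
    print_status("#{stamp} - DNS Query sent for => #{name}")

    if query.answer.empty?
      print_error("#{stamp} - #{name} => No Record Found")
    else
      # The RR's string form is split on whitespace/commas and the last
      # token taken as the rdata — presumably the address (or the CNAME
      # target when no A record is returned); confirm against Net::DNS's
      # RR#to_s layout if this output ever looks wrong.
      rdata = query.answer.first.to_s.split(/[\s,]+/).last
      print_good("#{stamp} - #{name} => #{rdata}")
    end
  rescue StandardError => e
    print_error("#{stamp} - #{name} => Query failed: #{e.class}: #{e.message}")
  end

  # Timestamp prefix used on every output line.
  def log_time
    Time.now.strftime("%Y-%m-%d %H:%M:%S")
  end
end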