2013-12-13 02:18:18 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-12-13 02:30:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2013-12-13 02:18:18 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
require 'net/dns/resolver'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
2013-12-13 02:30:46 +00:00
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'DNS Non-Recursive Record Scraper',
|
2013-12-18 07:14:47 +00:00
|
|
|
'Description' => %q{
|
2013-12-13 02:30:46 +00:00
|
|
|
This module can be used to scrape records that have been cached
|
2013-12-13 04:11:02 +00:00
|
|
|
by a specific nameserver. The module allows the user to test
|
|
|
|
every record from a specified file.
|
2013-12-13 02:30:46 +00:00
|
|
|
},
|
2013-12-18 07:14:47 +00:00
|
|
|
'Author' => [
|
2013-12-13 02:30:46 +00:00
|
|
|
'Brandon McCann "zeknox" <bmccann[at]accuvant.com>',
|
|
|
|
'Rob Dixon "304geek" <rob.dixon[at]accuvant.com>'
|
|
|
|
],
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'References' => [
|
2013-12-13 04:57:23 +00:00
|
|
|
['URL', 'http://304geeks.blogspot.com/2013/01/dns-scraping-for-corporate-av-detection.html'],
|
|
|
|
['URL', 'http://www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf']
|
2013-12-13 02:30:46 +00:00
|
|
|
]))
|
|
|
|
|
|
|
|
register_options([
|
|
|
|
OptString.new('DOMAIN', [ false, "Domain name to query for"]),
|
2013-12-13 16:49:44 +00:00
|
|
|
OptPath.new('WORDLIST', [ false, "Wordlist for domain name queries", ::File.join(Msf::Config.data_directory, "wordlists", "av-update-urls.txt")]),
|
2013-12-13 02:30:46 +00:00
|
|
|
OptAddress.new('NS', [ true, "Specify the nameserver to use for queries" ]),
|
|
|
|
], self.class)
|
|
|
|
|
|
|
|
register_advanced_options([
|
|
|
|
OptBool.new('TCP_DNS', [false, "Run queries over TCP", false]),
|
2013-12-17 02:00:13 +00:00
|
|
|
OptInt.new('DNS_TIMEOUT', [true, "DNS Timeout in seconds", 5])
|
2013-12-13 02:30:46 +00:00
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
# method to scrape dns
|
|
|
|
def scrape_dns(domain)
|
|
|
|
|
|
|
|
# dns request with recursive disabled
|
2013-12-17 01:26:40 +00:00
|
|
|
use_tcp = datastore['TCP_DNS']
|
2013-12-13 02:30:46 +00:00
|
|
|
res = Net::DNS::Resolver.new(:nameservers => "#{datastore['NS']}", :recursive => false, :use_tcp => use_tcp)
|
2013-12-17 02:00:13 +00:00
|
|
|
use_tcp ? res.tcp_timeout = datastore['DNS_TIMEOUT'] : res.udp_timeout = datastore['DNS_TIMEOUT']
|
2013-12-13 02:30:46 +00:00
|
|
|
|
|
|
|
# query dns
|
|
|
|
begin
|
|
|
|
query = res.send(domain)
|
2013-12-17 00:46:14 +00:00
|
|
|
rescue ResolverArgumentError
|
|
|
|
print_error("Invalid domain: #{domain}")
|
2013-12-13 02:30:46 +00:00
|
|
|
return
|
2013-12-17 02:00:13 +00:00
|
|
|
rescue NoResponseError
|
|
|
|
print_error("DNS Timeout Issue: #{domain}")
|
|
|
|
return
|
2013-12-13 02:30:46 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
# found or not found
|
|
|
|
if query.answer.empty?
|
|
|
|
vprint_status("#{domain} - Not Found")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
2013-12-17 01:16:12 +00:00
|
|
|
@is_vulnerable = true
|
2013-12-13 02:30:46 +00:00
|
|
|
print_good("#{domain} - Found")
|
|
|
|
report_goods(domain)
|
|
|
|
end
|
|
|
|
|
|
|
|
# method to read each line from file
|
|
|
|
def read_file
|
|
|
|
::File.open("#{datastore['WORDLIST']}", "rb").each_line do |line|
|
|
|
|
scrape_dns(line.chomp)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
# log results to database
|
|
|
|
def report_goods(domain)
|
2013-12-13 16:49:44 +00:00
|
|
|
if datastore['TCP_DNS']
|
|
|
|
proto = "tcp"
|
|
|
|
else
|
|
|
|
proto = "udp"
|
|
|
|
end
|
|
|
|
|
2013-12-13 02:30:46 +00:00
|
|
|
report_note(
|
|
|
|
:host => datastore['NS'],
|
|
|
|
:name => "dns",
|
|
|
|
:port => 53,
|
2013-12-13 16:49:44 +00:00
|
|
|
:proto => proto,
|
2013-12-13 02:30:46 +00:00
|
|
|
:type => "dns.cache.scrape",
|
2013-12-17 01:16:12 +00:00
|
|
|
:data => "#{domain} cached",
|
|
|
|
:update => :unique_data
|
2013-12-13 02:30:46 +00:00
|
|
|
)
|
|
|
|
end
|
|
|
|
|
|
|
|
# main control method
|
|
|
|
def run
|
2013-12-17 01:16:12 +00:00
|
|
|
@is_vulnerable = false
|
|
|
|
|
2013-12-13 02:30:46 +00:00
|
|
|
print_status("Making queries against #{datastore['NS']}")
|
|
|
|
|
|
|
|
if datastore['DOMAIN'].blank?
|
|
|
|
read_file
|
|
|
|
else
|
|
|
|
scrape_dns(datastore['DOMAIN'])
|
|
|
|
end
|
2013-12-17 01:16:12 +00:00
|
|
|
|
|
|
|
report_vuln(
|
|
|
|
:host => datastore['NS'],
|
|
|
|
:name => "DNS Cache Snooping",
|
|
|
|
) if @is_vulnerable
|
2013-12-13 02:30:46 +00:00
|
|
|
end
|
2013-12-13 02:18:18 +00:00
|
|
|
end
|
|
|
|
|