metasploit-framework/lib/rex/proto/dns.rb

18 lines
330 B
Ruby

Initial implementation of Rex::Proto::DNS

Add Rex::Proto::DNS and Rex::Proto::DNS::Constants namespaces
Create Rex::Proto::DNS::Resolver from Net::DNS::Resolver
Create Rex::Proto::DNS::Server and Rex::Proto::DNS::Server::Cache

Constants - A Rex::Socket style MATCH_HOSTNAME regex has been added to help validate DNS names.

Resolver - Based off of old work creating Rex socket overrides in the Net::DNS::Resolver as well as allowing for proxying and making automatic adjustments to use TCP for proxied connections. This resolver pivots with MSF, uses proxies, and doesn't pull in the default /etc/resolv.conf information which can lead to info leak. Automatically sends Net::DNS::Packet and Resolv::DNS::Message objects to the appropriate nameservers. TODO: Review for potential low level concurrent resolution impl.

Server::Cache - Threadsafe wrapper around a Hash which holds Net::DNS::RR keys with Time.to_i values for counting eviction/stale time without altering the original record. Takes records with a TTL of < 1 as static entries which are not flushed or pruned by the monitor thread.

Server - A standard Rex level server allowing for client connections with TCP and UDP listeners. Provides common framework for handling the different transports by creating a "client" type object as a Rex UDP socket and passing it back to the dispatch/sender methods. This server can host listeners on remote pivot targets since it utilizes Rex sockets, and should not leak internal information from the resolver as easily either. Can be configured with a custom resolver regardless of its own listener configuration (UDP/TCP mix is fine), and carries a threadsafe wrapper for swapping the resolver's nameservers under a Mutex.synchronize. Since listeners and resolvers can pivot, a compromised host in one environment can serve DNS information obtained by the resolver pivoting through a completely different target.

The server takes blocks for dispatch and send functions which, when defined, will intercept the standard execution flow, which is to parse the request, check the cache for corresponding records, then forward the remaining questions in a request via the resolver, and build + send a response back to the client. The accessors for dispatch and send, resolver, and cache are accessible at runtime, though it is likely unsafe to replace the cache and resolver while they are accessed from other threads.

-----
Testing:
Initial testing performed in IRB/Pry generating manual requests. Subsequent checks performed using the running server as the sys resolver.
Additional testing is needed - the default dispatch_request behavior may not be correct (I need to check the RFCs for this) as it handles multiple questions for A records. This should be tuned to be RFC compliant, with inheriting classes changing behavior as needed. We also need to ensure that we're not leaking our own DNS information to our targets, so all sorts of abuse is in order.

-----
TODO:
Create Msf::Exploit::DNS namespace utilizing this functionality.
 - Move the threaded enum_dns work, as well as work from 6187, into the namespace
 - Review existing modules for functional overlap and move here as needed.
This should be done in separate commits/PRs.
Create specific DNS servers for spoofing, exploit delivery, and finally handling DNS tunnels (the primary reason for this work).
Write spec - Convince/coerce a friendly soul in the community to handle spec for this fiasco while building further functionality.
2016-02-24 07:58:26 +00:00
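The Server::Cache design the commit message describes (a Mutex-guarded Hash keyed by resource record, holding the insertion time as Time.to_i, with TTL < 1 meaning a static entry the pruner never evicts), as an added example. This is not the project's Rex::Proto::DNS::Server::Cache code: the TtlCache class name, the RR struct standing in for Net::DNS::RR, and the sample records (RFC 5737 documentation addresses) are all constructed for illustration.

```ruby
require 'thread'

# Added example, not the Rex::Proto::DNS implementation. RR is a stand-in
# for Net::DNS::RR; the cache never modifies the record, it only remembers
# when the record was inserted.
RR = Struct.new(:name, :type, :ttl, :value)

class TtlCache
  def initialize
    @records = {}       # RR => Integer insertion time (Time.to_i)
    @lock = Mutex.new   # every read and write of @records goes through here
  end

  # Store a record keyed by value; re-inserting the same record refreshes it.
  def cache_record(rr, now = Time.now.to_i)
    @lock.synchronize { @records[rr] = now }
  end

  # Records with a TTL below 1 are static and are never pruned.
  def static?(rr)
    rr.ttl < 1
  end

  # A non-static record is stale once its TTL has elapsed since insertion.
  def expired?(rr, inserted_at, now)
    !static?(rr) && (now - inserted_at) >= rr.ttl
  end

  # Answer a question from the cache. Stale entries are skipped even if the
  # monitor thread has not pruned them yet, so a slow pruner never serves
  # an expired answer. DNS names compare case-insensitively.
  def find(name, type, now = Time.now.to_i)
    @lock.synchronize do
      @records.select { |rr, at| rr.name.casecmp?(name) && rr.type == type && !expired?(rr, at, now) }
              .keys
    end
  end

  # What the monitor thread would call periodically; returns the eviction count.
  def prune(now = Time.now.to_i)
    @lock.synchronize do
      before = @records.size
      @records.reject! { |rr, at| expired?(rr, at, now) }
      before - @records.size
    end
  end

  def size
    @lock.synchronize { @records.size }
  end
end

# Constructed walk-through with an injected clock so the result is deterministic.
# Returns [live answers at t0+100, evicted at t0+300, size after prune,
#          static answers long after insertion].
def demo_cache
  cache = TtlCache.new
  t0 = 1_000_000
  cache.cache_record(RR.new("www.example.com", :A, 300, "192.0.2.10"), t0) # normal, 5 min TTL
  cache.cache_record(RR.new("pivot.example.net", :A, 0, "192.0.2.5"), t0)  # static entry
  live    = cache.find("WWW.EXAMPLE.COM", :A, t0 + 100).size
  evicted = cache.prune(t0 + 300)
  [live, evicted, cache.size, cache.find("pivot.example.net", :A, t0 + 10_000).size]
end

# Several threads filling the cache at once; the Mutex keeps the Hash consistent.
def concurrent_fill(threads: 4, per_thread: 100)
  cache = TtlCache.new
  threads.times.map do |t|
    Thread.new do
      per_thread.times { |i| cache.cache_record(RR.new("h#{t}-#{i}.example.com", :A, 60, "192.0.2.1"), 0) }
    end
  end.each(&:join)
  cache.size
end

if __FILE__ == $0
  p demo_cache        # => [1, 1, 1, 1]
  p concurrent_fill   # => 400
end
```

The clock is passed in rather than read inside the methods so the expiry logic can be exercised without sleeping; a real monitor thread would simply call prune with no argument. Note that `find` filters on expiry itself, which is the check that matters for correctness; pruning only reclaims memory.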
# -*- coding: binary -*-
module Rex
  module Proto
    module DNS
      module Constants
        # Rex::Socket style hostname matcher: one or more dot-terminated labels of
        # alphanumerics with interior hyphens, then a final label with an optional
        # trailing dot.
        MATCH_HOSTNAME = /^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)+([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]\.*)$/
      end
    end
  end
end

require 'rex/proto/dns/packet'
require 'rex/proto/dns/resolver'
require 'rex/proto/dns/server'
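An added example, not part of the file above, that runs the MATCH_HOSTNAME regex from this file against constructed inputs. It surfaces two properties a reviewer validating DNS names would want to know: Ruby's `^` and `$` anchor to lines rather than the whole string, so a value with a trailing newline still matches, and the pattern applies no label length limit (RFC 1035 caps a label at 63 octets). The `strict_hostname?` variant with `\A`/`\z` anchors and length limits is a hypothetical tightening written for this example, not a proposed project change.

```ruby
# Added example; MATCH_HOSTNAME is copied verbatim from lib/rex/proto/dns.rb.
MATCH_HOSTNAME = /^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)+([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]\.*)$/

# True when the page's regex matches anywhere it is permitted to (line anchors).
def rex_hostname?(name)
  !(name =~ MATCH_HOSTNAME).nil?
end

# Hypothetical stricter check (not the project's): whole-string anchors, each
# label 1..63 characters starting and ending with an alphanumeric, and a
# 253-character overall limit. Still requires at least one dot, like the original.
STRICT_HOSTNAME = /\A(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.?\z/

def strict_hostname?(name)
  return false if name.length > 253
  !(name =~ STRICT_HOSTNAME).nil?
end

# Constructed inputs covering the ordinary cases and the two edge cases above.
SAMPLES = [
  "example.com",                  # plain name
  "www.example.com.",             # fully qualified, trailing dot
  "localhost",                    # single label: rejected by both (no dot)
  "-bad.example.com",             # label may not start with a hyphen
  "under_score.example.com",      # underscore is not a hostname character
  "example.com\nsecond line",     # trailing newline: line anchors let this through
  ("a" * 70) + ".example.com",    # 70-octet label: no length limit in the original
]

# Returns { input => [rex_result, strict_result] } so the two checks can be compared.
def compare_checks(names = SAMPLES)
  names.each_with_object({}) { |n, h| h[n] = [rex_hostname?(n), strict_hostname?(n)] }
end

if __FILE__ == $0
  compare_checks.each { |n, (a, b)| printf("%-28p rex=%-5s strict=%s\n", n, a, b) }
end
```

For a value that was read from a packet or user input and is then used to build a query, the difference between the two anchorings is the one to keep in mind: `\A` and `\z` (not `\Z`, which also tolerates a final newline) are what make a Ruby regex validate the entire string.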