Added TARGETACTION options and wildcard support
Jose Selvi
Tod Beardsley
parent
5d8fbefc3d
commit
1d6b2eb3fe
|
|
@ -45,8 +45,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
OptAddress.new('SRVHOST', [ true, "The local host to listen on.", '0.0.0.0' ]),
|
||||
OptPort.new('SRVPORT', [ true, "The local port to listen on.", 53 ]),
|
||||
OptAddress.new('TARGETHOST', [ false, "The address that all names should resolve to", nil ]),
|
||||
OptString.new('DOMAINBYPASS', [ true, "The list of domain names we want to fully resolve", 'www.google.com']),
|
||||
|
||||
OptString.new('TARGETDOMAIN', [ true, "The list of target domain names we want to fully resolver (bypass) or fake resolve (fake)", 'www.google.com']),
|
||||
OptString.new('TARGETACTION', [ true, "Action for TARGETDOMAIN (fake|bypass)", 'BYPASS']),
|
||||
], self.class)
|
||||
|
||||
register_advanced_options(
|
||||
|
|
@ -88,7 +88,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
@sock.setsockopt(::Socket::SOL_SOCKET, ::Socket::SO_REUSEADDR, 1)
|
||||
@sock.bind(datastore['SRVHOST'], @port)
|
||||
@run = true
|
||||
@domain_bypass_list = datastore['DOMAINBYPASS'].split
|
||||
@domain_target_list = datastore['DOMAINTARGET'].split
|
||||
@bypass = ( datastore['TARGETACTION'].upcase == "BYPASS" )
|
||||
|
||||
print_status("DNS server started")
|
||||
begin
|
||||
|
|
@ -137,17 +138,38 @@ class Metasploit3 < Msf::Auxiliary
|
|||
answer = Resolv::DNS::Resource::IN::A.new( @targ || ::Rex::Socket.source_address(addr[3].to_s) )
|
||||
|
||||
# Identify potential domain exceptions
|
||||
@domain_bypass_list.each do |ex|
|
||||
if (name.to_s <=> ex) == 0
|
||||
# Resolve the exception domain
|
||||
ip = Resolv::DNS.new().getaddress(name).to_s
|
||||
answer = Resolv::DNS::Resource::IN::A.new( ip )
|
||||
if (@log_console)
|
||||
print_status("DNS bypass domain found: #{ex}")
|
||||
print_status("DNS bypass domain #{ex} resolved #{ip}")
|
||||
end
|
||||
end
|
||||
end
|
||||
@match_target = false
|
||||
@match_name = ""
|
||||
@domain_target_list.each do |ex|
|
||||
escaped = Regexp.escape(ex).gsub('\*','.*?')
|
||||
regex = Regexp.new "^#{escaped}$", Regexp::IGNORECASE
|
||||
#if ( ex == name.to_s )
|
||||
if ( name.to_s =~ regex )
|
||||
@match_target = true
|
||||
@match_name = ex
|
||||
end
|
||||
end
|
||||
|
||||
if (@match_target and not @bypass) or (not @match_target and @bypass)
|
||||
# Resolve FAKE response
|
||||
if (@log_console)
|
||||
print_status("DNS target domain found: #{@match_name}")
|
||||
print_status("DNS target domain #{@match_name} faked")
|
||||
end
|
||||
else
|
||||
# Resolve the exception domain
|
||||
begin
|
||||
ip = Resolv::DNS.new().getaddress(name).to_s
|
||||
answer = Resolv::DNS::Resource::IN::A.new( ip )
|
||||
rescue ::Exception => e
|
||||
print_error("Error resolving #{name.to_s}")
|
||||
next
|
||||
end
|
||||
if (@log_console)
|
||||
print_status("DNS bypass domain found: #{@match_name}")
|
||||
print_status("DNS bypass domain #{@match_name} resolved #{ip}")
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
request.add_answer(name, 60, answer)
|
||||
|
|
|
|||
Loading…
Reference in New Issue