Added TARGETACTION options and wildcard support
Jose Selvi
Tod Beardsley
parent
5d8fbefc3d
commit
1d6b2eb3fe
|
|
@ -45,8 +45,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
OptAddress.new('SRVHOST', [ true, "The local host to listen on.", '0.0.0.0' ]),
|
OptAddress.new('SRVHOST', [ true, "The local host to listen on.", '0.0.0.0' ]),
|
||||||
OptPort.new('SRVPORT', [ true, "The local port to listen on.", 53 ]),
|
OptPort.new('SRVPORT', [ true, "The local port to listen on.", 53 ]),
|
||||||
OptAddress.new('TARGETHOST', [ false, "The address that all names should resolve to", nil ]),
|
OptAddress.new('TARGETHOST', [ false, "The address that all names should resolve to", nil ]),
|
||||||
OptString.new('DOMAINBYPASS', [ true, "The list of domain names we want to fully resolve", 'www.google.com']),
|
OptString.new('TARGETDOMAIN', [ true, "The list of target domain names we want to fully resolver (bypass) or fake resolve (fake)", 'www.google.com']),
|
||||||
|
OptString.new('TARGETACTION', [ true, "Action for TARGETDOMAIN (fake|bypass)", 'BYPASS']),
|
||||||
], self.class)
|
], self.class)
|
||||||
|
|
||||||
register_advanced_options(
|
register_advanced_options(
|
||||||
|
|
@ -88,7 +88,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
@sock.setsockopt(::Socket::SOL_SOCKET, ::Socket::SO_REUSEADDR, 1)
|
@sock.setsockopt(::Socket::SOL_SOCKET, ::Socket::SO_REUSEADDR, 1)
|
||||||
@sock.bind(datastore['SRVHOST'], @port)
|
@sock.bind(datastore['SRVHOST'], @port)
|
||||||
@run = true
|
@run = true
|
||||||
@domain_bypass_list = datastore['DOMAINBYPASS'].split
|
@domain_target_list = datastore['DOMAINTARGET'].split
|
||||||
|
@bypass = ( datastore['TARGETACTION'].upcase == "BYPASS" )
|
||||||
|
|
||||||
print_status("DNS server started")
|
print_status("DNS server started")
|
||||||
begin
|
begin
|
||||||
|
|
@ -137,17 +138,38 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
answer = Resolv::DNS::Resource::IN::A.new( @targ || ::Rex::Socket.source_address(addr[3].to_s) )
|
answer = Resolv::DNS::Resource::IN::A.new( @targ || ::Rex::Socket.source_address(addr[3].to_s) )
|
||||||
|
|
||||||
# Identify potential domain exceptions
|
# Identify potential domain exceptions
|
||||||
@domain_bypass_list.each do |ex|
|
@match_target = false
|
||||||
if (name.to_s <=> ex) == 0
|
@match_name = ""
|
||||||
# Resolve the exception domain
|
@domain_target_list.each do |ex|
|
||||||
ip = Resolv::DNS.new().getaddress(name).to_s
|
escaped = Regexp.escape(ex).gsub('\*','.*?')
|
||||||
answer = Resolv::DNS::Resource::IN::A.new( ip )
|
regex = Regexp.new "^#{escaped}$", Regexp::IGNORECASE
|
||||||
if (@log_console)
|
#if ( ex == name.to_s )
|
||||||
print_status("DNS bypass domain found: #{ex}")
|
if ( name.to_s =~ regex )
|
||||||
print_status("DNS bypass domain #{ex} resolved #{ip}")
|
@match_target = true
|
||||||
end
|
@match_name = ex
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
if (@match_target and not @bypass) or (not @match_target and @bypass)
|
||||||
|
# Resolve FAKE response
|
||||||
|
if (@log_console)
|
||||||
|
print_status("DNS target domain found: #{@match_name}")
|
||||||
|
print_status("DNS target domain #{@match_name} faked")
|
||||||
|
end
|
||||||
|
else
|
||||||
|
# Resolve the exception domain
|
||||||
|
begin
|
||||||
|
ip = Resolv::DNS.new().getaddress(name).to_s
|
||||||
|
answer = Resolv::DNS::Resource::IN::A.new( ip )
|
||||||
|
rescue ::Exception => e
|
||||||
|
print_error("Error resolving #{name.to_s}")
|
||||||
|
next
|
||||||
|
end
|
||||||
|
if (@log_console)
|
||||||
|
print_status("DNS bypass domain found: #{@match_name}")
|
||||||
|
print_status("DNS bypass domain #{@match_name} resolved #{ip}")
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
|
||||||
request.add_answer(name, 60, answer)
|
request.add_answer(name, 60, answer)
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue