infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

@jhart-r7 commits are accepted and conflicts fixed.

bug/bundler_fix
Fatih Ozavci 2014-11-05 15:32:32 +11:00 committed by Jon Hart
parent ab7f6866f5
commit a38cb3ee53
1 changed files with 56 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

117
modules/auxiliary/server/fakedns.rb
View File

@ -20,7 +20,7 @@ class Metasploit3 < Msf::Auxiliary
This module provides a DNS service that redirects
all queries to a particular address.
},
'Author' => ['ddz', 'hdm', 'Fatih Ozavci <viproy.com/fozavci>'],
'Author' => ['ddz', 'hdm', 'fozavci'],
'License' => MSF_LICENSE,
'Actions' =>
[
@ -92,9 +92,10 @@ class Metasploit3 < Msf::Auxiliary
@error_resolving = false
packet, addr = @sock.recvfrom(65535)
@requestor = addr
break if packet.length == 0
next if packet.length == 0
request = Resolv::DNS::Message.decode(packet)
next unless request.qr == 0
#
# XXX: Track request IDs by requesting IP address and port
@ -110,6 +111,18 @@ class Metasploit3 < Msf::Auxiliary
lst = []
request.each_question {|name, typeclass|
# Identify potential domain exceptions
@match_target = false
@match_name = name.to_s
@domain_target_list.each do |ex|
escaped = Regexp.escape(ex).gsub('\*','.*?')
regex = Regexp.new "^#{escaped}$", Regexp::IGNORECASE
if ( name.to_s =~ regex )
@match_target = true
@match_name = ex
end
end
tc_s = typeclass.to_s().gsub(/^Resolv::DNS::Resource::/, "")
request.qr = 1
@ -133,18 +146,6 @@ class Metasploit3 < Msf::Auxiliary
answer = Resolv::DNS::Resource::IN::A.new( @targ || ::Rex::Socket.source_address(addr[3].to_s) )
# Identify potential domain exceptions
@match_target = false
@match_name = name.to_s
@domain_target_list.each do |ex|
escaped = Regexp.escape(ex).gsub('\*','.*?')
regex = Regexp.new "^#{escaped}$", Regexp::IGNORECASE
if ( name.to_s =~ regex )
@match_target = true
@match_name = ex
end
end
if (@match_target and not @bypass) or (not @match_target and @bypass)
# Resolve FAKE response
if (@log_console)
@ -184,57 +185,51 @@ class Metasploit3 < Msf::Auxiliary
request.add_additional(name, 60, ar)
when 'IN::SRV'
# Identify potential domain exceptions
@match_target = false
@match_name = name.to_s
@domain_target_list.each do |ex|
escaped = Regexp.escape(ex).gsub('\*','.*?')
regex = Regexp.new "^#{escaped}$", Regexp::IGNORECASE
if ( name.to_s =~ regex )
print_status("Name : #{regex}")
@match_target = true
@match_name = ex
end
answers = []
authorities = []
additionals = []
resources = Resolv::DNS.new().getresources(Resolv::DNS::Name.create(name), Resolv::DNS::Resource::IN::SRV)
if resources.empty?
@error_resolving = true
print_error("Unable to resolve SRV record for #{name} -- skipping")
next
end
if (@match_target and not @bypass) or (not @match_target and @bypass)
# Prepare the FAKE response
answer = Resolv::DNS::Resource::IN::A.new( @targ || ::Rex::Socket.source_address(addr[3].to_s) )
srv = Resolv::DNS::Resource::IN::SRV.new(5,0,datastore['SRV_PORT'],Resolv::DNS::Name.create(name))
request.add_answer(name, 10, srv)
request.add_additional(Resolv::DNS::Name.create(name), 60, answer)
if (@log_console)
print_status("DNS target domain found: #{@match_name}")
print_status("DNS target domain #{name.to_s} faked")
end
else
# Resolve the SRV records of the domain
begin
responses = Resolv::DNS.new().getresources(Resolv::DNS::Name.create("#{name}"),Resolv::DNS::Resource::IN::SRV)
responses.each {|res|
host = res.target
port = res.port.to_i
weight = res.weight.to_i
priority = res.priority.to_i
host_ip = Resolv::DNS.new().getaddress(host).to_s
srv = Resolv::DNS::Resource::IN::SRV.new(priority,weight,port,Resolv::DNS::Name.create(host))
request.add_answer(name, 10, srv)
ar = Resolv::DNS::Resource::IN::A.new(host_ip)
request.add_additional(Resolv::DNS::Name.create(host), 60, ar)
}
rescue ::Exception => e
@error_resolving = true
next
end
if (@log_console)
print_status("DNS bypass domain found: #{@match_name}")
print_status("SRV records listed for #{@match_name}")
resources.each do |resource|
host = resource.target
port = resource.port.to_i
weight = resource.weight.to_i
priority = resource.priority.to_i
if @bypass || !@match_target
# if we are in bypass mode or we are in fake mode but the target didn't match,
# just return the real response RRs
answers << Resolv::DNS::Resource::IN::SRV.new(priority, weight, port, Resolv::DNS::Name.create(host))
additionals << [ host, Resolv::DNS.new().getaddress(host).to_s ]
if (@log_console)
print_status("DNS bypass domain found: #{@match_name}")
print_status("SRV records listed for #{@match_name}")
end
else
# Prepare the FAKE response
answers << Resolv::DNS::Resource::IN::SRV.new(5,0,datastore['SRV_PORT'],Resolv::DNS::Name.create(name))
additionals << [ host, @targ || ::Rex::Socket.source_address(addr[3].to_s) ]
authorities << Resolv::DNS::Resource::IN::NS.new(Resolv::DNS::Name.create("dns.#{name}"))
if (@log_console)
print_status("DNS target domain found: #{@match_name}")
print_status("DNS target domain #{name.to_s} faked")
end
end
end
ns = Resolv::DNS::Resource::IN::NS.new(Resolv::DNS::Name.create("dns.#{name}"))
request.add_authority(name, 60, ns)
# don't uniq the SRV answers -- return what the real response had
answers.each { |srv| request.add_answer(name, 10, srv) }
# uniq the authorities and additional records since we are artificially
# inserting these into the response
authorities.uniq.each { |ns| request.add_authority(name, 60, ns) }
additionals.uniq.each do |host_and_ip|
host = host_and_ip.first
ip = host_and_ip.last
request.add_additional(Resolv::DNS::Name.create(host), 60, Resolv::DNS::Resource::IN::A.new(ip))
end
when 'IN::PTR'
soa = Resolv::DNS::Resource::IN::SOA.new(