Land #2760

2013-12-18 17:15:42 +10:00 · 2013-12-18 17:15:42 +10:00 · a4811bd0c3
parent c34638c5e7 5e4c395f86
commit a4811bd0c3
3 changed files with 4112 additions and 0 deletions
--- a/data/wordlists/av-update-urls.txt
+++ b/data/wordlists/av-update-urls.txt
@ -0,0 +1,28 @@
+www.es-web.sophos.com
+www.es-web.sophos.com.edgesuite.net
+www.es-web-2.sophos.com
+www.es-web-2.sophos.com.edgesuite.net
+www.dnl-01.geo.kaspersky.com
+www.downloads2.kaspersky-labs.com
+www.liveupdate.symantecliveupdate.com
+www.liveupdate.symantec.com
+www.update.symantec.com
+www.update.nai.com
+www.download797.avast.com
+www.guru.avg.com
+www.osce8-p.activeupdate.trendmicro.com
+www.forefrontdl.microsoft.com
+es-web.sophos.com
+es-web.sophos.com.edgesuite.net
+es-web-2.sophos.com
+es-web-2.sophos.com.edgesuite.net
+dnl-01.geo.kaspersky.com
+downloads2.kaspersky-labs.com
+liveupdate.symantecliveupdate.com
+liveupdate.symantec.com
+update.symantec.com
+update.nai.com
+download797.avast.com
+guru.avg.com
+osce8-p.activeupdate.trendmicro.com
+forefrontdl.microsoft.com
--- a/data/wordlists/malicious_urls.txt
+++ b/data/wordlists/malicious_urls.txt
--- a/modules/auxiliary/gather/dns_cache_scraper.rb
+++ b/modules/auxiliary/gather/dns_cache_scraper.rb
@ -0,0 +1,116 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'net/dns/resolver'
+
+class Metasploit3 < Msf::Auxiliary
+  include Msf::Auxiliary::Report
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'DNS Non-Recursive Record Scraper',
+      'Description' => %q{
+        This module can be used to scrape records that have been cached
+        by a specific nameserver. The module allows the user to test
+        every record from a specified file.
+      },
+      'Author' => [
+          'Brandon McCann "zeknox" <bmccann[at]accuvant.com>',
+          'Rob Dixon "304geek" <rob.dixon[at]accuvant.com>'
+      ],
+      'License' => MSF_LICENSE,
+      'References' => [
+        ['URL', 'http://304geeks.blogspot.com/2013/01/dns-scraping-for-corporate-av-detection.html'],
+        ['URL', 'http://www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf']
+      ]))
+
+    register_options([
+        OptString.new('DOMAIN', [ false, "Domain name to query for"]),
+        OptPath.new('WORDLIST', [ false, "Wordlist for domain name queries", ::File.join(Msf::Config.data_directory, "wordlists", "av-update-urls.txt")]),
+        OptAddress.new('NS', [ true, "Specify the nameserver to use for queries" ]),
+      ], self.class)
+
+    register_advanced_options([
+        OptBool.new('TCP_DNS', [false, "Run queries over TCP", false]),
+        OptInt.new('DNS_TIMEOUT', [true, "DNS Timeout in seconds", 5])
+      ], self.class)
+  end
+
+  # method to scrape dns
+  def scrape_dns(domain)
+
+    # dns request with recursive disabled
+    use_tcp = datastore['TCP_DNS']
+    res = Net::DNS::Resolver.new(:nameservers => "#{datastore['NS']}", :recursive => false, :use_tcp => use_tcp)
+    use_tcp ? res.tcp_timeout = datastore['DNS_TIMEOUT'] : res.udp_timeout = datastore['DNS_TIMEOUT']
+
+    # query dns
+    begin
+      query = res.send(domain)
+    rescue ResolverArgumentError
+      print_error("Invalid domain: #{domain}")
+      return
+    rescue NoResponseError
+      print_error("DNS Timeout Issue: #{domain}")
+      return
+    end
+
+    # found or not found
+    if query.answer.empty?
+      vprint_status("#{domain} - Not Found")
+      return
+    end
+
+    @is_vulnerable = true
+    print_good("#{domain} - Found")
+    report_goods(domain)
+  end
+
+  # method to read each line from file
+  def read_file
+    ::File.open("#{datastore['WORDLIST']}", "rb").each_line do |line|
+      scrape_dns(line.chomp)
+    end
+  end
+
+  # log results to database
+  def report_goods(domain)
+    if datastore['TCP_DNS']
+      proto = "tcp"
+    else
+      proto = "udp"
+    end
+
+    report_note(
+      :host => datastore['NS'],
+      :name => "dns",
+      :port => 53,
+      :proto => proto,
+      :type => "dns.cache.scrape",
+      :data => "#{domain} cached",
+      :update => :unique_data
+    )
+  end
+
+  # main control method
+  def run
+    @is_vulnerable = false
+
+    print_status("Making queries against #{datastore['NS']}")
+
+    if datastore['DOMAIN'].blank?
+      read_file
+    else
+      scrape_dns(datastore['DOMAIN'])
+    end
+
+    report_vuln(
+      :host => datastore['NS'],
+      :name => "DNS Cache Snooping",
+    ) if @is_vulnerable
+  end
+end
+