Dnsruby provides advanced options like DNSSEC in its data format
and is a current and well supported library.
The infrastructure services - resolver, server, etc, were designed
for a standalone configuration, and carry entirely too much weight
and redundancy to implement for this context. Instead of porting
over their native resolver, update the Net::DNS subclassed Rex
Resolver to use Dnsruby data formats and method calls.
Update the Msf namespace infrastructure mixins and native server
module with new method calls and workarounds for some instance
variables having only readers without writers. Implement the Rex
ServerManager to start and stop the DNS service adding relevant
alias methods to the Rex::Proto::DNS::Server class.
Rex services are designed to be modular and lightweight, as well
as implement the sockets, threads, and other low-level interfaces.
Dnsruby's operations classes implement their own threading and
socket semantics, and do not fit with the modular mixin workflow
used throughout Framework. So while the updated resolver can be
seen as adding rubber to the tire fire, converting to dnsruby's
native classes for resolvers, servers, and caches, would be more
like adding oxy acetylene and heavy metals.
Testing:
Internal tests for resolution of different record types locally
and over pivot sessions.
DNS spoofing module should be feature complete, with forwarding of
requests which do not have cached answers (can be disabled same as
the native server module), empty replies to reduce client wait on
outstanding DNS requests, and post-send output in verbose mode
to reduce garbage and execution time in the critical/racy path.
This module is best used in conditions where MITM is achieved by
way of MAC spoofing, route interception, or compromise of an inline
host on the datapath. The attacker should avoid forwarding
original requests to the intended destination, or if this is not
possible, prevent replies from traversing the MITM space in order
to avoid race conditions between the spoofer and victim.
Example iptables configuration on MITM host:
iptables -t nat -A POSTROUTING -o eth0 -p udp ! --dport 53 -j ...
Testing:
Internal testing in Virtualbox local network, atop 802.11, and
mostly in Neutron (with port security disabled on the VIFs) atop
OpenStack Liberty ML2+OVS.
Allow retrieval of '*' from stored static entries for spoofing
all domains to any IP using wildcard names. Replace the wildcard
response with the name submitted to the search in the response.
Fix improper checks in DNS::Packet for Resolv objects from decode
to encode.
Misc cleanup for records not responding to :address, convenience
methods, and packet structure.
Import PCAP-based DNS spoofing server module:
This module uses the Capture mixin to sniff and parse packets off
the wire, then match answers to sniffed requests from static
entries in the server's cache. If answers are found, they are
appended to a cloned packet with reverse saddr/daddr pairs at
layers 2-4, the qr bit is set, and it is injected back into the
interface from where it came.
Minor cleanup in the Rex::Proto::DNS::Server::Cache class to allow
multiple address->name pairs and fix issues when adding multiple
static entries.
In order to handle TCP and UDP clients in a common manner, the
DNS server created a Rex::Socket::Udp object to represent the
client object allowing for a client.write(response) approach to
returning results for both TCP and UDP clients. During work on
the common socket abstractions (#6692) it became apparent that
remote pivoted sockets cannot be created with the same exact param
set used on the server socket - sockets dont reuse with localhost
and localport params being the same, an exception is raised from
the Windows side of the pivot abstraction. Creating a new socket
for every request is also needless overhead and noise.
Create the MockDnsClient class to consume peerhost, peerport, and
the DNS server's UDP socket as arguments in order to execute a
sendto() from the existing socket when sending a response. A write
method is provided in the class for common interface between the
UDP and TCP request handlers.
This has been tested in conjunction with #6692 and shown to be
successful as serving remote requests from the IO.select polled
pivot socket running on a Windows host via Meterpreter.
Implement a check for self.cid.nil? in Meterpreter's Channel class
in the :closed? method for compatibility with the Socket's :closed?
Touch up the Rex DNS server's stop method using this method on
pivot sockets.
Add SOL_SOCKET and SO_REUSEADDR options to the Rex UDP sockets
created by the DNS components - the server socket, as well as the
client abstraction socket.
Create default generator methods for DNS request and response in
the Packet module.
Packet.generate_request is directly adapted from
Net::DNS::Resolver.make_query_packet with conveniences added from
the local namespace.
Packet.generate_response is a convenience wrapper for attaching
responses to request, flipping the qr bit, and adjusting the rCode
for NXDomain or NoError depending on whether the response has any
answers or not. Existing responses being passed into this method
with new answers or an empty array will have their rCode updated
accordingly for NoError and NXDomain.
Clean up Rex::Proto::DNS::Server by use of the convenience method
and removal of the :validate method (as its now in Packet).
Add Packet.valid_hostname? as a wrapper for matching against the
Rex::Proto::DNS::Constants::MATCH_HOSTNAME regex.
Add convenience methods for little and big endian operations on
DNS packet contents. Use the convenience methods for quick ID
and request length extraction without full packet parsing.
Advanced options are now camel cased
Use :blank? on datastore options instead of serial checks for :nil?
and :empty?
Rex::Proto::DNS::Server :on_client_data updated to ask the tcp_sock
to close this client if it exists in the rescue clause.
Create Rex::Proto::DNS::Packet and Packet::Raw to allow common
parsing, validation, and raw data operations across both Rex and
Msf namespaces.
The modules contain class methods and do not need to be mixed in
to use their functionality Packet.method is enough, and reduces GC
strain since new objects are not constantly being instantiated, and
these modules contain no internal state.
Clean up UDP socket leak from Rex::Proto::DNS::Server under certain
conditions.
Create Msf::Exploit::DNS::Common mixin to provide descendants with
access to Packet and the hostname Regex.
-----
Testing:
Tested running the RC provided in the pull request
Manual testing in IRB/Pry while porting PoC for CVE-2015-7547
Rex::IO::StreamServer provides consistent methods and accessors
for TcpServer type consumers, but includes logic for client actions
which are not relevant in a datagram context - connect and
disconnect actions, as well as any notion of stateful session
persistence (the clients queue) do not apply in this paradigm.
Implement a Rex::IO::GramServer mixin which provides common methods
for dispatching requests and sending responses. Defines the same
callback structure for procs as used in the StreamServer, though
utilizing dispatch_request_proc and send_response_proc with client
and data parameters for efficient interception of execution flow
when dealing with stateless comms.
Rewire Rex::Proto::DNS server to use instance variables along the
same convention as other modules, implement the GramServer mixin,
and minor misc cleanup.
-----
Change calling conventions in Rex::Proto::DNS::Server to match
other components.
Clean up the Msf::Exploit::DNS namespace with generic server
interfaces.
Fix the advanged options naming convention - as hdm pointed out,
evasion options use the '::' separator, advanced options use "_".
-----
Testing:
Basic functional tests in Pry for now.
Bail out early unless the monitor thread is running since pruning
will not automatically occur. Continue to raise an exception when
invalid cache attempts are made. If this behavior is not desired,
override the method or create a descendant with altered behavior.
Create default_dispatch_request method in Server to allow an
intercepted dispatch request to fall back into default exec flow.
Add attr_reader to the records hash in Cache
Provide Resolver and Server with comm option for their sockets.
Compose configuration hashes for the Rex Sockets used in requests
based on the Resolver's own configuration, including passing the
Framework context, and CHOST/CPORT options in from Msf namespaces.
Missed the attr_accessors in first commit - added.
Updated Cache stop method to iterate over the resulting Array of
records without holding a write lock over it (:each vs :map).
Glanced over https://www.ietf.org/rfc/rfc1035.txt and set proper
bits for the response and recursion fields prior to passing off the
data for return.
TODO:
Write mixin for easier packet manipulation with configurable
response builders which can determine proper settings for header
fields based on server/resolver configuration. Document to allow
exploit/vector developers to make use of the functionality...
Add Rex::Proto::DNS and Rex::Proto::DNS::Constants namespaces
Create Rex::Proto::DNS::Resolver from Net::DNS::Resolver
Create Rex::Proto::DNS::Server and Rex::Proto::DNS::Server::Cache
Constants -
A Rex::Socket style MATCH_HOSTNAME regex has been added to
help validate DNS names.
Resolver -
Based off of old work creating Rex socket overrides in the
Net::DNS::Resolver as well as allowing for proxying and making
automatic adjustments to use TCP for proxied connections. This
resolver pivots with MSF, uses proxies, and doesnt pull in the
default /etc/resolv.conf information which can lead to info leak.
Automatically sends Net::DNS::Packet and Resolv::DNS::Message
objects to the appropriate nameservers.
TODO: Review for potential low level concurrent resolution impl.
Server::Cache -
Threadsafe wrapper around a Hash which holds Net::DNS::RR keys
with Time.to_i values for counting eviction/stale time without
altering the original record.
Takes records with a TTL of < 1 as static entries which are not
flushed or pruned by the monitor thread.
Server -
A standard Rex level server allowing for client connections with
TCP and UDP listeners. Provides common framework for handling the
different transports by creating a "client" type object as a Rex
UDP socket and passing it back to the dispatch/sender methods.
This server can host listeners on remote pivot targets since it
utilizes Rex sockets, and should not leak internal information
from the resolver as easily either.
Can be configured with a custom resolver regardless of its own
listener configuration (UDP/TCP mix is fine), and carries a
threadsafe wrapper for swapping the resolvers nameservers under
a Mutex.synchronize. Since listeners and resolvers can pivot,
a compromised host in one environment can serve DNS information
obtained by the resolver pivoting through a completely different
target.
The server takes blocks for dispatch and send functions which
when defined, will intercept the standard execution flow which is
to parse the request, check the cache for corresponding records,
then forward the remaining questions in a request via the resolver,
and build + send a response back to the client.
The accessors for dispatch and send, resolver, and cache are
accessible at runtime, though it is likely unsafe to replace the
cache and resolver while they are accessed from other threads.
-----
Testing:
Initial testing performed in IRB/Pry generating manual requests.
Subsequent checks performed using the running server as the sys
resolver.
Additional testing is needed - the default dispatch_request
behavior may not be correct (i need to check the RFCs for this) as
it handles multiple questions for A records. This should be tuned
to be RFC compliant, with inheriting classes changing behavior as
needed. We also need to ensure that we're not leaking our own DNS
information to our targets, so all sorts of abuse is in order.
-----
TODO:
Create Msf::Exploit::DNS namespace utilizing this functionality.
- Move the threaded enum_dns work, as well as work from 6187,
into the namespace
- Review existing modules for functional overlap and move here
as needed. This should be done in separate commits/PRs.
Create specific DNS servers for spoofing, exploit delivery, and
finally handling DNS tunnels (the primary reason for this work).
Write spec
- Convince/coerce a friendly soul in the community to handle
spec for this fiasco while building further functionality.
RageLtMan