123 lines
3.2 KiB
Ruby
123 lines
3.2 KiB
Ruby
##
|
|
# ## This file is part of the Metasploit Framework and may be subject to
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
# web site for more information on licensing and terms of use.
|
|
# http://metasploit.com/
|
|
##
|
|
|
|
require 'msf/core'
|
|
require 'rex'
|
|
require 'msf/core/post/common'
|
|
|
|
|
|
class Metasploit3 < Msf::Post
|
|
|
|
include Msf::Post::Common
|
|
|
|
|
|
def initialize(info={})
|
|
super( update_info( info,
|
|
'Name' => 'Multi Gather DNS Forward Lookup Bruteforce',
|
|
'Description' => %q{
|
|
Brute force subdomains and hostnames via wordlist.
|
|
},
|
|
'License' => MSF_LICENSE,
|
|
'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>'],
|
|
'Platform' => [ 'win','linux', 'osx', 'bsd', 'solaris' ],
|
|
'SessionTypes' => [ 'meterpreter', 'shell' ]
|
|
))
|
|
register_options(
|
|
[
|
|
|
|
OptString.new('DOMAIN', [true, 'Domain to do a fordward lookup bruteforce against.']),
|
|
OptPath.new('NAMELIST',[true, "List of hostnames or subdomains to use.",
|
|
::File.join(Msf::Config.install_root, "data", "wordlists", "namelist.txt")])
|
|
|
|
], self.class)
|
|
end
|
|
|
|
# Run Method for when run command is issued
|
|
def run
|
|
|
|
domain = datastore['DOMAIN']
|
|
hostlst = datastore['NAMELIST']
|
|
a = []
|
|
|
|
print_status("Performing DNS Forward Lookup Bruteforce for Domain #{domain}")
|
|
if session.type =~ /shell/
|
|
# Only one thread possible when shell
|
|
thread_num = 1
|
|
# Use the shell platform for selecting the command
|
|
platform = session.platform
|
|
else
|
|
# When in Meterpreter the safest thread number is 10
|
|
thread_num = 10
|
|
# For Meterpreter use the sysinfo OS since java Meterpreter returns java as platform
|
|
platform = session.sys.config.sysinfo['OS']
|
|
end
|
|
|
|
name_list = []
|
|
if ::File.exists?(hostlst)
|
|
::File.open(hostlst).each do |n|
|
|
name_list << n
|
|
end
|
|
end
|
|
|
|
platform = session.platform
|
|
|
|
case platform
|
|
when /win/i
|
|
cmd = "nslookup"
|
|
when /solaris/i
|
|
cmd = "/usr/sbin/host "
|
|
else
|
|
cmd = "/usr/bin/host "
|
|
end
|
|
while(not name_list.nil? and not name_list.empty?)
|
|
1.upto(thread_num) do
|
|
a << framework.threads.spawn("Module(#{self.refname})", false, name_list.shift) do |n|
|
|
next if n.nil?
|
|
vprint_status("Trying #{n.strip}.#{domain}")
|
|
r = cmd_exec(cmd, "#{n.strip}.#{domain}")
|
|
|
|
case session.platform
|
|
when /win/
|
|
proccess_win(r, "#{n.strip}.#{domain}")
|
|
else
|
|
process_nix(r, "#{n.strip}.#{domain}")
|
|
end
|
|
end
|
|
a.map {|x| x.join }
|
|
end
|
|
end
|
|
end
|
|
|
|
# Process the data returned by nslookup
|
|
def proccess_win(data,ns_opt)
|
|
if data =~ /Name/
|
|
# Remove unnecessary data and get the section with the addresses
|
|
returned_data = data.split(/Name:/)[1]
|
|
# check each element of the array to see if they are IP
|
|
returned_data.gsub(/\r\n\t |\r\n|Aliases:|Addresses:/," ").split(" ").each do |e|
|
|
if Rex::Socket.dotted_ip?(e)
|
|
print_good("#{ns_opt} #{e}")
|
|
report_host(:host=>e, :name=>ns_opt.strip)
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
# Process the data returned by the host command
|
|
def process_nix(r,ns_opt)
|
|
r.each_line do |l|
|
|
data = l.scan(/(\S*) has address (\S*)$/)
|
|
if not data.empty?
|
|
data.each do |e|
|
|
print_good("#{ns_opt} #{e[1]}")
|
|
report_host(:host=>e[1], :name=>ns_opt.strip)
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|