DNS BailiWicked Domain Attack
This module attacks a widespread flaw in DNS cache implementations that Dan Kaminsky found and disclosed around July 2008. It replaces the target domain's nameserver (NS) entries in a vulnerable caching DNS server. The attack works by sending queries for random hostnames under the target domain to the target DNS server while simultaneously sending spoofed replies to those queries that claim to come from the domain's authoritative nameservers. Eventually a guessed transaction ID matches an outstanding query, the spoofed packet is accepted, and the cached nameserver entries for the target domain are replaced by the server specified in the NEWDNS option of this module.
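The trace this attack leaves on the victim resolver is the guessing itself: one outstanding query for a random label receives a burst of replies that differ only in their transaction ID. The following is an added example, not code from the module or the original page; it scans constructed reply metadata (the `DnsResponse` record and the `constructed_sample` data are assumptions for the demonstration) and flags any query whose resolver port received more distinct TXIDs than a single reply could explain.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsResponse:
    """Per-reply metadata a resolver-side sensor would keep. dst_port and txid
    are exactly the two values the attacker has to guess."""
    ts: float       # seconds since capture start
    src_ip: str     # address the reply claims to come from
    dst_port: int   # resolver query source port the reply is addressed to
    txid: int       # 16-bit transaction ID carried in the reply
    qname: str      # question name echoed back in the reply


def find_txid_floods(responses, window=1.0, threshold=20):
    """Return {(qname, dst_port): max_distinct_txids} for queries that received
    more than `threshold` replies with distinct TXIDs inside any `window`-second
    span. A resolver expects one reply per outstanding query, so a burst of
    differing-TXID replies to one query is the signature of ID guessing."""
    by_query = defaultdict(list)
    for r in responses:
        by_query[(r.qname, r.dst_port)].append(r)
    flagged = {}
    for key, replies in by_query.items():
        replies.sort(key=lambda r: r.ts)
        start = 0
        for end in range(len(replies)):
            # advance the window start so replies[start:end+1] spans <= window
            while replies[end].ts - replies[start].ts > window:
                start += 1
            distinct = len({r.txid for r in replies[start:end + 1]})
            if distinct > threshold:
                flagged[key] = max(flagged.get(key, 0), distinct)
    return flagged


def constructed_sample():
    """Constructed data, not a real capture: three ordinary replies plus a burst
    of 60 replies that all target one random-label query on one resolver port."""
    normal = [
        DnsResponse(0.00, "192.0.2.10", 41022, 0x3F1C, "www.example.com"),
        DnsResponse(0.30, "192.0.2.10", 59731, 0x0A77, "mail.example.com"),
        DnsResponse(0.90, "192.0.2.10", 41022, 0x3F1C, "www.example.com"),
    ]
    burst = [
        DnsResponse(0.50 + i * 0.002, "192.0.2.10", 41022, 0x1000 + i, "k3j9x.example.com")
        for i in range(60)
    ]
    return normal + burst
```

On a resolver that randomizes its query source port (the fix shipped for this bug), the same burst would be spread across many ports and would have to be grouped by `qname` alone to be seen.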
Rank
- Normal
Authors
- I)ruid < druid [at] caughq.org >
- hdm < hdm [at] metasploit.com >
- Cedric Blancher < sid [at] rstack.org >
Usage Information
```
$ msfconsole
msf > use auxiliary/spoof/dns/bailiwicked_domain
msf auxiliary(bailiwicked_domain) > set NEWDNS [STRING]
msf auxiliary(bailiwicked_domain) > set RHOST [TARGET IP]
msf auxiliary(bailiwicked_domain) > set SRCPORT [PORT]
msf auxiliary(bailiwicked_domain) > run
```
Module Options
| Option | Description |
|---|---|
| DOMAIN | The domain to hijack (default: example.com) |
| INTERFACE | The name of the interface |
| NEWDNS | The hostname of the replacement DNS server |
| RECONS | The nameserver used for reconnaissance (default: 208.67.222.222) |
| RHOST | The target address |
| SNAPLEN | The number of bytes to capture (default: 65535) |
| SRCADDR | The source address to use for sending the queries (accepted: Real, Random) (default: Real) |
| SRCPORT | The target server's source query port (0 for automatic) |
| TIMEOUT | The number of seconds to wait for new data (default: 500) |
| TTL | The TTL for the malicious host entry (default: 39070) |
| XIDS | The number of XIDs to try for each query (0 for automatic) (default: 0) |
| GATEWAY | The gateway IP address. This will be used rather than a random remote address for the UDP probe, if set. |
| NETMASK | The local network mask. This is used to decide if an address is in the local network. |
| UDP_SECRET | The 32-bit cookie for UDP probe requests. |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |
