On Episode 116 of PaulDotCom Security Weekly, Paul mentioned how it would be nice if one could have a little bit finer control over the behavior of Metasploit’s fake DNS server. It seemed like an easy enough hack, so I’ve thrown this together. I can see this being useful in some situations, and hopefully you will too.
Metasploit’s fakedns.rb is good at what it does, which is respond to any DNS query with a spoofed response pointing at a specific IP address. This module, which I’ve decided to name “mitm_fakedns.rb”, is a dirty, filthy hack of fakedns.rb. It’s not nearly as polished and thought-out as the web_search_scan.rb module I wrote and posted about a couple of days ago, but it is kinda neat anyway.
It’ll listen for DNS, and when it gets a request, it will go ahead and pass it on to a real DNS server that you can specify. Once it gets the response from the real DNS server, it’ll modify that response to point to the IP addresses you specify if it matches one of a set of regexes you provide. This allows you to be a little more “surgical” with whatever attack you have planned, by only spoofing domain names of-interest.
Let’s have a look at the “show info”:
HacBook:framework wesley$ sudo ./msfconsole Password: _ | | o _ _ _ _ _|_ __, , _ | | __ _|_ / |/ |/ | |/ | / | / \_|/ \_|/ / \_| | | | |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/ /| \| =[ msf v3.2-release + -- --=[ 299 exploits - 124 payloads + -- --=[ 18 encoders - 6 nops =[ 68 aux msf > use auxiliary/server/mitm_fakedns msf auxiliary(mitm_fakedns) > info Name: MITM DNS Service Version: 5540 Provided by: unknown <ddz> hdm <email@example.com> Wesley McGrew <firstname.lastname@example.org> Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- FILENAME yes File of ip,regex for filtering responses REALDNS yes Ask this server for answers SRVHOST 0.0.0.0 yes The local host to listen on. SRVPORT 53 yes The local port to listen on. Description: This hack of the metasploit fakedns.rb serves as a sort of MITM DNS server. Requests are passed through to a real DNS server, and the responses are modified before being returned to the client, if they match regular expressions set in FILENAME.
Once it's loaded, we can set our variables:
msf auxiliary(mitm_fakedns) > cat /Users/wesley/hosts.txt [*] exec: cat /Users/wesley/hosts.txt 192.168.1.1,google.com 10.0.0.1,example.com msf auxiliary(mitm_fakedns) > set FILENAME /Users/wesley/hosts.txt FILENAME => /Users/wesley/hosts.txt msf auxiliary(mitm_fakedns) > set REALDNS 192.168.1.254 REALDNS => 192.168.1.254 msf auxiliary(mitm_fakedns) > run [*] Auxiliary module running as background job msf auxiliary(mitm_fakedns) >
The file you specify should have an IP address and a regular expression, one pair per line. Once it’s running, you can test it out by pointing “dig” at it:
HacBook:~ wesley$ dig @127.0.0.1 example.com ; <<>> DiG 9.4.1-P1 <<>> @127.0.0.1 example.com ; (1 server found) ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38312 ;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;example.com. IN A ;; ANSWER SECTION: example.com. 99270 IN A 10.0.0.1 ;; Query time: 39 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Mon Aug 4 22:59:01 2008 ;; MSG SIZE rcvd: 45
This should serve as a pretty good drop-in replacement for fakedns.rb for some attacks. Here’s the source: