Module: Msf::Exploit::Remote::DNS::Client

Includes:

Common, Tcp, Udp

Included in:

Enumeration

Defined in:

lib/msf/core/exploit/remote/dns/client.rb

Constant Summary

Constants included from Common

Msf::Exploit::Remote::DNS::Common::MATCH_HOSTNAME, Msf::Exploit::Remote::DNS::Common::Packet

Instance Attribute Summary

Attributes included from Tcp

#sock

Attributes included from Udp

#udp_sock

Instance Method Summary

• #client ⇒ Object

  Convenience method for DNS resolver as client Executes setup_resolver if none exists.

• #initialize(info = {}) ⇒ Object

  Initializes an exploit module that interacts with a DNS server.

• #process_nameservers ⇒ Object

  Sets the resolver’s nameservers Uses explicitly defined NS option if set Uses RHOSTS if not explicitly defined.

• #query(domain = , type = 'A') ⇒ Dnsruby::RR

  Convenience wrapper around Resolver’s query method - send DNS request.

• #query_async(queries = [], threadmax = , &block) ⇒ Array

  Performs a set of asynchronous lookups for an array of domain,type pairs.

• #set_nameserver(ns = []) ⇒ Object

  Switch DNS forwarders in resolver with thread safety.

• #setup_resolver ⇒ Object

  Create and configure Resolver object.

• #switchdns(domain) ⇒ Object

  Switch nameservers to use explicit NS or SOA for target.

• #wildcard(domain, type = "A") ⇒ String

  Detect if target has wildcards enabled for a record type.

Methods included from Tcp

#chost, #cleanup, #connect, #connect_timeout, #cport, #disconnect, #handler, #lhost, #lport, #peer, #print_prefix, #proxies, #rhost, #rport, #set_tcp_evasions, #shutdown, #ssl, #ssl_cipher, #ssl_verify_mode, #ssl_version

Methods included from Udp

#chost, #cleanup, #connect_udp, #cport, #deregister_udp_options, #disconnect_udp, #handler, #lhost, #lport, #rhost, #rport

Instance Method Details

#client ⇒ Object

Convenience method for DNS resolver as client Executes setup_resolver if none exists

# File 'lib/msf/core/exploit/remote/dns/client.rb', line 189

def client
  setup_resolver unless @dns_resolver
  @dns_resolver
end

#initialize(info = {}) ⇒ Object

Initializes an exploit module that interacts with a DNS server.

# File 'lib/msf/core/exploit/remote/dns/client.rb', line 21

def initialize(info = {})
  super

  deregister_options('RHOST')
  register_options(
    [
      Opt::RPORT(53),
      Opt::Proxies,
      OptString.new('DOMAIN', [ false, "The target domain name"]),
      OptString.new('NS', [ false, "Specify the nameservers to use for queries, space separated" ]),
      OptString.new('SEARCHLIST', [ false, "DNS domain search list, comma separated"]),
      OptInt.new('THREADS', [true, "Number of threads to use in threaded queries", 1])
    ], Exploit::Remote::DNS::Client
  )

  register_advanced_options(
    [
      OptString.new('DnsClientDefaultNS', [ false, "Specify the default to use for queries, space separated", '8.8.8.8 8.8.4.4' ]),
      OptInt.new('DnsClientRetry', [ false, "Number of times to try to resolve a record if no response is received", 2]),
      OptInt.new('DnsClientRetryInterval', [ false, "Number of seconds to wait before doing a retry", 2]),
      OptBool.new('DnsClientReportARecords', [false, "Add hosts found via BRT and RVL to DB", true]),
      OptBool.new('DnsClientRVLExistingOnly', [false, "Only perform lookups on hosts in DB", true]),
      OptBool.new('DnsClientTcpDns', [false, "Run queries over TCP", false]),
      OptPath.new('DnsClientResolvconf', [true, "Resolvconf formatted configuration file to use for Resolver", "/dev/null"])
    ], Exploit::Remote::DNS::Client
  )

  register_autofilter_ports([ 53 ]) if respond_to?(:register_autofilter_ports)
  register_autofilter_services(%W{ dns }) if respond_to?(:register_autofilter_services)
end

#process_nameservers ⇒ Object

Sets the resolver’s nameservers Uses explicitly defined NS option if set Uses RHOSTS if not explicitly defined

# File 'lib/msf/core/exploit/remote/dns/client.rb', line 198

def process_nameservers
  if datastore['NS'].blank?
    nameservers = datastore['DnsClientDefaultNS'].split(/\s|,/)
  else
    nameservers = datastore['NS'].split(/\s|,/)
  end

  invalid = nameservers.select { |ns| !Rex::Socket.dotted_ip?(ns) }
  if !invalid.empty?
    raise "Nameservers must be IP addresses. The following were invalid: #{invalid.join(", ")}"
  end

  nameservers
end

#query(domain = , type = 'A') ⇒ Dnsruby::RR

Convenience wrapper around Resolver’s query method - send DNS request

Parameters:

• domain (String) (defaults to: ) —

  Domain for which to request a record

• type (String) (defaults to: 'A') —

  Type of record to request for domain

Returns:

• (Dnsruby::RR) —

  DNS response

# File 'lib/msf/core/exploit/remote/dns/client.rb', line 60

def query(domain = datastore['DOMAIN'], type = 'A')
  client.query(domain, type)
end

#query_async(queries = [], threadmax = , &block) ⇒ Array

Performs a set of asynchronous lookups for an array of domain,type pairs

Parameters:

• queries (Array) (defaults to: []) —

  Set of domain,type pairs to pass into #query

• threadmax (Fixnum) (defaults to: ) —

  Max number of running threads at a time

• block (Proc) —

  Code block to execute with the query result

Returns:

• (Array) —

  Resulting set of responses or responses processed by passed blocks

# File 'lib/msf/core/exploit/remote/dns/client.rb', line 72

def query_async(queries = [], threadmax = datastore['THREADS'], &block)
  running = []
  while !queries.empty?
    domain, type = queries.shift
    running << framework.threads.spawn("Module(#{self.refname})-#{domain} #{type}", false) do |qat|
      if block
        block.call(query(domain,type))
      else
        query(domain,type)
      end
    end
    while running.select(&:alive?).count >= threadmax
      Rex::ThreadSafe.sleep(1)
    end
  end
  return running.join
end

#set_nameserver(ns = []) ⇒ Object

Switch DNS forwarders in resolver with thread safety

Parameters:

• ns (Array, String) (defaults to: []) —

  List of (or single) nameservers to use

# File 'lib/msf/core/exploit/remote/dns/client.rb', line 94

def set_nameserver(ns = [])
  if ns.respond_to?(:split)
    ns = [ns]
  end
  @lock.synchronize do
    @dns_resolver.nameserver = ns.flatten
  end
end

#setup_resolver ⇒ Object

Create and configure Resolver object

# File 'lib/msf/core/exploit/remote/dns/client.rb', line 150

def setup_resolver
  options.validate(datastore) # This is a hack, DS values should not be Strings prior to this
  config = {
    :config_file => datastore['DnsClientResolvconf'],
    :nameservers => process_nameservers,
    :port => datastore['RPORT'],
    :retry_number => datastore['DnsClientRetry'].to_i,
    :retry_interval => datastore['DnsClientRetryInterval'].to_i,
    :use_tcp => datastore['DnsClientTcpDns'],
    :context => {'Msf' => framework, 'MsfExploit' => self}
  }
  if datastore['SEARCHLIST']
    if datastore['SEARCHLIST'].split(',').all? do |search|
      search.match(MATCH_HOSTNAME)
    end
      config[:search_list] = datastore['SEARCHLIST'].split(',')
    else
      raise 'Domain search list must consist of valid domains'
    end
  end
  if datastore['CHOST']
    config[:source_address] = IPAddr.new(datastore['CHOST'].to_s)
  end
  if datastore['CPORT']
    config[:source_port] = datastore['CPORT'] unless datastore['CPORT'] == 0
  end
  if datastore['Proxies']
    vprint_status("Using DNS/TCP resolution for proxy config")
    config[:use_tcp] = true
    config[:proxies] = datastore['Proxies']
  end
  @dns_resolver_lock = Mutex.new unless @dns_resolver_lock
  @dns_resolver = Rex::Proto::DNS::Resolver.new(config)
end

#switchdns(domain) ⇒ Object

Switch nameservers to use explicit NS or SOA for target

Parameters:

• domain (String) —

  Domain for which to find SOA

# File 'lib/msf/core/exploit/remote/dns/client.rb', line 107

def switchdns(domain)
  if datastore['NS'].blank?
    resp_soa = client.query(target, "SOA")
    if (resp_soa)
      (resp_soa.answer.select { |i| i.is_a?(Dnsruby::RR::SOA)}).each do |rr|
        resp_1_soa = client.search(rr.mname)
        if (resp_1_soa and resp_1_soa.answer[0])
          set_nameserver(resp_1_soa.answer.map(&:address).compact.map(&:to_s))
          print_status("Set DNS Server to #{target} NS: #{client.nameserver.join(', ')}")
          break
        end
      end
    end
  else
    vprint_status("Using DNS Server: #{client.nameserver.join(', ')}")
    client.nameserver = process_nameservers
  end
end

#wildcard(domain, type = "A") ⇒ String

Detect if target has wildcards enabled for a record type

Parameters:

• domain (String) —

  Domain to test

• type (String) (defaults to: "A") —

  Record type to test

Returns:

• (String) —

  Address which is returned for wildcard requests

# File 'lib/msf/core/exploit/remote/dns/client.rb', line 133

def wildcard(domain, type = "A")
  addr = false
  rendsub = rand(10000).to_s
  response = query("#{rendsub}.#{target}", type)
  if response.answer.length != 0
    vprint_status("This domain has wildcards enabled!!")
    response.answer.each do |rr|
      print_status("Wildcard IP for #{rendsub}.#{target} is: #{rr.address.to_s}") if rr.class != Dnsruby::RR::CNAME
      addr = rr.address.to_s
    end
  end
  return addr
end