DNS spoofing module should be feature complete, with forwarding of
requests which do not have cached answers (can be disabled same as
the native server module), empty replies to reduce client wait on
outstanding DNS requests, and post-send output in verbose mode
to reduce garbage and execution time in the critical/racy path.
This module is best used in conditions where MITM is achieved by
way of MAC spoofing, route interception, or compromise of an inline
host on the datapath. The attacker should avoid forwarding
original requests to the intended destination, or if this is not
possible, prevent replies from traversing the MITM space in order
to avoid race conditions between the spoofer and victim.
Example iptables configuration on MITM host:
iptables -t nat -A POSTROUTING -o eth0 -p udp ! --dport 53 -j ...
Testing:
Internal testing in Virtualbox local network, atop 802.11, and
mostly in Neutron (with port security disabled on the VIFs) atop
OpenStack Liberty ML2+OVS.
Allow retrieval of '*' from stored static entries for spoofing
all domains to any IP using wildcard names. Replace the wildcard
response with the name submitted to the search in the response.
Fix improper checks in DNS::Packet for Resolv objects from decode
to encode.
Misc cleanup for records not responding to :address, convenience
methods, and packet structure.
Import PCAP-based DNS spoofing server module:
This module uses the Capture mixin to sniff and parse packets off
the wire, then match answers to sniffed requests from static
entries in the server's cache. If answers are found, they are
appended to a cloned packet with reverse saddr/daddr pairs at
layers 2-4, the qr bit is set, and it is injected back into the
interface from where it came.
Minor cleanup in the Rex::Proto::DNS::Server::Cache class to allow
multiple address->name pairs and fix issues when adding multiple
static entries.
In order to handle TCP and UDP clients in a common manner, the
DNS server created a Rex::Socket::Udp object to represent the
client object allowing for a client.write(response) approach to
returning results for both TCP and UDP clients. During work on
the common socket abstractions (#6692) it became apparent that
remote pivoted sockets cannot be created with the same exact param
set used on the server socket - sockets dont reuse with localhost
and localport params being the same, an exception is raised from
the Windows side of the pivot abstraction. Creating a new socket
for every request is also needless overhead and noise.
Create the MockDnsClient class to consume peerhost, peerport, and
the DNS server's UDP socket as arguments in order to execute a
sendto() from the existing socket when sending a response. A write
method is provided in the class for common interface between the
UDP and TCP request handlers.
This has been tested in conjunction with #6692 and shown to be
successful as serving remote requests from the IO.select polled
pivot socket running on a Windows host via Meterpreter.
Implement a check for self.cid.nil? in Meterpreter's Channel class
in the :closed? method for compatibility with the Socket's :closed?
Touch up the Rex DNS server's stop method using this method on
pivot sockets.
Add SOL_SOCKET and SO_REUSEADDR options to the Rex UDP sockets
created by the DNS components - the server socket, as well as the
client abstraction socket.
Create default generator methods for DNS request and response in
the Packet module.
Packet.generate_request is directly adapted from
Net::DNS::Resolver.make_query_packet with conveniences added from
the local namespace.
Packet.generate_response is a convenience wrapper for attaching
responses to request, flipping the qr bit, and adjusting the rCode
for NXDomain or NoError depending on whether the response has any
answers or not. Existing responses being passed into this method
with new answers or an empty array will have their rCode updated
accordingly for NoError and NXDomain.
Clean up Rex::Proto::DNS::Server by use of the convenience method
and removal of the :validate method (as its now in Packet).
Add Packet.valid_hostname? as a wrapper for matching against the
Rex::Proto::DNS::Constants::MATCH_HOSTNAME regex.
Add convenience methods for little and big endian operations on
DNS packet contents. Use the convenience methods for quick ID
and request length extraction without full packet parsing.
Advanced options are now camel cased
Use :blank? on datastore options instead of serial checks for :nil?
and :empty?
Rex::Proto::DNS::Server :on_client_data updated to ask the tcp_sock
to close this client if it exists in the rescue clause.
Create Rex::Proto::DNS::Packet and Packet::Raw to allow common
parsing, validation, and raw data operations across both Rex and
Msf namespaces.
The modules contain class methods and do not need to be mixed in
to use their functionality Packet.method is enough, and reduces GC
strain since new objects are not constantly being instantiated, and
these modules contain no internal state.
Clean up UDP socket leak from Rex::Proto::DNS::Server under certain
conditions.
Create Msf::Exploit::DNS::Common mixin to provide descendants with
access to Packet and the hostname Regex.
-----
Testing:
Tested running the RC provided in the pull request
Manual testing in IRB/Pry while porting PoC for CVE-2015-7547
Rex::IO::StreamServer provides consistent methods and accessors
for TcpServer type consumers, but includes logic for client actions
which are not relevant in a datagram context - connect and
disconnect actions, as well as any notion of stateful session
persistence (the clients queue) do not apply in this paradigm.
Implement a Rex::IO::GramServer mixin which provides common methods
for dispatching requests and sending responses. Defines the same
callback structure for procs as used in the StreamServer, though
utilizing dispatch_request_proc and send_response_proc with client
and data parameters for efficient interception of execution flow
when dealing with stateless comms.
Rewire Rex::Proto::DNS server to use instance variables along the
same convention as other modules, implement the GramServer mixin,
and minor misc cleanup.
-----
Change calling conventions in Rex::Proto::DNS::Server to match
other components.
Clean up the Msf::Exploit::DNS namespace with generic server
interfaces.
Fix the advanged options naming convention - as hdm pointed out,
evasion options use the '::' separator, advanced options use "_".
-----
Testing:
Basic functional tests in Pry for now.
Exploit::Remote::TcpServer contains functionality required by the
hybrid Udp/Tcp Exploit::Remote::DNS::Server. In order to avoid
having to maintain a set of compatible methods across the transport
implementations, create a new mixin "above" the TcpServer to handle
common socket operations - Exploit::Remote::SocketServer.
Copy Exploit::Remote::TcpServer to Exploit::Remote::SocketServer.
Remove common code from Exploit::Remote::TcpServer, remove TCP/SSL
specific code from Exploit::Remote::SocketServer. Require and
include Exploit::Remote::SocketServer in Exploit::Remote::TcpServer
Testing:
Basic testing using the telnet capture server which utilzies the
modified Exploit::Remote::TcpServer mixin:
```
use auxiliary/server/capture/telnet
(2016-02-28)15:23 (S:0 J:0)msf auxiliary(telnet) > exploit
[*] Auxiliary module execution completed
(2016-02-28)15:23 (S:0 J:1)msf auxiliary(telnet) >
[*] [2016.02.28-15:23:39] Listening on 0.0.0.0:23...
[*] [2016.02.28-15:23:39] Server started.
[*] [2016.02.28-15:23:48] TELNET LOGIN 127.0.0.1:60408 jack / jill
Interrupt: use the 'exit' command to quit
```
The add_static_hosts method used old interfaces and had not been
tested prior.
Address the interfaces, functionally check the logic, and add the
method into start_service to automatically process the static
hosts entries set in the DS.
Built atop the Rex::Proto::DNS work to implement mixins for client
and server functionality, providing common interfaces for querying
domain name servers, and providing domain name services to clients
across Rex sockets. Fully functional native DNS server module is
included to demonstrate functionality, serve as a spoofing DNS
server, a collecting proxy, or any other number of DNS functions.
-----
At the core of this work is a Rex::Proto::DNS::Resolver object
descended from Net::DNS::Resolver with overrides and alterations
for using Rex sockets. The sockets implementation has been in use
internally for a number of years and is well tested. Changes have
been made to provider better interface for higher level components.
The resolver provides forward lookup capability for the server
(Rex::Proto::DNS::Server) which also implements a self-pruning
Cache subclass capable of holding static entries. The server can
operate in TCP or UDP mode, and provides a common abstraction for
addressing TCP and UDP clients by passing a Rex::Socket::Udp
mock client around with the data object to higher level consumers.
Finally, as is standard practice when building full service objects
from Rex to Msf, the server allows consumers to efficiently take
execution control at the request and response handlers by passing
Procs into the constructor (or manually assigning at runtime) for
execution instead of the default call chain.
The service, lookup, and caching functionality is encapsulated and
stands on its own to be used by consumers other than the standard
Msf::Exploit::Remote namespaces. It is intended to serve as the
driver and transport handler for pending DNS tunnel transports,
and can be used by exploit and auxiliary modules directly.
-----
The Msf::Exploit::Remote namespace receives DNS, DNS::Client, and
DNS::Server mixins providing common interfaces for Rex::Proto::DNS
objects. These mixins create convenience methods for executing
queries, serving requests, and configuring the Rex providers.
DNS::Client mixin attempts to "intelligently" configure the client
resolver's name servers and options from the data store. Accessor,
query, and configuration methods are provided in this mixin. Of
note are the wildcard and switchdns methods which were adapted
from prior work by others (likely Carlos Perez) which can be used
by numerous consumer modules. Consumers should use setup_client
during their run call to ensure the resolver is appropriately
configured.
DNS::Server mixin creates common service wrappers for modules to
utilize along with a configuration mechanism analagous to the
one used by the Client mixin, called setup_server, and calling
the setup_client method if present. Note that when setup_server
is called, the consumer does not need to call setup_resolver.
------
At the framework module level, a native dns server is provided
to showcase the mixin functionality and provide everything from
normal DNS services, to tunneling proxies (with cache disabled),
spoofing services, and MITM functionality via the handler Procs
for requests and responses.
Use auxiliary/server/dns/native_server to get started.
-----
Testing:
Basic local testing completed.
Needs to be checked for info leaks - we used to leak a lot.
Needs to be checked for functionality under varying configs.
Notes:
We have a serious problem with the datastore somewhere in the
Msf namespace. Datastore options must be validated with
options.validate(datastore) or they are all Strings, which
completely destroys any type-dependent logic consuming
datastore values. This must be addressed separately and all
calls to options.validate(datastore) should be removed (other
work has included such calls as well, this just proved that
the problem exists upstream).
Future work:
Implement sessions transports atop the DNS infrastructure in
order to provide native DNS tunneling.
Bail out early unless the monitor thread is running since pruning
will not automatically occur. Continue to raise an exception when
invalid cache attempts are made. If this behavior is not desired,
override the method or create a descendant with altered behavior.
Create default_dispatch_request method in Server to allow an
intercepted dispatch request to fall back into default exec flow.
Add attr_reader to the records hash in Cache
Provide Resolver and Server with comm option for their sockets.
Compose configuration hashes for the Rex Sockets used in requests
based on the Resolver's own configuration, including passing the
Framework context, and CHOST/CPORT options in from Msf namespaces.
Missed the attr_accessors in first commit - added.
Updated Cache stop method to iterate over the resulting Array of
records without holding a write lock over it (:each vs :map).
Glanced over https://www.ietf.org/rfc/rfc1035.txt and set proper
bits for the response and recursion fields prior to passing off the
data for return.
TODO:
Write mixin for easier packet manipulation with configurable
response builders which can determine proper settings for header
fields based on server/resolver configuration. Document to allow
exploit/vector developers to make use of the functionality...
Add Rex::Proto::DNS and Rex::Proto::DNS::Constants namespaces
Create Rex::Proto::DNS::Resolver from Net::DNS::Resolver
Create Rex::Proto::DNS::Server and Rex::Proto::DNS::Server::Cache
Constants -
A Rex::Socket style MATCH_HOSTNAME regex has been added to
help validate DNS names.
Resolver -
Based off of old work creating Rex socket overrides in the
Net::DNS::Resolver as well as allowing for proxying and making
automatic adjustments to use TCP for proxied connections. This
resolver pivots with MSF, uses proxies, and doesnt pull in the
default /etc/resolv.conf information which can lead to info leak.
Automatically sends Net::DNS::Packet and Resolv::DNS::Message
objects to the appropriate nameservers.
TODO: Review for potential low level concurrent resolution impl.
Server::Cache -
Threadsafe wrapper around a Hash which holds Net::DNS::RR keys
with Time.to_i values for counting eviction/stale time without
altering the original record.
Takes records with a TTL of < 1 as static entries which are not
flushed or pruned by the monitor thread.
Server -
A standard Rex level server allowing for client connections with
TCP and UDP listeners. Provides common framework for handling the
different transports by creating a "client" type object as a Rex
UDP socket and passing it back to the dispatch/sender methods.
This server can host listeners on remote pivot targets since it
utilizes Rex sockets, and should not leak internal information
from the resolver as easily either.
Can be configured with a custom resolver regardless of its own
listener configuration (UDP/TCP mix is fine), and carries a
threadsafe wrapper for swapping the resolvers nameservers under
a Mutex.synchronize. Since listeners and resolvers can pivot,
a compromised host in one environment can serve DNS information
obtained by the resolver pivoting through a completely different
target.
The server takes blocks for dispatch and send functions which
when defined, will intercept the standard execution flow which is
to parse the request, check the cache for corresponding records,
then forward the remaining questions in a request via the resolver,
and build + send a response back to the client.
The accessors for dispatch and send, resolver, and cache are
accessible at runtime, though it is likely unsafe to replace the
cache and resolver while they are accessed from other threads.
-----
Testing:
Initial testing performed in IRB/Pry generating manual requests.
Subsequent checks performed using the running server as the sys
resolver.
Additional testing is needed - the default dispatch_request
behavior may not be correct (i need to check the RFCs for this) as
it handles multiple questions for A records. This should be tuned
to be RFC compliant, with inheriting classes changing behavior as
needed. We also need to ensure that we're not leaking our own DNS
information to our targets, so all sorts of abuse is in order.
-----
TODO:
Create Msf::Exploit::DNS namespace utilizing this functionality.
- Move the threaded enum_dns work, as well as work from 6187,
into the namespace
- Review existing modules for functional overlap and move here
as needed. This should be done in separate commits/PRs.
Create specific DNS servers for spoofing, exploit delivery, and
finally handling DNS tunnels (the primary reason for this work).
Write spec
- Convince/coerce a friendly soul in the community to handle
spec for this fiasco while building further functionality.
The -S flag for console commands, backed by search functionality
in Rex' tables, originally pushed upstream in #1604 (iirc), lacks
coverage for a number of commands which benefit a good deal from
inline filtering of the potentially large number of results.
Push more -S flags and surrounding table functionality upstream
to provide coverage for the console commands included in framework.
Include a fix for deleting hosts when DB references are a problem.
Include a fix for the upstream route command wherein scope must be
defined for the routing target by assuming a /32 without explicit
definition.
Note:
With this in place, console behavior when filtering results is
roughly analagous to the R7 filtering in web UI, which should help
those of us trying to use both maintain corresponding workflows.
Testing:
Used in-house for years, though changes to the diff from upstream
and our fork (expunging some internal code) are untested, so would
appreciate eyes and hands on.
RageLtMan