Checking for Cache Poisoning
After seeing the SBC/ATT server for Austin get poisoned, serve up advertisements, and eventually get taken offline, I decided to add a module to compare DNS results between two servers. In the following example, the ".gov" TLD has been poisoned with the bailiwicked_domain Metasploit module:
msf > use auxiliary/spoof/dns/compare_results
msf auxiliary(compare_results) > set BASEDNS 4.2.2.3
BASEDNS => 4.2.2.3
msf auxiliary(compare_results) > set TARGDNS poisoned.server
TARDNS => poisoned.server
msf auxiliary(compare_results) > set NAMES www.fbi.gov
NAMES => www.fbi.gov
msf auxiliary(compare_results) > run
[*] Comparing results between 4.2.2.3 and poisoned.server...
[*] Querying servers for www.fbi.gov...
[*] Analyzing results for 1 entries...
[*] - www.fbi.gov A 64.86.183.120
[*] - www.fbi.gov A 64.86.183.99
[*] - www.fbi.gov CNAME a33.g.akamai.net
[*] - www.fbi.gov CNAME fbi.edgesuite.net
[*] + www.fbi.gov A 1.3.3.7
[*] Auxiliary module execution completed
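The diff logic behind that output, reimplemented here as an added example (my own code, not the Metasploit module's): each resolver's answers are reduced to (name, type, rdata) tuples, records only the baseline returns are printed with "-", and records only the target returns with "+". The sample answers are constructed to mirror the session above; the `classify` heuristic and the optional `dnspython`-based live lookup are my assumptions, not part of the module.

```python
"""Diff DNS answers from a trusted baseline resolver against a resolver under test.

Sample data below is constructed to mirror the session in the post; the live
query helper assumes the third-party `dnspython` package and is never called
by the offline part of this script.
"""
from collections import defaultdict

# Constructed baseline answers (what a known-good resolver such as 4.2.2.3 returned).
BASE_ANSWERS = [
    ("www.fbi.gov", "A", "64.86.183.120"),
    ("www.fbi.gov", "A", "64.86.183.99"),
    ("www.fbi.gov", "CNAME", "a33.g.akamai.net"),
    ("www.fbi.gov", "CNAME", "fbi.edgesuite.net"),
]
# Constructed answers from the resolver under test (the poisoned one in the post).
TARGET_ANSWERS = [
    ("www.fbi.gov", "A", "1.3.3.7"),
]


def compare_answers(base, target):
    """Return (only_in_base, only_in_target) as sorted lists of (name, type, rdata)."""
    b, t = set(base), set(target)
    return sorted(b - t), sorted(t - b)


def format_diff(base, target):
    """Render the diff in the '-' / '+' style the module prints."""
    minus, plus = compare_answers(base, target)
    return ([f"- {n} {ty} {r}" for n, ty, r in minus]
            + [f"+ {n} {ty} {r}" for n, ty, r in plus])


def classify(base, target):
    """Triage heuristic (hypothetical, mine): CDN and geo-DNS legitimately hand out
    different addresses, so look at whether anything is shared before worrying.

    identical        - same address set
    overlap          - some addresses shared (round-robin subsets)
    same-cname-chain - different edge addresses, but under a CNAME the baseline also saw
    disjoint         - nothing in common; worth a manual look
    """
    def by_type(rrs):
        d = defaultdict(set)
        for _name, rtype, rdata in rrs:
            d[rtype].add(rdata)
        return d

    b, t = by_type(base), by_type(target)
    addrs_b = b["A"] | b["AAAA"]
    addrs_t = t["A"] | t["AAAA"]
    if addrs_t and addrs_t == addrs_b:
        return "identical"
    if addrs_t & addrs_b:
        return "overlap"
    if t["CNAME"] & b["CNAME"]:
        return "same-cname-chain"
    return "disjoint"


def query_resolver(server, name, rtypes=("A", "AAAA", "CNAME")):
    """Fetch live answers as (name, type, rdata) tuples. Assumes `dnspython` is installed."""
    import dns.rdatatype
    import dns.resolver

    res = dns.resolver.Resolver(configure=False)
    res.nameservers = [server]
    out = set()
    for rtype in rtypes:
        try:
            ans = res.resolve(name, rtype, raise_on_no_answer=False)
        except (dns.resolver.NXDOMAIN, dns.resolver.NoNameservers, dns.exception.Timeout):
            continue
        for rrset in ans.response.answer:
            for rdata in rrset:
                out.add((rrset.name.to_text().rstrip("."),
                         dns.rdatatype.to_text(rrset.rdtype),
                         rdata.to_text().rstrip(".")))
    return sorted(out)


if __name__ == "__main__":
    for line in format_diff(BASE_ANSWERS, TARGET_ANSWERS):
        print(line)
    print("verdict:", classify(BASE_ANSWERS, TARGET_ANSWERS))
```

Run it as-is to see the constructed diff; to compare two real resolvers, replace the constants with `query_resolver("4.2.2.3", "www.fbi.gov")` and `query_resolver("<target>", "www.fbi.gov")`. The "disjoint" verdict is a prompt to investigate, not proof of poisoning, for exactly the reason raised in the comments.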
4 Comments:
The problem is how do you deal with situations where the results are supposed to be different, eg where a host is using geolocation DNS to do global load balancing or where they use a CDN?
That's a good point, but at least this gives you the ability to test for things like that. The results it presents are a diff of the responses, not a YES/NO on whether the machine has been poisoned. It is interesting to see which IPs are given for CDN-enabled resolvers and this has uses across the board for diagnostics and security testing.
Where can this module be obtained from?
And also if the module is using your own (ISP) nameserver as the resolver, and has been completely poisoned, how will that return the correct results?
I think a good "dns-validator" would be one that either uses external publicly available dns resources like OpenDNS, or a mini-resolver which isn't poisoned and which only runs when it is needed. (for example a mini-version of BIND configured correctly as a resolver with NO forwarding)
Of course if one of the root servers for e.g. the .gov TLD or let's say the .au TLD has been poisoned completely, then it should be harder to find out which records are the correct ones.
At least you gave me an idea for an application, keep up the good work ;)
The module is available in the development version of the Metasploit Framework (available via SVN, see the http://metasploit.com/framework/ web site for more information). The idea is to set BASEDNS to a known good server, something like the Level-3 4.2.2.x systems, OpenDNS (as long as you aren't testing a site they proxy), etc.