allow dns server on different port #13957

Merged
merged 2 commits into from
Aug 7, 2020
@digininja digininja commented Aug 7, 2020

Tell us what this change does. If you're fixing a bug, please mention
the github issue number.

Please ensure you are submitting from a unique branch in your repository to master in Rapid7's.

Verification

List the steps needed to make sure this thing works

Start a DNS server on a non-standard port - I'm on 5353

  • Start msfconsole
  • use auxiliary/admin/dns/dyn_dns_update
  • set RPORT 5353
  • set all the other options
  • monitor the DNS logs for update requests
  • Run the module
  • See the entry in the logs
  • Check the update has happened with dig
  • Just setting the RPORT so nothing unusual, does it need documenting?

The one thing I can't get it to do is to show the RPORT in the list of options. I've copied code that works from other modules but it won't show up.

Removed the deregistering of RPORT
@smcintyre-r7 smcintyre-r7 self-assigned this Aug 7, 2020
@smcintyre-r7
Contributor

Tested this and it's working as intended. Changed my BIND server to run on port 5353 and ran through the test case.

Testing Output
msf6 payload(linux/x86/meterpreter_reverse_tcp) > use auxiliary/admin/dns/dyn_dns_update 
msf6 auxiliary(admin/dns/dyn_dns_update) > 
msf6 auxiliary(admin/dns/dyn_dns_update) > show options 

Module options (auxiliary/admin/dns/dyn_dns_update):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CHOST                      no        The source address to use for queries and updates
   DOMAIN    test.lan         yes       The domain name
   HOSTNAME  solo             yes       The name record you want to add
   IP        172.2.1.1        no        The IP you want to assign to the record
   RHOST     192.168.159.10   yes       The vulnerable DNS server IP address
   RPORT     53               yes       DNS server port
   TYPE      A                yes       The record type you want to add. (Accepted: A, AAAA, CNAME, TXT)
   VALUE                      no        The string to be added with TXT or CNAME record


Auxiliary action:

   Name    Description
   ----    -----------
   UPDATE  Add or update a record. (default)


msf6 auxiliary(admin/dns/dyn_dns_update) > set RHOST 192.168.250.4
RHOST => 192.168.250.4
msf6 auxiliary(admin/dns/dyn_dns_update) > dig @192.168.250.4 solo.test.lan
[*] exec: dig @192.168.250.4 solo.test.lan


; <<>> DiG 9.11.19-RedHat-9.11.19-1.fc32 <<>> @192.168.250.4 solo.test.lan
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
msf6 auxiliary(admin/dns/dyn_dns_update) > dig @192.168.250.4 -p 5353 solo.test.lan
[*] exec: dig @192.168.250.4 -p 5353 solo.test.lan


; <<>> DiG 9.11.19-RedHat-9.11.19-1.fc32 <<>> @192.168.250.4 -p 5353 solo.test.lan
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 63071
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 7235c591da227df39c39d7e75f2db59aa3fd7ccd335df6e5 (good)
;; QUESTION SECTION:
;solo.test.lan.			IN	A

;; AUTHORITY SECTION:
test.lan.		38400	IN	SOA	dns. zeroSteiner.gmail.com. 1596816071 10800 3600 604800 38400

;; Query time: 2 msec
;; SERVER: 192.168.250.4#5353(192.168.250.4)
;; WHEN: Fri Aug 07 16:11:58 EDT 2020
;; MSG SIZE  rcvd: 130

msf6 auxiliary(admin/dns/dyn_dns_update) > set RPORT 5353
RPORT => 5353
msf6 auxiliary(admin/dns/dyn_dns_update) > run

[+] Did not find an existing A record for solo.test.lan
[*] Sending dynamic DNS add message...
[+] The record 'solo.test.lan => 172.2.1.1' has been added!
[*] Auxiliary module execution completed
msf6 auxiliary(admin/dns/dyn_dns_update) > dig @192.168.250.4 -p 5353 solo.test.lan
[*] exec: dig @192.168.250.4 -p 5353 solo.test.lan


; <<>> DiG 9.11.19-RedHat-9.11.19-1.fc32 <<>> @192.168.250.4 -p 5353 solo.test.lan
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10785
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 36480d1d07b2a3b2f9288c455f2db5aaba7249f40b630b80 (good)
;; QUESTION SECTION:
;solo.test.lan.			IN	A

;; ANSWER SECTION:
solo.test.lan.		86400	IN	A	172.2.1.1

;; AUTHORITY SECTION:
test.lan.		38400	IN	NS	dns.

;; Query time: 32 msec
;; SERVER: 192.168.250.4#5353(192.168.250.4)
;; WHEN: Fri Aug 07 16:12:15 EDT 2020
;; MSG SIZE  rcvd: 103

msf6 auxiliary(admin/dns/dyn_dns_update) >

I'll have this merged in momentarily, thanks @digininja !

@smcintyre-r7 smcintyre-r7 merged commit 07ab8b2 into rapid7:master Aug 7, 2020
@smcintyre-r7
Contributor

smcintyre-r7 commented Aug 7, 2020

Release Notes

Updated the auxiliary/admin/dns/dyn_dns_update module to allow the remote port to be specified, enabling this module to target DNS servers which run on non-standard ports.
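
Since the target port is now configurable, a sensor that only watches port 53 will not see these updates, while the UPDATE opcode in the DNS header is the same on any port. The following is an added example, not part of this pull request or of Metasploit: a Python parser that recognises an RFC 2136 UPDATE request in a raw DNS payload and lists the records it carries. `read_name`, `parse_update` and `sample_update` are hypothetical names, and the sample packet is constructed from the record values in the test output above.

```python
import socket
import struct

OPCODE_UPDATE = 5  # RFC 2136 opcode, carried in bits 11-14 of the header flags
def read_name(msg, off):
    """Decode a DNS name at off, following compression pointers; return (name, next_off)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | msg[off + 1]
            if (hops := hops + 1) > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (off if end is None else end)
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length

def parse_update(msg):
    """Return {'zone', 'updates'} if msg is a DNS UPDATE request, else None."""
    try:
        _id, flags, zocount, prcount, upcount, _ad = struct.unpack("!6H", msg[:12])
        if flags >> 15 or ((flags >> 11) & 0xF) != OPCODE_UPDATE:
            return None  # a response, or some other opcode
        off, zone, records = 12, None, []
        for _ in range(zocount):
            zone, off = read_name(msg, off)
            off += 4  # skip ZTYPE and ZCLASS
        for i in range(prcount + upcount):
            name, off = read_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rdata = msg[off + 10:off + 10 + rdlen]
            off += 10 + rdlen
            if i >= prcount:  # prerequisite RRs come first; report only update RRs
                is_a = rtype == 1 and len(rdata) == 4
                records.append((name, rtype, ttl, socket.inet_ntoa(rdata) if is_a else rdata.hex()))
    except (IndexError, struct.error, ValueError):
        return None  # truncated or malformed
    return {"zone": zone, "updates": records}

def sample_update():
    """Constructed UPDATE request mirroring the record in the test output (not captured traffic)."""
    enc = lambda n: b"".join(bytes([len(p)]) + p.encode() for p in n.split(".")) + b"\x00"
    return (struct.pack("!6H", 0x1234, OPCODE_UPDATE << 11, 1, 0, 1, 0) + enc("test.lan")
            + struct.pack("!HH", 6, 1) + enc("solo.test.lan")  # zone section is SOA/IN
            + struct.pack("!HHIH", 1, 1, 86400, 4) + socket.inet_aton("172.2.1.1"))  # A/IN RR
```

Feed `parse_update` the UDP payload of any packet, whatever its destination port; a non-`None` result is a dynamic update request to compare against the hosts allowed to update that zone.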

@digininja
Contributor Author

digininja commented Aug 7, 2020 via email

@digininja digininja deleted the dnsport branch August 7, 2020 20:50
@pbarry-r7 pbarry-r7 added the rn-enhancement release notes enhancement label Aug 18, 2020
This pull request was closed.