
Update auxiliary/spoof/dns/native_spoofer #16364

Merged
merged 3 commits into from
Mar 29, 2022

Conversation

zeroSteiner
Contributor

The auxiliary/spoof/dns/native_spoofer module needed to be refactored to use the new Dnsruby API. Prior to these changes, the module would crash when it received a request.

This also applies rubocop fixes. Fixes #16297. While testing this module, I had issues getting it to work from a VMWare virtual machine. What did work, however, was running it on native hardware. I'm pretty sure the VMWare issue is outside the control of Metasploit and unrelated to the changes proposed here.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use auxiliary/spoof/dns/native_spoofer
  • set STATIC_ENTRIES 1.2.3.4 example.com; this makes sure that the static entries functionality is available
  • set VERBOSE true; this makes it easier to see what's going on, including the DNS responses
  • Run the module
  • From another host, send DNS queries to the system where Metasploit is running
  • See the DNS response in both Metasploit and the client

Example Output

In this example, 192.168.250.134 is a client on the same LAN. That client then sends DNS requests to the system where Metasploit is running. It requests google.com and example.com to show that both the static entries and recursive functionalities are working as intended.

msf6 auxiliary(spoof/dns/native_spoofer) > show options 

Module options (auxiliary/spoof/dns/native_spoofer):

   Name              Current Setting                       Required  Description
   ----              ---------------                       --------  -----------
   DISABLE_NS_CACHE  false                                 no        Disable DNS response caching
   DISABLE_RESOLVER  false                                 no        Disable DNS request forwarding
   DOMAIN                                                  no        The target domain name
   FILTER            dst port 53 and host 192.168.250.134  no        The filter string for capturing traffic
   INTERFACE                                               no        The name of the interface
   NS                192.168.250.4                         no        Specify the nameservers to use for queries, space separated
   Proxies                                                 no        A proxy chain of format type:host:port[,type:host:port][...]
   RPORT             53                                    yes       The target port (TCP)
   SEARCHLIST                                              no        DNS domain search list, comma separated
   SNAPLEN           65535                                 yes       The number of bytes to capture
   SRVHOST           192.168.250.160                       yes       The local host to listen on for DNS services.
   SRVPORT           53                                    yes       The local port to listen on.
   STATIC_ENTRIES    1.2.3.4 example.com                   no        DNS domain search list (hosts file or space/semicolon separate entries)
   THREADS           1                                     yes       Number of threads to use in threaded queries
   TIMEOUT           500                                   yes       The number of seconds to wait for new data


Auxiliary action:

   Name     Description
   ----     -----------
   Service  Serve DNS entries


msf6 auxiliary(spoof/dns/native_spoofer) > run
[*] Auxiliary module running as background job 2.
msf6 auxiliary(spoof/dns/native_spoofer) > SIOCSIFFLAGS: Operation not permitted
msf6 auxiliary(spoof/dns/native_spoofer) > 
[*] Caching response google.com:172.217.15.110 A
[+] Sent packet with header:
--EthHeader-----------------------------------
  eth_dst   50:eb:71:1a:59:8c PacketFu::EthMac
  eth_src   36:a6:88:92:60:5b PacketFu::EthMac
  eth_proto 0x0800            StructFu::Int16 
--IPHeader------------------------------------
  ip_v      4                 Integer         
  ip_hl     5                 Integer         
  ip_tos    0                 StructFu::Int8  
  ip_len    144               StructFu::Int16 
  ip_id     0x403c            StructFu::Int16 
  ip_frag   0                 StructFu::Int16 
  ip_ttl    64                StructFu::Int8  
  ip_proto  17                StructFu::Int8  
  ip_sum    0xc3a8            StructFu::Int16 
  ip_src    192.168.250.160   PacketFu::Octets
  ip_dst    192.168.250.134   PacketFu::Octets
--UDPHeader-----------------------------------
  udp_src   53                StructFu::Int16 
  udp_dst   39435             StructFu::Int16 
  udp_len   124               StructFu::Int16 
  udp_sum   0xeefc            StructFu::Int16 
------------------------------------------------------------------
00-01-02-03-04-05-06-07-08-09-0a-0b-0c-0d-0e-0f---0123456789abcdef
------------------------------------------------------------------
10 4a 81 80 00 01 00 01 00 04 00 00 06 67 6f 6f   .J...........goo
67 6c 65 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01   gle.com.........
00 01 00 00 00 7a 00 04 ac d9 0f 6e c0 0c 00 02   .....z.....n....
00 01 00 00 40 b5 00 06 03 6e 73 32 c0 0c c0 0c   ....@....ns2....
00 02 00 01 00 00 40 b5 00 06 03 6e 73 31 c0 0c   ......@....ns1..
c0 0c 00 02 00 01 00 00 40 b5 00 06 03 6e 73 33   ........@....ns3
c0 0c c0 0c 00 02 00 01 00 00 40 b5 00 06 03 6e   ..........@....n
73 34 c0 0c                                       s4..
[+] Spoofed records for google.com to 192.168.250.134:39435
[+] Sent packet with header:
--EthHeader-----------------------------------
  eth_dst   50:eb:71:1a:59:8c PacketFu::EthMac
  eth_src   36:a6:88:92:60:5b PacketFu::EthMac
  eth_proto 0x0800            StructFu::Int16 
--IPHeader------------------------------------
  ip_v      4                 Integer         
  ip_hl     5                 Integer         
  ip_tos    0                 StructFu::Int8  
  ip_len    96                StructFu::Int16 
  ip_id     0x2ff2            StructFu::Int16 
  ip_frag   0                 StructFu::Int16 
  ip_ttl    64                StructFu::Int8  
  ip_proto  17                StructFu::Int8  
  ip_sum    0xd422            StructFu::Int16 
  ip_src    192.168.250.160   PacketFu::Octets
  ip_dst    192.168.250.134   PacketFu::Octets
--UDPHeader-----------------------------------
  udp_src   53                StructFu::Int16 
  udp_dst   38058             StructFu::Int16 
  udp_len   76                StructFu::Int16 
  udp_sum   0x00ab            StructFu::Int16 
------------------------------------------------------------------
00-01-02-03-04-05-06-07-08-09-0a-0b-0c-0d-0e-0f---0123456789abcdef
------------------------------------------------------------------
33 c8 81 20 00 01 00 01 00 00 00 01 07 65 78 61   3.. .........exa
6d 70 6c 65 03 63 6f 6d 00 00 01 00 01 c0 0c 00   mple.com........
01 00 01 00 00 00 00 00 04 01 02 03 04 00 00 29   ...............)
10 00 00 00 00 00 00 0c 00 0a 00 08 6f 59 ce 04   ............oY..
8e 13 7b 7d                                       ..{}
[+] Spoofed records for example.com to 192.168.250.134:38058
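As an added illustration (not part of this PR, of the native_spoofer module, or of Metasploit), the Ruby decoder below parses the two responses hex-dumped above straight from their bytes. It walks the RFC 1035 wire format (header, question, answer/authority/additional sections, name compression pointers and the EDNS0 OPT pseudo-record) and returns the records as plain hashes, so anyone verifying this module, or reviewing a capture of its traffic, can confirm what was actually sent rather than trusting the "[+] Spoofed records" line. The two hex strings are copied from the dumps in this description; everything else (function names, the record-type table) is this example's own.

```ruby
# Minimal DNS response decoder for checking the bytes native_spoofer emits.
# Added example; not the module's or Metasploit's own code.

# Response bytes copied verbatim from the two "Sent packet" dumps above.
GOOGLE_RESPONSE = [%w[
  10 4a 81 80 00 01 00 01 00 04 00 00 06 67 6f 6f
  67 6c 65 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01
  00 01 00 00 00 7a 00 04 ac d9 0f 6e c0 0c 00 02
  00 01 00 00 40 b5 00 06 03 6e 73 32 c0 0c c0 0c
  00 02 00 01 00 00 40 b5 00 06 03 6e 73 31 c0 0c
  c0 0c 00 02 00 01 00 00 40 b5 00 06 03 6e 73 33
  c0 0c c0 0c 00 02 00 01 00 00 40 b5 00 06 03 6e
  73 34 c0 0c
].join].pack('H*')

EXAMPLE_RESPONSE = [%w[
  33 c8 81 20 00 01 00 01 00 00 00 01 07 65 78 61
  6d 70 6c 65 03 63 6f 6d 00 00 01 00 01 c0 0c 00
  01 00 01 00 00 00 00 00 04 01 02 03 04 00 00 29
  10 00 00 00 00 00 00 0c 00 0a 00 08 6f 59 ce 04
  8e 13 7b 7d
].join].pack('H*')

RR_TYPES = { 1 => 'A', 2 => 'NS', 5 => 'CNAME', 28 => 'AAAA', 41 => 'OPT' }.freeze

# Read a possibly compressed name at +off+; returns [name, offset after the name].
# Compression pointers (0xC0xx) jump elsewhere in the message but do not move
# the caller's cursor past the first pointer encountered.
def read_name(buf, off)
  labels = []
  next_off = nil
  hops = 0
  loop do
    len = buf.getbyte(off)
    raise 'truncated name' if len.nil?
    if len & 0xC0 == 0xC0
      raise 'compression loop' if (hops += 1) > 16
      next_off ||= off + 2
      off = ((len & 0x3F) << 8) | buf.getbyte(off + 1)
    elsif len.zero?
      next_off ||= off + 1
      break
    else
      labels << buf.byteslice(off + 1, len)
      off += 1 + len
    end
  end
  [labels.empty? ? '.' : labels.join('.'), next_off]
end

# Decode EDNS0 options carried in an OPT record's RDATA (code, raw data as hex).
def edns_options(rdata)
  opts = []
  off = 0
  while off + 4 <= rdata.bytesize
    code, len = rdata.byteslice(off, 4).unpack('nn')
    opts << { code: code, data: rdata.byteslice(off + 4, len).unpack1('H*') }
    off += 4 + len
  end
  opts
end

# Read one resource record; returns [record_hash, offset after the record].
# For OPT, :class is the advertised UDP payload size and :ttl the ext-rcode/flags word.
def read_rr(buf, off)
  name, off = read_name(buf, off)
  type, klass, ttl, rdlen = buf.byteslice(off, 10).unpack('nnNn')
  raise 'truncated record' if rdlen.nil? || off + 10 + rdlen > buf.bytesize
  rdata_off = off + 10
  rdata = buf.byteslice(rdata_off, rdlen)
  value = case type
          when 1 then rdata.unpack('C4').join('.')
          when 2, 5 then read_name(buf, rdata_off).first
          when 41 then edns_options(rdata)
          else rdata.unpack1('H*')
          end
  [{ name: name, type: RR_TYPES.fetch(type, type), class: klass, ttl: ttl, rdata: value },
   rdata_off + rdlen]
end

# Parse a whole DNS message into header fields plus per-section record lists.
def parse_dns(buf)
  id, flags, qd, an, ns, ar = buf.byteslice(0, 12).unpack('n6')
  off = 12
  questions = Array.new(qd) do
    qname, off = read_name(buf, off)
    qtype, qclass = buf.byteslice(off, 4).unpack('nn')
    off += 4
    { name: qname, type: RR_TYPES.fetch(qtype, qtype), class: qclass }
  end
  sections = {}
  { answer: an, authority: ns, additional: ar }.each do |sec, count|
    sections[sec] = Array.new(count) do
      rr, off = read_rr(buf, off)
      rr
    end
  end
  raise "#{buf.bytesize - off} trailing bytes" unless off == buf.bytesize
  { id: id, response: flags & 0x8000 != 0, authoritative: flags & 0x0400 != 0,
    rcode: flags & 0x000F, questions: questions }.merge(sections)
end

if __FILE__ == $PROGRAM_NAME
  [GOOGLE_RESPONSE, EXAMPLE_RESPONSE].each do |buf|
    msg = parse_dns(buf)
    puts "id=0x#{msg[:id].to_s(16)} question=#{msg[:questions].first[:name]}"
    %i[answer authority additional].each do |sec|
      msg[sec].each { |rr| puts "  #{sec}: #{rr[:name]} #{rr[:type]} ttl=#{rr[:ttl]} #{rr[:rdata]}" }
    end
  end
end
```

Decoding the two dumps shows the difference the verification steps are meant to exercise: the forwarded google.com reply carries the upstream A record with its remaining TTL (122 s) plus four NS records in the authority section, while the example.com reply comes from the static entry with a TTL of 0, no authority records and an OPT record echoing the client's EDNS cookie. From the client side, an answer whose TTL or authority data does not match what the legitimate resolver returns is exactly the kind of discrepancy a resolver log or passive DNS comparison would flag.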

@github-actions

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@space-r7 space-r7 self-assigned this Mar 28, 2022
@sempervictus
Contributor

Thank you @zeroSteiner. I was just this week reminded that we're not on Net::DNS style interfaces anymore in another PR, completely forgot to update this module.

@space-r7
Contributor

Confirmed the fix:

Output for fix
msf6 auxiliary(spoof/dns/native_spoofer) > 
[+] Sent packet with header:
--EthHeader-----------------------------------
  eth_dst   00:50:56:c0:00:08 PacketFu::EthMac
  eth_src   00:0c:29:30:b9:76 PacketFu::EthMac
  eth_proto 0x0800            StructFu::Int16 
--IPHeader------------------------------------
  ip_v      4                 Integer         
  ip_hl     5                 Integer         
  ip_tos    0                 StructFu::Int8  
  ip_len    84                StructFu::Int16 
  ip_id     0x23e8            StructFu::Int16 
  ip_frag   0                 StructFu::Int16 
  ip_ttl    64                StructFu::Int8  
  ip_proto  17                StructFu::Int8  
  ip_sum    0xbcdb            StructFu::Int16 
  ip_src    192.168.140.131   PacketFu::Octets
  ip_dst    192.168.140.1     PacketFu::Octets
--UDPHeader-----------------------------------
  udp_src   53                StructFu::Int16 
  udp_dst   57454             StructFu::Int16 
  udp_len   64                StructFu::Int16 
  udp_sum   0xe6b6            StructFu::Int16 
------------------------------------------------------------------
00-01-02-03-04-05-06-07-08-09-0a-0b-0c-0d-0e-0f---0123456789abcdef
------------------------------------------------------------------
25 c0 81 20 00 01 00 01 00 00 00 01 07 65 78 61   %.. .........exa
6d 70 6c 65 03 63 6f 6d 00 00 01 00 01 c0 0c 00   mple.com........
01 00 01 00 00 00 00 00 04 01 02 03 04 00 00 29   ...............)
10 00 00 00 00 00 00 00                           ........
[+] Spoofed records for example.com to 192.168.140.1:57454

Output prior to fix
[-] Auxiliary failed: NoMethodError undefined method `ip_daddr' for #<Rex::Proto::DNS::Server::MockDnsClient:0x00005583d9466c68>
[-] Call stack:
[-]   /home/space/metasploit-framework/modules/auxiliary/spoof/dns/native_spoofer.rb:110:in `on_dispatch_request'
[-]   /home/space/metasploit-framework/lib/msf/core/exploit/remote/dns/server.rb:119:in `block in start_service'
[-]   /home/space/metasploit-framework/lib/rex/proto/dns/server.rb:274:in `dispatch_request'
[-]   /home/space/metasploit-framework/lib/rex/proto/dns/server.rb:350:in `monitor_listener'
[-]   /home/space/metasploit-framework/lib/rex/proto/dns/server.rb:231:in `block in start'
[-]   /home/space/metasploit-framework/lib/rex/thread_factory.rb:22:in `block in spawn'
[-]   /home/space/metasploit-framework/lib/msf/core/thread_manager.rb:105:in `block in spawn'
[-]   /var/lib/gems/2.7.0/gems/logging-2.3.0/lib/logging/diagnostic_context.rb:474:in `block in create_with_logging_context'
[*] Server stopped.

@space-r7 space-r7 merged commit cc6eb75 into rapid7:master Mar 29, 2022
@space-r7
Contributor

Release Notes

This adds a fix for a crash in auxiliary/spoof/dns/native_spoofer and adds documentation for the module.

Successfully merging this pull request may close these issues.

DNS native_spoofer module crashes on any request