-
Notifications
You must be signed in to change notification settings - Fork 13.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement native DNS for Msf Namespace #6611
Conversation
Here's a basic RC script for others wishing to test functionality:
It uses block binding functionality in the RC handler to carry the method defined from the beginning, in case anyone missed that feature.
|
@hdm: i've addressed some of the concerns you brought up regarding interface and caller convention. Procs are sane now, and comm and context should be getting properly interpreted. SocketServer mixin seems a healthy way to address the Msf::Exploit side of things (thoughts welcome). I am having trouble mapping the sockets to a remote host though - have a system meterp shell on a 2k8r2 host and i can't seem to bind either by setting the ListenerComm or by adding an explicit route and trying to let the switchboard figure it out. Could use a few more eyeballs on the parts of the code handling that. Here's what i'm seeing now:
In pry:
|
lib/rex/proto/dns/server.rb
Outdated
raise ::EOFError if data.empty? | ||
from = [cli.peerhost, cli.peerport] | ||
dispatch_request(cli, data) | ||
rescue EOFError => e |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The main purpose of handling EOFError is to close the client? Would this be better?
ensure
close_client(cli) if cli
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, its actually self.tcp_sock.close_client(cli) if cli, addressing.
while !queries.empty? | ||
domain, type = queries.shift | ||
running << framework.threads.spawn("Module(#{self.refname})-#{domain} #{type}", false) do |qat| | ||
if block |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there ever a reason to run async without a block? Maybe if you just want to populate the cache?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Exactly, lots of queries can be issued, and since the cache, server, and resolver components can all be shimmed to do "other things," its useful to have the async behavior in each tier.
a6108df
to
c050fc0
Compare
Rebased off current master for ease of testing. A bit confused about what CI wants from me, the prior fail said:
and accordingly, i changed the class name to Metasploit. |
Msftidy error message was broken, should be fixed now. |
You might want to pull again, the msftidy message was fixed in master a few hours ago. |
3eeb0fa
to
cf309f5
Compare
Rolled back to pre-msftidy commit, rebased, repushed. |
In order to handle TCP and UDP clients in a common manner, the DNS server created a Rex::Socket::Udp object to represent the client object allowing for a client.write(response) approach to returning results for both TCP and UDP clients. During work on the common socket abstractions (rapid7#6692) it became apparent that remote pivoted sockets cannot be created with the same exact param set used on the server socket - sockets dont reuse with localhost and localport params being the same, an exception is raised from the Windows side of the pivot abstraction. Creating a new socket for every request is also needless overhead and noise. Create the MockDnsClient class to consume peerhost, peerport, and the DNS server's UDP socket as arguments in order to execute a sendto() from the existing socket when sending a response. A write method is provided in the class for common interface between the UDP and TCP request handlers. This has been tested in conjunction with rapid7#6692 and shown to be successful as serving remote requests from the IO.select polled pivot socket running on a Windows host via Meterpreter.
Add convenience method for using the @dns_resolver instance var via call to :client, which also performs resolver setup if none exists when called.
Import PCAP-based DNS spoofing server module: This module uses the Capture mixin to sniff and parse packets off the wire, then match answers to sniffed requests from static entries in the server's cache. If answers are found, they are appended to a cloned packet with reverse saddr/daddr pairs at layers 2-4, the qr bit is set, and it is injected back into the interface from where it came. Minor cleanup in the Rex::Proto::DNS::Server::Cache class to allow multiple address->name pairs and fix issues when adding multiple static entries.
Allow retrieval of '*' from stored static entries for spoofing all domains to any IP using wildcard names. Replace the wildcard response with the name submitted to the search in the response. Fix improper checks in DNS::Packet for Resolv objects from decode to encode. Misc cleanup for records not responding to :address, convenience methods, and packet structure.
Move all output lines out of the execution path in order to reduce execution time and help win the race against the real response. Update the IP header ID for responses so as not to return the sent header value on the wire and alert clever IDS.
DNS spoofing module should be feature complete, with forwarding of requests which do not have cached answers (can be disabled same as the native server module), empty replies to reduce client wait on outstanding DNS requests, and post-send output in verbose mode to reduce garbage and execution time in the critical/racy path. This module is best used in conditions where MITM is achieved by way of MAC spoofing, route interception, or compromise of an inline host on the datapath. The attacker should avoid forwarding original requests to the intended destination, or if this is not possible, prevent replies from traversing the MITM space in order to avoid race conditions between the spoofer and victim. Example iptables configuration on MITM host: iptables -t nat -A POSTROUTING -o eth0 -p udp ! --dport 53 -j ... Testing: Internal testing in Virtualbox local network, atop 802.11, and mostly in Neutron (with port security disabled on the VIFs) atop OpenStack Liberty ML2+OVS.
f9e13d8
to
e1e159f
Compare
Conversion between packet formats can create empty additional answers fields, which net-dns cannot handle. Update net-dns' packet parser to be able to deal with empty arrays such that it doesn't try to call :data on a nil, which is the only element of an empty array. Props to mubix for identifying this issues.
Rex' sockets gem now includes the methods used in this PR for determining if a string represents an IP address, whether it's v4 or 6. Bump the version contained in Gemfile.lock to permit more testing
Just leaving this here...... rapid7/metasploit-payloads@master...defcon-russia:master |
Sorry, should have updated this. I'm already working on the handler in a private branch. Got diverted by an ids project... Will be back on this asap.
|
Dnsruby provides advanced options like DNSSEC in its data format and is a current and well supported library. The infrastructure services - resolver, server, etc, were designed for a standalone configuration, and carry entirely too much weight and redundancy to implement for this context. Instead of porting over their native resolver, update the Net::DNS subclassed Rex Resolver to use Dnsruby data formats and method calls. Update the Msf namespace infrastructure mixins and native server module with new method calls and workarounds for some instance variables having only readers without writers. Implement the Rex ServerManager to start and stop the DNS service adding relevant alias methods to the Rex::Proto::DNS::Server class. Rex services are designed to be modular and lightweight, as well as implement the sockets, threads, and other low-level interfaces. Dnsruby's operations classes implement their own threading and socket semantics, and do not fit with the modular mixin workflow used throughout Framework. So while the updated resolver can be seen as adding rubber to the tire fire, converting to dnsruby's native classes for resolvers, servers, and caches, would be more like adding oxy acetylene and heavy metals. Testing: Internal tests for resolution of different record types locally and over pivot sessions.
@bwatters-r7: could you take another look at this? Probably added some corner case breakage, but it's dnsruby now (data fmt only). |
Did Travis give up on me, or is this just old enough that its config laughs and ignores the updates? |
Looks like you simply have gemfile conflicts |
Release NotesNative DNS support is now available as a Rex protocol library that proxies for the dnsruby gem, module mixins, and a pair of sample auxiliary modules. You can store static entries, resolve names over pivots, serve DNS requests across routed session comms, and perform DNS spoofing attacks. |
Thanks @sempervictus! |
Its like watching your kids go off to college. Thanks for getting this in. |
Built atop the Rex::Proto::DNS work to implement mixins for client
and server functionality, providing common interfaces for querying
domain name servers, and providing domain name services to clients
across Rex sockets. Fully functional native DNS server module is
included to demonstrate functionality, serve as a spoofing DNS
server, a collecting proxy, or any other number of DNS functions.
At the core of this work is a Rex::Proto::DNS::Resolver object
descended from Net::DNS::Resolver with overrides and alterations
for using Rex sockets. The sockets implementation has been in use
internally for a number of years and is well tested. Changes have
been made to provider better interface for higher level components.
The resolver provides forward lookup capability for the server
(Rex::Proto::DNS::Server) which also implements a self-pruning
Cache subclass capable of holding static entries. The server can
operate in TCP or UDP mode, and provides a common abstraction for
addressing TCP and UDP clients by passing a Rex::Socket::Udp
mock client around with the data object to higher level consumers.
Finally, as is standard practice when building full service objects
from Rex to Msf, the server allows consumers to efficiently take
execution control at the request and response handlers by passing
Procs into the constructor (or manually assigning at runtime) for
execution instead of the default call chain.
The service, lookup, and caching functionality is encapsulated and
stands on its own to be used by consumers other than the standard
Msf::Exploit::Remote namespaces. It is intended to serve as the
driver and transport handler for pending DNS tunnel transports,
and can be used by exploit and auxiliary modules directly.
The Msf::Exploit::Remote namespace receives DNS, DNS::Client, and
DNS::Server mixins providing common interfaces for Rex::Proto::DNS
objects. These mixins create convenience methods for executing
queries, serving requests, and configuring the Rex providers.
DNS::Client mixin attempts to "intelligently" configure the client
resolver's name servers and options from the data store. Accessor,
query, and configuration methods are provided in this mixin. Of
note are the wildcard and switchdns methods which were adapted
from prior work by others (likely Carlos Perez) which can be used
by numerous consumer modules. Consumers should use setup_client
during their run call to ensure the resolver is appropriately
configured.
DNS::Server mixin creates common service wrappers for modules to
utilize along with a configuration mechanism analagous to the
one used by the Client mixin, called setup_server, and calling
the setup_client method if present. Note that when setup_server
is called, the consumer does not need to call setup_resolver.
At the framework module level, a native dns server is provided
to showcase the mixin functionality and provide everything from
normal DNS services, to tunneling proxies (with cache disabled),
spoofing services, and MITM functionality via the handler Procs
for requests and responses.
Use auxiliary/server/dns/native_server to get started.
Testing:
Basic local testing completed.
Needs to be checked for info leaks - we used to leak a lot.
Needs to be checked for functionality under varying configs.
Notes:
We have a serious problem with the datastore somewhere in the
Msf namespace. Datastore options must be validated with
options.validate(datastore) or they are all Strings, which
completely destroys any type-dependent logic consuming
datastore values. This must be addressed separately and all
calls to options.validate(datastore) should be removed (other
work has included such calls as well, this just proved that
the problem exists upstream).
Future work:
Implement sessions transports atop the DNS infrastructure in
order to provide native DNS tunneling.