Dns enum threaded bf #852

Closed
wants to merge 11 commits into
from

@sempervictus
Contributor

sempervictus commented Oct 3, 2012

Allow threading DNS brute force attempts, logging found hosts, and ignoring wildcard results in brute force.

RageLtMan added some commits Oct 2, 2012

RageLtMan
Add multi-threaded bruteforce mode and reporting
This commit allows splitting the DNS brute force process into
separate threads each running against a segment of the wordlist.
The wildcard method was modified to return the wildcard address if
one is found in order to exclude it from the brute force results.
Lastly, hosts found via brute force can be reported as new targets.
RageLtMan
Only perform reverse lookups against DB hosts
This commit adds a boolean option to limit reverse lookups to
existing hosts. Reverse lookups are threaded anyway, and this
helps all the more with quick name lookups for known IPs.

Testing: populate DB with some hosts, run reverse lookup with
IPRANGE set to 0.0.0.0/0.
RageLtMan
Module cleanup and additions
Allow reporting of found A records
Proper handling of brute forced domains (AAAA converted to A)
RVL call cleanup
@brandonprry
Contributor

brandonprry commented Jan 11, 2013

Hey, I know this has been open a while. I will test this this weekend. Sorry for the delay.

@wvu-r7
Contributor

wvu-r7 commented Jun 19, 2013

@brandonprry: You gonna test this? :P

@todb-r7 todb-r7 referenced this pull request in sempervictus/metasploit-framework Sep 5, 2013

Merged

Retab/pr/852 #17

+ # Do not let module finish while threads exist
+ while not @dns_enum_threads.empty? do
+ vprint_status("Waiting on #{@dns_enum_threads.length} threads to finish")
+ Rex::ThreadSafe.sleep(10)
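Review bot: the wait loop at `while not @dns_enum_threads.empty? do` never removes finished threads from `@dns_enum_threads` in the lines shown, so it only terminates if each worker deletes itself from the array elsewhere, and the fixed `Rex::ThreadSafe.sleep(10)` makes the module linger up to ten seconds after the last lookup completes. Joining the workers directly, e.g. `@dns_enum_threads.each(&:join)`, returns as soon as the last one finishes and needs no status polling; if the loop stays, `until @dns_enum_threads.empty?` is the idiomatic Ruby form.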

@jvazquez-r7
Contributor

jvazquez-r7 commented Nov 19, 2013

oumgh really :? isn't there any other way of synchronization?

@jvazquez-r7
Contributor

jvazquez-r7 commented Nov 19, 2013

just asking

+ while !words.empty? do
+ if @dns_enum_threads.length < @threadnum
+ chunk = words.pop
+ @dns_enum_threads << Rex::ThreadFactory.spawn("DNS Brute Force #{target} #{@dns_enum_threads.length + 1}", false) do
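Review bot: `chunk = words.pop` hands a single element of `words` to each spawned thread, while the commit message says each thread runs against a segment of the wordlist; if `words` already holds pre-split segments, naming it `chunks` would make it visible that the `@threadnum` bound is per segment rather than per word. The thread name `"DNS Brute Force #{target} #{@dns_enum_threads.length + 1}"` also reuses numbers once earlier threads leave the array, so it cannot identify a worker reliably; spawning through the framework's thread manager (`framework.threads.spawn`), as the following review comment suggests, would in addition make these threads visible and killable from the console.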

@jvazquez-r7
Contributor

jvazquez-r7 commented Nov 19, 2013

I've the feeling these threads should be handled from the framework instance's thread manager

end
end
+ else
+ Rex::ThreadSafe.sleep(5)
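Review bot: the `else` branch sleeps a fixed `Rex::ThreadSafe.sleep(5)` whenever `@dns_enum_threads.length` has reached `@threadnum`, so dispatch of the next chunk stalls for up to five seconds each time the pool is full, even if a worker finished a moment after the check. A Queue that a fixed set of `@threadnum` workers pop from removes both this sleep and the `length < @threadnum` test: the dispatcher pushes every chunk, then joins the workers, and no thread array needs pruning.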

@jvazquez-r7
Contributor

jvazquez-r7 commented Nov 19, 2013

really, why :? if it is for sync purposes, can't it be done in another way?

+ end
+
+ #-------------------------------------------------------------------------------
+ def dnsbrute(target, wordlist, nssrv, wldcrd = nil)
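Review bot: `def dnsbrute(target, wordlist, nssrv, wldcrd = nil)` has only a dashed separator above it and no doc comment; a short YARD-style header (`# @param target`, `# @param wordlist`, `# @param nssrv` for the name server, and `# @param wldcrd` for the wildcard address returned by the wildcard check, whose hits are excluded from results per the commit message) would state the contract that the review comment below says is hard to recover from the method body. Replacing the `#-----` rule with those lines also matches the YARD documentation used elsewhere in the framework.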

@jvazquez-r7
Contributor

jvazquez-r7 commented Nov 19, 2013

Honestly, if code complexity could be reduced on dnsbrute and bruteipv6 it would help review a lot! Indeed would help a lot with code readability :)
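The Queue-based alternative to the sleep-polling discussed in the review comments above, written as an added example rather than code from this pull request or the module: a fixed number of workers pop names from a shared Queue and are joined at the end, and answers equal to the wildcard address are discarded as the commit description intends. `FAKE_ZONE` and `fake_resolve` are constructed stand-ins for the real lookup against `nssrv`, so the example runs offline.

```ruby
require 'thread'

# Constructed stand-in for a DNS zone: fqdn => A record. In the module this
# lookup would be a query against the chosen name server (nssrv).
FAKE_ZONE = {
  'www.example.test'  => '192.0.2.10',
  'mail.example.test' => '192.0.2.20',
  'vpn.example.test'  => '192.0.2.30'
}.freeze
# Address the wildcard check would have returned for *.example.test
WILDCARD_ADDR = '192.0.2.99'

# Any name not in the zone answers with the wildcard address, which is
# exactly the false-positive case the wildcard exclusion is meant to drop.
def fake_resolve(fqdn)
  FAKE_ZONE.fetch(fqdn, WILDCARD_ADDR)
end

# Fixed-size worker pool fed by a Queue: no sleep-polling and no manual
# pruning of a thread array. Returns { fqdn => address } for answers that
# are not the wildcard address. The resolver block stands in for the real
# DNS lookup.
def threaded_dnsbrute(target, wordlist, threadnum, wldcrd = nil, &resolve)
  queue = Queue.new
  wordlist.each { |w| queue << w }
  threadnum.times { queue << :done } # one sentinel per worker, after all words

  found = {}
  lock  = Mutex.new

  workers = Array.new(threadnum) do
    Thread.new do
      while (word = queue.pop) != :done
        fqdn = "#{word}.#{target}"
        addr = resolve.call(fqdn)
        next if addr.nil? || addr == wldcrd # skip misses and wildcard hits
        lock.synchronize { found[fqdn] = addr }
      end
    end
  end

  workers.each(&:join) # returns as soon as the last worker finishes
  found
end

if $PROGRAM_NAME == __FILE__
  words  = %w[www mail vpn ftp dev]
  result = threaded_dnsbrute('example.test', words, 3, WILDCARD_ADDR) { |f| fake_resolve(f) }
  p result
end
```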

@sempervictus
Contributor

sempervictus commented Nov 20, 2013

@jvazquez-r7:
Msf overrides some of Rex' internals when it boots, see https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/framework.rb#L91.
https://github.com/rapid7/metasploit-framework/blob/master/lib/rex.rb#L97 covers the sleep bit as well (see below for select). Overloading those at the Kernel makes msf look a lot more threadsafe than it is, and with the GIL it works the vast majority of the time.
Will try to clean up redundant code, but from a functional standpoint I use this daily so it does work...

@todb-r7
Contributor

todb-r7 commented Jan 24, 2014

So, since this is the oldest living PR, I'd love to save it. Looks like @jvazquez-r7 had a bunch of comments, @sempervictus do you plan to address? If not we can shuffle this off to the unstable retirement home.

@darkoperator
Contributor

darkoperator commented Jan 24, 2014

In fact I migrated all functionality to individual modules except the AXFR function by request of Jcran back then. This module can be retired, only thing missing is AXFR as an individual module.

@todb-r7
Contributor

todb-r7 commented Apr 5, 2014

Retiring per request.

@todb-r7 todb-r7 closed this Apr 5, 2014
