DNS Amplification Scanner

2014-01-29T07:21:21
ID MSF:AUXILIARY/SCANNER/DNS/DNS_AMP
Type metasploit
Reporter Rapid7
Modified 2017-08-27T01:01:10

Description

This module can be used to discover DNS servers which expose recursive name lookups which can be used in an amplification attack against a third party.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Capture
  include Msf::Auxiliary::UDPScanner
  include Msf::Auxiliary::DRDoS

  def initialize
    super(
      'Name'        => 'DNS Amplification Scanner',
      'Description' => %q{
          This module can be used to discover DNS servers which expose recursive
          name lookups which can be used in an amplification attack against a
          third party.
      },
      'Author'      => [ 'xistence <xistence[at]0x90.nl>'], # Original scanner module
      'License'     => MSF_LICENSE,
      'References'  =>
          [
              ['CVE', '2006-0987'],
              ['CVE', '2006-0988'],
          ]
    )

    register_options( [
      Opt::RPORT(53),
      OptString.new('DOMAINNAME', [true, 'Domain to use for the DNS request', 'isc.org' ]),
      OptString.new('QUERYTYPE', [true, 'Query type(A, NS, SOA, MX, TXT, AAAA, RRSIG, DNSKEY, ANY)', 'ANY' ]),
    ])
  end

  def rport
    datastore['RPORT']
  end

  def setup
    super

    # Check for DNS query types byte
    case datastore['QUERYTYPE']
    when 'A'
      querypacket="\x01"
    when 'NS'
      querypacket="\x02"
    when 'SOA'
      querypacket="\x06"
    when 'MX'
      querypacket="\x0f"
    when 'TXT'
      querypacket="\x10"
    when 'AAAA'
      querypacket="\x1c"
    when 'RRSIG'
      querypacket="\x2e"
    when 'DNSKEY'
      querypacket="\x30"
    when 'ANY'
      querypacket="\xff"
    else
      print_error("Invalid query type!")
      return
    end

    targdomainpacket = []
    # Before every part of the domainname there should be the length of that part (instead of a ".")
    # So isc.org divided is 3isc3org
    datastore['DOMAINNAME'].split('.').each do |domainpart|
      # The length of the domain part in hex
      domainpartlength =  "%02x" % domainpart.length
      # Convert the name part to a hex string
      domainpart = domainpart.each_byte.map { |b| b.to_s(16) }.join()
      # Combine the length of the name part and the name part
      targdomainpacket.push(domainpartlength + domainpart)
    end
    # Convert the targdomainpacket to a string
    targdomainpacket = targdomainpacket.join.to_s
    # Create a correct hex character string to be used in the packet
    targdomainpacket = targdomainpacket.scan(/../).map { |x| x.hex.chr }.join
    # DNS Packet including our target domain and query type
    @msearch_probe = "\x09\x8d\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + targdomainpacket + "\x00\x00" + querypacket + "\x00\x01"
  end

  def scanner_prescan(batch)
    print_status("Sending DNS probes to #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")
    # Standard packet is 60 bytes. Add the domain size to this
    sendpacketsize = 60 + datastore['DOMAINNAME'].length
    print_status("Sending #{sendpacketsize} bytes to each host using the IN #{datastore['QUERYTYPE']} #{datastore['DOMAINNAME']} request")
    @results = {}
  end

  def scan_host(ip)
    if spoofed?
      datastore['ScannerRecvWindow'] = 0
      scanner_spoof_send(@msearch_probe, ip, datastore['RPORT'], datastore['SRCIP'], datastore['NUM_REQUESTS'])
    else
      scanner_send(@msearch_probe, ip, datastore['RPORT'])
    end
  end

  def scanner_process(data, shost, sport)

    # Check the response data for \x09\x8d and the next 2 bytes, which contain our DNS flags
    if data =~/\x09\x8d(..)/
      flags = $1
      flags = flags.unpack('B*')[0].scan(/./)
      # Query Response
      qr = flags[0]
      # Recursion Available
      ra = flags[8]
      # Response Code
      rcode = flags[12] + flags[13] + flags[14] + flags[15]

      # If these flags are set, we get a valid response
      # don't test recursion available if correct answer received
      # at least the case with bind and "additional-from-cache no" or version < 9.5+
      if qr == "1" and rcode == "0000"
        sendlength = 60 + datastore['DOMAINNAME'].length
        receivelength = 42 + data.length
        amp = receivelength / sendlength.to_f
        print_good("#{shost}:#{datastore['RPORT']} - Response is #{receivelength} bytes [#{amp.round(2)}x Amplification]")
        report_service(:host => shost, :port => datastore['RPORT'], :proto => 'udp', :name => "dns")
        report_vuln(
          :host => shost,
          :port => datastore['RPORT'],
          :proto => 'udp', :name => "DNS",
          :info => "DNS amplification -  #{data.length} bytes [#{amp.round(2)}x Amplification]",
          :refs => self.references)
      end

      # If these flags are set, we get a valid response but recursion is not available
      if qr == "1" and ra == "0" and rcode == "0101"
        print_status("#{shost}:#{datastore['RPORT']} - Recursion not allowed")
        report_service(:host => shost, :port => datastore['RPORT'], :proto => 'udp', :name => "dns")
      end
    end
  end
end