mailing list archives
From: Alexander Sotirov <asotirov () determina com>
Date: Mon, 14 Aug 2006 00:50:05 -0700
H D Moore wrote:
1) Create a metasploit payload for communicating with shell/meterpreter
via DNS queries and replies. This will not be a 'small' payload by any
means, but should be feasible for all DCERPC and browser bug exploits.
2) Develop a custom DNS server for *.msf.metasploit.com
3) Provide a registration page where you can request a username/password
How about a custom DNS server that takes queries like
*.18.104.22.168.msf.metasploit.com and returns a SOA that points to the 22.214.171.124 IP
address? This will force the client to contact the name server at 126.96.36.199
directly, avoiding the need for registration.
The problems with this are:
* Privacy concerns regarding the initial DNS request to msf.metasploit.com
for the NS record of the attacker. Technically, this could violate a NDA
if used on a penetration test.
The domain name in the payload will be configurable, so you can set it to
myowndomain.com instead of msf.metasploit.com. If you are a pentester, you can
probably afford to run your own nameserver.
* The framework console would need to bind to port 53 (r00t on unix) and
be accessible from the internet.
The same is true for all browser exploits in the framework.
* It may not be that useful, but it does seem like a fun hack. With any
luck, this can be accomplished using the built-in name resolution API in
I think DNSAPI.DLL has all the functionality you need for the payload. Look at
WinDNS.h in the Platform SDK, specifically the DnsQuery() function. I just spent
an entire weekend reversing this dll, so I know it pretty well by now :-)
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/