DNS BailiWicked Domain Attack

This exploit targets a fairly ubiquitous flaw in DNS implementations that Dan Kaminsky found and disclosed around July 2008. It replaces the target domain's nameserver entries in a vulnerable DNS cache server. The attack works by sending queries for random hostnames to the target DNS server, together with spoofed replies to those queries that appear to come from the authoritative nameservers for that domain. Eventually, a guessed ID will match, the spoofed packet will be accepted, and the nameserver entries for the target domain will be replaced by the server specified in the NEWDNS option of this exploit.
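From the resolver's side, the pattern described above shows up as many responses carrying the wrong query ID, spread across several never-before-seen hostnames of one domain. The following Python detector is an added example, not part of the module or of Metasploit; the event fields (`qname`, `txid`), the thresholds, and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

def parent_domain(qname, labels=2):
    """Last `labels` labels of a name (simplification: ignores public suffixes)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-labels:])

def detect_id_guessing(queries, responses, min_mismatches=50, min_names=3):
    """Flag domains that receive many wrong-ID responses across several hostnames.

    queries:   what the resolver sent upstream, as {"qname", "txid"} dicts
    responses: what arrived back on the resolver's query port, same fields
    """
    # Simplification: one outstanding query per name (a repeat overwrites it).
    outstanding = {q["qname"].lower(): q["txid"] for q in queries}
    mismatches = defaultdict(int)
    names = defaultdict(set)
    for r in responses:
        qname = r["qname"].lower()
        expected = outstanding.get(qname)
        if expected is None or r["txid"] == expected:
            continue  # name never queried, or the genuine answer
        dom = parent_domain(qname)
        mismatches[dom] += 1
        names[dom].add(qname)
    return {
        dom: {"mismatched_responses": n, "hostnames": len(names[dom])}
        for dom, n in mismatches.items()
        if n >= min_mismatches and len(names[dom]) >= min_names
    }

def sample_events():
    """Constructed data: 4 lookups under example.com, each with 30 wrong-ID replies."""
    queries, responses = [], []
    for i in range(4):
        qname = f"x{i}q7z.example.com"
        txid = 40000 + i
        queries.append({"qname": qname, "txid": txid})
        responses += [{"qname": qname, "txid": 1000 + k} for k in range(30)]
        responses.append({"qname": qname, "txid": txid})  # genuine answer
    queries.append({"qname": "www.example.org", "txid": 1234})
    responses.append({"qname": "www.example.org", "txid": 1234})
    # One stray late reply: a single mismatch must not raise an alert.
    responses.append({"qname": "www.example.org", "txid": 999})
    return queries, responses

if __name__ == "__main__":
    print(detect_id_guessing(*sample_events()))
```

In production the same counters would be fed from resolver query logs or a packet capture on the resolver's upstream interface, with thresholds tuned to normal retransmission noise.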


Usage Information

$ msfconsole

                ##                          ###           ##    ##
 ##  ##  #### ###### ####  #####   #####    ##    ####        ######
####### ##  ##  ##  ##         ## ##  ##    ##   ##  ##   ###   ##
####### ######  ##  #####   ####  ##  ##    ##   ##  ##   ##    ##
## # ##     ##  ##  ##  ## ##      #####    ##   ##  ##   ##    ##
##   ##  #### ###   #####   #####     ##   ####   ####   #### ###
                                      ##

msf > use auxiliary/spoof/dns/bailiwicked_domain
msf auxiliary(bailiwicked_domain) > set NEWDNS [STRING]
msf auxiliary(bailiwicked_domain) > set RHOST [TARGET IP]
msf auxiliary(bailiwicked_domain) > set SRCPORT [PORT]
msf auxiliary(bailiwicked_domain) > run


Module Options

DOMAIN The domain to hijack (default: example.com)
INTERFACE The name of the interface
NEWDNS The hostname of the replacement DNS server
RECONS The nameserver used for reconnaissance (default: 208.67.222.222)
RHOST The target address
SNAPLEN The number of bytes to capture (default: 65535)
SRCADDR The source address to use for sending the queries (accepted: Real, Random) (default: Real)
SRCPORT The target server's source query port (0 for automatic)
TIMEOUT The number of seconds to wait for new data (default: 500)
TTL The TTL for the malicious host entry (default: 34720)
XIDS The number of XIDs to try for each query (0 for automatic) (default: 0)
GATEWAY The gateway IP address. This will be used rather than a random remote address for the UDP probe, if set.
NETMASK The local network mask. This is used to decide if an address is in the local network.
UDP_SECRET The 32-bit cookie for UDP probe requests.
VERBOSE Enable detailed status messages
WORKSPACE Specify the workspace for this module