H D Moore wrote:
> 1) Create a metasploit payload for communicating with shell/meterpreter
> via DNS queries and replies. This will not be a 'small' payload by any
> means, but should be feasible for all DCERPC and browser bug exploits.
>
> 2) Develop a custom DNS server for *.msf.metasploit.com
>
> 3) Provide a registration page where you can request a username/password

How about a custom DNS server that takes queries like *.1.2.3.4.msf.metasploit.com and returns a SOA that points to the 1.2.3.4 IP address? This will force the client to contact the name server at 1.2.3.4 directly, avoiding the need for registration.

> The problems with this are:
>
> * Privacy concerns regarding the initial DNS request to msf.metasploit.com
> for the NS record of the attacker. Technically, this could violate an NDA
> if used on a penetration test.

The domain name in the payload will be configurable, so you can set it to myowndomain.com instead of msf.metasploit.com. If you are a pentester, you can probably afford to run your own nameserver.

> * The framework console would need to bind to port 53 (r00t on unix) and
> be accessible from the internet.

The same is true for all browser exploits in the framework.

> * It may not be that useful, but it does seem like a fun hack. With any
> luck, this can be accomplished using the built-in name resolution API in
> windows/unix/etc.

I think DNSAPI.DLL has all the functionality you need for the payload. Look at WinDNS.h in the Platform SDK, specifically the DnsQuery() function. I just spent an entire weekend reversing this DLL, so I know it pretty well by now :-)

Alex

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
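The referral trick proposed above, written out as an added example; this is not code from the thread or from the Metasploit Framework. It is a minimal UDP responder for the base domain that parses a query for `<anything>.A.B.C.D.msf.metasploit.com`, pulls the four octets out of the labels, and answers with a referral that sends the resolver to a name server at A.B.C.D. The mail speaks of returning a SOA; the example builds the referral as an NS record for the child zone plus a glue A record, since that record pair is what a recursive resolver actually follows to reach the child zone's server. Assumptions: `msf.metasploit.com` as the base domain (configurable, as the mail says), `ns.<child zone>` as the glue name, a 60-second TTL, and Python's standard library only.

```python
import socket
import struct

# Assumption: the base domain is configurable, as the post says; this default mirrors the post.
BASE_DOMAIN = "msf.metasploit.com"
TTL = 60  # assumed short TTL so a changed delegation target is picked up quickly


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_name(data, offset):
    """Decode a name at offset, following compression pointers. Returns (labels, end_offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = offset + 2                        # the name ends after the first pointer
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop")
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            return labels, end if end is not None else offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid, qname, qtype=1):
    """Client side: a standard recursive query (RD=1) for qname, type A by default."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, 1))


def parse_query(packet):
    """Return (txid, qname, qtype, question_bytes) from a query packet with one IN question."""
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, off = parse_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    if qclass != 1:
        raise ValueError("only class IN is handled")
    return txid, ".".join(labels), qtype, packet[12:off + 4]


def delegation_target(qname, base_domain=BASE_DOMAIN):
    """Match '<anything>.A.B.C.D.<base>' and return (child_zone, 'A.B.C.D'), else None."""
    labels = qname.lower().rstrip(".").split(".")
    base = base_domain.lower().split(".")
    if len(labels) < len(base) + 4 or labels[-len(base):] != base:
        return None
    octets = labels[-len(base) - 4:-len(base)]
    # each label must be a canonical decimal octet; '01' and '256' are rejected
    if any(not o.isdigit() or str(int(o)) != o or int(o) > 255 for o in octets):
        return None
    return ".".join(octets + base), ".".join(octets)


def rr(name, rtype, rdata):
    """One resource record in class IN with the assumed TTL."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, TTL, len(rdata)) + rdata


def build_referral(txid, question, zone, ip):
    """Referral (AA=0): an NS record for the child zone plus an in-bailiwick glue A record."""
    ns_name = "ns." + zone                                        # assumed glue name
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 0, 1, 1)    # QR=1, 1 authority, 1 additional
    authority = rr(zone, 2, encode_name(ns_name))                 # type 2 = NS
    additional = rr(ns_name, 1, socket.inet_aton(ip))             # type 1 = A (glue)
    return header + question + authority + additional


def handle_query(packet):
    """Wire response for one query: a referral for names under the base domain, else REFUSED."""
    txid, qname, _qtype, question = parse_query(packet)
    target = delegation_target(qname)
    if target is None:
        return struct.pack("!HHHHHH", txid, 0x8005, 1, 0, 0, 0) + question  # RCODE 5 = REFUSED
    zone, ip = target
    return build_referral(txid, question, zone, ip)


def serve(bind_addr="0.0.0.0", port=53):
    """UDP loop; port 53 needs root on Unix, as the quoted mail notes. Malformed packets are dropped."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        packet, peer = sock.recvfrom(512)
        try:
            reply = handle_query(packet)
        except (ValueError, IndexError, UnicodeDecodeError, struct.error, OSError):
            continue
        sock.sendto(reply, peer)


if __name__ == "__main__":
    serve()
```

Two things a practitioner should keep in mind when running this. First, the glue name sits inside the delegated zone, so it passes a resolver's bailiwick check; the server at A.B.C.D must then answer authoritatively for `A.B.C.D.msf.metasploit.com`, and it is that server, not this one, that sees the data-carrying `<anything>` labels. Second, every query still passes through whoever runs the base domain and carries the target IP in its labels, which is the privacy point raised in the quoted mail; the configurable domain is the answer to it. On the payload side, each chunk needs a distinct name, or the stub resolver's cache will answer repeated queries without sending them.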
