Native DNS Server (Example) - Metasploit
This page contains detailed information about how to use the auxiliary/server/dns/native_server metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Native DNS Server (Example)
Module: auxiliary/server/dns/native_server
Source code: modules/auxiliary/server/dns/native_server.rb
Disclosure date: -
Last modification time: 2020-09-22 02:56:51 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: dns
Target network port(s): 53
List of CVEs: -
This module provides a Rex based DNS service which can store static entries, resolve names over pivots, and serve DNS requests across routed session comms. DNS tunnels can operate across the the Rex switchboard, and DNS other modules can use this as a template. Setting static records via hostfile allows for DNS spoofing attacks without direct traffic manipulation at the handlers. handlers for requests and responses provided here mimic the internal Rex functionality, but utilize methods within this module's namespace to output content processed in the Proc contexts via vprint_status.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/server/dns/native_server
msf auxiliary(native_server) > show targets
... a list of targets ...
msf auxiliary(native_server) > set TARGET target-id
msf auxiliary(native_server) > show options
... show and set options ...
msf auxiliary(native_server) > exploit
Go back to menu.
Msfconsole Usage
Here is how the server/dns/native_server auxiliary module looks in the msfconsole:
msf6 > use auxiliary/server/dns/native_server
msf6 auxiliary(server/dns/native_server) > show info
Name: Native DNS Server (Example)
Module: auxiliary/server/dns/native_server
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
RageLtMan <rageltman@sempervictus>
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
DISABLE_NS_CACHE false no Disable DNS response caching
DISABLE_RESOLVER false no Disable DNS request forwarding
DOMAIN no The target domain name
NS no Specify the nameservers to use for queries, space separated
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RPORT 53 yes The target port (TCP)
SEARCHLIST no DNS domain search list, comma separated
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 53 yes The local port to listen on.
STATIC_ENTRIES no DNS domain search list (hosts file or space/semicolon separate entries)
THREADS 1 yes Number of threads to use in threaded queries
Description:
This module provides a Rex based DNS service which can store static
entries, resolve names over pivots, and serve DNS requests across
routed session comms. DNS tunnels can operate across the the Rex
switchboard, and DNS other modules can use this as a template.
Setting static records via hostfile allows for DNS spoofing attacks
without direct traffic manipulation at the handlers. handlers for
requests and responses provided here mimic the internal Rex
functionality, but utilize methods within this module's namespace to
output content processed in the Proc contexts via vprint_status.
Module Options
This is a complete list of options available in the server/dns/native_server auxiliary module:
msf6 auxiliary(server/dns/native_server) > show options
Module options (auxiliary/server/dns/native_server):
Name Current Setting Required Description
---- --------------- -------- -----------
DISABLE_NS_CACHE false no Disable DNS response caching
DISABLE_RESOLVER false no Disable DNS request forwarding
DOMAIN no The target domain name
NS no Specify the nameservers to use for queries, space separated
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RPORT 53 yes The target port (TCP)
SEARCHLIST no DNS domain search list, comma separated
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 53 yes The local port to listen on.
STATIC_ENTRIES no DNS domain search list (hosts file or space/semicolon separate entries)
THREADS 1 yes Number of threads to use in threaded queries
Advanced Options
Here is a complete list of advanced options supported by the server/dns/native_server auxiliary module:
msf6 auxiliary(server/dns/native_server) > show advanced
Module advanced options (auxiliary/server/dns/native_server):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
ConnectTimeout 10 yes Maximum number of seconds to establish a TCP connection
DnsClientDefaultNS 8.8.8.8 8.8.4.4 no Specify the default to use for queries, space separated
DnsClientRVLExistingOnly true no Only perform lookups on hosts in DB
DnsClientReportARecords true no Add hosts found via BRT and RVL to DB
DnsClientResolvconf /dev/null yes Resolvconf formatted configuration file to use for Resolver
DnsClientRetry 2 no Number of times to try to resolve a record if no response is received
DnsClientRetryInterval 2 no Number of seconds to wait before doing a retry
DnsClientTcpDns false no Run queries over TCP
DnsServerTcp false yes Serve TCP DNS requests
DnsServerUdp true yes Serve UDP DNS requests
ListenerComm no The specific communication channel to use for this service
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCipher no String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
SSLVerifyMode PEER no SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the server/dns/native_server module can do:
msf6 auxiliary(server/dns/native_server) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the server/dns/native_server auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(server/dns/native_server) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
TCP::max_send_size 0 no Maxiumum tcp segment size. (0 = disable)
TCP::send_delay 0 no Delays inserted before every send. (0 = disable)
Go back to menu.
Error Messages
This module may fail with the following error messages:
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
Failed to bind to port <RPORT>: <E.MESSAGE>
Here is a relevant code snippet related to the "Failed to bind to port <RPORT>: <E.MESSAGE>" error message:
34: def run
35: begin
36: start_service
37: service.wait
38: rescue Rex::BindFailed => e
39: print_error "Failed to bind to port #{datastore['RPORT']}: #{e.message}"
40: ensure
41: stop_service(true)
42: end
43: end
44:
Go back to menu.
Related Pull Requests
- #14202 Merged Pull Request: Implement the zeitwerk autoloader within lib/msf/core
- #12205 Merged Pull Request: Update module and generate splats from http:// to https://
- #6611 Merged Pull Request: Implement native DNS for Msf Namespace
Go back to menu.
See Also
Check also the following modules related to this module:
- auxiliary/admin/natpmp/natpmp_map
- auxiliary/admin/vmware/terminate_esx_sessions
- auxiliary/bnat/bnat_router
- auxiliary/bnat/bnat_scan
- auxiliary/gather/impersonate_ssl
- auxiliary/gather/natpmp_external_address
- auxiliary/parser/unattend
- auxiliary/scanner/http/linknat_vos_traversal
- auxiliary/scanner/natpmp/natpmp_portscan
- auxiliary/server/netbios_spoof_nat
- auxiliary/spoof/dns/native_spoofer
- exploit/linux/misc/mongod_native_helper
- exploit/multi/http/phpmyadmin_null_termination_exec
- exploit/windows/browser/indusoft_issymbol_internationalseparator
- exploit/windows/local/bits_ntlm_token_impersonation
- post/windows/gather/enum_unattend
- post/windows/manage/rollback_defender_signatures
- auxiliary/server/dns/spoofhelper
- exploit/linux/local/libuser_roothelper_priv_esc
- exploit/linux/local/ptrace_traceme_pkexec_helper
- exploit/windows/browser/ms13_090_cardspacesigninhelper
- exploit/windows/http/adobe_robohelper_authbypass
- exploit/windows/local/bypassuac_fodhelper
- auxiliary/scanner/http/f5_bigip_virtual_server
- auxiliary/scanner/misc/java_jmx_server
- auxiliary/scanner/misc/java_rmi_server
- auxiliary/scanner/redis/redis_server
- auxiliary/server/regsvr32_command_delivery_server
Authors
RageLtMan <rageltman[at]sempervictus>
Version
This page has been produced using Metasploit Framework version 6.1.27-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.
