Native DNS Spoofer (Example) - Metasploit
This page contains detailed information about how to use the auxiliary/spoof/dns/native_spoofer Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Native DNS Spoofer (Example)
Module: auxiliary/spoof/dns/native_spoofer
Source code: modules/auxiliary/spoof/dns/native_spoofer.rb
Disclosure date: -
Last modification time: 2020-09-22 02:56:51 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: dns
Target network port(s): 53
List of CVEs: -
This module provides a Rex-based DNS service to resolve queries intercepted via the capture mixin. Configure STATIC_ENTRIES to contain the host-name mappings desired for spoofing, either as a hosts file or as space/semicolon separated entries. In the default configuration, the service operates as a normal native DNS server, except that it consumes from and writes to the wire instead of a listening socket. It works best when compromising routers or spoofing at L2, since that prevents the real reply from reaching the client; otherwise the spoofed and genuine replies race each other. The method by which the real replies are filtered is up to the user (though iptables works fine).
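The race described above has an observable symptom on the wire: one query receives two replies with different answers. The following Ruby is an added example (not part of the module or of this page) that uses the standard library's Resolv::DNS to decode DNS responses and flag transaction IDs that received conflicting answer sets; the sample packets, names, addresses and IDs are constructed for the demonstration.

```ruby
require 'resolv'

# Build a DNS A-record response as wire bytes. Used here only to construct
# sample traffic; in a real deployment the bytes come from a capture.
def build_a_response(txid, name, ip, ttl = 60)
  msg = Resolv::DNS::Message.new(txid)
  msg.qr = 1
  msg.add_question(name, Resolv::DNS::Resource::IN::A)
  msg.add_answer(name, ttl, Resolv::DNS::Resource::IN::A.new(ip))
  msg.encode
end

# Summarise one captured response: transaction id, queried name, A answers.
# Returns nil for queries and for payloads that are not well-formed DNS.
def summarize_response(bytes)
  msg = Resolv::DNS::Message.decode(bytes)
  return nil unless msg.qr == 1
  qname = msg.question.first&.first&.to_s
  ips = msg.answer.select { |_, _, r| r.is_a?(Resolv::DNS::Resource::IN::A) }
                  .map { |_, _, r| r.address.to_s }
  { txid: msg.id, qname: qname, ips: ips.sort }
rescue Resolv::DNS::DecodeError
  nil
end

# Flag (txid, qname) pairs that received more than one distinct answer set.
# The spoofer works by winning the race against the genuine reply, so two
# conflicting replies to a single query is the symptom a defender can alert on.
def find_conflicting_replies(responses)
  seen = Hash.new { |h, k| h[k] = [] }
  responses.each do |bytes|
    s = summarize_response(bytes) or next
    seen[[s[:txid], s[:qname]]] << s[:ips]
  end
  seen.select { |_, answers| answers.uniq.size > 1 }.keys
end

# Constructed sample: query 0x1234 for www.example.com receives two replies
# with different addresses; query 0x5678 receives a single normal reply.
SAMPLE = [
  build_a_response(0x1234, 'www.example.com', '192.0.2.10'),
  build_a_response(0x1234, 'www.example.com', '198.51.100.7'),
  build_a_response(0x5678, 'mail.example.com', '192.0.2.25'),
].freeze

if __FILE__ == $0
  find_conflicting_replies(SAMPLE).each do |txid, qname|
    puts format('conflicting answers for %s (txid 0x%04x)', qname, txid)
  end
end
```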
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/spoof/dns/native_spoofer
msf auxiliary(native_spoofer) > show targets
... a list of targets ...
msf auxiliary(native_spoofer) > set TARGET target-id
msf auxiliary(native_spoofer) > show options
... show and set options ...
msf auxiliary(native_spoofer) > exploit
Msfconsole Usage
Here is how the spoof/dns/native_spoofer auxiliary module looks in the msfconsole:
msf6 > use auxiliary/spoof/dns/native_spoofer
msf6 auxiliary(spoof/dns/native_spoofer) > show info
Name: Native DNS Spoofer (Example)
Module: auxiliary/spoof/dns/native_spoofer
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
RageLtMan <rageltman@sempervictus>
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
DISABLE_NS_CACHE false no Disable DNS response caching
DISABLE_RESOLVER false no Disable DNS request forwarding
DOMAIN no The target domain name
FILTER dst port 53 no The filter string for capturing traffic
INTERFACE no The name of the interface
NS no Specify the nameservers to use for queries, space separated
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RPORT 53 yes The target port (TCP)
SEARCHLIST no DNS domain search list, comma separated
SNAPLEN 65535 yes The number of bytes to capture
SRVHOST 127.0.2.2 yes The local host to listen on for DNS services.
SRVPORT 53 yes The local port to listen on.
STATIC_ENTRIES no DNS domain search list (hosts file or space/semicolon separate entries)
THREADS 1 yes Number of threads to use in threaded queries
TIMEOUT 500 yes The number of seconds to wait for new data
Description:
This module provides a Rex based DNS service to resolve queries
intercepted via the capture mixin. Configure STATIC_ENTRIES to
contain host-name mappings desired for spoofing using a hostsfile or
space/semicolon separated entries. In default configuration, the
service operates as a normal native DNS server with the exception of
consuming from and writing to the wire as opposed to a listening
socket. Best when compromising routers or spoofing L2 in order to
prevent return of the real reply which causes a race condition. The
method by which replies are filtered is up to the user (though
iptables works fine).
Module Options
This is a complete list of options available in the spoof/dns/native_spoofer auxiliary module:
msf6 auxiliary(spoof/dns/native_spoofer) > show options
Module options (auxiliary/spoof/dns/native_spoofer):
Name Current Setting Required Description
---- --------------- -------- -----------
DISABLE_NS_CACHE false no Disable DNS response caching
DISABLE_RESOLVER false no Disable DNS request forwarding
DOMAIN no The target domain name
FILTER dst port 53 no The filter string for capturing traffic
INTERFACE no The name of the interface
NS no Specify the nameservers to use for queries, space separated
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RPORT 53 yes The target port (TCP)
SEARCHLIST no DNS domain search list, comma separated
SNAPLEN 65535 yes The number of bytes to capture
SRVHOST 127.0.2.2 yes The local host to listen on for DNS services.
SRVPORT 53 yes The local port to listen on.
STATIC_ENTRIES no DNS domain search list (hosts file or space/semicolon separate entries)
THREADS 1 yes Number of threads to use in threaded queries
TIMEOUT 500 yes The number of seconds to wait for new data
Advanced Options
Here is a complete list of advanced options supported by the spoof/dns/native_spoofer auxiliary module:
msf6 auxiliary(spoof/dns/native_spoofer) > show advanced
Module advanced options (auxiliary/spoof/dns/native_spoofer):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
ConnectTimeout 10 yes Maximum number of seconds to establish a TCP connection
DnsClientDefaultNS 8.8.8.8 8.8.4.4 no Specify the default to use for queries, space separated
DnsClientRVLExistingOnly true no Only perform lookups on hosts in DB
DnsClientReportARecords true no Add hosts found via BRT and RVL to DB
DnsClientResolvconf /dev/null yes Resolvconf formatted configuration file to use for Resolver
DnsClientRetry 2 no Number of times to try to resolve a record if no response is received
DnsClientRetryInterval 2 no Number of seconds to wait before doing a retry
DnsClientTcpDns false no Run queries over TCP
DnsServerTcp false yes Serve TCP DNS requests
DnsServerUdp true yes Serve UDP DNS requests
GATEWAY_PROBE_HOST 8.8.8.8 yes Send a TTL=1 random UDP datagram to this host to discover the default gateway's MAC
GATEWAY_PROBE_PORT no The port on GATEWAY_PROBE_HOST to send a random UDP probe to (random if 0 or unset)
ListenerComm no The specific communication channel to use for this service
SECRET 1297303073 yes A 32-bit cookie for probe requests.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCipher no String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
SSLVerifyMode PEER no SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the spoof/dns/native_spoofer module can do:
msf6 auxiliary(spoof/dns/native_spoofer) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of evasion options supported by the spoof/dns/native_spoofer auxiliary module, intended to evade defenses such as antivirus, EDR, firewalls and NIDS:
msf6 auxiliary(spoof/dns/native_spoofer) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
TCP::max_send_size 0 no Maxiumum tcp segment size. (0 = disable)
TCP::send_delay 0 no Delays inserted before every send. (0 = disable)
Error Messages
This module may fail with the following error messages:
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
Failed to bind to port <RPORT>: <E.MESSAGE>
Here is a relevant code snippet related to the "Failed to bind to port <RPORT>: <E.MESSAGE>" error message:
begin
  start_service
  capture_traffic
  service.wait
rescue Rex::BindFailed => e
  print_error "Failed to bind to port #{datastore['RPORT']}: #{e.message}"
ensure
  @capture_thread.kill if @capture_thread
  close_pcap
  stop_service(true)
end
PacketFu could not parse captured packet
Here is a relevant code snippet related to the "PacketFu could not parse captured packet" error message:
begin
  parsed = PacketFu::Packet.parse(pack)
  reply = reply_packet(parsed)
  service.dispatch_request(reply, parsed.payload)
rescue => e
  vprint_status("PacketFu could not parse captured packet")
  dlog(e.backtrace)
end
end
end
end
Could not decode payload segment of packet from <PEER>, check log
Here is a relevant code snippet related to the "Could not decode payload segment of packet from <PEER>, check log" error message:
peer = "#{cli.ip_daddr}:" << (cli.is_udp? ? "#{cli.udp_dst}" : "#{cli.tcp_dst}")
# Deal with non DNS traffic
begin
  req = Packet.encode_drb(data)
rescue => e
  print_error("Could not decode payload segment of packet from #{peer}, check log")
  dlog e.backtrace
  return
end
answered = []
# Find cached items, remove request from forwarded packet
Related Pull Requests
- #14202 Merged Pull Request: Implement the zeitwerk autoloader within lib/msf/core
- #12205 Merged Pull Request: Update module and generate splats from http:// to https://
- #9481 Merged Pull Request: Update native DNS spoofer for Dnsruby
- #6611 Merged Pull Request: Implement native DNS for Msf Namespace
See Also
Check also the following modules related to this module:
- auxiliary/admin/netbios/netbios_spoof
- auxiliary/server/dns/spoofhelper
- auxiliary/server/netbios_spoof_nat
- auxiliary/spoof/arp/arp_poisoning
- auxiliary/spoof/cisco/cdp
- auxiliary/spoof/cisco/dtp
- auxiliary/spoof/dns/bailiwicked_domain
- auxiliary/spoof/dns/bailiwicked_host
- auxiliary/spoof/dns/compare_results
- auxiliary/spoof/llmnr/llmnr_response
- auxiliary/spoof/mdns/mdns_response
- auxiliary/spoof/nbns/nbns_response
- auxiliary/spoof/replay/pcap_replay
- auxiliary/voip/sip_invite_spoof
- exploit/windows/fileformat/winrar_name_spoofing
- post/linux/manage/dns_spoofing
- post/osx/gather/password_prompt_spoof
- auxiliary/server/dns/native_server
- exploit/linux/misc/mongod_native_helper
- auxiliary/admin/dns/dyn_dns_update
- auxiliary/dos/dns/bind_tkey
- auxiliary/dos/dns/bind_tsig
- auxiliary/dos/dns/bind_tsig_badtime
- auxiliary/fuzzers/dns/dns_fuzzer
- auxiliary/scanner/dns/dns_amp
- auxiliary/vsploit/malware/dns/dns_mariposa
- auxiliary/vsploit/malware/dns/dns_query
- auxiliary/vsploit/malware/dns/dns_zeus
- auxiliary/dos/mdns/avahi_portzero
- auxiliary/scanner/mdns/query
- exploit/osx/mdns/upnp_location
Authors
RageLtMan <rageltman[at]sempervictus>
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.