{"id":59369,"date":"2024-09-01T21:29:55","date_gmt":"2024-09-01T18:29:55","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/181220\/dns_amp.rb.txt"},"modified":"2024-09-01T21:29:55","modified_gmt":"2024-09-01T18:29:55","slug":"dns-amplification-scanner","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/dns-amplification-scanner\/","title":{"rendered":"DNS Amplification Scanner"},"content":{"rendered":"

##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n

class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Exploit::Capture
include Msf::Auxiliary::UDPScanner
include Msf::Auxiliary::DRDoS<\/p>\n

def initialize
super(
‘Name’ => ‘DNS Amplification Scanner’,
‘Description’ => %q{
This module can be used to discover DNS servers which expose recursive
name lookups which can be used in an amplification attack against a
third party.
},
‘Author’ => [ ‘xistence <xistence[at]0x90.nl>’], # Original scanner module
‘License’ => MSF_LICENSE,
‘References’ =>
[
[‘CVE’, ‘2006-0987’],
[‘CVE’, ‘2006-0988’],
])<\/p>\n

register_options( [
Opt::RPORT(53),
OptString.new(‘DOMAINNAME’, [true, ‘Domain to use for the DNS request’, ‘isc.org’ ]),
OptString.new(‘QUERYTYPE’, [true, ‘Query type(A, NS, SOA, MX, TXT, AAAA, RRSIG, DNSKEY, ANY)’, ‘ANY’ ]),
])
end<\/p>\n

def rport
datastore[‘RPORT’]end<\/p>\n

def setup
super<\/p>\n

# Check for DNS query types byte
case datastore[‘QUERYTYPE’]when ‘A’
querypacket=”\\x01″
when ‘NS’
querypacket=”\\x02″
when ‘SOA’
querypacket=”\\x06″
when ‘MX’
querypacket=”\\x0f”
when ‘TXT’
querypacket=”\\x10″
when ‘AAAA’
querypacket=”\\x1c”
when ‘RRSIG’
querypacket=”\\x2e”
when ‘DNSKEY’
querypacket=”\\x30″
when ‘ANY’
querypacket=”\\xff”
else
print_error(“Invalid query type!”)
return
end<\/p>\n

targdomainpacket = []# Before every part of the domainname there should be the length of that part (instead of a “.”)
# So isc.org divided is 3isc3org
datastore[‘DOMAINNAME’].split(‘.’).each do |domainpart|
# The length of the domain part in hex
domainpartlength = “%02x” % domainpart.length
# Convert the name part to a hex string
domainpart = domainpart.each_byte.map { |b| b.to_s(16) }.join()
# Combine the length of the name part and the name part
targdomainpacket.push(domainpartlength + domainpart)
end
# Convert the targdomainpacket to a string
targdomainpacket = targdomainpacket.join.to_s
# Create a correct hex character string to be used in the packet
targdomainpacket = targdomainpacket.scan(\/..\/).map { |x| x.hex.chr }.join
# DNS Packet including our target domain and query type
@msearch_probe = “\\x09\\x8d\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00” + targdomainpacket + “\\x00\\x00” + querypacket + “\\x00\\x01”
end<\/p>\n

def scanner_prescan(batch)
print_status(“Sending DNS probes to #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)”)
# Standard packet is 60 bytes. Add the domain size to this
sendpacketsize = 60 + datastore[‘DOMAINNAME’].length
print_status(“Sending #{sendpacketsize} bytes to each host using the IN #{datastore[‘QUERYTYPE’]} #{datastore[‘DOMAINNAME’]} request”)
@results = {}
end<\/p>\n

def scan_host(ip)
if spoofed?
datastore[‘ScannerRecvWindow’] = 0
scanner_spoof_send(@msearch_probe, ip, datastore[‘RPORT’], datastore[‘SRCIP’], datastore[‘NUM_REQUESTS’])
else
scanner_send(@msearch_probe, ip, datastore[‘RPORT’])
end
end<\/p>\n

def scanner_process(data, shost, sport)<\/p>\n

# Check the response data for \\x09\\x8d and the next 2 bytes, which contain our DNS flags
if data =~\/\\x09\\x8d(..)\/
flags = $1
flags = flags.unpack(‘B*’)[0].scan(\/.\/)
# Query Response
qr = flags[0]# Recursion Available
ra = flags[8]# Response Code
rcode = flags[12] + flags[13] + flags[14] + flags[15]\n

# If these flags are set, we get a valid response
# don’t test recursion available if correct answer received
# at least the case with bind and “additional-from-cache no” or version < 9.5+
if qr == “1” and rcode == “0000”
sendlength = 60 + datastore[‘DOMAINNAME’].length
receivelength = 42 + data.length
amp = receivelength \/ sendlength.to_f
print_good(“#{shost}:#{datastore[‘RPORT’]} – Response is #{receivelength} bytes [#{amp.round(2)}x Amplification]”)
report_service(:host => shost, :port => datastore[‘RPORT’], :proto => ‘udp’, :name => “dns”)
report_vuln(
:host => shost,
:port => datastore[‘RPORT’],
:proto => ‘udp’, :name => “DNS”,
:info => “DNS amplification – #{data.length} bytes [#{amp.round(2)}x Amplification]”,
:refs => self.references)
end<\/p>\n

# If these flags are set, we get a valid response but recursion is not available
if qr == “1” and ra == “0” and rcode == “0101”
print_status(“#{shost}:#{datastore[‘RPORT’]} – Recursion not allowed”)
report_service(:host => shost, :port => datastore[‘RPORT’], :proto => ‘udp’, :name => “dns”)
end
end
end
end<\/p>\n","protected":false},"excerpt":{"rendered":"

### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule < Msf::Auxiliaryinclude Msf::Auxiliary::Reportinclude Msf::Exploit::Captureinclude Msf::Auxiliary::UDPScannerinclude Msf::Auxiliary::DRDoS def initializesuper(‘Name’ => ‘DNS Amplification Scanner’,‘Description’ => %q{This module can be used to discover DNS servers which expose recursivename lookups which can be used in an amplification attack against athird party.},‘Author’ => [ ‘xistence <xistence[at]0x90.nl>’], # Original scanner …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59369","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59369","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59369"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59369\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59369"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59369"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59369"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}