Message-Id: <200608121241.09601.fdlist@digitaloffense.net>
Date: Sat, 12 Aug 2006 12:41:09 -0500
From: H D Moore <fdlist@...italoffense.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Re[2]: JavaScript get Internal Address (thanks to DanBUK)

On Saturday 12 August 2006 12:16, Thierry Zoller wrote:
> OHoh, when can we expect a DNS tunnel, tunneling a shell through your
> DNS requests and DNS answers ? :) A nice remote shell through dns
> tunnel over XSS. LOL :)

Heh. I actually have a plan for doing that :-)

1) Create a metasploit payload for communicating with shell/meterpreter 
via DNS queries and replies. This will not be a 'small' payload by any 
means, but should be feasible for all DCERPC and browser bug exploits.

2) Develop a custom DNS server for *.msf.metasploit.com

3) Provide a registration page where you can request a username/password

4) Provide a DNS sub-domain server in metasploit 3.0. The attacker will 
connect to the metasploit.com web site, post the user/pass, and ask for a 
unique sub-domain that points back to its own address. This can be 
automated by the payload handler.

5) Select a DNS payload, select an exploit, exploit the target system. The 
payload is configured to "talk" to *.uniqueId.msf.metasploit.com, which 
actually runs on the system running the metasploit console.

6) The payload runs, the client resolves the NS record from our server, 
gets redirected to the attacking metasploit console, and communication 
starts.

7) Profit!


The problems with this are:

* Privacy concerns regarding the initial DNS request to msf.metasploit.com 
for the NS record of the attacker. Technically, this could violate an NDA 
if used on a penetration test.

* The framework console would need to bind to port 53 (r00t on unix) and 
be accessible from the internet.

* Need to develop a DNS service running in Ruby. Another time requirement.

* It may not be that useful, but it does seem like a fun hack. With any 
luck, this can be accomplished using the built-in name resolution API in 
windows/unix/etc.

* Really easy to signature if it always uses *.metasploit.com requests.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
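The following is an added example and is not code from H D Moore's message or from Metasploit. It models the channel sketched in the thread (shell data split into DNS query names under a per-attacker sub-domain, reassembled by the authoritative server the attacker runs) and then shows the two ways a defender would catch it: the static `*.msf.metasploit.com` signature the last bullet predicts, and a domain-agnostic heuristic over resolver logs that still fires after the zone is renamed. The wire format (a hex sequence label, base32 payload labels, then the zone), the hypothetical sub-domain `u1234`, the sample `/etc/passwd` text and the detection thresholds are all assumptions chosen for illustration.

```python
"""Toy DNS command channel plus the signature and heuristic that detect it.

Added example, not from the mailing-list post or Metasploit. Wire format,
zone name, sample data and thresholds are assumptions for illustration.
"""
import base64
import math
import re
from collections import defaultdict

MAX_LABEL = 63   # RFC 1035: a label is at most 63 octets
MAX_NAME = 253   # longest presentation-format name that fits on the wire

# Hypothetical per-attacker sub-domain in the scheme the post describes.
ZONE = "u1234.msf.metasploit.com"

# Constructed sample "shell output" to tunnel; not real data.
SAMPLE = (
    b"root:x:0:0:root:/root:/bin/bash\n"
    b"daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    b"bin:x:2:2:bin:/bin:/usr/sbin/nologin\n"
    b"sys:x:3:3:sys:/dev:/usr/sbin/nologin\n"
    b"www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    b"nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n"
    b"sshd:x:105:65534::/run/sshd:/usr/sbin/nologin\n"
    b"alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
)

# Constructed benign queries for the detection part.
BENIGN = ["www.example.com", "mail.example.com", "static.cdn.example.net",
          "api.service.example.org", "ntp0.pool.example.org"]


def shannon_entropy(s: str) -> float:
    """Bits per character: ~0 for 'www', ~4.5-5 for base32 of real data."""
    if not s:
        return 0.0
    return -sum(n / len(s) * math.log2(n / len(s))
                for n in (s.count(c) for c in set(s)))


def encode_chunks(data: bytes, zone: str, chunk_size: int = 30) -> list[str]:
    """Victim side: split data into numbered chunks, one query name per chunk.

    Layout: <seq as 4 hex digits>.<base32 payload in <=63-char labels>.<zone>
    30 raw bytes -> 48 base32 chars, so each chunk fits in one payload label.
    """
    names = []
    for seq, off in enumerate(range(0, len(data), chunk_size)):
        b32 = base64.b32encode(data[off:off + chunk_size]).decode().rstrip("=").lower()
        labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
        name = ".".join([f"{seq:04x}", *labels, zone])
        if len(name) > MAX_NAME:
            raise ValueError("chunk_size too large for this zone")
        names.append(name)
    return names


def decode_chunks(names, zone: str) -> bytes:
    """Attacker's authoritative server: keep only names under our zone, reorder
    by sequence number (DNS gives no ordering guarantee) and rebuild the bytes."""
    pieces = {}
    suffix = "." + zone.lower()
    for name in names:
        name = name.rstrip(".").lower()          # DNS names are case-insensitive
        if not name.endswith(suffix):
            continue
        seq_label, *payload = name[: -len(suffix)].split(".")
        b32 = "".join(payload).upper()
        b32 += "=" * (-len(b32) % 8)             # restore the padding we stripped
        pieces[int(seq_label, 16)] = base64.b32decode(b32)
    return b"".join(pieces[k] for k in sorted(pieces))


# The signature the post predicts: trivially reliable while the channel is
# hard-wired to one public zone, useless the moment the zone changes.
SIGNATURE = re.compile(r"\.msf\.metasploit\.com\.?$", re.IGNORECASE)


def matches_signature(name: str) -> bool:
    return SIGNATURE.search(name) is not None


def suspicious_zones(names, min_unique=8, min_label=32, min_entropy=3.0) -> list[str]:
    """Domain-agnostic heuristic for resolver logs: group queries by their last
    three labels (a crude stand-in for 'the delegated zone') and flag a zone that
    receives many distinct names with long, high-entropy leading labels.
    Thresholds are illustrative, not tuned against real traffic."""
    by_zone = defaultdict(set)
    for name in names:
        labels = name.rstrip(".").lower().split(".")
        if len(labels) < 4:
            continue                             # nothing below the zone to inspect
        by_zone[".".join(labels[-3:])].add(".".join(labels[:-3]))
    flagged = []
    for zone, subs in by_zone.items():
        longest = max(len(lbl) for sub in subs for lbl in sub.split("."))
        entropy = shannon_entropy("".join(subs).replace(".", ""))
        if len(subs) >= min_unique and longest >= min_label and entropy >= min_entropy:
            flagged.append(zone)
    return sorted(flagged)


if __name__ == "__main__":
    queries = encode_chunks(SAMPLE, ZONE)
    print("first query:", queries[0])
    assert decode_chunks(queries, ZONE) == SAMPLE
    print("signature hits:", sum(map(matches_signature, queries)), "of", len(queries))
    renamed = encode_chunks(SAMPLE, "u1234.cdn.example.net")   # same channel, new zone
    print("signature hits after rename:", sum(map(matches_signature, renamed)))
    print("heuristic flags:", suspicious_zones(queries + renamed + BENIGN))
```

The round trip shows why the post calls the payload "not small": the client has to chunk, encode and sequence everything itself, and the server has to tolerate out-of-order arrival. The detection half makes the last bullet concrete: renaming the zone defeats the regex but not the volume-and-entropy heuristic, which is why real tunnels are hunted by those properties rather than by domain.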
