search

rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/
Other
33.79k stars 13.9k forks source link

auxiliary/gather/enum_dns ignores specified NS on AXFR #14236

Closed digininja closed 3 years ago

digininja commented 3 years ago

Steps to reproduce

How'd you do it?

  1. use auxiliary/gather/enum_dns.rb
  2. set NS 127.0.0.1
  3. set ENUM_AXFR true
  4. set DOMAIN mytest.com
  5. set ENUM_A false
  6. set ENUM_BRT false
  7. set ENUM_MX false
  8. set ENUM_SOA false
  9. set ENUM_SRV false
  10. set ENUM_TXT false
  11. set ENUM_CNAME false
  12. set ENUM_NS false
  13. run

The local Bind9 server is setup to allow zone transfers. The IP addresses in it aren't setup to point to anything valid, including the NS records.

Were you following a specific guide/tutorial or reading documentation?

n/a

Expected behavior

AXFR should be attempted against the NS specified.

Maybe have an option to also test the NS records set for the domain, but that could create unexpected traffic so it shouldn't be on by default. Target may notice and log an AXFR attempt against the NS.

Current behavior

I'm guessing that the NS returned by the SOA request is chosen rather than the NS specified in the options, or it may just pick the first NS entry from doing an NS lookup. As the NS doesn't resolve, the AXFR fails with an error.

msf6 auxiliary(gather/enum_dns) > run

[*] Querying DNS NS records for mytest.com
[+] witrap.com NS: ns1.mytest.com
[+] witrap.com NS: ns1.mytest.com
[+] witrap.com NS: ns3.mytest.com
[*] Attempting DNS AXFR for mytest.com from ns1.mytest.com
[-] AXFR failed: getaddrinfo: Name or service not known
[*] Auxiliary module execution completed

Metasploit version

d0778c7a547a0f49fdea54463862306764675090 (HEAD, upstream/master) Land #14228, Increase operations per run

Additional Information

Found this during building a lab, I don't own the Bind config files but may be able to share them if needed.

Theivaraj1211 commented 3 years ago

Sir can u teach me hacking Bro

On Thu 8 Oct, 2020, 2:24 PM Robin Wood, notifications@github.com wrote:

Steps to reproduce

How'd you do it?

  1. use auxiliary/gather/enum_dns.rb
  2. set NS 127.0.0.1
  3. set ENUM_AXFR true
  4. set DOMAIN mytest.com
  5. set ENUM_A false
  6. set ENUM_BRT false
  7. set ENUM_MX false
  8. set ENUM_SOA false
  9. set ENUM_SRV false
  10. set ENUM_TXT false
  11. set ENUM_CNAME false
  12. set ENUM_NS false
  13. run

The local Bind9 server is setup to allow zone transfers. The IP addresses in it aren't setup to point to anything valid, including the NS records. Were you following a specific guide/tutorial or reading documentation?

n/a Expected behavior

AXFR should be attempted against the NS specified.

Maybe have an option to also test the NS records set for the domain, but that could create unexpected traffic so it shouldn't be on by default. Target may notice and log an AXFR attempt against the NS. Current behavior

I'm guessing that the NS returned by the SOA request is chosen rather than the NS specified in the options, or it may just pick the first NS entry from doing an NS lookup. As the NS doesn't resolve, the AXFR fails with an error.

msf6 auxiliary(gather/enum_dns) > run

[] Querying DNS NS records for mytest.com [+] witrap.com NS: ns1.mytest.com [+] witrap.com NS: ns1.mytest.com [+] witrap.com NS: ns3.mytest.com [] Attempting DNS AXFR for mytest.com from ns1.mytest.com [-] AXFR failed: getaddrinfo: Name or service not known [*] Auxiliary module execution completed

Metasploit version

d0778c7a547a0f49fdea54463862306764675090 (HEAD, upstream/master) Land #14228, Increase operations per run

Additional Information

Found this during building a lab, I don't own the Bind config files but may be able to share them if needed.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/rapid7/metasploit-framework/issues/14236, or unsubscribe https://github.com/notifications/unsubscribe-auth/ARG5CBO4VZVCJ64XURB6BI3SJV443ANCNFSM4SIOXL7A .

digininja commented 3 years ago

Ignoring the hacking request, it looks like it is just pulling back the NS records not the SOA, if I run it a couple of times it switches between ns1 and ns3 but would stick on ns1 if it were using the SOA.

zeroSteiner commented 3 years ago

Marking this as a dup of #14321, if that's incorrect just let me know.

digininja commented 3 years ago

It is a duplicate, I thought I'd raised it in the past but I completely failed to find this in the issue list.