I thought I'd raised this along with the last ticket but I can't find it now so maybe I forgot to click submit. If it is a duplicate, just bin it.
Steps to reproduce
How'd you do it?
use auxiliary/gather/enum_dns.rb
set NS 127.0.0.1
set ENUM_AXFR true
set DOMAIN mytest.com
set ENUM_A false
set ENUM_BRT false
set ENUM_MX false
set ENUM_SOA false
set ENUM_SRV false
set ENUM_TXT false
set ENUM_CNAME false
set ENUM_NS false
run
Set up a zone transfer with an NS which is not the authoritative one for the domain
Were you following a specific guide/tutorial or reading documentation?
n/a
Expected behaviour
AXFR should be run against the specified NS. I may have found an NS that I know is vulnerable or I may want to try some alternatives just in case.
I've seen companies outsource their DNS and have the NS records point to those, but run the master server themselves and forget to lock down who can transfer from them.
Current behaviour
It pulls the NS records for the domain and uses those.
msf6 auxiliary(gather/enum_dns) > show options
Module options (auxiliary/gather/enum_dns):
Name         Current Setting  Required  Description
----         ---------------  --------  -----------
DOMAIN       zonetransfer.me  yes       The target domain
ENUM_A       false            yes       Enumerate DNS A record
ENUM_AXFR    true             yes       Initiate a zone transfer against each NS record
ENUM_BRT     false            yes       Brute force subdomains and hostnames via the supplied wordlist
ENUM_CNAME   false            yes       Enumerate DNS CNAME record
ENUM_MX      false            yes       Enumerate DNS MX record
ENUM_NS      false            yes       Enumerate DNS NS record
ENUM_RVL     false            yes       Reverse lookup a range of IP addresses
ENUM_SOA     false            yes       Enumerate DNS SOA record
ENUM_SRV     false            yes       Enumerate the most common SRV records
ENUM_TLD     false            yes       Perform a TLD expansion by replacing the TLD with the IANA TLD list
ENUM_TXT     false            yes       Enumerate DNS TXT record
IPRANGE                       no        The target address range or CIDR identifier
NS           127.0.0.1        no        Specify the nameservers to use for queries, space separated
Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
RPORT        53               yes       The target port (TCP)
SEARCHLIST                    no        DNS domain search list, comma separated
STOP_WLDCRD  false            yes       Stops bruteforce enumeration if wildcard resolution is detected
THREADS      1                no        Threads for ENUM_BRT
WORDLIST     x                no        Wordlist of subdomains
msf6 auxiliary(gather/enum_dns) > run
[*] Querying DNS NS records for zonetransfer.me
[+] zonetransfer.me NS: nsztm2.digi.ninja
[+] zonetransfer.me NS: nsztm1.digi.ninja
[*] Attempting DNS AXFR for zonetransfer.me from nsztm2.digi.ninja
Metasploit version
msf6 auxiliary(gather/enum_dns) > version
Framework: 6.0.14-dev-854c1905ca
Console : 6.0.14-dev-854c1905ca