Thursday, July 24, 2008

Kaminsky DNS Cache Poisoning PoC Exploit in Metasploit SVN

Looks like Druid and HDM have released a proof of concept exploit in Metasploit to attack nameservers using Kaminsky's now leaked vulnerability. This is huge because not only is the attack unbelievably easy to execute, 95% of the Internet is still vulnerable!

This is a historical moment in IT Security and will be a very, very busy day for those of us on the defense side.

Exploit Code:

http://www.caughq.org/exploits/CAU-EX-2008-0002.txt

http://www.caughq.org/exploits/CAU-EX-2008-0003.txt

Or simply grab the latest metasploit:

svn co http://metasploit.com/svn/framework3/trunk/

Snort signatures I wrote for Emerging Threats:

alert udp any 53 -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible NS RR Cache Poisoning Attempt"; content: "|85 00 00 01 00 01 00 01|"; offset: 2; within: 8; threshold: type both, track by_src, count 50, seconds 2; classtype:bad-unknown; reference:url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html; sid:2008447; rev:10;)

alert udp any 53 -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible A RR Cache Poisoning Attempt"; content: "|81 80 00 01 00 01 00 01|"; offset: 2; within: 8; threshold: type both, track by_src, count 50, seconds 2; classtype:bad-unknown; reference:url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html; sid:2008457; rev:10;)
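As an added example (not from the post or from the Metasploit module), here is the detection logic of those two Snort rules in Python: match the eight header bytes the content patterns look for (flags, QDCOUNT, ANCOUNT, NSCOUNT) and apply the per-source "50 in 2 seconds" threshold with "type both" semantics. The packet builder and the flood simulation are constructed sample data, not captured traffic.

```python
import struct
from collections import defaultdict, deque

# Bytes 2..9 of the DNS header (flags, QDCOUNT, ANCOUNT, NSCOUNT) matched by the two rules
SIGNATURES = {
    bytes.fromhex("8500000100010001"): "possible NS RR Cache Poisoning Attempt",  # AA reply, 1 Q / 1 AN / 1 NS
    bytes.fromhex("8180000100010001"): "possible A RR Cache Poisoning Attempt",   # RD+RA reply, 1 Q / 1 AN / 1 NS
}

class DnsResponseBurstDetector:
    """Alert when one source sends 50+ matching responses within 2 s (tracked per source and per rule)."""

    def __init__(self, count=50, seconds=2.0):
        self.count, self.seconds = count, seconds
        self.times = defaultdict(deque)   # (src_ip, label) -> timestamps inside the window
        self.last_alert = {}              # (src_ip, label) -> time of the last alert

    @staticmethod
    def classify(payload):
        """Return the rule label whose header bytes match this datagram, or None."""
        return SIGNATURES.get(payload[2:10]) if len(payload) >= 12 else None

    def observe(self, src_ip, src_port, ts, payload):
        """Feed one UDP datagram; returns an alert label or None."""
        if src_port != 53:                 # rules match 'udp any 53 -> $HOME_NET any'
            return None
        label = self.classify(payload)
        if label is None:
            return None
        key = (src_ip, label)
        q = self.times[key]
        q.append(ts)
        while q and ts - q[0] > self.seconds:   # drop hits that fell out of the 2 s window
            q.popleft()
        if len(q) < self.count:
            return None
        # threshold 'type both': fire once, then stay quiet for the rest of the window
        last = self.last_alert.get(key)
        if last is not None and ts - last < self.seconds:
            return None
        self.last_alert[key] = ts
        return label

def dns_response(txid, flags, qd=1, an=1, ns=1, ar=0):
    """Constructed sample datagram: 12-byte DNS header plus a dummy question for www.example.com/A."""
    header = struct.pack(">HHHHHH", txid, flags, qd, an, ns, ar)
    return header + b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"

def simulate_flood(n=60, flags=0x8500, src="198.51.100.7", start=0.0, step=0.01):
    """Constructed burst: n forged replies from one source, `step` seconds apart; returns indices that alerted."""
    det = DnsResponseBurstDetector()
    return [i for i in range(n) if det.observe(src, 53, start + i * step, dns_response(0x1000 + i, flags))]
```

With the defaults the 50th forged reply (index 49) raises the one alert for the window; spreading the same replies 100 ms apart never accumulates 50 inside 2 s and stays silent, which is the blind spot of a pure rate threshold.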


*** Update ***
New metasploit module out this morning which allows you to cache-poison (overwrite) the NS record for an entire domain. This means if you have an evil NS server ready to take requests, you can mass-own entire domains such as google, microsoft, etc. Scary stuff.

http://blog.wired.com/27bstroke6/2008/07/dns-exploit-in.html
