Metasploit Dns And Dhcp Exhaustion

[digininja]

I've just updated my Metasploit DHCP and DNS server modules on my site. You can get them, and more information on how to use them, from:

http://www.digininja.org/metasploit/dns_dhcp_beta.php

As a bonus I've also updated my sound plug-in so that it now reads the IP address and port number of the victim who connected to you.

http://www.digininja.org/metasploit/session_created.php

Enjoy.

[zerox123]

i try this and this is what i get step by step:

With DHCP exhaustion


msf > use auxiliary/digininja/dhcp_exhaustion/exhaust 
msf auxiliary(exhaust) > set


Global
======

No entries in data store.

Module: digininja/dhcp_exhaustion/exhaust
=========================================

  Name        Value
  ----        -----
  DHCPSERVER  255.255.255.255
  NETMASK     24
  SNAPLEN     65535
  TIMEOUT     10
  UDP_SECRET  1297303091

msf auxiliary(exhaust) > run
[-] Auxiliary failed: Msf::OptionValidateError The following options failed to validate: RHOST.

and with DNS MiTM

msf auxiliary(exhaust) > use auxiliary/digininja/dns_mitm/dns_mitm 
msf auxiliary(dns_mitm) > set

Global
======

No entries in data store.

Module: digininja/dns_mitm/dns_mitm
===================================

  Name     Value
  ----     -----
  RELOAD   digininja.reload
  SRVHOST  0.0.0.0
  SRVPORT  53

msf auxiliary(dns_mitm) > run
[-] Auxiliary failed: Msf::OptionValidateError The following options failed to validate: REALDNS, FILENAME.

msf auxiliary(dns_mitm) > set iary(dns_mitm) > set FILENAME /usr/scr/metasploit/auxiliary/dns_mitm/dns.txt 
FILENAME => /usr/scr/metasploit/auxiliary/dns_mitm/dns.txt

msf auxiliary(dns_mitm) > set REALDNS 192.168.0.8
REALDNS => 192.168.0.8

msf auxiliary(dns_mitm) > set

Global
======

No entries in data store.

Module: digininja/dns_mitm/dns_mitm
===================================

  Name      Value
  ----      -----
  FILENAME  /usr/scr/metasploit/auxiliary/dns_mitm/dns.txt
  REALDNS   192.168.0.8
  RELOAD    digininja.reload
  SRVHOST   0.0.0.0
  SRVPORT   53

msf auxiliary(dns_mitm) > run
[*] Auxiliary module execution completed
msf auxiliary(dns_mitm) > 
[*] Loading hosts file
[*] Could not open /usr/scr/metasploit/auxiliary/dns_mitm/dns.txt for reading. Quitting.

any help will be sweet.

thanks

[Bercik]

You probably did not unpack all required files.

try this:

#!/bin/bash
mkdir stuff
cd stuff
wget http://www.metasploit.com/releases/framework-3.3.3.tar.bz2
wget http://www.digininja.org/files/msf_dns_dhcp.tar.bz2
tar -xf framework-3.3.3.tar.bz2
tar -C msf3 -xf msf_dns_dhcp.tar.bz2
ifconfig eth0 promisc
echo "/******************/"
echo "/        E   N  D            */"
echo "/  go to stuff/msf3    */"
echo "/  and run msfconsol */"
echo "/******************/"

/edit

I see there is little problem with text formatting ;p but it works fine for me

Edited March 21, 2010 by Bercik

[digininja]

If you read the error message then you can see what is going on:

line 77 [*] Could not open /usr/scr/metasploit/auxiliary/dns_mitm/dns.txt for reading. Quitting.

And is 192.168.0.8 your real dns server?

[lief480]

hi i got everthing installed i think but im getting alittle error

any help appreciated

[*] DHCP attack started
[*] DHCP offer of address: 192.168.1.112
Timeout waiting for ACK
[*] Error: return can't jump across threads
(eval):171:in `run'
/opt/metasploit3/msf3/lib/msf/base/simple/auxiliary.rb:94:in `job_run_proc'
/opt/metasploit3/msf3/lib/msf/base/simple/auxiliary.rb:73:in `run_simple'
/opt/metasploit3/msf3/lib/msf/base/simple/auxiliary.rb:82:in `run_simple'
/opt/metasploit3/msf3/lib/msf/ui/console/command_dispatcher/auxiliary.rb:143:in `cmd_run'
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:239:in `send'
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:239:in `run_command'
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:201:in `run_single'
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:195:in `each'
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:195:in `run_single'
/opt/metasploit3/msf3/lib/rex/ui/text/shell.rb:144:in `run'
./msfconsole:93

[digininja]

Ye, the DHCP attack doesn't work with ruby 1.9 due to a change they made to jumping around. I'm not sure how to fix it and at the moment a bit too busy. Best solution is to install the rvm gem and roll back to a 1.8 release to use this attack.

I've added a note to my site about this.

[lief480]

Hey robin i checked my version of ruby and im running ruby 1.8.7 so i dont think thats the problem. Any other suggestions?

[digininja]

Going to be a pain here and say, are you sure? I'm on 1.8.7 and it works fine, if I roll forward to 1.9.x then it fails with that error. Everyone else who has reported that error is also on 1.9.

Some distros allow multiple versions of ruby. A way to check from within metasploit is to start an irb shell:

msf auxiliary(exhaust) > irb
[*] Starting IRB shell...
>> RUBY_VERSION
=> "1.8.7"

[lief480]

When i put it in this is what i get.

msf auxiliary(exhaust) > irb
[*] Starting IRB shell...

/usr/lib/ruby/1.8/i486-linux/readline.so: warning: already initialized constant HISTORY
/usr/lib/ruby/1.8/i486-linux/readline.so: warning: already initialized constant FILENAME_COMPLETION_PROC
/usr/lib/ruby/1.8/i486-linux/readline.so: warning: already initialized constant USERNAME_COMPLETION_PROC
/usr/lib/ruby/1.8/i486-linux/readline.so: warning: already initialized constant VERSION
>>

edit** BTW im running Backtrack 4 Final

also when i run rvm list i get this

root@bt:/pentest/exploits/framework3# rvm list

rvm Rubies

   ruby-1.8.7-p249 [ i386 ]

System Ruby

   system [ ]

root@bt:/pentest/exploits/framework3#

Edited March 25, 2010 by lief480

[digininja]

That definitely looks like a 1.8 release, in which case I've no idea what is going on every 1.8 machine I've ran it on has worked.

The bug needs fixing so I'll look at it at some point but over the next few days I know I'm busy so it could be a while.

[lief480]

Thanks man, im looking forward to trying it out

[lief480]

i just decided to try doing it on my eth0 instead of wlan0 and i didnt get any of the errors.

Then i went back to wlan0 and tried it again. I got the errors but it seems like it still exhausted the dhcp server.

[digininja]

Thats good, despite the bug it still works!

[lief480]

The only problem is when im running with wireless and get the errors, it is very slow. Without the errors it was very quick.

[digininja]

ye, the jump is to get out of a loop, because of the error it can't so things will slow down

[Oni]

Arg! I get the RHOST error as well. Im working with the SVN version of metasploit. I believe there are two dirs within the zip; a lib and modules dir. I've copied these into my metasploit dir and although msf picks them up, I still get this little error. Im new to metasploit so its likely something i've4 missed. Running Ruby 1.8.7 atm

[digininja]

And so do I!

Looks like it is a new mandatory field, I'll have an ask on the Metasploit mail list and see what they say about how to fix it. I'll report back as soon as I have news.

[digininja]

For now just do

set RHOST 0.0.0.0

and that will let it run. Just wiped out my DHCP range with it.

[Oni]

Arg! I get the RHOST error as well. Im working with the SVN version of metasploit. I believe there are two dirs within the zip; a lib and modules dir. I've copied these into my metasploit dir and although msf picks them up, I still get this little error. Im new to metasploit so its likely something i've4 missed. Running Ruby 1.8.7 atm

Ok sorry, jumped too soon. Set the RHOST and started attack. Not sure on exact settings TBH. I had to install pcaprub with gem and then set INTERFACE to wlan0 as well as setting the RHOST. Not sure what the RHOSTvariable does in the exhaustion attack. Sadly it seems that no packets are being sent out the router/dns server as wireshark isnt showing any :(

msf auxiliary(exhaust) > set

Global

======

No entries in data store.

Module: digininja/dhcp_exhaustion/exhaust

=========================================

Name Value

---- -----

DEVICE wlan0

DHCPSERVER 192.168.1.254

INTERFACE wlan0

NETMASK 24

RHOST 192.168.1.254

SNAPLEN 65535

TIMEOUT 10

UDP_SECRET 1297303091

Edited April 5, 2010 by Oni

[digininja]

You shouldn't have to set it and actually it isn't used so I'll find a way to either remove it or at least remove the mandatory setting.

[Oni]

Actually, I should stop lying. Im seeing something going on with wireshark nowz. Will investigate after more sleep

final thoughts:

msf auxiliary(exhaust) > run

[*] DHCP attack started

[*] Timeout waiting for OFFER

[*] returning

[*] Got a timeout, assuming DHCP exhausted. You Win

[*] Finished

[*] Auxiliary module execution completed

msf auxiliary(exhaust) > use auxiliary/digininja/dns_mitm/dns_mitm

nslookups on local machine work as planned. Will test with other laptops tomorrow and see how things progress :D

Edited April 5, 2010 by Oni

[joker]

[*] WARNING! The following modules could not be loaded!

/opt/metasploit3/msf3/modules/auxiliary/digininja/dhcp_exhaustion/exhaust.rb: /opt/metasploit3/msf3/modules/auxiliary/digininja/dhcp_exhaustion/exhaust.rb: MissingSourceFile no such file to load -- lib/dhcp

_ _ _ _

| | | | (_) |

_ __ ___ ___| |_ __ _ ___ _ __ | | ___ _| |_

| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __|

| | | | | | __/ || (_| \__ \ |_) | | (_) | | |_

|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__|

| |

|_|

=[ metasploit v3.4.0-dev [core:3.4 api:1.0]

+ -- --=[ 546 exploits - 260 auxiliary

+ -- --=[ 208 payloads - 23 encoders - 8 nops

=[ svn r9185 updated today (2010.05.01)

msf >

u said DHCP attack won't work under Ruby 1.9

but i am running ruby 1.9.2dev (2010-05-01 trunk 27570)

so thats above 1.9

[digininja]

The error message looks like you didn't unpack the tarball correctly so the module can't find the library it needs.

Running under 1.9 means running with or in not greater/less than

[joker]

The error message looks like you didn't unpack the tarball correctly so the module can't find the library it needs.

Running under 1.9 means running with or in not greater/less than

no its all there i checked, in ruby 1.9.1 it just gave error when running (run) but now in 1.9.2 it cant even load

what can i do to make it more verbose

[digininja]

It will not run in any version of ruby from 1.9 onwards, 1.9.1, 1.9.2 and beyond it will fail. It only runs in 1.8.x, as far as I know 1.8.7