Metasploit Dns And Dhcp Exhaustion


digininja

I've just updated my Metasploit DHCP and DNS server modules on my site. You can get them, and more information on how to use them, from:

http://www.digininja.org/metasploit/dns_dhcp_beta.php

As a bonus I've also updated my sound plug-in so that it now reads the IP address and port number of the victim who connected to you.

http://www.digininja.org/metasploit/session_created.php

Enjoy.

Link to comment
Share on other sites

  • 3 weeks later...
I try this and this is what I get, step by step:

With DHCP exhaustion


msf > use auxiliary/digininja/dhcp_exhaustion/exhaust 
msf auxiliary(exhaust) > set


Global
======

No entries in data store.

Module: digininja/dhcp_exhaustion/exhaust
=========================================

  Name        Value
  ----        -----
  DHCPSERVER  255.255.255.255
  NETMASK     24
  SNAPLEN     65535
  TIMEOUT     10
  UDP_SECRET  1297303091

msf auxiliary(exhaust) > run
[-] Auxiliary failed: Msf::OptionValidateError The following options failed to validate: RHOST.

and with DNS MiTM

msf auxiliary(exhaust) > use auxiliary/digininja/dns_mitm/dns_mitm 
msf auxiliary(dns_mitm) > set

Global
======

No entries in data store.

Module: digininja/dns_mitm/dns_mitm
===================================

  Name     Value
  ----     -----
  RELOAD   digininja.reload
  SRVHOST  0.0.0.0
  SRVPORT  53

msf auxiliary(dns_mitm) > run
[-] Auxiliary failed: Msf::OptionValidateError The following options failed to validate: REALDNS, FILENAME.

msf auxiliary(dns_mitm) > set FILENAME /usr/scr/metasploit/auxiliary/dns_mitm/dns.txt
FILENAME => /usr/scr/metasploit/auxiliary/dns_mitm/dns.txt

msf auxiliary(dns_mitm) > set REALDNS 192.168.0.8
REALDNS => 192.168.0.8

msf auxiliary(dns_mitm) > set

Global
======

No entries in data store.

Module: digininja/dns_mitm/dns_mitm
===================================

  Name      Value
  ----      -----
  FILENAME  /usr/scr/metasploit/auxiliary/dns_mitm/dns.txt
  REALDNS   192.168.0.8
  RELOAD    digininja.reload
  SRVHOST   0.0.0.0
  SRVPORT   53

msf auxiliary(dns_mitm) > run
[*] Auxiliary module execution completed
msf auxiliary(dns_mitm) > 
[*] Loading hosts file
[*] Could not open /usr/scr/metasploit/auxiliary/dns_mitm/dns.txt for reading. Quitting.

Any help will be sweet.

Thanks

Link to comment
Share on other sites

You probably did not unpack all required files.

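Try this:

#!/bin/bash
# Download Metasploit 3.3.3 and the DNS/DHCP module tarball into ./stuff
mkdir -p stuff
cd stuff || exit 1
wget http://www.metasploit.com/releases/framework-3.3.3.tar.bz2
wget http://www.digininja.org/files/msf_dns_dhcp.tar.bz2
# -j selects bzip2 explicitly for tar versions that do not auto-detect it
tar -xjf framework-3.3.3.tar.bz2
# Unpack the module tarball inside the framework directory
tar -C msf3 -xjf msf_dns_dhcp.tar.bz2
# Put eth0 into promiscuous mode (needs root)
ifconfig eth0 promisc
echo "/***********************/"
echo "/        E   N  D       */"
echo "/  go to stuff/msf3     */"
echo "/  and run msfconsole   */"
echo "/***********************/"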

/edit

I see there is a little problem with text formatting ;p but it works fine for me

Edited by Bercik
Link to comment
Share on other sites

If you read the error message then you can see what is going on:

line 77 [*] Could not open /usr/scr/metasploit/auxiliary/dns_mitm/dns.txt for reading. Quitting.

And is 192.168.0.8 your real dns server?

Link to comment
Share on other sites

Hi, I got everything installed I think, but I'm getting a little error.

Any help appreciated.

[*] DHCP attack started
[*] DHCP offer of address: 192.168.1.112
Timeout waiting for ACK
[*] Error: return can't jump across threads
(eval):171:in `run'
/opt/metasploit3/msf3/lib/msf/base/simple/auxiliary.rb:94:in `job_run_proc'
/opt/metasploit3/msf3/lib/msf/base/simple/auxiliary.rb:73:in `run_simple'
/opt/metasploit3/msf3/lib/msf/base/simple/auxiliary.rb:82:in `run_simple'
/opt/metasploit3/msf3/lib/msf/ui/console/command_dispatcher/auxiliary.rb:143:in `cmd_run'
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:239:in `send'
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:239:in `run_command'
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:201:in `run_single'
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:195:in `each'
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:195:in `run_single'
/opt/metasploit3/msf3/lib/rex/ui/text/shell.rb:144:in `run'
./msfconsole:93

Link to comment
Share on other sites

Ye, the DHCP attack doesn't work with ruby 1.9 due to a change they made to jumping around. I'm not sure how to fix it and at the moment a bit too busy. Best solution is to install the rvm gem and roll back to a 1.8 release to use this attack.

I've added a note to my site about this.

Link to comment
Share on other sites
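
The failure described in the post above, reduced to a few lines, as an added example that is not the module's code or anything posted in this thread: it assumes the module issued `return` from inside code running on a worker thread (the thread does not show that code), and the method names are hypothetical. On current Ruby releases the construct raises LocalJumpError; handing the result back through Thread#value avoids the cross-thread jump.

```ruby
require 'timeout'

# Breaks: `return` inside a block running on another thread. The method
# frame it wants to return to is not on that thread's stack.
def wait_with_return(queue, seconds)
  worker = Thread.new do
    Thread.current.report_on_exception = false # join below re-raises instead
    begin
      Timeout.timeout(seconds) { return queue.pop } # non-local return
    rescue Timeout::Error
      return :timeout
    end
  end
  worker.join # the thread's exception surfaces here
  :not_reached
end

# Works regardless of which thread runs the block: the block's last
# expression becomes the thread's value, and Thread#value joins and
# hands it to the calling thread.
def wait_with_value(queue, seconds)
  worker = Thread.new do
    begin
      Timeout.timeout(seconds) { queue.pop }
    rescue Timeout::Error
      :timeout
    end
  end
  worker.value
end

# Helper for the demo: report which exception the broken form raises.
def failure_class(queue, seconds)
  wait_with_return(queue, seconds)
rescue LocalJumpError => e
  e.class
end

if __FILE__ == $PROGRAM_NAME
  reply = Queue.new # constructed stand-in for "a reply arrived"
  reply << :ack
  puts "return in thread -> #{failure_class(reply, 1)}"
  reply << :ack
  puts "thread value     -> #{wait_with_value(reply, 1)}"
  puts "no reply         -> #{wait_with_value(Queue.new, 0.2)}"
end
```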

Going to be a pain here and say, are you sure? I'm on 1.8.7 and it works fine, if I roll forward to 1.9.x then it fails with that error. Everyone else who has reported that error is also on 1.9.

Some distros allow multiple versions of ruby. A way to check from within metasploit is to start an irb shell:

msf auxiliary(exhaust) > irb
[*] Starting IRB shell...
>> RUBY_VERSION
=> "1.8.7"

Link to comment
Share on other sites

When I put it in, this is what I get.

msf auxiliary(exhaust) > irb
[*] Starting IRB shell...

/usr/lib/ruby/1.8/i486-linux/readline.so: warning: already initialized constant HISTORY
/usr/lib/ruby/1.8/i486-linux/readline.so: warning: already initialized constant FILENAME_COMPLETION_PROC
/usr/lib/ruby/1.8/i486-linux/readline.so: warning: already initialized constant USERNAME_COMPLETION_PROC
/usr/lib/ruby/1.8/i486-linux/readline.so: warning: already initialized constant VERSION
>>

Edit: BTW I'm running Backtrack 4 Final.

Also, when I run rvm list I get this:

root@bt:/pentest/exploits/framework3# rvm list

rvm Rubies

   ruby-1.8.7-p249 [ i386 ]

System Ruby

   system [ ]

root@bt:/pentest/exploits/framework3#

Edited by lief480
Link to comment
Share on other sites

That definitely looks like a 1.8 release, in which case I've no idea what is going on; every 1.8 machine I've run it on has worked.

The bug needs fixing so I'll look at it at some point but over the next few days I know I'm busy so it could be a while.

Link to comment
Share on other sites

Arg! I get the RHOST error as well. I'm working with the SVN version of Metasploit. I believe there are two dirs within the zip: a lib and a modules dir. I've copied these into my Metasploit dir and although msf picks them up, I still get this little error. I'm new to Metasploit so it's likely something I've missed. Running Ruby 1.8.7 atm.

Link to comment
Share on other sites

And so do I!

Looks like it is a new mandatory field, I'll have an ask on the Metasploit mail list and see what they say about how to fix it. I'll report back as soon as I have news.

Link to comment
Share on other sites

Ok sorry, jumped too soon. Set the RHOST and started the attack. Not sure on exact settings TBH. I had to install pcaprub with gem and then set INTERFACE to wlan0 as well as setting the RHOST. Not sure what the RHOST variable does in the exhaustion attack. Sadly it seems that no packets are being sent out the router/dns server as Wireshark isn't showing any :(

msf auxiliary(exhaust) > set

Global
======

No entries in data store.

Module: digininja/dhcp_exhaustion/exhaust
=========================================

  Name        Value
  ----        -----
  DEVICE      wlan0
  DHCPSERVER  192.168.1.254
  INTERFACE   wlan0
  NETMASK     24
  RHOST       192.168.1.254
  SNAPLEN     65535
  TIMEOUT     10
  UDP_SECRET  1297303091

Edited by Oni
Link to comment
Share on other sites

Actually, I should stop lying. I'm seeing something going on with Wireshark nowz. Will investigate after more sleep.

Final thoughts:

msf auxiliary(exhaust) > run
[*] DHCP attack started
[*] Timeout waiting for OFFER
[*] returning
[*] Got a timeout, assuming DHCP exhausted. You Win
[*] Finished
[*] Auxiliary module execution completed
msf auxiliary(exhaust) > use auxiliary/digininja/dns_mitm/dns_mitm

nslookups on local machine work as planned. Will test with other laptops tomorrow and see how things progress :D

Edited by Oni
Link to comment
Share on other sites

  • 4 weeks later...

[*] WARNING! The following modules could not be loaded!

/opt/metasploit3/msf3/modules/auxiliary/digininja/dhcp_exhaustion/exhaust.rb: /opt/metasploit3/msf3/modules/auxiliary/digininja/dhcp_exhaustion/exhaust.rb: MissingSourceFile no such file to load -- lib/dhcp

                _                  _       _ _
               | |                | |     (_) |
 _ __ ___   ___| |_ __ _ ___ _ __ | | ___  _| |_
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __|
| | | | | |  __/ || (_| \__ \ |_) | | (_) | | |_
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__|
                            | |
                            |_|

       =[ metasploit v3.4.0-dev [core:3.4 api:1.0]
+ -- --=[ 546 exploits - 260 auxiliary
+ -- --=[ 208 payloads - 23 encoders - 8 nops
       =[ svn r9185 updated today (2010.05.01)

msf >

You said the DHCP attack won't work under Ruby 1.9,

but I am running ruby 1.9.2dev (2010-05-01 trunk 27570),

so that's above 1.9.

Link to comment
Share on other sites

The error message looks like you didn't unpack the tarball correctly so the module can't find the library it needs.

Running under 1.9 means running with or in, not greater/less than.

Link to comment
Share on other sites

No, it's all there, I checked. In Ruby 1.9.1 it just gave an error when running (run), but now in 1.9.2 it can't even load.

What can I do to make it more verbose?

Link to comment
Share on other sites
