Part of our normal pen test process, when performing an external assessment, is running a Nessus scan against the in-scope IP range(s) provided by our customer. We usually have this running in the background while carrying out our own analysis against the same IP ranges. On a past assessment, we started with this same process. After some time went by, I checked the scan results we had so far and found an interesting vulnerability listed. Specifically, Nessus plugin 35372:
Looking at the finding details, Nessus also provided the DNS zone that is vulnerable to modification. However, one thing I didn't see was an existing tool that would let me perform the record injection attack (see the note below). I had only seen a similar finding on an internal assessment, and in that case I used dnsfun. I wasn't sure dnsfun would work in this case, though, and I wanted to learn how to write a script that performs this attack myself, so I decided to do just that.
I started off by reading RFC 2136, and learned that I'm going to need to specify the zone whose records I want to modify (add or remove), the resource record itself that will be added or removed, and the DNS packet's opcode, which must be set to 5 (Update). This is something that can be done easily with scapy.
The great thing about scapy is that you can define any specific packet attribute values you wish (ttl, record type, etc.), and the attributes you don't specify are automatically populated by scapy with sensible values. The above code states that I want to send a packet to a specific destination, that it is a DNS packet over UDP with the opcode set to 5 (Update), and that the DNS-specific fields are filled in from the command line options provided by the user. And… that's it!
I wrapped this up into a script that lets you add or delete A records on a vulnerable name server pretty easily. It's called, simply, DNSInject.
To add a record with DNSInject.py, specify the add action, the vulnerable name server, the A record you wish to create, and the IP it will point to. Your command should look similar to the following:
./DNSInject.py --add -ns 192.168.23.1 -d thisisa.test.local -ip 192.168.23.5
To delete a record, you only need to provide the vulnerable name server and the record to delete. Again, your command should look similar to the following:
./DNSInject.py --delete -ns 192.168.23.1 -d thisisa.test.local
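For the defensive side of the same finding, here is an added example (not part of the original post or of DNSInject) that parses RFC 2136 UPDATE messages the way the post describes them, opcode 5 plus a zone section and the records to change, and flags any update that arrives from a host outside an allow-list; the sample packet, names and addresses are constructed placeholders.

```python
# Added example, not from the original post or DNSInject: parse RFC 2136
# UPDATE messages and flag ones sent by hosts outside an allow-list.
import struct
import ipaddress

OPCODE_UPDATE = 5  # the opcode DNSInject sets (RFC 2136 section 2)

def encode_name(name):
    # Dotted name -> DNS wire labels (used here only to build the sample)
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def decode_name(data, off):
    """Read an uncompressed wire name; return (name, offset after it)."""
    labels = []
    while data[off]:
        labels.append(data[off + 1:off + 1 + data[off]].decode())
        off += 1 + data[off]
    return ".".join(labels), off + 1

def read_rr(data, off):
    # One resource record -> (name, rtype, rdata, next offset)
    name, off = decode_name(data, off)
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
    off += 10
    return name, rtype, data[off:off + rdlen], off + rdlen

def parse_update(data):
    """Return {'opcode', 'zone', 'records'}; zone/records filled only for UPDATE."""
    _id, flags, zocount, prcount, upcount, _ad = struct.unpack("!6H", data[:12])
    opcode = (flags >> 11) & 0xF
    info = {"opcode": opcode, "zone": None, "records": []}
    if opcode != OPCODE_UPDATE or zocount != 1:
        return info
    info["zone"], off = decode_name(data, 12)
    off += 4  # skip ZTYPE and ZCLASS
    for _ in range(prcount):  # prerequisite section: not needed here
        _, _, _, off = read_rr(data, off)
    for _ in range(upcount):  # update section: the records being added/removed
        name, rtype, rdata, off = read_rr(data, off)
        info["records"].append((name, rtype, rdata))
    return info

def unauthorized_update(data, src_ip, allowed_updaters):
    """True when the message is an UPDATE from a host outside the allow-list."""
    info = parse_update(data)
    return info["opcode"] == OPCODE_UPDATE and src_ip not in allowed_updaters

# Constructed sample: UPDATE adding thisisa.test.local A 192.168.23.5 (placeholder values)
SAMPLE_UPDATE = (
    struct.pack("!6H", 0x1234, OPCODE_UPDATE << 11, 1, 0, 1, 0)
    + encode_name("test.local") + struct.pack("!HH", 6, 1)  # zone: SOA, IN
    + encode_name("thisisa.test.local") + struct.pack("!HHIH", 1, 1, 300, 4)
    + ipaddress.IPv4Address("192.168.23.5").packed
)
```

Feeding captured UDP/53 payloads through unauthorized_update with the addresses of your legitimate DHCP/AD updaters as the allow-list gives a simple detector for the condition Nessus plugin 35372 reports.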
To get and use DNSInject, just clone the following GitHub repo: https://github.com/ChrisTruncer/PenTestScripts
Hope this helps, and if you have any questions, feel free to ask!
Note: Of course, after finishing this script, I discovered two other options that can carry out this attack, so I wanted to be sure to mention them. Scapy has a built-in function to both add and delete records, and you could also use nsupdate. Definitely be sure to check out those options as well!