20080816 metasploit and the kaminsky dns exploit - plembo/onemoretech GitHub Wiki

title: Metasploit and the Kaminsky DNS exploit
link: https://onemoretech.wordpress.com/2008/08/16/metasploit-and-the-kaminsky-dns-exploit/
author: lembobro
description:
post_id: 472
created: 2008/08/16 06:10:02
created_gmt: 2008/08/16 06:10:02
comment_status: open
post_name: metasploit-and-the-kaminsky-dns-exploit
status: publish
post_type: post

Metasploit and the Kaminsky DNS exploit

As you may have heard elsewhere, Kaminsky’s DNS exploit has been added to the modules available in the latest build of Metasploit.

Don’t bother downloading the tarfile for this; it’s not up to date. What you need to do is use subversion to check out the latest code.

First, create a directory and permission it appropriately. In my case I created a user named metasploit with a home directory of /opt/metasploit, who is part of my standard staff group.

Then I logged in as metasploit and cd’d to ~/ to run the following command:

svn co http://metasploit.com/svn/framework3/trunk

This created /opt/metasploit/trunk. I renamed it to /opt/metasploit/framework using mv and then added this path to $PATH in metasploit’s .bash_profile for good measure.

The relevant modules are under the auxiliary branch, as follows:

spoof/dns/bailiwicked_domain
spoof/dns/bailiwicked_host
spoof/dns/compare_results
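As an added example (not code from the original post or from the Metasploit project), here is the setup described above written as a POSIX shell script: create the dedicated user, check out trunk into its home, rename the checkout to framework, and add that directory to PATH in the user's .bash_profile, idempotently so re-running the script does not pile up duplicate lines. It also includes a helper that turns the three module names listed above into file paths, on the assumption (mine, not stated in the post) that auxiliary modules live under modules/auxiliary/ in the checked-out tree with a .rb extension. The user, home directory and group names are the ones from the post; they can be overridden through environment variables, and a staff group is assumed to exist.

```shell
#!/bin/sh
# Added example: reproduce the Metasploit trunk setup from the post.
# Assumptions: svn is installed, the script is run as root, and the
# "staff" group already exists (all three mirror the post's environment).
set -eu

MSF_USER="${MSF_USER:-metasploit}"
MSF_HOME="${MSF_HOME:-/opt/metasploit}"
MSF_GROUP="${MSF_GROUP:-staff}"
SVN_URL="http://metasploit.com/svn/framework3/trunk"

# Append "export PATH=dir:$PATH" to a profile file only if that exact
# line is not already there, so repeated runs stay idempotent.
add_path_entry() {
  profile="$1"
  dir="$2"
  line="export PATH=\"$dir:\$PATH\""
  touch "$profile"
  if ! grep -qxF "$line" "$profile"; then
    printf '%s\n' "$line" >> "$profile"
  fi
}

# Print the on-disk path of each DNS module named in the post, relative
# to the framework root. The modules/auxiliary/ prefix and the .rb
# extension are assumptions about the trunk layout, not from the post.
list_dns_modules() {
  root="$1"
  for m in bailiwicked_domain bailiwicked_host compare_results; do
    printf '%s\n' "$root/modules/auxiliary/spoof/dns/$m.rb"
  done
}

# Full procedure: dedicated user, checkout, rename, PATH entry.
setup_framework() {
  if ! id "$MSF_USER" >/dev/null 2>&1; then
    useradd -m -d "$MSF_HOME" -g "$MSF_GROUP" "$MSF_USER"
  fi
  # Check out as the unprivileged user, then rename trunk -> framework.
  su - "$MSF_USER" -c "svn co $SVN_URL && mv trunk framework"
  add_path_entry "$MSF_HOME/.bash_profile" "$MSF_HOME/framework"
  list_dns_modules "$MSF_HOME/framework"
}

# Only perform the (root-requiring) setup when explicitly asked to.
if [ "${1:-}" = "--run" ]; then
  setup_framework
fi
```

Invoke it as `sh setup-msf.sh --run` from a root shell; without the flag it only defines the functions, which makes the PATH helper and the module listing easy to exercise on their own.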

The Metasploit Blog has some articles covering these, starting with this.

Running these auxiliary modules for the first time was quite an experience. Documentation isn’t just sparse, it’s nonexistent. After guessing at a couple of the input parameters I got the domain and host exploits to work. Of course they failed to compromise the name server I pointed them at, both because it’s been patched and has been configured with a particular directive in named.conf that I have the luxury of running in my small home environment. Still, it was useful to see the tool actually work through the attempt.

Note that because these DNS exploits use raw sockets, you’ll have to run metasploit as root and not your special system user.

Copyright 2004-2019 Phil Lembo