Exploit for Kaminsky DNS Bug Goes Wild

There has been a lot of hype about this one, but this flaw is a real threat and the working exploits are now available in the wild.

To top that, they have already been ported into Metasploit!

I hope all the major ISPs are in a patching frenzy right now and not thinking to themselves that there is no danger.

When Dan Kaminsky disclosed a critical flaw in the net’s address lookup system earlier this month, he said it was crucial that internet service providers and other organizations install patches immediately. He wasn’t kidding.

Security researchers have developed two working exploits that poison vulnerable domain name system servers, allowing attackers to redirect unwitting end users to impostor sites. What’s more, the attack code has been added to Metasploit, a penetration testing tool used to test the security of computers and networks. The program, which is maintained by HD Moore, makes it easy for white hats and black hats alike to exploit vulnerable servers.

It’ll be interesting to see the aftermath of this rapid disclosure; exploits for flaws this serious don’t usually come out so fast, let alone a working exploit that is already coded into an easy-to-use tool like Metasploit!

I wonder how many name servers are currently owned and serving up the wrong records? This could be a boon for phishers.

Some people have complained that Kaminsky’s bug has been shamelessly hyped. We disagree. Should there be widespread exploitation of the flaw, the result would be chaos. Attackers could taint the machines relied on by millions of people. When they typed bankofamerica.com into their browser, they’d have no way of knowing whether they were being directed to the real site or one designed to steal their money. Trust on the internet, as flawed as it may be now, would completely break down.

Currently, the exploits work only on caching servers used by ISPs and other large organizations, but Moore said they could be modified to work against client-side resolvers, which are used on desktop machines. Earlier this month, Microsoft issued an update patching the vulnerability. It was unclear if other OSes are vulnerable.

This is really serious: such DNS caching servers are used by pretty much every large ISP and large corporate entity.

Better watch where you are surfing…but don’t worry, this is the real https://www.darknet.org.uk!

The actual exploits themselves are available here:

CAU-EX-2008-0002.txt & CAU-EX-2008-0003.txt

Source: The Register


25 Responses to Exploit for Kaminsky DNS Bug Goes Wild

  1. cheetz July 25, 2008 at 2:48 pm #

    Tested this in the lab and this is real. The only thing lacking in the metasploit exploits is that it relies on the fact that the DNS server doesn’t use randomized source ports, but this isn’t hard to fix… this could get ugly.
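cheetz’s point that the Metasploit modules only work when the resolver does not randomize its source port can be turned into a quick defender-side check. This is an added example, not code from the post or from Metasploit; it assumes you have already recorded the source port and transaction ID of a few of your resolver’s outbound queries (the three sample captures in it are constructed), and it treats 1024–65535 as the usable port range.

```python
"""Classify how guessable a resolver's outbound DNS queries are.

Added example, not code from the post or from Metasploit. Input is a list
of (source_port, txid) pairs taken from a resolver's upstream queries;
the three captures below are constructed, not real traffic.
"""

TXID_SPACE = 1 << 16                # 16-bit DNS transaction ID
EPHEMERAL_PORTS = 65535 - 1024 + 1  # assumed usable source-port range (64512)

# Constructed samples: a resolver that always sends from UDP/53, a NAT
# device that rewrites the port by adding one per query (comment 17 below),
# and a patched resolver that picks a random port for every query.
FIXED_PORT = [(53, 0x1a2b), (53, 0x9c4d), (53, 0x03e7), (53, 0xf00d), (53, 0x7777)]
INCREMENTING_PORT = [(32001, 0x1a2b), (32002, 0x9c4d), (32003, 0x03e7),
                     (32004, 0xf00d), (32005, 0x7777)]
RANDOM_PORT = [(51234, 0x1a2b), (11873, 0x9c4d), (60021, 0x03e7),
               (2048, 0xf00d), (40417, 0x7777)]


def classify(values):
    """Return 'fixed', 'incrementing' or 'random' for a list of ports or IDs."""
    if len(set(values)) == 1:
        return "fixed"
    if all(b - a == 1 for a, b in zip(values, values[1:])):
        return "incrementing"
    return "random"


def guess_space(samples):
    """Number of (port, txid) combinations a forged reply must hit.

    A fixed or incrementing field is predictable from one observed query and
    adds nothing; only a genuinely random field enlarges the space.
    """
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    space = 1
    if classify(ports) == "random":
        space *= EPHEMERAL_PORTS
    if classify(txids) == "random":
        space *= TXID_SPACE
    return space


def burst_success_probability(samples, forged_replies):
    """Chance that a burst of forged replies, all sent while one query is
    outstanding, contains one that matches the query's port and TXID."""
    return 1 - (1 - 1 / guess_space(samples)) ** forged_replies


if __name__ == "__main__":
    for name, s in (("fixed", FIXED_PORT), ("nat", INCREMENTING_PORT),
                    ("random", RANDOM_PORT)):
        print(name, classify([p for p, _ in s]), guess_space(s),
              f"{burst_success_probability(s, 100):.2e}")
```

With only the 16-bit TXID as a secret, a burst of 100 forged replies has roughly a 1 in 650 chance per race; with a random port as well it drops by a factor of about 64,000, which is why the patch matters.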

  2. Navin July 25, 2008 at 5:07 pm #

    It’s seriously something that most people overlook….at most (for security) they look at the address bar to ensure they are on the right site. It’s really critical that these errors are patched up….or else who knows……even typing in a valid web address may not take you to the required destination!!

    @ cheetz, not all DNS servers use randomized source ports you know…..so even metasploit will come to the aid of hackers!!

    Just one thing, perhaps an expert on the topic could answer it for me….how exactly does server identification work in DNS? Let me explain….When they typed bankofamerica.com into their browser….and with this flaw let’s consider 2 servers, one in the US (legitimate bank site) and another in (let’s randomly say) China. Probability wise, what’ll be the possibility of a BoA account user in the US of getting onto the legitimate site?? 50% or even more considering that the servers are closer to the location of the user (the server ping reaches the BoA server faster….by milliseconds I guess)

  3. sids911 July 26, 2008 at 10:30 am #

    Hi Navin,

    The downstream DNS servers of ISPs take into account the authorization which comes from upstream (or even root) DNS servers. That’s how they maintain the integrity of critical entries.
    That said, the incorrect web caches propagating around is a serious issue, and Kaminsky and a few organizations made sure that this vulnerability was known to vendors before it was announced (inadvertently maybe!).
    Dan Bernstein and other vendors (like M$) have issued solutions/patches, and it’s up to internet security teams now that these patches are deployed ASAP. Let’s wait and watch!

  4. Navin July 26, 2008 at 11:55 am #

    OK, so you’re saying that major ISPs already know about the flaw and have had quite a bit of time to fix these major gaps….in that case consider this situation.

    Some bloke has his service provided by an ISP which “unfortunately” has not patched the flaw in the DNS system. If the bloke gets phished through a site which is well designed and exploits this flaw, then will he be able to sue the ISP for his financial losses?? After all, it was the ISP’s fault for not having fixed the DNS error, right?

  5. razta July 26, 2008 at 3:26 pm #

    Check to see if your DNS server is still vulnerable:


    Click on “Check my DNS”

  6. Navin July 26, 2008 at 4:04 pm #

    @ razta thanks for the link man.

    My results
    Your name server, at xxx.xxx.xxx.xxx, appears vulnerable to DNS Cache Poisoning.

    Due to events outside our control, details of the vulnerability have been leaked. Please consider using a safe DNS server, such as OpenDNS. Note: Comcast users should not worry.

    Aaaaaaaaaaaaaaaaaaaaaaaaaaaaahhhhhhh!! Damn you ISPs!!

  7. zupakomputer July 26, 2008 at 5:29 pm #

    Mine comes up the same when I check it there at doxpara.

    How exactly does the exploit work though – does it display the URL of what you wanted in your browser, but instead of going to that URL it went to another one?

    I know that, well it should do this anyway, when you first look up a website it should check the domain name with one of the (12? or are there more now?) root DNS servers, and thereafter it may indeed rely on other servers or your browser cache.

    Not more than one registration of the same domain name can exist, hence why when you buy a domain you have to check what ones are available first – so how is the exploit changing what IP matches to what domain name? What I mean is: say you suspect you’re at a site that is a fake, so if you run something like nslookup or traceroute or anything that resolves a domain name to an IP address (and vice versa) – will the exploit have actually changed those records on the whole internet?

  8. Navin July 26, 2008 at 6:47 pm #

    Yawn….nearing midnight here…..
    @zupakomputer (U really gotta get a shorter screenname that I can type quickly!! ;))
    Firstly, from Wikipedia
    There are thirteen root servers that are authoritative for queries to the global DNS root zone. The number has been limited to 13, because a single IP packet can only be guaranteed to be unfragmented to a limit of 576 bytes (in IPv4). While it is possible to fit 15 entries into a packet of this size, 13 was chosen as a reliable limit.

    Secondly, from http://www.caughq.org/exploits/CAU-EX-2008-0002.txt (Exploit No.1, which is expected to be more widely used by phishers):
    This exploit targets a fairly ubiquitous flaw in DNS implementations which allows the insertion of malicious DNS records into the cache of the target nameserver. This exploit caches a single malicious host entry into the target nameserver. By causing the target nameserver to query for random hostnames at the target domain, the attacker can spoof a response to the target server including an answer for the query, an authority server record, and an additional record for that server, causing the target nameserver to insert the additional record into the cache.

    From http://www.caughq.org/exploits/CAU-EX-2008-0003.txt (Exploit No.2….more dangerous, in my opinion (read the last line)):
    This exploit caches a single malicious nameserver entry into the target nameserver which replaces the legitimate nameservers for the target domain. By causing the target nameserver to query for random hostnames at the target domain, the attacker can spoof a response to the target server including an answer for the query, an authority server record, and an additional record for that server, causing the target nameserver to insert the additional record into the cache. This insertion completely replaces the original nameserver records for the target domain.

    Hope that answers your questions

    Good Night!!

    BTW: I mistyped zupakomputer’s name in the moocherhunter article so I apologise….I’m just bad at such spellings; computer is spelled with a “c”. I won my state spelling bee you know……

  9. grav July 26, 2008 at 10:28 pm #

    Only on a hacking website…
    Here’s the exploit, it’s dangerous!!! It could bring worldwide confusion and panic. By the way, download it here:


    Ironic isn’t it?

  10. Navin July 27, 2008 at 11:46 am #

    Agreed, but from sids911’s comment it’s pretty clear that major ISPs have had more than enough time to patch the holes in the domain name server systems. And rather than the exploits being leaked online by some sneaky darkhatter, isn’t it better that Dan gets to hog the limelight?? C’mon, perhaps these exploits are just two of 10-15 that all ISPs already know about…..we’ll just have to wait and watch!!

  11. zupakomputer July 28, 2008 at 4:22 pm #

    Just use ‘zupa’ that’s what most folk do!

    Cheers for all that info, but I’m still wondering – does a successful exploit display the correct (real website) URL (or URI depending on who you ask / what you read / what fake parallel universe you woke up in ) in the address bar?

  12. sids911 July 29, 2008 at 8:05 am #

    @Zupa, for a DNS cache poisoning…Yes. For a redirection…No.

  13. zupakomputer July 29, 2008 at 2:20 pm #

    Well, that is a problem then. Maybe they should have the root name servers do automatic periodic updates and refreshes to ensure the right domain names to IPs are being served downtheways. Or more realistically, that should become a feature that the domains / servers themselves do (at whatever intervals).
    It wouldn’t cure it entirely, as in theory there’d still be time gaps when an exploit could be run (if it were refreshed daily for example) but it’d certainly identify what servers and IPs and so forth were spoofing the real versions much more often, meaning they can be locked out or similar more easily.
    Or perhaps they could use a process like any old free e-mail etc does to verify a password change: i.e. not let a domain name to IP be altered unless it’s verified by the account holder that set it up.

    To be honest, the fact that such things aren’t being refreshed regularly is a really shoddy design fault. I mean hell it’s computers and all automated anyway, it wouldn’t take long to include a little script like that and send some traffic from the roots to the other name server levels, and back again.

    Reminds me again of that computer factory I worked at – there were two main builds handled, and one was a bigger pain to deal with than the other. Someone mentioned one day about the covers being a design fault (following vast amounts of complaints that they just didn’t fit / got stuck / sliced your fingers), and the reply back was “that whole machine is a design fault”.
    I can still hear the computers laughing; the only comforting part about it.

  14. Navin July 29, 2008 at 5:44 pm #

    From what I have understood, even if it is updated at a quick rate, the root server will detect no error because the server depends on its cache to detect if the data requested is the same as data received……at least that is how I think a root server functions

    I might be wrong….do correct me if I am

  15. sids911 July 31, 2008 at 8:06 am #

    @zupa and @Navin – The root servers are what their name suggests. They are like the roots of a tree, they are THE resolvers. They don’t take updates from just about anyone. There is a method in this chaos, the delegated root zone file is published ONLY via ICANN. The Top Level Domain (TLD) DNS servers are usually the ones which service the DNS requests and exceptional cases go to the roots.
    BTW, I am seeing frames in my google results page, sign of things to come!??

  16. zupakomputer July 31, 2008 at 1:25 pm #

    Right – so, as should have been part of the default design in the first place, ANY nameserver that holds information on what domains are linked to what IPs should ENSURE that their information held matches the ICANN data on the root servers. They should be checking that.

    That doesn’t mean anyone with an IP won’t be able to host their own services from home and would have to register a domain or anything, but it does mean that if you do register a domain and redirects, then there’s zero possibility of your domains being linked to IPs that are not your IPs.

  17. Morgan Storey July 31, 2008 at 2:56 pm #

    eeeep. Well all my company’s DNS servers and NAT devices are already patched, thanks to my incessant rss reading.
    So now it is in Metasploit, DNS behind NAT that just increments the number by one is going to be pwned, awesome. Note to router vendors: release a patch.

  18. Navin July 31, 2008 at 4:07 pm #

    Offtopic: Hey I might have just figured it out……I mean the reason why all of us are constantly getting this WS-Spamfree error page while posting comments. Get ready for this…….It’s because we use Firefox. I know this may sound absolutely unbelievable and probably wrong (coz I dunno what browser U guys use) but this actually worked for me. I tried commenting with Firefox on four different articles on darknet and another wordpress blog which uses the same spam filter multiple times and every time I reached the Javascript/cookies appears to be turned on page. Then I copied my comments onto Notepad and then tried posting them with Internet exploDer explorer and guess what…. all of them got posted without any problems whatsoever!! Try it and tell me if I’m right please. If this posts successfully the first time, it’ll be the 6th consecutive comment (both blogs combined) which has been passed by WP-Spamfree as non-spam. Hmm….. Darknet’s been anti IE for as long as I can remember and it’s ironic that something like this happens on this very blog…hehe :)

  19. Navin July 31, 2008 at 4:48 pm #

    @ darknet, a follow up perhaps to the kaminsky story.

    “HD Moore has been pwned. That’s hacker talk, meaning that Moore, the creator of the popular Metasploit hacking toolkit, has become the victim of a computer attack. It happened on Tuesday morning, when Moore’s company, BreakingPoint, had some of its Internet traffic redirected to a fake Google page that was being run by a scammer. According to Moore, the hacker was able to do this by launching what’s known as a cache poisoning attack on a DNS server on AT&T’s network that was serving the Austin, Texas, area. One of BreakingPoint’s servers was forwarding DNS (Domain Name System) traffic to the AT&T server, so when it was compromised, so was HD Moore’s company. When Moore tried to visit Google.com, he was actually redirected to a fake page that served up a Google page in one HTML frame along with three other pages designed to automatically click on advertisements.

    No BreakingPoint computer was actually compromised by the incident, but it was still pretty annoying. In early July, computer security experts began warning this type of cache poisoning attack could be pulled off much more easily than previously thought, thanks to a new technique. Early last week, technical details of this attack were leaked to the Internet, and HD Moore’s Metasploit project quickly released the first software that exploited this tactic.

    Now he’s one of the first victims of such an attack. “It’s funny,” he joked, “I got owned.” Things may not be so funny to ISPs who are scrambling to roll out patches to their DNS software before these attacks become more widespread.”

    Read More at the link below

  20. zupakomputer July 31, 2008 at 4:58 pm #

    I haven’t had an updated IE online for ages so I can’t test that out; I’m using Seamonkey here.

    Mine is back to normal – now it just prevents comments going through if I’ve been typing on the page so long that it’s timed out.

  21. zupakomputer July 31, 2008 at 5:00 pm #

    You know, this whole topic isn’t much different from all the claims that various officials are replaced with lookalikes and then some. Sometimes at their own behest, no less.

  22. Navin July 31, 2008 at 5:06 pm #

    First of all…..huh?? and secondly, sids911 said -I am seeing frames in my google results page, sign of things to come?

    watch out mate, you may be a victim of a similar attack!

  23. zupakomputer July 31, 2008 at 5:21 pm #

    It’s nothing new (the idea of original people being replaced) – the same soap operas of the gods and illuminati are described in the Vedas etc also.

    =And so-and-so redirected his rival and nemesis to the honeytrap he had laid out, and lo it was so sticky that they became trapped for generations, in which time so-and-so sired 20 children with thingy’s wife whilst pretending to be thingy

    until an angel / root server did notice this transgression, and appeared to thingy’s wife in a dream / automatic update=

    ……..the usual.

  24. Morgan Storey August 1, 2008 at 8:28 am #

    @navin: it would be hard to be Moore, metasploit would constantly be scanned, prodded and probed, any weakness would be exploited quicker than it took you to read this.
    On the posting issue, I am no longer getting the issue in Firefox, but I can confirm that when I was getting it in Firefox I tried IE on another computer on my LAN and had the same issue, so I don’t think it is just Firefox.

    ONTOPIC: Metasploit is really a damn good framework, I really must play with it more.

  25. Morgan Storey August 27, 2008 at 10:02 am #

    Just thought I’d let everyone know the video is now available of Dan’s talk; having listened to the audio, it was very interesting to hear all the players’ sides of things, a bit light on the detail but ah well.