##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
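class MetasploitModule < Msf::Post
  # Shape of an acceptable NAMELIST entry. Each entry is interpolated into a
  # command line executed on the session host, so only plain DNS names
  # (letters, digits, '-', '_' and '.') are passed through; anything else is
  # skipped rather than handed to the shell.
  NAME_ENTRY = /\A[A-Za-z0-9_.-]+\z/.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Multi Gather DNS Forward Lookup Bruteforce',
        'Description' => %q{
          Brute force subdomains and hostnames via wordlist.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>'],
        'Platform' => %w[bsd linux osx solaris win],
        'SessionTypes' => [ 'meterpreter', 'shell' ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )
    register_options(
      [
        OptString.new('DOMAIN', [true, 'Domain to do a forward lookup bruteforce against.']),
        OptPath.new('NAMELIST', [
          true, 'List of hostnames or subdomains to use.',
          ::File.join(Msf::Config.data_directory, 'wordlists', 'namelist.txt')
        ])
      ]
    )
  end

  # Run Method for when run command is issued
  #
  # Loads NAMELIST, then resolves "<entry>.<DOMAIN>" on the session host with
  # the platform's lookup tool, running up to session.max_threads lookups per
  # batch. Output is handed to process_win / process_nix, which print and
  # report every address found.
  def run
    domain = datastore['DOMAIN']
    hostlst = datastore['NAMELIST']

    print_status("Performing DNS Forward Lookup Bruteforce for Domain #{domain}")

    name_list = load_name_list(hostlst)
    if name_list.empty?
      print_error("No usable hostnames found in #{hostlst}")
      return
    end

    cmd = lookup_command
    windows = session.platform == 'windows'

    until name_list.empty?
      workers = []
      1.upto(session.max_threads) do
        name = name_list.shift
        break if name.nil?

        workers << framework.threads.spawn("Module(#{refname})", false, name) do |n|
          fqdn = "#{n}.#{domain}"
          vprint_status("Trying #{fqdn}")
          output = cmd_exec(cmd, fqdn)
          if windows
            process_win(output, fqdn)
          else
            process_nix(output, fqdn)
          end
        end
      end
      # Join the whole batch here, outside the spawn loop, so the lookups in a
      # batch actually run concurrently instead of one at a time.
      workers.each(&:join)
    end
  end

  # Process the data returned by nslookup
  #
  # Prints and reports each IP address listed after the "Name:" line of
  # nslookup's output. Output without a "Name:" section is ignored.
  #
  # @param data [String] raw nslookup output from the session
  # @param ns_opt [String] the fully qualified name that was looked up
  def process_win(data, ns_opt)
    return unless data.to_s.match?(/Name/)

    # Remove unnecessary data and get the section with the addresses
    returned_data = data.split(/Name:/)[1]
    # "Name" without a colon (e.g. an error line) leaves no address section.
    return if returned_data.nil?

    # check each element of the array to see if they are IP
    returned_data.gsub(/\r\n\t |\r\n|Aliases:|Addresses:/, ' ').split(' ').each do |e|
      next unless Rex::Socket.dotted_ip?(e)

      print_good("#{ns_opt} #{e}")
      report_host(host: e, name: ns_opt.strip)
    end
  end

  # Kept so callers using the old misspelled name keep working.
  alias proccess_win process_win

  # Process the data returned by the host command
  #
  # Every "<name> has address <ip>" line is printed and reported. The address
  # comes from the session's output, so it is validated before being reported,
  # matching the nslookup path.
  #
  # @param data [String] raw host(1) output from the session
  # @param ns_opt [String] the fully qualified name that was looked up
  def process_nix(data, ns_opt)
    data.to_s.each_line do |line|
      line.scan(/(\S*) has address (\S*)$/).each do |(_name, address)|
        next unless Rex::Socket.dotted_ip?(address)

        print_good("#{ns_opt} #{address}")
        report_host(host: address, name: ns_opt.strip)
      end
    end
  end

  private

  # Read the wordlist at +path+ into an array of stripped entries.
  #
  # Blank lines and entries that do not match NAME_ENTRY are dropped.
  # Returns an empty array when the file does not exist.
  def load_name_list(path)
    return [] unless ::File.exist?(path)

    names = []
    # File.foreach closes the handle itself; a bare File.open(...).each would leak it.
    ::File.foreach(path) do |line|
      entry = line.strip
      names << entry if entry.match?(NAME_ENTRY)
    end
    names
  end

  # Resolver binary to run on the session, chosen by platform.
  def lookup_command
    case session.platform
    when 'windows' then 'nslookup'
    when 'solaris' then '/usr/sbin/host '
    else '/usr/bin/host '
    end
  end
end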