Using an automated script to hack every DNS Server and use it to attack a target
I regularly receive reader mail that presents some interesting problems and solutions. Many articles, and consequently scripts, focus on automating the setup and configuration of Microsoft Internet Information Services (IIS) 5.0 Web sites. I’ve written many such articles and scripts and even shown readers how to use Windows Management Instrumentation (WMI) to set up and configure IIS 5.0 remotely. (The WMI Web-exclusive article and code are available at http://www.winnetmag.com, InstantDoc ID 9100.)
By creating a script to automate the DNS setup and configuration, Adam has saved himself a lot of time in the routine process of creating new Web sites. Let’s look at the inner workings of the script so that you can use it in your own shop. You can download the code from http://www.winscriptingsolutions.com, InstantDoc ID 37719. For an alternative approach that uses WMI, see the sidebar “Using WMI to Automatically Configure DNS,” page 2.
Deconstructing DNS To learn the DNS structure, Adam used the Microsoft Management Console (MMC) ADSI Edit snap-in from the Microsoft Internet Information Server Resource Kit**. ADSI Edit lets you view all the attributes for each DNS object and, in turn, look up each DNS object on the Microsoft Developer Network (MSDN). For example, you can find the Dns-Node attributes listed at http://msdn.microsoft.com/library/default.asp? url=/library/en-us/adschema/ad/win2k_c_dnsnode.asp. (Dns-Nodes are the Active Directory—AD—components that store the DNS resource records for each host.) After Adam identified the DNS structure, all he had to do was look at the values for each attribute and determine how to write the new values. However, determining the new values isn’t as simple as it might seem.**
Microsoft stores all DNS data in Octet-string format, which might be a “hangover” from UNIX because no other data in the Microsoft platform is persisted in structured storage in Octet format. Using Active Directory Service Interfaces (ADSI) to query the data is simple, but the data is virtually unreadable in Octet format. Fortunately, a COM component known as ArrayConvert, which is available at http://support.microsoft.com/?kbid=250344, lets you convert Octet data to hexadecimal data and vice versa. After the data is in hex format, converting it to decimal is a simple process.
Ads.dll, the library file containing the ArrayConvert function, is easy to install. You must first download the executable that contains the COM component and run the file to extract the necessary files to a specified location. To use the functions within the COM component from VBScript, you register the ads.dll COM component by clicking Start, Run and typing
where path is the location in which you saved the extracted files.
After Adam converted the DNS data from Octet format to hex format and then converted the hex format to decimal format, the data was readable and, consequently, easier to work with. Most DNS zones have a host (A) record that adds the www prefix to the domain. The only coded information in the data for this type of entry is the IP address and the serial number. The name of the record provides the www prefix. So, for example, the DNS zone for VisitCancun.com has a host (A) record named www that maps to the IP address 22.214.171.124. This mapping lets a user type www.VisitCancun.com into a browser. If the name of the host (A) record were different (e.g., www3), the user would need to type www3.VisitCancun.com to return the mapped IP address.
The rest of the data contains values that remain the same on different servers and different domains, so the decimals wouldn’t change. Rather, they appear to identify the record as a host (A) record. For Adam’s purposes, the DNS zone also required an MX record, which tells querying computers where to look for that domain’s mail. The data for these records was stored in Octet format, but the values were much longer than the host (A) records’ and took more time and patience to figure out.
Many of the decimals were related to the mail server’s name: Some were the ASCII representation of its letters, others represented the number of characters in each segment (not including the decimals because they segment the name), and one represented the overall length of the mail server’s name. Other decimals stood for the serial number, the mail server priority, and the IP address, and some decimals never change. Adam identified all the decimals by comparing different hex strings and through simple trial and error. He simplified the entire process by adding a section of variables at the top of the script that you can easily modify to meet your needs.
Dns.vbs The dns.vbs script opens a connection directly into Microsoft DNS and creates all the information necessary for a new Web site, including a new DNS forward lookup zone, an MX record, and four hosts. Each host links a name to an IP address. The script defaults to setting up a parent host named foo.com, a WWW host named www.foo.com, a MAIL host named mail.foo.com, a WEBMAIL host named webmail.foo.com, and an FTP host named ftp.foo.com. (You can customize each host name and IP address in the script.)
Dns.vbs starts by dimensioning variables. Next, as the code at callout A in Listing 1 shows, the script gives you an “opt out” choice with a message box so that you don’t accidentally run the script. The script then instantiates ads.dll, the MSDN conversion utility. After completing this process, the script assigns values (i.e., names and IP addresses) to variables for later use. This part of the script is the only section you need to edit for your needs. The code at callout B contains several sample values and descriptions.
At this point, the script uses the user-defined DNS variables to do calculations, string manipulations, and parsing and converts some of the data to hex format. After the initial calculations are complete, the script connects to AD and creates DNS objects. As the code at callout C shows, the script creates the objects for the DNS zone first. Notice that the script releases COM objects from memory by setting them to Nothing. Because COM components consume large amounts of memory, cleaning up after them is good programming practice.
Next, the script creates the MX record and parent host after performing some complicated computations. Because these two values are saved in the same attribute, the script creates an array and saves the values, as the code at callout D shows.
After creating the MX record and parent host (A) record, the script creates the remaining hosts: WWW, MAIL, and WEBMAIL. The code at callout E shows how the WWW record is created. Finally, if you set FTP to “YES” in the variables section at the beginning of the script, the script creates the FTP host (A) record, as the code at callout F shows.
To run the script, use cscript.exe. From the command line, navigate to the folder in which you placed the dns.vbs script, then type
You must log on with domain administrator permissions to run the script. Figure 1 shows dns.vbs running. Notice that appropriate screen I/O appears onscreen to alert the user where the dns.vbs script is in the process of running. The script runs quickly (i.e., in a few seconds), depending on your network configuration.
After the script finishes running, you can check the resulting configurations in DNS. Launch the MMC DNS server snap-in (go to Start, Programs, Administrative Tools, then select DNS). Expand the Forward Lookup Zones folder to see the DNS configuration you’ve automated. Figure 2 shows the resulting DNS configuration of foo.com that the script created using the sample values provided.
IT expert with more than 20 years experience in Multiple OS, Security, Data & Internet ,
Interests include AI and Big Data, Internet and multimedia. An experienced Real Estate agent, Insurance agent, and a Futures trader. I am capable of finding any answers in the world you want as long as there are reports available online for me to do my own research to bring you closest to all the unsolved mysteries in this world, because I can find all the paths to the Truth, and what the Future holds. All I need is to observe, test and probe to research on anything I want, what you need to do will take months to achieve, all I need is a few hours.
View all posts by Gilbert Tan TS