[UPDATE 6/28/2011] vSploit Modules will be released at DEFCON
This is a follow-up post to vSploit - Virtualizing Intrusion & Exploitation Attributes with Metasploit Framework, which covered using Metasploit to test network infrastructure countermeasures and coverage. In it I mentioned obtaining a list of suspicious domains to use for testing an organization's network intelligence. Simply put, we generate suspicious traffic to see whether and how the organization responds.
In that post and accompanying video, I used the Metasploit vSploit DNS Beaconing module to emulate suspicious DNS traffic. One response I received was, "Where can I get a list of suspicious domains?" Generally, the best place is probably the SANS Institute Suspicious Domains page.
However, in this post I'll concentrate on Abuse.ch's ZeuS Tracker, which publishes blocklists of suspicious IP addresses and domain names. Of the offered blocklists we'll use the ZeuS domain blocklist as input for the Metasploit vSploit DNS Beaconing module. Download the list, strip the comment lines and any whitespace so that only one domain per line remains, and save it as a plain text file. At the time of this post the list contained 651 suspicious domains; the contents change over time, so re-download it before each test.
First, confirm that the suspicious domain list is in place:
After starting Metasploit, enter "use auxiliary/vsploit/dns/dns_beacon" and then "set DOMAINS file:/tmp/domains.txt":
Now type "run" to start the queries:
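The three steps above (clean the downloaded list, point the module at it, run) as one repeatable script. This is an added example, not code from the original post or from the Metasploit project. It assumes the abuse.ch text blocklist layout of "#" comment lines, blank lines and one domain per line; the blocklist contents embedded in the script are a constructed sample, not real tracker entries, so it runs offline. The script writes the cleaned list and an msfconsole resource script into a temporary directory instead of the /tmp/domains.txt path used in the post.

```shell
#!/bin/sh
# Added example (not from the original post or Metasploit): clean a raw
# abuse.ch-style domain blocklist into the one-domain-per-line file that
# "set DOMAINS file:<path>" expects, then emit an msfconsole resource script
# that runs auxiliary/vsploit/dns/dns_beacon against it.

# CONSTRUCTED sample in the layout of the abuse.ch text blocklists: "#"
# comment lines, blank lines, stray whitespace, a duplicate entry and a
# trailing comment. None of these are real tracker entries.
sample_blocklist() {
    cat <<'EOF'
#########################################################
# abuse.ch ZeuS domain blocklist (constructed sample)   #
#########################################################

zeus-sample-one.invalid
  zeus-sample-two.invalid
zeus-sample-one.invalid
zeus-sample-three.invalid   # trailing comment

EOF
}

# Drop whole-line and trailing "#" comments, strip all whitespace, drop the
# now-empty lines and remove duplicates. Reads stdin, writes stdout.
clean_blocklist() {
    sed -e 's/#.*$//' -e 's/[[:space:]]//g' | grep -v '^$' | sort -u
}

# Emit the msfconsole commands from the post as a resource script, so the
# beaconing run can be repeated with: msfconsole -r dns_beacon.rc
write_rc() {
    domains_file="$1"
    printf '%s\n' \
        'use auxiliary/vsploit/dns/dns_beacon' \
        "set DOMAINS file:$domains_file" \
        'run'
}

# Number of non-empty lines in the cleaned file (the post saw 651 from the
# live list; the sample here yields 3).
count_domains() {
    grep -c . "$1"
}

# Stand-alone run: cleaned list plus resource script in a fresh temp dir.
workdir=$(mktemp -d)
sample_blocklist | clean_blocklist > "$workdir/domains.txt"
write_rc "$workdir/domains.txt" > "$workdir/dns_beacon.rc"
echo "$(count_domains "$workdir/domains.txt") domains written to $workdir/domains.txt"
echo "resource script: $workdir/dns_beacon.rc"
```

Swap `sample_blocklist` for `curl -s <blocklist URL>` to process the live list; the cleaning and resource-script steps stay the same. Keep in mind that every line in the cleaned file will be resolved, so review it once before pointing the module at it.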
This is a great way to test your organization's ability to detect and alert on queries for known-bad domains, without actually infecting real hosts.
If you'd like to learn more about the new vSploit modules to test your network security infrastructure, join me in tomorrow's webinar Identifying Infrastructure Blindspots with Metasploit Framework for a live demo.