|Main Archive Page > Month Archives > full-disclosure-uk archives|
On Fri, Jul 25, 2008 at 3:38 PM, H D Moore <email@example.com> wrote:
> On Friday 25 July 2008, tixxDZ wrote:
>> I do not want to offend anyone (Metasploit people), this is a simple
>> joke: can you share with us all the logs of the vulnerable servers ?
>> ;) , the exploit will use the Metasploit service to verify
>> exploitability. ex checking my Opendns:
> The exploit needs a service to determine the source port used by the
> target name server. The 'check' command will do this and could probably
> use a better warning about information disclosure. The exploit itself
> will also query the Metasploit service if you set SRCPORT to 0. While
> this means we *could* capture a list of vulnerable nameservers which
> query this service, honestly we don't care and aren't logging it. There
> are much more effective ways to scan for exploitable cache servers :-)
> The source code for the helper service is also a Metasploit module and can
> be found under modules/auxiliary/server/dns/spoofhelper.rb
> If you want to use your own server for this, just change
> *.red.metasploit.com to be a domain handled by your own copy of the
> spoofhelper module. In the future, we will add an option to specify a the
> nameserver used for this check.
> To clarify:
> - Nothing is sent to metasploit.com unless SRCPORT is manually set to '0'
> or the check command is run (non-standard for aux modules).
> - The only information we receive is the IP and source port of the tested
> nameserver. No information is sent about the user's system or their own
> IP address.
> - Even though this information could be logged and sorted and whatnot, we
> honestly don't care and just added it as a convenience feature. We dont
> keep records of the queries hitting the server and have no plans to start
> doing so.
> - If you don't like it, don't run 'check' and don't set SRCPORT to '0'
> for automatic mode. It won't hurt our feelings and you are free to modify
> the module to point at your own helper service.
> PS. You can use the service outside of the module to check various
> servers. For example:
> while true; do dig +short -t TXT `date +%s`.red.metasploit.com @22.214.171.124;
> sleep 1; done
> "126.96.36.199:33165 1217014609.red.metasploit.com"
> "188.8.131.52:32728 1217014610.red.metasploit.com"
> "184.108.40.206:29607 1217014611.red.metasploit.com"
> "220.127.116.11:28032 1217014612.red.metasploit.com"
> "18.104.22.168:25992 1217014613.red.metasploit.com"
> "22.214.171.124:31301 1217014614.red.metasploit.com"
> "126.96.36.199:22884 1217014615.red.metasploit.com"
> "188.8.131.52:33722 1217014616.red.metasploit.com"
> ^- changing ports means the box is patched.
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/