full-disclosure-uk August 2008 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] Re : CAU-EX-2008-0002:

Re: [Full-disclosure] Re : CAU-EX-2008-0002: Kaminsky DNS Cache Poisoning Flaw Exploit

From: Ureleet <ureleet_at_nospam>
Date: Wed Aug 06 2008 - 00:21:21 GMT
To: "H D Moore" <fdlist@digitaloffense.net>


noice!!!

On Fri, Jul 25, 2008 at 3:38 PM, H D Moore <fdlist@digitaloffense.net> wrote:
> On Friday 25 July 2008, tixxDZ wrote:
>> I do not want to offend anyone (Metasploit people), this is a simple
>> joke: can you share with us all the logs of the vulnerable servers ?
>> ;) , the exploit will use the Metasploit service to verify
>> exploitability. ex checking my Opendns:
>
> The exploit needs a service to determine the source port used by the
> target name server. The 'check' command will do this and could probably
> use a better warning about information disclosure. The exploit itself
> will also query the Metasploit service if you set SRCPORT to 0. While
> this means we *could* capture a list of vulnerable nameservers which
> query this service, honestly we don't care and aren't logging it. There
> are much more effective ways to scan for exploitable cache servers :-)
>
> The source code for the helper service is also a Metasploit module and can
> be found under modules/auxiliary/server/dns/spoofhelper.rb
>
> If you want to use your own server for this, just change
> *.red.metasploit.com to be a domain handled by your own copy of the
> spoofhelper module. In the future, we will add an option to specify a the
> nameserver used for this check.
>
> To clarify:
>
> - Nothing is sent to metasploit.com unless SRCPORT is manually set to '0'
> or the check command is run (non-standard for aux modules).
>
> - The only information we receive is the IP and source port of the tested
> nameserver. No information is sent about the user's system or their own
> IP address.
>
> - Even though this information could be logged and sorted and whatnot, we
> honestly don't care and just added it as a convenience feature. We dont
> keep records of the queries hitting the server and have no plans to start
> doing so.
>
> - If you don't like it, don't run 'check' and don't set SRCPORT to '0'
> for automatic mode. It won't hurt our feelings and you are free to modify
> the module to point at your own helper service.
>
> Cheers,
>
> -HD
>
>
> PS. You can use the service outside of the module to check various
> servers. For example:
>
> while true; do dig +short -t TXT `date +%s`.red.metasploit.com @4.2.2.3;
> sleep 1; done
> "209.244.4.227:33165 1217014609.red.metasploit.com"
> "209.244.4.227:32728 1217014610.red.metasploit.com"
> "209.244.4.227:29607 1217014611.red.metasploit.com"
> "209.244.4.227:28032 1217014612.red.metasploit.com"
> "209.244.4.227:25992 1217014613.red.metasploit.com"
> "209.244.4.227:31301 1217014614.red.metasploit.com"
> "209.244.4.227:22884 1217014615.red.metasploit.com"
> "209.244.4.227:33722 1217014616.red.metasploit.com"
>
> ^- changing ports means the box is patched.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/