Full Disclosure mailing list archives
Re: Re : CAU-EX-2008-0002: Kaminsky DNS Cache Poisoning Flaw Exploit
From: Ureleet <ureleet () gmail com>
Date: Tue, 5 Aug 2008 20:21:21 -0400
noice!!! On Fri, Jul 25, 2008 at 3:38 PM, H D Moore <fdlist () digitaloffense net> wrote:
On Friday 25 July 2008, tixxDZ wrote:I do not want to offend anyone (Metasploit people), this is a simple joke: can you share with us all the logs of the vulnerable servers ? ;) , the exploit will use the Metasploit service to verify exploitability. ex checking my Opendns:The exploit needs a service to determine the source port used by the target name server. The 'check' command will do this and could probably use a better warning about information disclosure. The exploit itself will also query the Metasploit service if you set SRCPORT to 0. While this means we *could* capture a list of vulnerable nameservers which query this service, honestly we don't care and aren't logging it. There are much more effective ways to scan for exploitable cache servers :-) The source code for the helper service is also a Metasploit module and can be found under modules/auxiliary/server/dns/spoofhelper.rb If you want to use your own server for this, just change *.red.metasploit.com to be a domain handled by your own copy of the spoofhelper module. In the future, we will add an option to specify a the nameserver used for this check. To clarify: - Nothing is sent to metasploit.com unless SRCPORT is manually set to '0' or the check command is run (non-standard for aux modules). - The only information we receive is the IP and source port of the tested nameserver. No information is sent about the user's system or their own IP address. - Even though this information could be logged and sorted and whatnot, we honestly don't care and just added it as a convenience feature. We dont keep records of the queries hitting the server and have no plans to start doing so. - If you don't like it, don't run 'check' and don't set SRCPORT to '0' for automatic mode. It won't hurt our feelings and you are free to modify the module to point at your own helper service. Cheers, -HD PS. You can use the service outside of the module to check various servers. For example: while true; do dig +short -t TXT `date +%s`.red.metasploit.com @4.2.2.3; sleep 1; done "209.244.4.227:33165 1217014609.red.metasploit.com" "209.244.4.227:32728 1217014610.red.metasploit.com" "209.244.4.227:29607 1217014611.red.metasploit.com" "209.244.4.227:28032 1217014612.red.metasploit.com" "209.244.4.227:25992 1217014613.red.metasploit.com" "209.244.4.227:31301 1217014614.red.metasploit.com" "209.244.4.227:22884 1217014615.red.metasploit.com" "209.244.4.227:33722 1217014616.red.metasploit.com" ^- changing ports means the box is patched. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Re : CAU-EX-2008-0002: Kaminsky DNS Cache Poisoning Flaw Exploit Ureleet (Aug 05)