Re: Re : CAU-EX-2008-0002: Kaminsky DNS Cache Poisoning Flaw Exploit

[Ureleet <ureleet () gmail com>]

noice!!!

On Fri, Jul 25, 2008 at 3:38 PM, H D Moore <fdlist () digitaloffense net> wrote:
> On Friday 25 July 2008, tixxDZ wrote:
> > I do not want to offend anyone (Metasploit people), this is a simple
> > joke: can you share with us all the logs of the vulnerable servers ?
> > ;) , the exploit will use the Metasploit service to verify
> > exploitability. ex checking my Opendns:
>
> The exploit needs a service to determine the source port used by the
> target name server. The 'check' command will do this and could probably
> use a better warning about information disclosure. The exploit itself
> will also query the Metasploit service if you set SRCPORT to 0. While
> this means we *could* capture a list of vulnerable nameservers which
> query this service, honestly we don't care and aren't logging it. There
> are much more effective ways to scan for exploitable cache servers :-)
>
> The source code for the helper service is also a Metasploit module and can
> be found under modules/auxiliary/server/dns/spoofhelper.rb
>
> If you want to use your own server for this, just change
> *.red.metasploit.com to be a domain handled by your own copy of the
> spoofhelper module. In the future, we will add an option to specify a the
> nameserver used for this check.
>
> To clarify:
>
>  - Nothing is sent to metasploit.com unless SRCPORT is manually set to '0'
> or the check command is run (non-standard for aux modules).
>
>  - The only information we receive is the IP and source port of the tested
> nameserver. No information is sent about the user's system or their own
> IP address.
>
>  - Even though this information could be logged and sorted and whatnot, we
> honestly don't care and just added it as a convenience feature. We dont
> keep records of the queries hitting the server and have no plans to start
> doing so.
>
>  - If you don't like it, don't run 'check' and don't set SRCPORT to '0'
> for automatic mode. It won't hurt our feelings and you are free to modify
> the module to point at your own helper service.
>
> Cheers,
>
> -HD
>
>
> PS. You can use the service outside of the module to check various
> servers. For example:
>
> while true; do dig +short -t TXT `date +%s`.red.metasploit.com @4.2.2.3;
> sleep 1; done
> "209.244.4.227:33165 1217014609.red.metasploit.com"
> "209.244.4.227:32728 1217014610.red.metasploit.com"
> "209.244.4.227:29607 1217014611.red.metasploit.com"
> "209.244.4.227:28032 1217014612.red.metasploit.com"
> "209.244.4.227:25992 1217014613.red.metasploit.com"
> "209.244.4.227:31301 1217014614.red.metasploit.com"
> "209.244.4.227:22884 1217014615.red.metasploit.com"
> "209.244.4.227:33722 1217014616.red.metasploit.com"
>
> ^- changing ports means the box is patched.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/