Nmap Development mailing list archives
Re: [NSE] New script dns-blacklist
From: Patrik Karlsson <patrik () cqure net>
Date: Sun, 15 Jan 2012 12:40:10 +0100
On Sun, Jan 8, 2012 at 2:43 PM, Duarte Silva <duarte.silva () serializing me> wrote:

On Sunday 08 January 2012 10:24:37 Patrik Karlsson wrote:

On Sun, Jan 8, 2012 at 4:05 AM, David Fifield <david () bamsoftware com> wrote:

On Mon, Jan 02, 2012 at 11:31:09AM +0000, Duarte Silva wrote:

Hi Patrik, I added two new DNSBL providers, one for TOR nodes [1]

[1] https://www.dan.me.uk/dnsbl

For Tor, let's see if we can use the Tor Project's exit list directly, rather than some third party that is just querying them anyway.

https://www.torproject.org/projects/tordnsel.html

I don't think they are only querying TorDNSEL. I'm pretty sure they're using the servers descriptors directory directly [1][2] (that's what I would).

The main difference is whether an address can be considered an exit node depends on the address and port you are relaying to, so those are part of the query. Apparently TorDNSEL also does active probing to find out if relays' behaviour actually matches their stated exit policy.

From the documentation of the service: "Previous DNSELs scraped Tor's network directory for exit node IP addresses, but this method fails to list nodes that don't advertise their exit address in the directory. TorDNSEL actively tests through these nodes to provide a more accurate list."

I think it's quite an uninformative service compared to the third party one, even though, it does actually check if the relay is an exit node and it may be able to find nodes that aren't listed.

As far as I can tell the first service also allows us to query for entry nodes. I'm not sure what we want/need and leave that up to the Tor experts. If we only want exit nodes, the official Tor Project service is obviously a better source.

It depends on what you want. If you want to know, "my corporate <insert resource name here> was attacked, should I have blocked that IP address?", then the exit nodes, is in part only what you want to know. If you want to perform deeper investigations, then it might also be interesting to check for relays.

Another possibly more efficient way is to download the whole relay list once, and then compare each target address against the list. This also has the advantage of not needing to disclose the target's address to the exit list operator.

https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=74.207.254.18

You are disclosing the target IP address in all the DNSBL's. If one cares about it, then he really shouldn't be using the script =P

David Fifield

While I agree with it being more efficient it should probably go into its own script as it's not DNSBL?

I agree.

Cheers,
Patrik

In the attachments follows a patch with some minor changes/fixes and the added TorDNSEL provider as specified in [3].

[1] https://www.torproject.org/docs/tor-doc-relay.html.en#check
[2] http://194.109.206.212/tor/status-vote/current/consensus
[3] https://www.torproject.org/projects/tordnsel.html.en

Regards,
Duarte Silva
I've applied this patch and another one that I was working on. Thanks for the contribution! The change I made was to change the library to use a worker thread for each provider which increased speed a lot.

Cheers,
Patrik

--
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
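Added example, not part of the original thread or of the dns-blacklist script: it contrasts the per-target name a DNSBL lookup sends to the list operator with the download-once, compare-locally approach raised in the thread. The zone `dnsbl.example`, the list format (one address per line, `#` comments) and all addresses are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample of a downloaded exit list: one address per line,
# '#' comment lines (format is an assumption for this example).
SAMPLE_EXIT_LIST = """\
# constructed sample, documentation address ranges only
192.0.2.10
198.51.100.7

not-an-address
203.0.113.200
"""

def dnsbl_query_name(ip, zone):
    """Name a DNSBL client resolves for an IPv4 address: reversed octets + zone.
    The zone operator sees this name, and therefore the address being checked."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def parse_exit_list(text):
    """Parse a downloaded list into a set, skipping comments and malformed lines."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # ignore junk rather than fail the whole run
    return exits

def check_targets(targets, exits):
    """Compare each target locally; no per-target query leaves the host."""
    return {t: ipaddress.ip_address(t) in exits for t in targets}

if __name__ == "__main__":
    exits = parse_exit_list(SAMPLE_EXIT_LIST)
    targets = ["192.0.2.10", "192.0.2.11", "203.0.113.200"]
    # What a DNSBL lookup would send for each target (hypothetical zone).
    for t in targets:
        print("would query:", dnsbl_query_name(t, "dnsbl.example"))
    # The same decision made from the local copy.
    for t, listed in check_targets(targets, exits).items():
        print(t, "listed" if listed else "not listed")
```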