Full Disclosure mailing list archives
RE: Mystery DNS Changes
From: Andre Ludwig <ALudwig () Calfingroup com>
Date: Wed, 1 Oct 2003 20:41:39 -0700
Somewhat off topic, but a killer dhcp toolset that i have played with a bit is Gobbler from www.networkpenetration.com . Might give some people who don't understand the whole DHCP vulnerability thing a bit of an education. Andre Ludwig http://www.networkpenetration.com/downloads.html -----Original Message----- From: hobbit () avian org [mailto:hobbit () avian org] Sent: Wednesday, October 01, 2003 1:11 PM To: full-disclosure () lists netsys com Subject: Re: [Full-disclosure] Mystery DNS Changes ... DHCP enabled workstations have had their DNS reconfigured to point to two of the three addresses User-driven trojan or not, machines running DHCP can pretty much be told by a DHCP server that their leases are up and it's time to renumber, and then that their new DNS servers are X Y and maybe Z. This is part of the protocol, astoundingly enough, but spells "attack vector" any way *I* look at it. This would probably work on most cable-modem infrastructures, at least where the provider hasn't done anything about the fact that any customer [i.e. customer's box, forget the human] can become a rogue DHCP server. Within a soft chewy corporate net, a rogue server probably presents an even higher risk cuz *none* of the end user boxes would have the benefit of a somewhat protective device [cable modem with clueful config] in between it and the rogue. Expect it. Script your bootup to nuke dhclient/dhcpcd/whatever after it's gotten an address, and sanity-check what you get back. DHCP clients, at least in the unix world, generally run OUTSIDE your filters, as ROOT. Windows users, you're probably just hosed, because if you stop "DHCP client" you release your address. _H* _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: Mystery DNS Changes, (continued)
- RE: Mystery DNS Changes David Vincent (Oct 01)
- RE: Mystery DNS Changes tom_gordon (Oct 01)
- RE: Mystery DNS Changes Harris, Michael C. (Oct 01)
- Re: Mystery DNS Changes Paul Tinsley (Oct 01)
- Re: [Snort-sigs] Re: Mystery DNS Changes Paul Tinsley (Oct 02)
- Re: [Snort-sigs] Re: Mystery DNS Changes Paul Schmehl (Oct 03)
- Re: [Snort-sigs] Re: Mystery DNS Changes Paul Tinsley (Oct 03)
- Re: [Snort-sigs] Re: Mystery DNS Changes Paul Schmehl (Oct 03)
- Re: Mystery DNS Changes Paul Tinsley (Oct 01)
- RE: Mystery DNS Changes Kurt (Oct 02)
- Re: Mystery DNS Changes Joe Stewart (Oct 02)
- Re: Mystery DNS Changes Paul Tinsley (Oct 02)
- Re: Mystery DNS Changes KF (Oct 02)
- RE: Mystery DNS Changes Paul Schmehl (Oct 03)
- RE: Mystery DNS Changes Nick FitzGerald (Oct 03)