Re: DNS fuzzer

[Michael Pattrick <mpattrick () rhinovirus org>]

On Fri, Apr 2, 2010 at 11:34 PM, David Fifield <david () bamsoftware com> wrote:
> I have to apologize; looking at my Bash history I was running against
> the wrong IP address. The one I ran against didn't have a DNS server
> running. But the results are the same with the correct IP address.
[snip]

I'm actually surprised you got that far, I discovered a bug in the
recursive only support after more thorough testing. I hate flooding
the list with tiny increments of the same script, but this bug can
cause crashes. With a few different DNS server configurations I see
that it's probably best to keep the recursive option for now, at the
very least it's the only way I can figure out how to guarantee that a
DNS server will respond.

> Running the script seven times, I only got the offending packet once.
> The other times it was "Server is not a DNS server". I'm starting to
> think it's just this proxy being weird. With Wireshark I saw that I had
> to increase the timeout to 5 seconds to get a server failure. If I run
> directly against my ISP's DNS server, it's
>
> PORT   STATE         SERVICE REASON
> 53/udp open|filtered domain  no-response
> | dns-fuzz-3: Server stopped responding... He's dead, Jim.
> |_Offending packet: 
> 0x7811000040020000000020000770626d7173696d0e7a6e78636a68076d69716c6477690000010001057966616c670568776f746dc00c00050001
>
> But here it's different; the server is sending a response to the
> pingServer query (server status), but later sends of the same query
> don't get a response. It looks like the server is rate-limiting. I
> thought it was because of the constant transaction IDs, but I randomized
> them and it didn't make a difference.

Hrm, I didn't think of checking the transaction ID in dns.nse, that
should probably be randomized...

> The dproxy server is finicky; I can't get it to respond to server status
> every time, only sometimes. It's too bad, because it would be a good
> fuzzer target. There's a remote root exploit in a version recent enough
> to be on my router: http://seclists.org/fulldisclosure/2007/Mar/552.

That's an interesting bug, but if I understand how it works right I
don't think my fuzzer would catch it. I would need to integrate more
compression pointers. Something for another week I guess.

> One other thing: would you add a short description of the fuzzer
> category to scripting.xml? It's the part that corresponds to
> http://nmap.org/book/nse-usage.html#nse-categories.

Patch attached.

-M

Attachment: dns-fuzz.nse
Description:

Attachment: scripting.xml.patch
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/