Nmap Development mailing list archives
Re: DNS fuzzer
From: Michael Pattrick <mpattrick () rhinovirus org>
Date: Sat, 3 Apr 2010 03:09:49 -0400
On Fri, Apr 2, 2010 at 11:34 PM, David Fifield <david () bamsoftware com> wrote:
I have to apologize; looking at my Bash history I was running against the wrong IP address. The one I ran against didn't have a DNS server running. But the results are the same with the correct IP address.
[snip] I'm actually surprised you got that far, I discovered a bug in the recursive only support after more thorough testing. I hate flooding the list with tiny increments of the same script, but this bug can cause crashes. With a few different DNS server configurations I see that it's probably best to keep the recursive option for now, at the very least it's the only way I can figure out how to guarantee that a DNS server will respond.
Running the script seven times, I only got the offending packet once. The other times it was "Server is not a DNS server". I'm starting to think it's just this proxy being weird. With Wireshark I saw that I had to increase the timeout to 5 seconds to get a server failure. If I run directly against my ISP's DNS server, it's PORT STATE SERVICE REASON 53/udp open|filtered domain no-response | dns-fuzz-3: Server stopped responding... He's dead, Jim. |_Offending packet: 0x7811000040020000000020000770626d7173696d0e7a6e78636a68076d69716c6477690000010001057966616c670568776f746dc00c00050001 But here it's different; the server is sending a response to the pingServer query (server status), but later sends of the same query don't get a response. It looks like the server is rate-limiting. I thought it was because of the constant transaction IDs, but I randomized them and it didn't make a difference.
Hrm, I didn't think of checking the transaction ID in dns.nse, that should probably be randomized...
The dproxy server is finicky; I can't get it to respond to server status every time, only sometimes. It's too bad, because it would be a good fuzzer target. There's a remote root exploit in a version recent enough to be on my router: http://seclists.org/fulldisclosure/2007/Mar/552.
That's an interesting bug, but if I understand how it works right I don't think my fuzzer would catch it. I would need to integrate more compression pointers. Something for another week I guess.
One other thing: would you add a short description of the fuzzer category to scripting.xml? It's the part that corresponds to http://nmap.org/book/nse-usage.html#nse-categories.
Patch attached. -M
Attachment:
dns-fuzz.nse
Description:
Attachment:
scripting.xml.patch
Description:
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Re: DNS fuzzer, (continued)
- Re: DNS fuzzer Michael Pattrick (Apr 02)
- Re: DNS fuzzer Fyodor (Apr 02)
- parse_timespec function David Fifield (Apr 05)
- Re: parse_timespec function Michael Pattrick (Apr 06)
- Re: parse_timespec function Fyodor (Apr 07)
- Re: parse_timespec function David Fifield (Apr 08)
- Re: parse_timespec function Fyodor (Apr 08)
- Re: parse_timespec function David Fifield (Apr 15)
- Re: parse_timespec function David Fifield (Apr 13)
- Re: DNS fuzzer Fyodor (Apr 02)
- Re: DNS fuzzer Michael Pattrick (Apr 02)
- Re: DNS fuzzer Michael Pattrick (Apr 03)
- Re: DNS fuzzer' David Fifield (Apr 03)
- Re: DNS fuzzer David Fifield (Apr 02)