Nmap Development mailing list archives

Re: DNS fuzzer


From: David Fifield <david () bamsoftware com>
Date: Sat, 3 Apr 2010 14:00:57 -0600

On Sat, Apr 03, 2010 at 03:09:49AM -0400, Michael Pattrick wrote:
> On Fri, Apr 2, 2010 at 11:34 PM, David Fifield <david () bamsoftware com> wrote:
> > I have to apologize; looking at my Bash history I was running against
> > the wrong IP address. The one I ran against didn't have a DNS server
> > running. But the results are the same with the correct IP address.
> [snip]
>
> I'm actually surprised you got that far; I discovered a bug in the
> recursive-only support after more thorough testing. I hate flooding
> the list with tiny increments of the same script, but this bug can
> cause crashes. With a few different DNS server configurations I see
> that it's probably best to keep the recursive option for now; at the
> very least, it's the only way I can figure out how to guarantee that a
> DNS server will respond.

I did run into a problem with it. The detection wasn't working and I had
to set recursiveOnly to true manually. Then I had to change host to host.ip
and port to port.number in the call to dns.query.

Here's how it's working now with a timelimit of 10 seconds. Against the
ISP nameserver:

PORT   STATE SERVICE REASON
53/udp open  domain  script-set
|_dns-fuzz-4: The server seems impervious to our assault.

Against dproxy:

PORT   STATE         SERVICE REASON
53/udp open|filtered domain  no-response
|_dns-fuzz-4: Server didn't response to our probe, can't fuzz

I want you to commit the script with one change. Just add a default
timelimit of 10 minutes if no script argument is given. Fyodor's right
that we should have a general-purpose function like unpwdb.timelimit. We
can tackle that problem separately after the script is committed.

> > One other thing: would you add a short description of the fuzzer
> > category to scripting.xml? It's the part that corresponds to
> > http://nmap.org/book/nse-usage.html#nse-categories.
>
> Patch attached.

That looks good. You can commit it, except leave out the part that says
dns-fuzz is the only script in the category. It's to be hoped that we
get more of this type of script, and then it's one more thing to
remember to update.

David Fifield
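As an added illustration (not the dns-fuzz script or any code from the thread), here is how an NSE script can take the "timelimit" script argument with the 10-minute default requested above and use a plain recursive dns.query against host.ip and port.number to confirm the server answers before and during the run. The argument name dns-fuzz.timelimit, the probe name www.example.com, the one-byte mutation and the output strings are assumptions; the library calls (stdnse, dns, nmap, shortport) are standard NSE APIs.

```lua
local dns       = require "dns"
local nmap      = require "nmap"
local shortport = require "shortport"
local stdnse    = require "stdnse"

categories = {"fuzzer", "intrusive"}
portrule = shortport.portnumber(53, "udp")

-- --script-args dns-fuzz.timelimit=30s (or 5m); default 600 s when absent.
local function timelimit_ms()
  local arg = stdnse.get_script_args("dns-fuzz.timelimit")
  local secs = arg and stdnse.parse_timespec(arg) or 600
  return secs * 1000
end

-- A server that cannot answer an ordinary recursive query cannot be fuzzed,
-- so the same probe doubles as the liveness check between test cases.
local function responds(host, port)
  local ok = dns.query("www.example.com", {
    host = host.ip, port = port.number, dtype = "A", timeout = 5000 })
  return ok
end

-- One test case: a well-formed A query with a single byte overwritten.
local function mutated_query()
  local pkt = dns.newPacket()
  dns.addQuestion(pkt, "www.example.com", dns.types.A)
  local data = dns.encode(pkt)
  local pos = math.random(#data)
  return data:sub(1, pos - 1) .. string.char(math.random(0, 255)) .. data:sub(pos + 1)
end

action = function(host, port)
  if not responds(host, port) then
    return "Server didn't respond to our probe, can't fuzz"
  end
  local deadline = nmap.clock_ms() + timelimit_ms()
  local sock = nmap.new_socket("udp")
  sock:connect(host.ip, port.number)
  while nmap.clock_ms() < deadline do
    sock:send(mutated_query())
    if not responds(host, port) then   -- stopped answering: report and stop
      sock:close()
      return "Server stopped responding after a malformed query"
    end
  end
  sock:close()
  return "The server seems impervious to our assault."
end
```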
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
