Nmap Development mailing list archives

Re: DNS cache snooping script


From: David Fifield <david () bamsoftware com>
Date: Fri, 11 Jun 2010 20:28:48 -0600

On Sat, May 15, 2010 at 08:42:24AM -0600, David Fifield wrote:
On Sat, May 15, 2010 at 07:42:03AM -0600, Eugene Alexeev wrote:
David,

I agree with you.  I'm also thinking of including the option of reading the
site list over HTTP.  It would be limited to consuming one line at a time,
but would let the user leverage sites like the zeus tracker.  How do you
want to go about creating the site list to be distributed with the script?

Let's start with the top 50 sites from
http://s3.amazonaws.com/alexa-static/top-1m.csv.zip. That will already
get most of the important social sites. Then add in other sites that you
think are relevant, with comments explaining why they are. Keep these
separated in the source file so they can be managed.

There are a few other changes I want you to make. Accept qualified
synonyms for the script arguments, like dns-cache-snoop.snoop_mode.
Think of a name for the default non-timed mode and make that a possible
value of snoop_mode. For the host list, I would like to see arguments
dns-cache-snoop.hosts with a literal list of hostnames, and
dns-cache-snoop.hostfile with the name of a file containing hostnames.
I don't see people using the snoop_multiplier, so I think you should
take it out. If you wish, you can replace it with a confidence argument
that takes a number like 0.95 and automatically calculates the
multiplier for you. (What is the confidence level of the default
multiplier of 1.0?) Factor out the timed and non-timed modes of
operation into separate functions instead of a big if/else in the
action. Remove the "-->" from the output.

I have committed your script, after reworking it to do the things I
asked in the paragraph above. (Except the script argument for reading a
list of domains from a file, which someone can add if they want.) I used
the top 50 Alexa sites from today, which grow to 100 when they have
"www." added. I think we can do much better than that for a default
domain list, so I ask people who have ideas for interesting sites to
submit them here with a rationale of why they should be included.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
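The non-recursive (non-timed) mode discussed above relies on queries with the RD (recursion desired) bit cleared, so the server answers only from its cache; for a resolver operator the same bit is a useful signal, since RD=0 questions from clients that are not known forwarders are unusual. The block below is an added example, not code from the Nmap script or from this thread; the packets, client addresses and trusted network are constructed for illustration.

```python
import ipaddress
import struct

def parse_query(pkt: bytes):
    """Return (rd_flag, qname) from the first question of a raw DNS message."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    rd = bool(flags & 0x0100)  # RD (recursion desired) is bit 8 of the flags word
    labels, pos = [], 12
    while pkt[pos] != 0:
        n = pkt[pos]
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(pkt[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return rd, ".".join(labels).lower()

def build_query(qname: str, rd: bool, qid: int = 0x1234) -> bytes:
    """Build a minimal A/IN query; only used to construct the sample packets."""
    header = struct.pack("!HHHHHH", qid, 0x0100 if rd else 0, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return header + name + b"\x00" + struct.pack("!HH", 1, 1)

def snoop_suspects(events, trusted_nets):
    """events: (client_ip, raw_query) pairs. Returns (ip, qname) for every
    non-recursive query from a client outside trusted_nets."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for ip, raw in events:
        rd, qname = parse_query(raw)
        if rd or any(ipaddress.ip_address(ip) in n for n in nets):
            continue  # recursive queries, and RD=0 from forwarders we know, are normal
        hits.append((ip, qname))
    return hits

# Constructed traffic: one internal RD=0 lookup; an external client sends one recursive and two non-recursive queries.
SAMPLE_EVENTS = [
    ("10.0.0.5", build_query("www.example.com", rd=False)),
    ("203.0.113.9", build_query("www.example.com", rd=True)),
    ("203.0.113.9", build_query("www.example.net", rd=False)),
    ("203.0.113.9", build_query("www.example.org", rd=False)),
]
TRUSTED_NETS = ["10.0.0.0/8"]

if __name__ == "__main__":
    for ip, name in snoop_suspects(SAMPLE_EVENTS, TRUSTED_NETS):
        print(f"possible cache snoop from {ip}: {name}")
```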