Penetration Testing mailing list archives
Re: question regarding nessus plug-in 10595 DNS AXFR
From: Travis Schack <Travis () Vitalisec com>
Date: 25 Feb 2004 14:36:37 -0000
In-Reply-To: <002401c3fab2$109db700$0301a8c0@strizbert>
Dear all,

In one of my scans, nessus reported a vulnerability allowing DNS zone transfers (see below). I have tried to verify this vulnerability manually with nslookup and other tools. Apparently a manual DNS zone transfer did not work! So I am just wondering if anybody knows what this plug-in is exactly doing. I am not yet familiar with the scripting language used. I would appreciate it if anybody could tell me how the plug-in could perform a zone transfer.
Hello,

I looked at the NASL script for this and it is performing a standard zone transfer. Here is the packet being built:

    ### Packet Header
    pass_da_zone = raw_string(
        0x68, 0xB3,   # ID
        0x00, 0x00,   # QR|OC|AA|TC|RD|RA|Z|RCODE
        0x00, 0x01,   # QDCOUNT
        0x00, 0x00,   # ANCOUNT
        0x00, 0x00,   # NSCOUNT
        0x00, 0x00);  # ARCOUNT

    ### AXFR request
    pass_da_zone = pass_da_zone + raw_string(
        0x00,         # NULL Terminator
        0x00, 0xFC,   # QTYPE=252=ZoneTransfer
        0x00, 0x01);  # QCLASS=1=Internet

I have a couple of questions for you.

1) Is DNS running on the scanned host?
2) What types of tools/techniques are you using to verify?

I would recommend trying several techniques and watching the results through tcpdump/ethereal.

1) nslookup technique
2) host technique
3) dig @server <domain name> axfr
4) axfr tool
5) Enable the DNS AXFR check only in Nessus and run again

This could be a false positive from Nessus. If you follow the above recommendations, you should be able to verify the output of the tools/techniques and confirm the finding.

Travis Schack
Vitalisec Inc.
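Added example, not part of the original message and not the plug-in's own code: a Python rebuild of the query described above that also classifies the server's first reply, so a scanner finding can be confirmed or ruled out by hand. The function names are hypothetical; the QNAME label encoding between header and QTYPE and the 2-byte TCP length prefix are taken from the standard DNS wire format, not from the quoted snippet.

```python
import socket
import struct

TXID = 0x68B3                      # same ID as in the quoted packet
QTYPE_AXFR, QCLASS_IN = 252, 1
RCODES = {1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}

def encode_qname(zone):
    """Encode 'example.com' as length-prefixed labels ending in the null root label."""
    out = b""
    for label in zone.strip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label in zone name: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_axfr_query(zone):
    """Header (flags 0, QDCOUNT 1) + QNAME + QTYPE 252 + QCLASS 1."""
    header = struct.pack("!6H", TXID, 0x0000, 1, 0, 0, 0)
    return header + encode_qname(zone) + struct.pack("!2H", QTYPE_AXFR, QCLASS_IN)

def classify_response(msg):
    """Decide from the first response message whether the transfer was served."""
    if len(msg) < 12:
        return "no transfer: connection closed or truncated reply"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    if rid != TXID or not flags & 0x8000:
        return "invalid: not a response to this query"
    rcode = flags & 0x000F
    if rcode:
        return "no transfer: rcode %s" % RCODES.get(rcode, rcode)
    return "allowed: %d answer records" % ancount if ancount else "no transfer: empty answer"

def recv_exact(sock, n):
    """Read up to n bytes, stopping early if the server closes the connection."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf

def check_axfr(server, zone, timeout=5.0):
    """Send the query over TCP/53 (2-byte length prefix) and classify the reply."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        length = recv_exact(sock, 2)
        msg = recv_exact(sock, struct.unpack("!H", length)[0]) if len(length) == 2 else b""
    return classify_response(msg)
```

Calling check_axfr("<server>", "<domain name>") against your own name server while tcpdump is running shows the same bytes on the wire as the scanner's check, which makes a scanner false positive easy to tell apart from a real open transfer.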