Penetration Testing mailing list archives

Re: question regarding nessus plug-in 10595 DNS AXFR


From: Travis Schack <Travis () Vitalisec com>
Date: 25 Feb 2004 14:36:37 -0000

In-Reply-To: <002401c3fab2$109db700$0301a8c0@strizbert>

Dear all,

In one of my scans, Nessus reported a vulnerability allowing DNS zone transfers (see below). I have tried to verify this vulnerability manually with nslookup and other tools. Apparently a manual DNS zone transfer did not work! So I am just wondering if anybody knows what this plug-in is exactly doing. I am not yet familiar with the scripting language used. I would appreciate it if anybody could tell me how the plug-in could perform a zone transfer.


Hello

I looked at the NASL script for this and it is performing a standard zone transfer.  Here is the packet being built:

### Packet header (12 bytes, RFC 1035 section 4.1.1)
pass_da_zone = raw_string(
                          0x68, 0xB3,   # ID (transaction identifier, echoed by the server)
                          0x00, 0x00,   # QR|Opcode|AA|TC|RD|RA|Z|RCODE (all zero: standard query, RD not set)
                          0x00, 0x01,   # QDCOUNT = 1 question
                          0x00, 0x00,   # ANCOUNT
                          0x00, 0x00,   # NSCOUNT
                          0x00, 0x00);  # ARCOUNT

### AXFR question (the zone name's length-prefixed labels go in front of the terminator)
pass_da_zone = pass_da_zone + raw_string(0x00,         # NULL terminator ending QNAME
                                         0x00, 0xFC,   # QTYPE  = 252 = AXFR (zone transfer)
                                         0x00, 0x01);  # QCLASS = 1   = IN (Internet)

I have a couple of questions for you.

1) Is DNS running on the scanned host?
2) What types of tools/techniques are you using to verify?

I would recommend trying several techniques and watch the results through tcpdump/ethereal.

1) nslookup technique 
2) host technique
3) dig @server <domain name> axfr
4) axfr tool
5) Enable the DNS AXFR check only in Nessus and run again

This could be a false positive from Nessus.  If you follow the above recommendations, you should be able to verify the output of the tools/techniques and confirm the finding.

Travis Schack
Vitalisec Inc.
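To make the packet layout above concrete, here is an added example (not the Nessus plug-in's code and not part of this thread) that builds the same AXFR query in Python, frames it for TCP, and classifies a server's reply by RCODE and ANCOUNT. The function names and the two sample replies (a REFUSED answer and a first AXFR message carrying one SOA record) are constructed for illustration; only axfr_probe() touches the network.

```python
"""Hand-built DNS AXFR probe mirroring the header/question the NASL script assembles.

Added example, not the Nessus plug-in's own code. Function names and the
sample server replies below are constructed for illustration.
"""
import socket
import struct

QTYPE_AXFR = 252      # 0x00FC, as in the NASL raw_string
QCLASS_IN = 1         # 0x0001
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}


def encode_qname(zone: str) -> bytes:
    """'example.com' -> b'\\x07example\\x03com\\x00' (length-prefixed labels + NULL)."""
    out = b""
    for label in zone.rstrip(".").split("."):
        if not label or len(label) > 63:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_axfr_query(zone: str, txid: int = 0x68B3) -> bytes:
    """12-byte header (ID, flags=0, QDCOUNT=1) + QNAME + QTYPE=252 + QCLASS=1."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_qname(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)


def frame_tcp(msg: bytes) -> bytes:
    """AXFR runs over TCP, where every DNS message carries a 2-byte length prefix."""
    return struct.pack("!H", len(msg)) + msg


def parse_header(msg: bytes) -> dict:
    """Pull ID, the QR bit, RCODE and the four section counts out of a reply."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": (flags >> 15) & 1, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def classify(query_id: int, response: bytes) -> str:
    """What a single server reply says about zone-transfer exposure."""
    h = parse_header(response)
    if h["id"] != query_id or not h["qr"]:
        return "unrelated"
    if h["rcode"] != 0:
        return "denied:" + RCODE_NAMES.get(h["rcode"], str(h["rcode"]))
    if h["ancount"] > 0:
        return "allowed"      # server started streaming RRs: the transfer works
    return "empty"            # NOERROR with no records: ambiguous, check the capture


def axfr_probe(server: str, zone: str, timeout: float = 5.0) -> str:
    """Send the query to TCP/53 and classify the first reply (needs network access)."""
    q = build_axfr_query(zone)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(frame_tcp(q))
        ln = s.recv(2)
        if len(ln) < 2:
            return "no-reply"
        (n,) = struct.unpack("!H", ln)
        data = b""
        while len(data) < n:
            chunk = s.recv(n - len(data))
            if not chunk:
                break
            data += chunk
    return classify(0x68B3, data)


# Constructed sample replies (not captured from any real server).
_QUESTION = encode_qname("example.com") + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
REFUSED_REPLY = struct.pack("!HHHHHH", 0x68B3, 0x8005, 1, 0, 0, 0) + _QUESTION
_SOA_RDATA = (encode_qname("ns1.example.com") + encode_qname("hostmaster.example.com")
              + struct.pack("!IIIII", 2004022501, 3600, 900, 604800, 86400))
ALLOWED_REPLY = (struct.pack("!HHHHHH", 0x68B3, 0x8000, 1, 1, 0, 0) + _QUESTION
                 + b"\xC0\x0C" + struct.pack("!HHIH", 6, 1, 86400, len(_SOA_RDATA))
                 + _SOA_RDATA)

if __name__ == "__main__":
    print(build_axfr_query("example.com").hex())
    print(classify(0x68B3, REFUSED_REPLY), classify(0x68B3, ALLOWED_REPLY))
```

Run it next to a tcpdump/ethereal capture of the same host: the bytes printed by build_axfr_query() should match what the plug-in puts on the wire, and a reply that classifies as "denied:REFUSED" while Nessus still flags the host is the signature of the false positive Travis mentions.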

