Re: question regarding nessus plug-in 10595 DNS AXFR

["Pedro Andujar" <crg () digitalsec net>]

dig @nameserver domain.com AXFR

Visual Example

[crg@core]$ host -t ns l33tsecurity.com
l33tsecurity.com name server ns2.nichtsecurity.com.
l33tsecurity.com name server ns1.nichtsecurity.com.
[crg@core]$ dig @ns2.nichtsecurity.com l33tsecurity.com AXFR

; <<>> DiG 9.2.2-P3 <<>> @ns2.nichtsecurity.com l33tsecurity.com AXFR
;; global options:  printcmd
l33tsecurity.com. 3600  IN SOA  ns1.nichtsecurity.com.
unter.nichtsecurity.com. 2004020900 10800 3600 604800 3600
www.l33tsecurity.com. 3600 IN A 198.247.231.211
l33tsecurity.com. 3600  IN A 198.247.231.211
l33tsecurity.com. 3600  IN MX 10 l33tsec.no-ip.org.
l33tsecurity.com. 3600  IN MX 100 smtp-relay.swbell.net.
team.l33tsecurity.com.  3600 IN AAAA  3ffe:bc0:35b:1::3
xor.l33tsecurity.com. 3600 IN AAAA  3ffe:bc0:35b:1::2
unpack.l33tsecurity.com. 3600 IN  A 198.247.231.211
l33tsecurity.com. 3600  IN NS NS1.NICHTSECURITY.COM.
l33tsecurity.com. 3600  IN NS NS2.NICHTSECURITY.COM.
codes.l33tsecurity.com. 3600 IN A 66.163.242.186
l33tsecurity.com. 3600  IN SOA  ns1.nichtsecurity.com.
unter.nichtsecurity.com. 2004020900 10800 3600 604800 3600
;; Query time: 644 msec
;; SERVER: 198.247.231.232#53(ns2.nichtsecurity.com)
;; WHEN: Wed Feb 25 00:58:31 2004
;; XFR size: 13 records

Regards

Pedro Andújar (Crg)
!dSR - Digital Security Research
http://www.digitalsec.net

 "!dSR... when security is not your beretta"

----- Original Message ----- 
From: "cissper" <cissper () yahoo com au>
To: <pen-test () securityfocus com>
Sent: Tuesday, February 24, 2004 9:41 AM
Subject: question regarding nessus plug-in 10595 DNS AXFR


> Dear all
>
> In one of my scans, nessus reported a vulnerability allowing DNS zone
> transfers (see below).
> I have tried to verify this vulnerability manually with nslookup and
> other tools. Apparently
> a manual DNS zone transfer did not work! So I am just wondering if
> anybody knows what this plug-in
> is exactly doing. I am not yet familiar with the scripting language
> used.
> I would appreciate if anybody could tell how the plug-in could perform a
> zone transfer.
>
> Thank you guys!!
>
> --------------------------------------------
> nessus message:
> The remote name server allows DNS zone transfers to be performed.
> A zone transfer will allow the remote attacker to instantly populate
> a list of potential targets. In addition, companies often use a naming
> convention which can give hints as to a servers primary application
> (for instance, proxy.company.com, payroll.company.com, b2b.company.com,
> etc.).
>
> As such, this information is of great use to an attacker who may use it
> to gain information about the topology of your network and spot new
> targets.
>
> Solution: Restrict DNS zone transfers to only the servers that
> absolutely
> need it.
>
> Risk factor : Medium
> ID: 10595
> --------------------------------------------
>
>
>
>
>
> --------------------------------------------------------------------------
-
> Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection
>
> Protect your network with the comprehensive security solution that
> integrates six applications for ease of use and lower TCO.
>
> Firewall - Virus protection - Spam protection - URL blocking - VPN
> - Wireless security.
>
> Download 30-day evaluation at:
> http://www.securityfocus.com/sponsor/Astaro_pen-test_040219
> --------------------------------------------------------------------------
--
>


---------------------------------------------------------------------------
----------------------------------------------------------------------------