-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wed, 16 Jul 2008 22:41:48 +0000 or thereabouts Brandon Enright
<
bmenrigh@...> wrote:
> Fellow developers;
>
> As everyone knows at this point, Dan Kaminsky found a serious flaw in
> DNS and a bunch of vendors have patched their implementation to try to
> work around the problem.
>
> Duane Wessels of OARC setup a great service at porttest.dns-oarc.net
> to help you audit your DNS servers. This is a NSE script (attached)
> to help automate that checking.
>
Hi folks,
After a heck of a lot of testing and debugging I have improved this
script. The script now better understands how to parse DNS and handles
edge-cases better. I also added output for various errors if you turn
on debugging or verbose (level 2 to see everything).
I'd say this script is "well tested" now and should up to the task of
auditing your organization.
The only trouble I've had with this version of the script is that if
you turn Nmap's parallelism up too much with --min-parallelism NSE
becomes sad and starts to reduce accuracy.
I haven't heard back from Duane yet though so the sharing restrictions
listed in my previous email and in the script still stand for now.
Brandon
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
iEYEARECAAYFAkiNSc0ACgkQqaGPzAsl94JwWQCdFefx293g0tdyYc70Qvi6qKp8
TMEAnizqcBfMZv/GyhdUZSL5CSuKM/uv
=PHKI
-----END PGP SIGNATURE-----
id = "Unspecified DNS vulnerabilities (CVE-2008-1447, CVE-2008-1454)"
description = "Queries porttest.dns-oarc.net to check for DNS recursion vulnerability"
license = "Not to be distributed beyond nmap-dev or included in Nmap without consent of Duane Wessels and OARC"
author = "Brandon Enright <
bmenrigh@...>"
-- This script uses Duane Wessels's porttest.dns-oarc.net service
-- which should not be abused. I do not have permission from Duane
-- to distribute this script although porttest.dns-oarc.net is something
-- of a public service. Do not abuse or distribute this script without
-- first checking with Duane/OARC to see if it is okay.
-- If Duane and OARC are okay with distribution/inclusion with Nmap I am too.
categories = {"intrusive"}
require "bit"
require "comm"
require "shortport"
portrule = shortport.portnumber(53, "udp")
action = function(host, port)
-- TXID: 0xbeef
-- Flags: 0x0100
-- Questions: 1
-- Answer RRs: 0
-- Authority RRs: 0
-- Additional RRs: 0
-- Query:
-- Name: porttest, dns-oarc, net
-- Type: TXT (0x0010)
-- Class: IN (0x0001)
local query = string.char( 0xbe, 0xef, -- TXID
0x01, 0x00, -- Flags
0x00, 0x01, -- Questions
0x00, 0x00, -- Answer RRs
0x00, 0x00, -- Authority RRs
0x00, 0x00, -- Additional RRs
0x08) .. "porttest" ..
string.char( 0x08) .. "dns-oarc" ..
string.char( 0x03) .. "net" ..
string.char( 0x00, -- Name terminator
0x00, 0x10, -- Type (TXT)
0x00, 0x01) -- Class (IN)
-- This doesn't work without the bytes= setting...
local status, result = comm.exchange(host, port, query, {proto="udp",
bytes=1,
timeout=20000})
-- Fail gracefully
if not status then
if (nmap.verbosity() >= 2 or nmap.debugging() >= 1) then
return "ERROR: TIMEOUT"
else
return
end
end
-- Update the port
nmap.set_port_state(host, port, "open")
-- Now we need to "parse" the results to check to see if they are good
-- We need a minimum of 5 bytes...
if (string.len(result) < 5) then
if (nmap.verbosity() >= 2 or nmap.debugging() >= 1) then
return "ERROR: Malformed response"
else
return
end
end
-- Check TXID
if (string.byte(result, 1) ~= 0xbe
or string.byte(result, 2) ~= 0xef) then
if (nmap.verbosity() >= 2 or nmap.debugging() >= 1) then
return "ERROR: Invalid Transaction ID"
else
return
end
end
-- Check response flag and recursion
if not (bit.band(string.byte(result, 3), 0x80) == 0x80
and bit.band(string.byte(result, 4), 0x80) == 0x80) then
if (nmap.verbosity() >= 1 or nmap.debugging() >= 1) then
return "ERROR: Server refused recursion"
else
return
end
end
-- Check error flag
if (bit.band(string.byte(result, 4), 0x0F) ~= 0x00) then
if (nmap.verbosity() >= 1 or nmap.debugging() >= 1) then
return "ERROR: Server failure"
else
return
end
end
-- Check for two Answer RRs and 1 Authority RR
if (string.byte(result, 5) ~= 0x00
or string.byte(result, 6) ~= 0x01
or string.byte(result, 7) ~= 0x00
or string.byte(result, 8) ~= 0x02) then
if (nmap.verbosity() >= 2 or nmap.debugging() >= 1) then
return "ERROR: Response did not include expected answers"
else
return
end
end
-- We need a minimum of 122 bytes...
if (string.len(result) < 122) then
if (nmap.verbosity() >= 2 or nmap.debugging() >= 1) then
return "ERROR: Truncated response"
else
return
end
end
-- Check for two Answer RRs and 1 Authority RR
-- Here is the really fragile part. If the DNS response changes
-- in any way, this won't work and will fail silently.
-- Jump to second answer and check to see that it is TXT, IN
-- then grab the length and display that text...
-- Check for TXT
if (string.byte(result, 111) ~= 0x00
or string.byte(result, 112) ~= 0x10)
then
if (nmap.verbosity() >= 2 or nmap.debugging() >= 1) then
return "ERROR: Answer record not of type TXT"
else
return
end
end
-- Check for IN
if (string.byte(result, 113) ~= 0x00
or string.byte(result, 114) ~= 0x01) then
if (nmap.verbosity() >= 2 or nmap.debugging() >= 1) then
return "ERROR: Answer record not of type IN"
else
return
end
end
-- Get TXT length
local txtlen = string.byte(result, 121)
-- We now need a minimum of 121 + txtlen bytes + 1...
if (string.len(result) < 121 + txtlen) then
if (nmap.verbosity() >= 2 or nmap.debugging() >= 1) then
return "ERROR: Truncated response"
else
return
end
end
-- GET TXT record
local txtrd = string.sub(result, 122, 121 + txtlen)
return txtrd
end
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-devArchived at
http://SecLists.Org
dns-safe-recursion.nse (4K) 