Home page logo
/

basics logo Security Basics mailing list archives

Re: Is The RPC a Protocol or a winXP-Service?
From: "Alexander Lukyanenko" <sashman () ua fm>
Date: Thu, 27 Nov 2003 02:05:11 +0200

Hello,
Sunday, November 23, 2003, 8:45:54 PM, you wrote:

MBM> www.Rabertgraham.com in its FireWall-FAQ  says these lines:

MBM> [""Various errors with 127.0.0.1 :
MBM> Some servers are misconfigured to map this address.
MBM> On the other hand, it is also a hacker technique
MBM> to cause names within the hacker domain to resolve
MBM> to addresses within a company (including localhost/127.0.0.1).""]

MBM> And my question is :
MBM> How do they (Crackers) do that ?

[the question is not related to RPC, so I answer it in another post]

That is fairly simple, as since the crackers can have their own
domain, they  also can have their own nameserver for that domain, and
they can do arbitrary things with that NS.

Lets presume we have a domain crackers.must.die, whose root nameserver
(the server to which all the name resolution requests for that domain
are sent) is ns.crackers.must.die. Lets also presume the attacks comes
from foo.crackers.must.die.
If an application being hacked uses domain names for logging, it would
most probably log foo.crackers.must.die. In order to resolve a
hostname to an IP address, the attacked party must contact the server,
in this example, ns.crackers.must.die... and that machine may be
configured to return 127.0.0.1 or any other (fake or otherwise) IP
address in response to the lookup request, so it will seem that an
attack came from the local (or any other) machine.
However, this does not impose a major threat as most systems use IP
addresses for identification and logging, or can be configured to do
so.

Regards
-- 
* * * * * * * * * * * * * * *
* Alexander V. Lukyanenko   *
* mailto: sashman () ua fm     *
* ICQ#  : 86195208          *
* Phone : +380 44 458 07 23 *
* GSM   : +380 50 9 522 533 *
* OpenPGP key ID: 75EC057C  *
* NIC   : SASH4-UANIC       *
* * * * * * * * * * * * * * *

Attachment: _bin
Description:


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault