Bugtraq mailing list archives

fingerprinting BIND 9.1.0
From: Max Vision <vision () WHITEHATS COM>
Date: Mon, 29 Jan 2001 15:50:31 -0800


The BIND 9.1.0beta releases and now BIND 9.1.0 include another hard coded
chaos record called "authors".  So now even if an admin changes or
suppresses their version reply string, a remote user can still determine
whether the server is running BIND 9.x.  With the recent discovery of the
tsig bug in BIND there will probably be a huge rise in version
queries.  Some attackers may remove ambiguity by skipping servers that
reply to authors.bind (inferring that it's bind 9.1.0 and not vulnerable).

% dig @ns.example.com authors.bind chaos txt


% nslookup -q=txt -class=CHAOS authors.bind. ns.example.com
Server:  ns.example.com

authors.bind    text = "Bob Halley"
authors.bind    text = "Mark Andrews"
authors.bind    text = "James Brister"
authors.bind    text = "Michael Graff"
authors.bind    text = "David Lawrence"
authors.bind    text = "Michael Sawyer"
authors.bind    text = "Brian Wellington"
authors.bind    text = "Andreas Gustafsson"

The following Snort signature will detect these probes:
alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS480/named-probe-authors";
content: "|07|authors|04|bind"; depth: 32; offset: 12; nocase;)

