Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Re : CAU-EX-2008-0002: Kaminsky DNS Cache Poisoning Flaw Exploit
From: H D Moore <fdlist () digitaloffense net>
Date: Fri, 25 Jul 2008 14:38:20 -0500

On Friday 25 July 2008, tixxDZ wrote:
I do not want to offend anyone (Metasploit people), this is a simple
joke: can you share with us all the logs of the vulnerable servers ?
;) , the exploit will use the Metasploit service to verify
exploitability. ex checking my Opendns:

The exploit needs a service to determine the source port used by the 
target name server. The 'check' command will do this and could probably 
use a better warning about information disclosure. The exploit itself 
will also query the Metasploit service if you set SRCPORT to 0. While 
this means we *could* capture a list of vulnerable nameservers which 
query this service, honestly we don't care and aren't logging it. There 
are much more effective ways to scan for exploitable cache servers :-)

The source code for the helper service is also a Metasploit module and can 
be found under modules/auxiliary/server/dns/spoofhelper.rb

If you want to use your own server for this, just change 
*.red.metasploit.com to be a domain handled by your own copy of the 
spoofhelper module. In the future, we will add an option to specify a the 
nameserver used for this check.

To clarify:

 - Nothing is sent to metasploit.com unless SRCPORT is manually set to '0' 
or the check command is run (non-standard for aux modules).

 - The only information we receive is the IP and source port of the tested 
nameserver. No information is sent about the user's system or their own 
IP address.

 - Even though this information could be logged and sorted and whatnot, we 
honestly don't care and just added it as a convenience feature. We dont 
keep records of the queries hitting the server and have no plans to start 
doing so.

 - If you don't like it, don't run 'check' and don't set SRCPORT to '0' 
for automatic mode. It won't hurt our feelings and you are free to modify 
the module to point at your own helper service.



PS. You can use the service outside of the module to check various 
servers. For example:

while true; do dig +short -t TXT `date +%s`.red.metasploit.com @; 
sleep 1; done
" 1217014609.red.metasploit.com"
" 1217014610.red.metasploit.com"
" 1217014611.red.metasploit.com"
" 1217014612.red.metasploit.com"
" 1217014613.red.metasploit.com"
" 1217014614.red.metasploit.com"
" 1217014615.red.metasploit.com"
" 1217014616.red.metasploit.com"

^- changing ports means the box is patched.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]