Home page logo

pen-test logo Penetration Testing mailing list archives

Re: question regarding nessus plug-in 10595 DNS AXFR
From: Travis Schack <Travis () Vitalisec com>
Date: 25 Feb 2004 14:36:37 -0000

In-Reply-To: <002401c3fab2$109db700$0301a8c0 () strizbert>

Dear all

In one of my scans, nessus reported a vulnerability allowing DNS zone
transfers (see below). 
I have tried to verify this vulnerability manually with nslookup and
other tools. Apparently 
a manual DNS zone transfer did not work! So I am just wondering if
anybody knows what this plug-in
is exactly doing. I am not yet familiar with the scripting language
I would appreciate if anybody could tell how the plug-in could perform a
zone transfer.


I looked at the NASL script for this and it is performing a standard zone transfer.  Here is the packet being built:

### Packet Header
pass_da_zone = raw_string(
                          0x68, 0xB3,   # ID
                          0x00, 0x00,   # QR|OC|AA|TC|RD|RA|Z|RCODE
                                                  0x00, 0x01,   # QDCOUNT
                                                  0x00, 0x00,   #ANCOUNT
                                                  0x00, 0x00,   #NSCOUNT
                                                  0x00, 0x00);  #ARCOUNT

### AXFR request
pass_da_zone = pass_da_zone + raw_string (0x00,         #NULL Terminator
                                          0x00, 0xFC,   # QTYPE=252=ZoneTransfer
                                          0x00, 0x01);  # QCLASS=1=Internet

I have a couple of questions for you.

1) Is DNS running on the scanned host?
2) What types of tools/techniques are you using to verify?

I would recommend trying several techniques and watch the results through tcpdump/ethereal.

1) nslookup technique 
2) host technique
3) dig @server <domain name> axfr
4) axfr tool
5) Enable the DNS AXFR check only in Nessus and run again

This could be a false postive from Nessus.  If you follow the above recommendations, you should be able to verify the 
output of the tools/techniques and confirm the finding.

Travis Schack
Vitalisec Inc.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]