Re: question regarding nessus plug-in 10595 DNS AXFR
- To: [EMAIL PROTECTED]
- Subject: Re: question regarding nessus plug-in 10595 DNS AXFR
- From: Travis Schack <[EMAIL PROTECTED]>
- Date: 25 Feb 2004 14:36:37 -0000
In-Reply-To: <[EMAIL PROTECTED]>
>Dear all
>
>In one of my scans, nessus reported a vulnerability allowing DNS zone
>transfers (see below).
>I have tried to verify this vulnerability manually with nslookup and
>other tools. Apparently
>a manual DNS zone transfer did not work! So I am just wondering if
>anybody knows what this plug-in
>is exactly doing. I am not yet familiar with the scripting language
>used.
>I would appreciate if anybody could tell how the plug-in could perform a
>zone transfer.
>
Hello
I looked at the NASL script for this and it is performing a standard zone transfer. Here is the packet being built:
### Packet Header
pass_da_zone = raw_string(
        0x68, 0xB3,   # ID
        0x00, 0x00,   # QR|Opcode|AA|TC|RD|RA|Z|RCODE (all zero: standard query)
        0x00, 0x01,   # QDCOUNT = 1
        0x00, 0x00,   # ANCOUNT
        0x00, 0x00,   # NSCOUNT
        0x00, 0x00);  # ARCOUNT
### AXFR request (the length-prefixed labels of the zone name precede this terminator)
pass_da_zone = pass_da_zone + raw_string(
        0x00,         # NULL terminator of QNAME
        0x00, 0xFC,   # QTYPE = 252 = AXFR (zone transfer)
        0x00, 0x01);  # QCLASS = 1 = IN (Internet)
I have a couple of questions for you.
1) Is DNS running on the scanned host?
2) What types of tools/techniques are you using to verify?
I would recommend trying several techniques and watch the results through tcpdump/ethereal.
1) nslookup technique
2) host technique
3) dig @server <domain name> axfr
4) axfr tool
5) Enable the DNS AXFR check only in Nessus and run again
This could be a false positive from Nessus. If you follow the above recommendations, you should be able to verify the output of the tools/techniques and confirm the finding.
Travis Schack
Vitalisec Inc.
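As an added example (not code from the original thread or from the Nessus plugin itself), the following Python builds the same wire-format AXFR query the NASL snippet above builds (ID 0x68B3, flags 0, QDCOUNT 1, QNAME, QTYPE 252, QCLASS 1), sends it over TCP with the two-byte length prefix zone transfers use, and classifies the reply as a transfer, a REFUSED, or something else. The zone name "example.com" and the two sample responses are constructed for this example so the classifier can be exercised offline; the send helper is what you would run against the scanned host while watching with tcpdump/ethereal.

```python
import socket
import struct

# Hypothetical zone used for the constructed samples below; not from the original post.
ZONE = "example.com"
TXID = 0x68B3  # same transaction ID the NASL snippet hard-codes


def encode_qname(name):
    """Encode a domain name as DNS wire labels: length byte + label, ending in a NULL."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_axfr_query(zone, txid=TXID):
    """Header (ID, flags=0, QDCOUNT=1, others 0) + question (QNAME, QTYPE=252 AXFR, QCLASS=1 IN)."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_qname(zone) + struct.pack(">HH", 252, 1)
    return header + question


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": txid, "qr": (flags >> 15) & 1, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name that starts at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def classify_axfr_response(msg, txid=TXID):
    """'transfer' if RCODE 0 with answers whose first record is SOA (type 6),
    'refused' on RCODE 5 (the usual answer from a server that restricts AXFR),
    otherwise 'other'."""
    h = parse_header(msg)
    if h["id"] != txid or h["qr"] != 1:
        return "other"
    if h["rcode"] == 5:
        return "refused"
    if h["rcode"] != 0 or h["ancount"] == 0:
        return "other"
    off = 12
    for _ in range(h["qdcount"]):
        off = skip_name(msg, off) + 4  # skip QNAME, QTYPE, QCLASS
    off = skip_name(msg, off)          # owner name of the first answer RR
    rtype = struct.unpack(">H", msg[off:off + 2])[0]
    return "transfer" if rtype == 6 else "other"


def send_axfr_tcp(server, zone, timeout=10):
    """Send the query over TCP (zone transfers use TCP) and return the first reply message."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack(">H", len(query)) + query)
        (length,) = struct.unpack(">H", s.recv(2))
        data = b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                break
            data += chunk
    return data


# --- constructed sample responses (not captured traffic) ---
_QUESTION = encode_qname(ZONE) + struct.pack(">HH", 252, 1)
# REFUSED: QR=1, RCODE=5, question echoed, no answers.
SAMPLE_REFUSED = struct.pack(">HHHHHH", TXID, 0x8005, 1, 0, 0, 0) + _QUESTION
# Successful transfer: SOA, one A record, closing SOA (owner names are pointers to offset 12).
_soa_rdata = (encode_qname("ns1.example.com") + encode_qname("hostmaster.example.com")
              + struct.pack(">IIIII", 2004022501, 3600, 900, 604800, 86400))
_soa_rr = b"\xc0\x0c" + struct.pack(">HHIH", 6, 1, 3600, len(_soa_rdata)) + _soa_rdata
_a_rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1])
SAMPLE_TRANSFER = (struct.pack(">HHHHHH", TXID, 0x8000, 1, 3, 0, 0)
                   + _QUESTION + _soa_rr + _a_rr + _soa_rr)

if __name__ == "__main__":
    print(build_axfr_query(ZONE).hex())
    print(classify_axfr_response(SAMPLE_REFUSED), classify_axfr_response(SAMPLE_TRANSFER))
```

A point worth checking when a manual attempt disagrees with the scanner: nslookup and host may try UDP first, while the raw query here goes straight over TCP as the RFC 1035 zone-transfer mechanism expects, so comparing the two on the wire shows whether the difference is the transport or the server's access control.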