martes, 30 de mayo de 2006

Utilidades de proxy para tcp/udp.

Leido en pen-test:

martes, 16 de mayo de 2006

Bind 8 - Bind 9

Otra cosa interesante que me he encontrado hoy es fingerprint en bind9:

The BIND 9.1.0beta releases and now BIND 9.1.0 include another hard coded
chaos record called "authors". So now even if an admin changes or
suppresses their version reply string, a remote user can still determine
whether the server is running BIND 9.x. With the recent discovery of the
tsig bug in BIND there will probably be a huge rise in version
queries. Some attackers may remove ambiguity by skipping servers that
reply to authors.bind (inferring that it's bind 9.1.0 and not vulnerable).

% dig authors.bind chaos txt


% nslookup -q=txt -class=CHAOS authors.bind.

authors.bind text = "Bob Halley"
authors.bind text = "Mark Andrews"
authors.bind text = "James Brister"
authors.bind text = "Michael Graff"
authors.bind text = "David Lawrence"
authors.bind text = "Michael Sawyer"
authors.bind text = "Brian Wellington"
authors.bind text = "Andreas Gustafsson"

The following Snort signature will detect these probes:
alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS480/named-probe-authors";
content: "|07|authors|04|bind"; depth: 32; offset: 12; nocase;)