Subject: Weakness in Windows NT reverse-DNS lookups
From: David F. Skoll (dfsROARINGPENGUIN.COM)
Date: Mon Dec 11 2000 - 08:09:29 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

After seeing a lot of NetBIOS node-status probes in my firewall logs,
I discovered that many NT servers apparently do a reverse DNS lookup
by sending a NetBIOS node-status query. This is documented at:

        http://support.microsoft.com/support/kb/articles/Q154/5/53.ASP

It seems to me that it's much easier to spoof an answer to a NetBIOS
node-status request than to tamper with the actual DNS system. The Web
page says this is only used for WINS lookups, but I see a lot of these
probes coming from machines across the Internet.

Essentially, NT believes *the system it is querying* rather than a DNS
server. It is (presumably) easier to take control of a system you own
rather than a DNS server over which you do not have administrative control.

The people who helped me discover this wish to remain anonymous, but
thanks, guys -- you know who you are.

- --
David F. Skoll
Roaring Penguin Software Inc. | http://www.roaringpenguin.com
GPG fingerprint: 50B4 FA66 CE95 E456 CD8F 96C9 E64D 185C 6646 68E0
GPG public key: http://www.roaringpenguin.com/dskoll-key.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: pgpenvelope 2.9.0 - http://pgpenvelope.sourceforge.net/

iD8DBQE6NOAe5k0YXGZGaOARAnSZAKDp96KbjS9axmra2Lc41V8nwNUx/QCfSNRl
uMyNyvGX9RmklndFpDYh0So=
=+VSz
-----END PGP SIGNATURE-----