From: Travis Schack (Travis@Vitalisec.com)
Date: Wed Feb 25 2004 - 09:36:37 EST
>Dear all
>
>In one of my scans, nessus reported a vulnerability allowing DNS zone
>transfers (see below).
>I have tried to verify this vulnerability manually with nslookup and
>other tools. Apparently
>a manual DNS zone transfer did not work! So I am just wondering if
>anybody knows what this plug-in
>is exactly doing. I am not yet familiar with the scripting language
>used.
>I would appreciate if anybody could tell how the plug-in could perform a
>zone transfer.
>
Hello
I looked at the NASL script for this and it is performing a standard zone transfer. Here is the packet being built:
### Packet Header (12 bytes, RFC 1035 section 4.1.1)
pass_da_zone = raw_string(
0x68, 0xB3, # ID (transaction identifier)
0x00, 0x00, # QR|Opcode|AA|TC|RD|RA|Z|RCODE (all zero = standard query)
0x00, 0x01, # QDCOUNT = 1 question
0x00, 0x00, # ANCOUNT
0x00, 0x00, # NSCOUNT
0x00, 0x00); # ARCOUNT
### AXFR request (the zone name, encoded as length-prefixed labels, precedes this terminator)
pass_da_zone = pass_da_zone + raw_string (0x00, # NULL Terminator (root label ends the QNAME)
0x00, 0xFC, # QTYPE=252=ZoneTransfer (AXFR)
0x00, 0x01); # QCLASS=1=Internet
I have a couple of questions for you.
1) Is DNS running on the scanned host?
2) What types of tools/techniques are you using to verify?
I would recommend trying several techniques and watching the results through tcpdump/ethereal.
1) nslookup technique
2) host technique
3) dig @server <domain name> axfr
4) axfr tool
5) Enable the DNS AXFR check only in Nessus and run again
This could be a false positive from Nessus. If you follow the above recommendations, you should be able to verify the output of the tools/techniques and confirm the finding.
Travis Schack
Vitalisec Inc.
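The following is an added example, not part of the original thread or the NASL script. It builds the same AXFR question in DNS wire format that the quoted snippet builds (same transaction ID 0x68B3, QDCOUNT=1, QTYPE=252, QCLASS=1, with the zone name inserted as labels before the null terminator), and it also parses a DNS message's question section so that payloads pulled out of a tcpdump/ethereal capture can be checked for zone-transfer requests. The zone name "example.com" and the sample messages are constructed for illustration.

```python
import struct

# Values used by the NASL snippet above (RFC 1035).
QTYPE_AXFR = 252   # 0x00FC: full zone transfer
QCLASS_IN = 1      # 0x0001: Internet class


def encode_qname(zone: str) -> bytes:
    """Encode a domain name as DNS labels: <len><label>... terminated by the 0x00 root label."""
    out = bytearray()
    for label in zone.rstrip(".").split("."):
        if not label:           # handles "." (root) and stray empty labels
            continue
        if len(label) > 63:
            raise ValueError("label too long: %r" % label)
        out.append(len(label))
        out.extend(label.encode("ascii"))
    out.append(0)               # the NULL terminator from the NASL snippet
    return bytes(out)


def build_axfr_query(zone: str, txid: int = 0x68B3) -> bytes:
    """Build an AXFR question: 12-byte header + QNAME + QTYPE=252 + QCLASS=1.

    This is the DNS message body only; when sent over TCP (as AXFR must be)
    it is preceded by a 2-byte big-endian length, per RFC 1035 section 4.2.2.
    """
    # ID, flags (QR=0 standard query, no RD), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_qname(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    return header + question


def parse_question(msg: bytes):
    """Parse the header and first question of a DNS message.

    Returns (txid, flags, qname, qtype, qclass); raises ValueError on malformed input.
    """
    if len(msg) < 12:
        raise ValueError("truncated header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    pos = 12
    labels = []
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        n = msg[pos]
        pos += 1
        if n == 0:              # root label: end of QNAME
            break
        if n & 0xC0:            # compression pointers do not appear in a question name
            raise ValueError("unexpected compression pointer in question")
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return txid, flags, ".".join(labels) + ".", qtype, qclass


def is_axfr_request(msg: bytes) -> bool:
    """True if msg is a query (QR bit clear) whose first question asks for QTYPE 252 (AXFR)."""
    try:
        _txid, flags, _qname, qtype, _qclass = parse_question(msg)
    except ValueError:
        return False
    return (flags & 0x8000) == 0 and qtype == QTYPE_AXFR


if __name__ == "__main__":
    # Constructed sample: the query the scanner would send for example.com.
    q = build_axfr_query("example.com")
    print(q.hex())
    print(parse_question(q), is_axfr_request(q))
```

When reviewing a capture, extract each DNS payload (strip the 2-byte length prefix for TCP) and pass it to is_axfr_request; a TYPE 252 question from an address that is not a secondary name server is the event worth alerting on, and the server's reply (a refusal versus a stream of SOA-delimited records) is what confirms or rules out the Nessus finding.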
---------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:49 EDT