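/*
 * below is an old windows code from me, which tries to detect the versions
 * of bind, even if the banner is faked it gets the info, if it is bind 8 or 9.
 * note that this only works for bind servers. other servers i know, don't
 * give you a banner, such like ms dns or djbdns.
 *
 * cheers,
 * johnny cyberpunk/thc
 */

// compile with Visual C++ : cl dnsinfo.c /link ws2_32.lib

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <winsock2.h>

#define TIMEOUT 5
#define STATUS_FAILED 0xFFFF

enum {
    QUERY_LEN        = 30,  /* 12-byte header + 14-byte QNAME + QTYPE + QCLASS */
    REPLY_BUF_LEN    = 512, /* classic (non-EDNS) DNS-over-UDP message limit */
    BIND9_TXT_OFFSET = 43,  /* answer at 30: 2-byte name pointer + 10 fixed bytes + length byte */
    BIND8_TXT_OFFSET = 55   /* answer at 30: 14-byte full name + 10 fixed bytes + length byte */
};

void usage(void);

/*
 * Print the TXT character-string whose text starts at `offset` in `reply`.
 *
 * The byte at offset-1 is the string's length prefix. The printed length is
 * clamped to the `received` bytes actually read, so a short or malformed
 * reply can never cause a read past the datagram. The reply comes from the
 * queried server and is untrusted: bytes outside printable ASCII are shown
 * as '.' so the reply cannot inject terminal control sequences.
 */
static void print_version(const unsigned char *reply, int received, int offset)
{
    int len;
    int i;

    if (offset > received) {
        /* the length byte itself is missing from the reply */
        printf("DNS Version : unknown\n");
        return;
    }

    len = reply[offset - 1];
    if (len > received - offset)
        len = received - offset;

    printf("DNS Version : ");
    for (i = 0; i < len; i++) {
        unsigned char c = reply[offset + i];
        putchar((c >= 0x20 && c < 0x7f) ? c : '.');
    }
    putchar('\n');
}

/*
 * Send one "version.bind" TXT/CHAOS query over UDP to the host named in
 * argv[1] and print the version string from the answer.
 *
 * The BIND 8 / BIND 9 guess is the author's heuristic: a reply whose answer
 * record starts with a name-compression pointer (0xC0) at offset 30 is
 * reported as BIND 9, anything else as BIND 8.
 *
 * Exit status: 0 when a reply was received and examined, STATUS_FAILED when
 * Winsock start-up or name resolution fails, -1 on any other error.
 */
int main(int argc, char **argv)
{
    struct sockaddr_in myudp;
    struct hostent *hp;
    SOCKET udpsock;
    unsigned short port = 53;
    unsigned long addr;
    fd_set r;
    struct timeval mytimeout;
    /* ID 0x0006, RD set, QDCOUNT 1, QNAME "version.bind", QTYPE TXT (0x0010), QCLASS CHAOS (0x0003) */
    static const char data[QUERY_LEN] =
        {0x00,0x06,0x01,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x07,0x76,0x65,
         0x72,0x73,0x69,0x6f,0x6e,0x04,0x62,0x69,0x6e,0x64,0x00,0x00,0x10,0x00,0x03};
    unsigned char dataout[REPLY_BUF_LEN];
    int ready;
    int received;
    int startup;
    int rc = -1;
    WSADATA wsaData;

    printf("\n----------------------------------------\n");
    printf("DNS Version Query for BIND 8+9 Servers\n");
    printf("coding jcyberpunkat_private\n");
    printf("----------------------------------------\n\n");

    if (argc != 2) {
        usage();
        exit(-1);
    }

    /* WSAStartup reports its error through the return value, not GetLastError(). */
    startup = WSAStartup(MAKEWORD(2,1), &wsaData);
    if (startup != 0) {
        fprintf(stderr, "WSAStartup failed: %d\n", startup);
        return STATUS_FAILED;
    }

    memset(&myudp, 0, sizeof(myudp));
    memset(dataout, 0, sizeof(dataout));

    hp = gethostbyname(argv[1]);
    if (hp != NULL) {
        /* Only copy an address that really is IPv4-sized; h_length is not trusted blindly. */
        if (hp->h_addrtype != AF_INET || hp->h_length != (int)sizeof(myudp.sin_addr)) {
            fprintf(stderr, "Unable to resolve %s\n", argv[1]);
            rc = STATUS_FAILED;
            goto out_wsa;
        }
        memcpy(&myudp.sin_addr, hp->h_addr, sizeof(myudp.sin_addr));
    } else {
        addr = inet_addr(argv[1]);
        if (addr == INADDR_NONE) {
            fprintf(stderr, "Unable to resolve %s\n", argv[1]);
            rc = STATUS_FAILED;
            goto out_wsa;
        }
        myudp.sin_addr.s_addr = addr;
    }
    myudp.sin_family = AF_INET;
    myudp.sin_port = htons(port);

    printf("Query for : %s in progress...pleaze wait!\n\n", inet_ntoa(myudp.sin_addr));

    udpsock = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP);
    if (udpsock == INVALID_SOCKET) {
        printf("error binding socket!\n");
        goto out_wsa;
    }

    if (connect(udpsock, (struct sockaddr *)&myudp, sizeof(struct sockaddr_in)) != 0) {
        printf("connect () error : %d\n", WSAGetLastError());
        goto out_close;
    }

    if (send(udpsock, data, (int)sizeof(data), 0) == SOCKET_ERROR) {
        printf("send error : %d\n", WSAGetLastError());
        goto out_close;
    }

    FD_ZERO(&r);
    FD_SET(udpsock, &r);
    mytimeout.tv_sec = TIMEOUT;
    mytimeout.tv_usec = 0;

    ready = select((int)(udpsock + 1), &r, NULL, NULL, &mytimeout);
    if (ready == SOCKET_ERROR) {
        printf("select error : %d\n", WSAGetLastError());
        goto out_close;
    }
    if (ready == 0) {
        /* Timed out: calling recv() now would block with no time limit. */
        printf("sorry, no answer within %d seconds :(\n", TIMEOUT);
        goto out_close;
    }

    received = recv(udpsock, (char *)dataout, (int)sizeof(dataout), 0);
    if (received == SOCKET_ERROR) {
        printf("sorry, no nameserver running :(\n");
        goto out_close;
    }

    /*
     * Trust the fixed offsets only if the datagram is long enough to hold
     * the byte at offset 30, echoes our query ID, has the QR (response) bit
     * set, and carries no error code (low 7 bits of header byte 3 are zero).
     */
    if (received > QUERY_LEN
        && dataout[0] == (unsigned char)data[0]
        && dataout[1] == (unsigned char)data[1]
        && (dataout[2] & 0x80) != 0
        && (dataout[3] & 127) == 0) {
        if (dataout[QUERY_LEN] == 192) {
            printf("ahh...that must be a bind 9...trying to get more details...\n\n");
            print_version(dataout, received, BIND9_TXT_OFFSET);
        } else {
            printf("ahh...that must be a bind 8...trying to get more details...\n\n");
            print_version(dataout, received, BIND8_TXT_OFFSET);
        }
    } else {
        printf("DNS Version : unknown\n");
    }

    shutdown(udpsock, SD_SEND);
    rc = 0;

out_close:
    closesocket(udpsock);
out_wsa:
    WSACleanup();
    return rc;
}

/* Print the one-line usage hint and terminate with exit status -1. */
void usage(void)
{
    printf("Gimme <Hostname|IP-Address>\n");
    exit(-1);
}

/*
 * ----- Original Message -----
 * From: "Rodrigo Ramos" <rodrigo.ramosat_private>
 * To: <pen-testat_private>
 * Sent: Friday, July 11, 2003 3:22 PM
 * Subject: Detecting DNS Servers
 *
 * > Hi,
 * >
 * > I need a help from the community.
 * > At this moment I am reading papers from NIST and ISECOM (osstmm2.0).
 * > I need to know the very best way to discover the versions of DNS
 * > servers.
 * > I need to write a paper about it.I all ready wrote something, but I need
 * > to hear from everybody.
 * >
 * > Best Regards,
 * > Rodrigo Ramos
 * > http://www.spytket.com.br
 */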