Re: Detecting DNS Servers

From: johnny cyberpunk (johncybpkat_private)
Date: Fri Jul 11 2003 - 10:25:34 PDT

Next message: Michael Thumann: "Re: Detecting DNS Servers"

Previous message: Michael Thumann: "Re: Detecting DNS Servers"
In reply to: Rodrigo Ramos: "Detecting DNS Servers"
Next in thread: Michael Thumann: "Re: Detecting DNS Servers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

below is an old windows code from me, which tries to detect the versions of
bind,
even if the banner is faked it get's the info, if it is bind 8 or 9.
note that this only works for bind servers. other servers i know, don't give
you a banner,
such like ms dns or djbdns.

cheers,
johnny cyberpunk/thc

// compile with Visual C++ : cl dnsinfo.c /link ws2_32.lib
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <winsock2.h>

#define TIMEOUT 5
#define errno WSAGetLastError()

#define STATUS_FAILED 0xFFFF

void usage();

main(int argc,char **argv)
{
  struct sockaddr_in myudp;
  struct hostent * hp;
  SOCKET udpsock;
  unsigned short port=53;
  unsigned int addr=0;
  fd_set r;
  struct timeval mytimeout;

  char data[30]=
{0x00,0x06,0x01,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x07,0x76,0x65,
0x72,0x73,0x69,0x6f,0x6e,0x04,0x62,0x69,0x6e,0x64,0x00,0x00,0x10,0x00,0x03};
  unsigned char *dataout;
  unsigned int error, open;

  WSADATA wsaData;

  printf("\n----------------------------------------\n");
  printf("DNS Version Query for BIND 8+9 Servers\n");
  printf("coding jcyberpunkat_private\n");
  printf("----------------------------------------\n\n");

  if(argc != 2)
  {
   usage();
   exit(-1);
  }

  if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)
  {
   fprintf(stderr,"WSAStartup failed: %d\n",GetLastError());
   ExitProcess(STATUS_FAILED);
  }

  memset(&myudp,0,sizeof(myudp));

  hp = gethostbyname(argv[1]);

  if (!hp){
   addr = inet_addr(argv[1]);
  }
  if ((!hp)  && (addr == INADDR_NONE) )
  {
   fprintf(stderr,"Unable to resolve %s\n",argv[1]);
   ExitProcess(STATUS_FAILED);
  }

  if (hp != NULL)
   memcpy(&(myudp.sin_addr),hp->h_addr,hp->h_length);
  else
   myudp.sin_addr.s_addr = addr;

  if (hp)
   myudp.sin_family = hp->h_addrtype;
  else
   myudp.sin_family = AF_INET;

  printf("Query for : %s in progress...pleaze
wait!\n\n",inet_ntoa(myudp.sin_addr));

  dataout=(char*)malloc(100);
  memset(dataout,0,sizeof(*dataout));


  mytimeout.tv_sec = TIMEOUT;
  mytimeout.tv_usec = 0;

   myudp.sin_port = htons(port);

   if ((udpsock = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1)
   {
     printf("error binding socket!\n");
  exit(0);
   }

   if (connect (udpsock, (struct sockaddr *) &myudp, sizeof (
         struct sockaddr_in)) == 0)
   {

      FD_ZERO (&r);
      FD_SET (udpsock, &r);
   mytimeout.tv_sec = TIMEOUT;
   mytimeout.tv_usec = 0;

      send (udpsock, data, sizeof data, 0);
   error = select ((udpsock + 1), &r, NULL, NULL, &mytimeout);

     if (error==-1)
     {
        printf("select error : %d\n",errno);
        exit(-1);
     }

      open = recv(udpsock, dataout, 100, 0);
      if (open==-1)
   {
     printf("sorry, no nameserver running :(\n");
  exit(-1);
   }

   dataout[open]=0;
      if ((dataout[3]&127)==0)
   {
   if(dataout[30]==192)
   {
    printf ("ahh...that must be a bind 9...trying to get more
details...\n\n");
    printf ("DNS Version : %s\n",dataout+43);
   }
   else
   {
    printf ("ahh...that must be a bind 8...trying to get more
details...\n\n");
          printf("DNS Version : %s\n",dataout+55);
   }
   }
      else
         printf("DNS Version : unknown\n");

    shutdown(udpsock,1);
    closesocket(udpsock);
   }

   else
    printf("connect () error : %d\n",errno);

   free(dataout);

  exit(0);
}

void usage()
{
 printf("Gimme <Hostname|IP-Address>\n");
 exit(-1);
}


----- Original Message ----- 
From: "Rodrigo Ramos" <rodrigo.ramosat_private>
To: <pen-testat_private>
Sent: Friday, July 11, 2003 3:22 PM
Subject: Detecting DNS Servers


> Hi,
>
>
> I need a help from the community.
> At this moment I am reading papers from NIST and ISECOM (osstmm2.0).
> I need to know the very best way to discover the versions of DNS
> servers.
> I need to write a paper about it.I all ready wrote something, but I need
> to hear from everybody.
>
>
>
> Best Regards,
> Rodrigo Ramos
> http://www.spytket.com.br
>
>
>
> --------------------------------------------------------------------------
-
> The Lightning Console aggregates IDS events, correlates them with
> vulnerability info, reduces false positives with the click of a button,
anddistributes this information to hundreds of users.
>
> Visit Tenable Network Security at http://www.tenablesecurity.com to learn
> more.
> --------------------------------------------------------------------------
--
>


---------------------------------------------------------------------------
The Lightning Console aggregates IDS events, correlates them with 
vulnerability info, reduces false positives with the click of a button, anddistributes this information to hundreds of users.

Visit Tenable Network Security at http://www.tenablesecurity.com to learn 
more.
----------------------------------------------------------------------------

Next message: Michael Thumann: "Re: Detecting DNS Servers"
Previous message: Michael Thumann: "Re: Detecting DNS Servers"
In reply to: Rodrigo Ramos: "Detecting DNS Servers"
Next in thread: Michael Thumann: "Re: Detecting DNS Servers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Jul 11 2003 - 10:58:39 PDT