carnal0wnage [Shared Reader]

Wednesday, July 4, 2007

Fingerprinting DNS servers

sometimes nmap just wont give you good results with a -sV, a good example of this is trying to get versions of domain name servers.

SegFault:~/fpdns-0.9.1 cg$ nmap -sV 24.93.41.125 -p 53

Starting Nmap 4.20 ( http://insecure.org ) at 2007-07-04 13:54 MST
Interesting ports on dns-cac-lb-01.texas.rr.com (24.93.41.125):
PORT STATE SERVICE VERSION
53/tcp open domain

SegFault:~/fpdns-0.9.1 cg$ nmap -sV 24.93.41.126 -p 53

Starting Nmap 4.20 ( http://insecure.org ) at 2007-07-04 13:55 MST
Interesting ports on dns-cac-lb-02.texas.rr.com (24.93.41.126):
PORT STATE SERVICE VERSION
53/tcp filtered domain

thats no good :-(

Let's see if we can get better results using "fpdns" http://www.rfc.se/fpdns

SegFault:~/fpdns-0.9.1 cg$ ./fpdns.pl 24.93.41.125
fingerprint (24.93.41.125, 24.93.41.125): BIND 9.2.3rc1 -- 9.4.0a0 [recursion enabled]

SegFault:~/fpdns-0.9.1 cg$ ./fpdns.pl 24.93.41.126
fingerprint (24.93.41.126, 24.93.41.126): BIND 9.2.3rc1 -- 9.4.0a0 [recursion enabled]

SegFault:~/fpdns-0.9.1 cg$ ./fpdns.pl www.learnsecurityonline.com
fingerprint (www.learnsecurityonline.com, 216.83.24.173): BIND 9.2.3rc1 -- 9.4.0a0 [recursion enabled]

SegFault:~/fpdns-0.9.1 cg$ ./fpdns.pl 192.168.0.109
fingerprint (192.168.0.109, 192.168.0.109): Microsoft Windows 2003

SegFault:~/fpdns-0.9.1 cg$ ./fpdns.pl 192.168.0.104
fingerprint (192.168.0.104, 192.168.0.104): Microsoft Windows 2000

I have mixed feelings on how accurate this is, i think it hasnt been updated in awhile and perhaps BIND 9.2.3rc1 -- 9.4.0a0 is the last fingerprint they had for bind, the current version is 9.4.1

i was a bit disheartened by it, then i found this survey from 2004 that said that BIND has 70% of the market of DNS, thats quite a bit, so my limited testing of about 50 sites that all came up as BIND 9.2.3rc1 -- 9.4.0a0 is probably right.

**I checked the file, BIND 9.2.3rc1 -- 9.4.0a0 is the latest fingerprint and there are several ways you can get that for a result so that probably explains why i kept getting that answer. Jury is still out on the effectiveness and i'm not sure i am motivated enough to install some of these crazy DNS servers just to check. if someone knows of some sites running some obscure DNS let me know so i can scan it and check.

-CG

2 comments:

Anonymous said...

$ dig @learnsecurityonline.com version.bind chaos txt | grep vers>
; <<>> DiG 9.3.0 <<>> @learnsecurityonline.com version.bind chaos txt
;version.bind. CH TXT
version.bind. 0 CH TXT "9.3.1"
version.bind. 0 CH NS version.bind.

CG said...

cool, thanks for the comment.

this is what i get when i run that:

SegFault:~/sqlninja-0.1.2 cg$ dig @learnsecurityonline.com version.bind chaos txt | grep vers
; <<>> DiG 9.3.4 <<>> @learnsecurityonline.com version.bind chaos txt
;version.bind. CH TXT
version.bind. 0 CH TXT "Surely, you jest..."
version.bind. 0 CH NS version.bind.

dig versions???