noice!!!

On Fri, Jul 25, 2008 at 3:38 PM, H D Moore <[EMAIL PROTECTED]> wrote:
> On Friday 25 July 2008, tixxDZ wrote:
>> I do not want to offend anyone (Metasploit people), this is a simple
>> joke: can you share with us all the logs of the vulnerable servers?
>> ;) The exploit will use the Metasploit service to verify
>> exploitability, e.g. checking my OpenDNS:
>
> The exploit needs a service to determine the source port used by the
> target name server. The 'check' command will do this and could probably
> use a better warning about information disclosure. The exploit itself
> will also query the Metasploit service if you set SRCPORT to 0. While
> this means we *could* capture a list of vulnerable nameservers which
> query this service, honestly we don't care and aren't logging it. There
> are much more effective ways to scan for exploitable cache servers :-)
>
> The source code for the helper service is also a Metasploit module and can
> be found under modules/auxiliary/server/dns/spoofhelper.rb
>
> If you want to use your own server for this, just change
> *.red.metasploit.com to be a domain handled by your own copy of the
> spoofhelper module. In the future, we will add an option to specify the
> nameserver used for this check.
>
> To clarify:
>
> - Nothing is sent to metasploit.com unless SRCPORT is manually set to '0'
>   or the check command is run (non-standard for aux modules).
>
> - The only information we receive is the IP and source port of the tested
>   nameserver. No information is sent about the user's system or their own
>   IP address.
>
> - Even though this information could be logged and sorted and whatnot, we
>   honestly don't care and just added it as a convenience feature. We don't
>   keep records of the queries hitting the server and have no plans to start
>   doing so.
>
> - If you don't like it, don't run 'check' and don't set SRCPORT to '0'
>   for automatic mode. It won't hurt our feelings and you are free to modify
>   the module to point at your own helper service.
>
> Cheers,
>
> -HD
>
> PS. You can use the service outside of the module to check various
> servers. For example:
>
> while true; do dig +short -t TXT `date +%s`.red.metasploit.com @4.2.2.3; sleep 1; done
> "209.244.4.227:33165 1217014609.red.metasploit.com"
> "209.244.4.227:32728 1217014610.red.metasploit.com"
> "209.244.4.227:29607 1217014611.red.metasploit.com"
> "209.244.4.227:28032 1217014612.red.metasploit.com"
> "209.244.4.227:25992 1217014613.red.metasploit.com"
> "209.244.4.227:31301 1217014614.red.metasploit.com"
> "209.244.4.227:22884 1217014615.red.metasploit.com"
> "209.244.4.227:33722 1217014616.red.metasploit.com"
>
> ^- changing ports means the box is patched.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
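As an added example (not code from HD's post or from the spoofhelper module), the Python below parses answers in the TXT format quoted above and classifies whether the tested resolver's outgoing source ports look randomized, which is the "changing ports means the box is patched" check made explicit. The eight PATCHED_RESOLVER answers are the ones pasted in the post; the fixed-port and sequential samples, and the 198.51.100.53 address, are constructed.

```python
import re

# Answer format of the spoofhelper TXT record, as quoted in the post:
#   "209.244.4.227:33165 1217014609.red.metasploit.com"
# i.e. "<resolver IP>:<source port> <queried name>" in one quoted string.
TXT_RE = re.compile(r'^"?(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s+(\d+)\.(\S+?)"?$')

def parse_txt(answer):
    """Parse one `dig +short -t TXT` answer into (ip, port, unix_ts); None if malformed."""
    m = TXT_RE.match(answer.strip())
    if not m:
        return None
    ip, port, ts, _zone = m.groups()
    return ip, int(port), int(ts)

def assess_source_ports(answers, min_samples=5):
    """Judge whether the resolver's observed source ports look randomized.

    Returns 'insufficient', 'fixed', 'sequential' or 'randomized'. A resolver
    patched for the 2008 cache-poisoning issue picks a fresh port per query;
    one that reuses a port or steps it by a constant is predictable."""
    ports = [r[1] for r in map(parse_txt, answers) if r is not None]
    if len(ports) < min_samples:
        return "insufficient"
    if len(set(ports)) == 1:
        return "fixed"
    steps = {b - a for a, b in zip(ports, ports[1:])}
    if len(steps) == 1:          # constant increment between consecutive queries
        return "sequential"
    return "randomized"

# The eight answers HD Moore pasted for 4.2.2.3 (port changes every second).
PATCHED_RESOLVER = [
    '"209.244.4.227:33165 1217014609.red.metasploit.com"',
    '"209.244.4.227:32728 1217014610.red.metasploit.com"',
    '"209.244.4.227:29607 1217014611.red.metasploit.com"',
    '"209.244.4.227:28032 1217014612.red.metasploit.com"',
    '"209.244.4.227:25992 1217014613.red.metasploit.com"',
    '"209.244.4.227:31301 1217014614.red.metasploit.com"',
    '"209.244.4.227:22884 1217014615.red.metasploit.com"',
    '"209.244.4.227:33722 1217014616.red.metasploit.com"',
]
# Constructed: an unpatched resolver that reuses a single source port.
FIXED_PORT_RESOLVER = [f'"198.51.100.53:32768 {1217014609 + i}.red.metasploit.com"' for i in range(8)]
# Constructed: a resolver that walks the port upward by one per query.
SEQUENTIAL_RESOLVER = [f'"198.51.100.53:{32768 + i} {1217014609 + i}.red.metasploit.com"' for i in range(8)]

if __name__ == "__main__":
    for name, sample in [("4.2.2.3 (from post)", PATCHED_RESOLVER),
                         ("fixed-port sample", FIXED_PORT_RESOLVER),
                         ("sequential sample", SEQUENTIAL_RESOLVER)]:
        print(f"{name}: {assess_source_ports(sample)}")
```

Feed it the lines that the `while true; do dig ...` loop prints against your own resolver (or your own spoofhelper instance) to get the same verdict without eyeballing the ports.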
