below is an old windows code from me, which tries to detect the versions of
bind,
even if the banner is faked it get's the info, if it is bind 8 or 9.
note that this only works for bind servers. other servers i know, don't give
you a banner,
such like ms dns or djbdns.
cheers,
johnny cyberpunk/thc
// compile with Visual C++ : cl dnsinfo.c /link ws2_32.lib
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <winsock2.h>
#define TIMEOUT 5
#define errno WSAGetLastError()
#define STATUS_FAILED 0xFFFF
void usage();
main(int argc,char **argv)
{
struct sockaddr_in myudp;
struct hostent * hp;
SOCKET udpsock;
unsigned short port=53;
unsigned int addr=0;
fd_set r;
struct timeval mytimeout;
char data[30]=
{0x00,0x06,0x01,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x07,0x76,0x65,
0x72,0x73,0x69,0x6f,0x6e,0x04,0x62,0x69,0x6e,0x64,0x00,0x00,0x10,0x00,0x03};
unsigned char *dataout;
unsigned int error, open;
WSADATA wsaData;
printf("\n----------------------------------------\n");
printf("DNS Version Query for BIND 8+9 Servers\n");
printf("coding [EMAIL PROTECTED]");
printf("----------------------------------------\n\n");
if(argc != 2)
{
usage();
exit(-1);
}
if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)
{
fprintf(stderr,"WSAStartup failed: %d\n",GetLastError());
ExitProcess(STATUS_FAILED);
}
memset(&myudp,0,sizeof(myudp));
hp = gethostbyname(argv[1]);
if (!hp){
addr = inet_addr(argv[1]);
}
if ((!hp) && (addr == INADDR_NONE) )
{
fprintf(stderr,"Unable to resolve %s\n",argv[1]);
ExitProcess(STATUS_FAILED);
}
if (hp != NULL)
memcpy(&(myudp.sin_addr),hp->h_addr,hp->h_length);
else
myudp.sin_addr.s_addr = addr;
if (hp)
myudp.sin_family = hp->h_addrtype;
else
myudp.sin_family = AF_INET;
printf("Query for : %s in progress...pleaze
wait!\n\n",inet_ntoa(myudp.sin_addr));
dataout=(char*)malloc(100);
memset(dataout,0,sizeof(*dataout));
mytimeout.tv_sec = TIMEOUT;
mytimeout.tv_usec = 0;
myudp.sin_port = htons(port);
if ((udpsock = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1)
{
printf("error binding socket!\n");
exit(0);
}
if (connect (udpsock, (struct sockaddr *) &myudp, sizeof (
struct sockaddr_in)) == 0)
{
FD_ZERO (&r);
FD_SET (udpsock, &r);
mytimeout.tv_sec = TIMEOUT;
mytimeout.tv_usec = 0;
send (udpsock, data, sizeof data, 0);
error = select ((udpsock + 1), &r, NULL, NULL, &mytimeout);
if (error==-1)
{
printf("select error : %d\n",errno);
exit(-1);
}
open = recv(udpsock, dataout, 100, 0);
if (open==-1)
{
printf("sorry, no nameserver running :(\n");
exit(-1);
}
dataout[open]=0;
if ((dataout[3]&127)==0)
{
if(dataout[30]==192)
{
printf ("ahh...that must be a bind 9...trying to get more
details...\n\n");
printf ("DNS Version : %s\n",dataout+43);
}
else
{
printf ("ahh...that must be a bind 8...trying to get more
details...\n\n");
printf("DNS Version : %s\n",dataout+55);
}
}
else
printf("DNS Version : unknown\n");
shutdown(udpsock,1);
closesocket(udpsock);
}
else
printf("connect () error : %d\n",errno);
free(dataout);
exit(0);
}
void usage()
{
printf("Gimme <Hostname|IP-Address>\n");
exit(-1);
}
----- Original Message -----
From: "Rodrigo Ramos" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 11, 2003 3:22 PM
Subject: Detecting DNS Servers
> Hi,
>
>
> I need a help from the community.
> At this moment I am reading papers from NIST and ISECOM (osstmm2.0).
> I need to know the very best way to discover the versions of DNS
> servers.
> I need to write a paper about it.I all ready wrote something, but I need
> to hear from everybody.
>
>
>
> Best Regards,
> Rodrigo Ramos
> http://www.spytket.com.br
>
>
>
> --------------------------------------------------------------------------
-
> The Lightning Console aggregates IDS events, correlates them with
> vulnerability info, reduces false positives with the click of a button,
anddistributes this information to hundreds of users.
>
> Visit Tenable Network Security at http://www.tenablesecurity.com to learn
> more.
> --------------------------------------------------------------------------
--
>
---------------------------------------------------------------------------
The Lightning Console aggregates IDS events, correlates them with
vulnerability info, reduces false positives with the click of a button, anddistributes
this information to hundreds of users.
Visit Tenable Network Security at http://www.tenablesecurity.com to learn
more.
----------------------------------------------------------------------------
