Hi Chang,
    We just had a situation where we had a name server failure. It first
appeared to be an attack; later it was discovered to be the result of an
erroneous command issued by an operator.
    I'm not sure I understand exactly your question. If you're asking "how
would someone compromise a name server?" then the answer is simple. Most
name servers are simply Unix systems running specialized server software.
For the most part they are vulnerable to the same network attacks that any
other Unix server is vulnerable to.
    If you're asking "what would an attacker gain by compromising a name
server?" then the answer is a little less simple. If you could control a
name server, you could make your own pirate site that replaces the official
site. This could be quite embarrassing to various government agencies, large
corporations, etc. For sites like Yahoo! and eBay, it would also result in
some incredible financial losses as well.
    Even more concerning is that if you could substitute your page for
someone else's, you could act as a "man in the middle" for various attacks
on SSL and HTTPS protocols. This would allow an attacker to intercept SSL
traffic at will.
    There is a thing called Secure DNS that's been in the works for quite
some time, but it doesn't appear to have received wide support just yet...


-- 
Matthew S. Hamrick      *       Managing Partner      *      Meson Group
[EMAIL PROTECTED]                        http://www.mesongroup.com
555 Bryant St., Suite 465                           (voice) 650.796.5657
Palo Alto, CA 94301                        (fax/voice mail) 650.323.2856


Alzo Spracht Chang Kim:
> 
> What are some of the different ways NameServers are compromised?
> 
> There are many levels of scanning from simple reverse lookups to nmap,
> I have not seen anything in terms of
> some way of scanning for virtually hosted/name based sites (on a simple
> IP).
> 
> This is asked as there are a lot of name based sites and if there is a
> way of finding out what domains are on a
> single server, you have an easier entry into a server than say if you
> were trying to go in as root/admin on a
> server.
> 
> This is also curiosity based on something I read "Strategic Scanning
> and Assessment of Remote Hosts"
> http://www.attrition.org/security/newbie/pen/ssarh.html
