Javier Fernandez-Sanguino <[EMAIL PROTECTED]> writes:
> How about a plugin that detects specifically this banner and warns
> about it? As some people have pointed out in other mailing lists,
> Verisign mail server does not comply with any kind of standards (it
> just answers, regardless of what it is fed, with several 220
> responses and then a 500 reject).
And it also removes mistyped hostnames from the list by declaring them
"dead". See attachment. Should it make its way to the CVS repository?
I imagine an improvement to this script, but we need to add a
"resolver" function in libnasl. We can write a portable script with
defined_func.
Something like:
--------
if (defined_func("dns_resolve")) {
  # Prepend a random label: a bogus name inside a real zone should not resolve
  hn = rand_str() + get_host_name();
  ip_l = dns_resolve(hn);   # May return several IPs
  my_ip = get_host_ip();
  foreach i (ip_l) {
    # The bogus name resolves to the host we were about to scan:
    # the answer came from a wildcard catch-all, so the name is a typo
    if (i == my_ip) { set_kb_item(name: "Host/dead", value: TRUE); }
  }
}
--------
There are other "top level domain wildcards" by the way:
Cf. http://www.imperialviolet.org/dnsfix.html
# This script was written by Michel Arboi <[EMAIL PROTECTED]>
#
# Released under GPLv2
#
# Known top level domain wildcards, from http://www.imperialviolet.org/dnsfix.html
#
# .COM and .NET 64.94.110.11 (and possibly others in AS30060)
# .NU 64.55.105.9 212.181.91.6
# .TK 195.20.32.83 195.20.32.86
# .CC 206.253.214.102
# .MP 202.128.12.163
# .AC 194.205.62.122
# .CC 194.205.62.122 (206.253.214.102 also reported, but cannot confirm)
# .CX 219.88.106.80
# .MUSEUM 195.7.77.20
# .PH 203.119.4.6
# .SH 194.205.62.62
# .TM 194.205.62.42 (194.205.62.62 also reported, but cannot confirm)
# .WS 216.35.187.246
#
if(description)
{
  script_id(11840);
  script_version ("$Revision: 1.6 $");
  name["english"] = "Exclude toplevel domain wildcard host";
  script_name(english:name["english"]);
  desc["english"] = "
The host you were trying to scan is blacklisted.
You probably mistyped its name.
Risk factor : None";
  script_description(english:desc["english"]);
  summary["english"] = "Exclude some IPs from scan";
  script_summary(english:summary["english"]);
  script_category(ACT_SCANNER);
  script_copyright(english:"This script is Copyright (C) 2003 by Michel Arboi");
  family["english"] = "Port scanners";
  script_family(english:family["english"]);
  exit(0);
}
#
excluded["64.94.110.11"] = 1;
excluded["64.55.105.9"] = 1;
excluded["212.181.91.6"] = 1;
excluded["195.20.32.83"] = 1;
excluded["195.20.32.86"] = 1;
excluded["206.253.214.102"] = 1;
excluded["202.128.12.163"] = 1;
excluded["194.205.62.122"] = 1;
excluded["219.88.106.80"] = 1;
excluded["195.7.77.20"] = 1;
excluded["203.119.4.6"] = 1;
excluded["194.205.62.62"] = 1;
excluded["194.205.62.42"] = 1;
excluded["216.35.187.246"] = 1;
# First check: the target address is one of the known wildcard sinks listed above
target = get_host_ip();
if (excluded[target])
{
  ##display(target, " is in IP blacklist\n");
  set_kb_item(name: "Host/dead", value: TRUE);
  security_note(port: 0);
  exit(0);
}

# Second check: Verisign's SMTP sink greets every client with a fixed banner
soc = open_sock_tcp(25);
if (!soc) exit(0);
r = recv(socket: soc, length: 256);
if (r =~ '^220 +.*Snubby Mail Rejector')
{
  ##display(target, " looks like Verisign snubby mail server\n");
  set_kb_item(name: "Host/dead", value: TRUE);
  security_note(port: 0);
}
close(soc);
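The three checks discussed in this message (the static sink-address list, the randomised-hostname resolution test that the proposed dns_resolve() function would enable, and the "Snubby Mail Rejector" banner match) combined into one decision routine. This is an added example written for this page, not code from the message, from Nessus or from libnasl. The resolver is passed in as a function so the logic can be exercised offline against a constructed stand-in (fake_resolver below) that models the 2003 .com wildcard; the hostnames, the 192.0.2.10 address and the banner strings are constructed test data, not captured traffic.

```python
import random
import re
import socket
import string

# Sink addresses copied from the header comment of the attached NASL script
# (the 2003 snapshot from imperialviolet.org; the real set changes over time).
WILDCARD_SINKS = frozenset({
    "64.94.110.11", "64.55.105.9", "212.181.91.6", "195.20.32.83",
    "195.20.32.86", "206.253.214.102", "202.128.12.163", "194.205.62.122",
    "219.88.106.80", "195.7.77.20", "203.119.4.6", "194.205.62.62",
    "194.205.62.42", "216.35.187.246",
})

# Same pattern the NASL script applies to the first 256 bytes of the SMTP greeting.
SNUBBY_BANNER = re.compile(rb"^220 +.*Snubby Mail Rejector")


def default_resolver(name):
    """Live resolver: IPv4 addresses for name, empty set on NXDOMAIN/failure."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def random_label(length=12, rng=random):
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(length))


def looks_like_wildcard(hostname, target_ip, resolve=default_resolver, rng=random):
    """Prepend a random label to hostname and resolve it.

    A bogus name inside a real zone should not resolve at all (unless that zone
    has its own wildcard). If it resolves to the very address we were about to
    scan, the answer came from a catch-all, i.e. the original name is a typo.
    """
    probe = random_label(rng=rng) + hostname
    return target_ip in resolve(probe)


def is_snubby_banner(banner):
    """True if the SMTP greeting is the Verisign sink's fixed banner."""
    return SNUBBY_BANNER.match(banner) is not None


def classify_target(hostname, target_ip, banner=None, resolve=default_resolver, rng=random):
    """Return the reasons the host should be marked dead (empty list: scan it)."""
    reasons = []
    if target_ip in WILDCARD_SINKS:
        reasons.append("ip-blacklist")
    if looks_like_wildcard(hostname, target_ip, resolve, rng):
        reasons.append("wildcard-resolution")
    if banner is not None and is_snubby_banner(banner):
        reasons.append("snubby-banner")
    return reasons


# Constructed stand-in for DNS: one genuine host, and every other .com name
# answered by the Site Finder address, as the .com wildcard behaved in 2003.
KNOWN_HOSTS = {"www.example.com": {"192.0.2.10"}}


def fake_resolver(name):
    if name in KNOWN_HOSTS:
        return KNOWN_HOSTS[name]
    if name.endswith(".com"):
        return {"64.94.110.11"}
    return set()


if __name__ == "__main__":
    # Constructed banners: a normal MTA and the sink's greeting.
    print(classify_target("www.example.com", "192.0.2.10",
                          b"220 mail.example.com ESMTP\r\n", fake_resolver))
    print(classify_target("www.exampel.com", "64.94.110.11",
                          b"220 snubby Snubby Mail Rejector Server ready\r\n", fake_resolver))
```

With the live default_resolver the wildcard test is the only check that keeps working after the sink address list goes stale, which is the point of the dns_resolve() proposal: the static table and the banner string both describe one operator's sink at one moment, while a randomised name resolving to the scan target is a property of any catch-all zone.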