subject:"fingerprinting BIND 9.1.0"

Re: fingerprinting BIND 9.1.0

2001-02-02 Thread Cy Schubert - ITSD Open Systems Group


In message <[EMAIL PROTECTED]>, Hendy * writes:
> On Wed, Jan 31, 2001 at 02:13:07PM -0500, Lucas Holt wrote:
> > Hiding a version number does not someone who knows what they are doing, but
>  it
> > does stop script kiddies out there.  If a 14 year old kid can not figure ou
> t what
> > they are dealing with, they will move on to easier targets.
>
> agreed, but it won't just stop kiddies, but more important, massowns,
> which take place e.g. to build up distributed flood networks, won't attack
> your host, if you changed the version string.
>
> on the other hand, a changed version string could also ''attract'' hackers,
> who want to break into that host.
>
> i am pretty sure bind fingerprinting tools will shop up when people will
> remove/change their named's version strings.

Changing the version string on a 8.2.3 or 9.1.0 server to report 4.9.5
would be a better solution.  Script kiddies and more experienced
crackers will attempt BIND4 exploits on your BIND8 or 9 server and
confuse them for a while.  Hopefully by then you would have noticed the
activity.  Automated notification to one's pager will help.


Regards, Phone:  (250)387-8437
Cy SchubertFax:  (250)387-5766
Team Leader, Sun/Alpha Team   Internet:  [EMAIL PROTECTED]
Open Systems Group, ITSD, ISTA
Province of BC

Re: fingerprinting BIND 9.1.0

2001-02-01 Thread Russell Fulton

On Wed, 31 Jan 2001 08:15:01 -0700 "William D. Colburn (aka Schlake)"
<[EMAIL PROTECTED]> wrote:

> The FAQ file that comes with the distribution already covers all this.
> While it used to seem like a good idea to obfuscate version numbers,
> things like nmap can be written for just about any internet service
> which would make version obfuscation just a false sense of security.
> Even if your version is obscured, a known exploit will still work
> against it if someone tries.  I agree with the BIND people that there
> isn't much point in hiding that information.
>

Me too.

Obfuscated version numbers also make internal auditing much more
difficult.

I see many automated attacks (particularly against ftp) which make no
effort to work out which software is running and what hardware it is
running on.

Kiddies don't look and professionals won't be fooled, you will only
fool a few in the middle.

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

Re: fingerprinting BIND 9.1.0

2001-02-01 Thread Hendy *

On Wed, Jan 31, 2001 at 02:13:07PM -0500, Lucas Holt wrote:
> Hiding a version number does not someone who knows what they are doing, but it
> does stop script kiddies out there.  If a 14 year old kid can not figure out what
> they are dealing with, they will move on to easier targets.

agreed, but it won't just stop kiddies, but more important, massowns,
which take place e.g. to build up distributed flood networks, won't attack
your host, if you changed the version string.

on the other hand, a changed version string could also ''attract'' hackers,
who want to break into that host.

i am pretty sure bind fingerprinting tools will shop up when people will
remove/change their named's version strings.

take care,

-hendy

--
.,!.. _ ___ ___ __ _  .
,j't.  [EMAIL PROTECTED] [TESO]   or   [EMAIL PROTECTED] [HOME]
 K=-=:: -=->   fax & vbox: +49-2561-959-55697  gsm/sms: [EMAIL PROTECTED]
  "=i.: [-'PGP: ``finger [EMAIL PROTECTED]''[www.team-teso.net/hendy]
   /;:":.\ PGP Fprint:   5AAE 5111 2C39 5E86 9D45  70C3 CA8F 0C20 EF27 264A
. ;}'   '(, . _ ___  . :wq!

Re: fingerprinting BIND 9.1.0

2001-02-01 Thread Lucas Holt

Hiding a version number does not someone who knows what they are doing, but it
does stop script kiddies out there.  If a 14 year old kid can not figure out what
they are dealing with, they will move on to easier targets.

"William D. Colburn (aka Schlake)" wrote:

> The FAQ file that comes with the distribution already covers all this.
> While it used to seem like a good idea to obfuscate version numbers,
> things like nmap can be written for just about any internet service
> which would make version obfuscation just a false sense of security.
> Even if your version is obscured, a known exploit will still work
> against it if someone tries.  I agree with the BIND people that there
> isn't much point in hiding that information.
>
>

--

Lucas Holt
[EMAIL PROTECTED]
___
http://www.foolishgames.com

"The Macintosh software might have become the successor to MS-DOS.
OS/2 or UNIX might have.  As it happened, MS-DOS was succeeded by Windows..."
--Bill Gates, The Road Ahead

If Windows never happened, what would be on your desktop?

Re: fingerprinting BIND 9.1.0

2001-01-31 Thread William D. Colburn (aka Schlake)

The FAQ file that comes with the distribution already covers all this.
While it used to seem like a good idea to obfuscate version numbers,
things like nmap can be written for just about any internet service
which would make version obfuscation just a false sense of security.
Even if your version is obscured, a known exploit will still work
against it if someone tries.  I agree with the BIND people that there
isn't much point in hiding that information.

FAQ>Q: How do I restrict people from looking up the server version?
FAQ>
FAQ>A: Put a "version" option containing something other than the real
FAQ>version in the "options" section of named.conf.  Note doing this will
FAQ>not prevent attacks and may impede people trying to diagnose problems
FAQ>with your server.  Also it is possible to "fingerprint" nameservers to
FAQ>determine their version.
FAQ>
FAQ>Q: How do I restrict only remote users from looking up the server
FAQ>version?
FAQ>
FAQ>A: The following view statement will intercept lookups as the internal
FAQ>view that holds the version information will be matched last.  The
FAQ>caveats of the previous answer still apply, of course.
FAQ>
FAQ>  view "chaos" chaos {
FAQ>  match-clients { ; };
FAQ>  allow-query { none; };
FAQ>  zone "." {
FAQ>  type hint;
FAQ>  file "/dev/null";  // or any empty file
FAQ>  };
FAQ>  };

On Tue, Jan 30, 2001 at 07:14:20PM -0600, [EMAIL PROTECTED] wrote:
> Date: Tue, 30 Jan 2001 19:14:20 -0600
> From: [EMAIL PROTECTED]
> Subject:  Re: fingerprinting BIND 9.1.0
> To: [EMAIL PROTECTED]
>
> In message <[EMAIL PROTECTED]>
> Max Vision writes:
>
> > The BIND 9.1.0beta releases and now BIND 9.1.0 include another hard coded
> > chaos record called "authors".
>
>[ snip ]
>
> > % dig @ns.example.com authors.bind chaos txt
>
> I've been playing some with BIND 9.1.0, and have found that queries
> like this can be suppressed using the new "view" capability. I now
> have in my named.conf, the following:
>
>view "external-chaos" chaos {
> match-clients { any; };
> recursion no;
> zone "." {
> type hint ;
> file "/dev/null";
> };
> };
>
> and a similar entry for hesiod records. Queries then against either
> chaos or hesiod records will come back as "servfail".
>
> Alternatively, creating your own "bind." domain with CH, rather than
> IN, records for SOA and TXT data will override hardcoded values. I've
> also got a "bind." domain that has this record:
>
>version.bind.0ch   txt "Who knows"
>
> so that if I don't use a "view" to block chaos records, then at least
> I give out only information that I want to give out.
>
> --
> Randall Raemon
> shikahr.com.inter.net, email to rlr

--
William Colburn, "Sysprog" <[EMAIL PROTECTED]>
Computer Center, New Mexico Institute of Mining and Technology
http://www.nmt.edu/tcc/ http://www.nmt.edu/~wcolburn

Re: fingerprinting BIND 9.1.0

2001-01-30 Thread Eric Limpens


On Mon, Jan 29, 2001 at 03:50:31PM -0800, Max Vision wrote:
> Hi,
>
> The BIND 9.1.0beta releases and now BIND 9.1.0 include another hard coded
> chaos record called "authors".  So now even if an admin changes or
> suppresses their version reply string, a remote user can still determine
> whether the server is running BIND 9.x.  With the recent discovery of the
> tsig bug in BIND there will probably be a huge rise in version
> queries.  Some attackers may remove ambiguity by skipping servers that
> reply to authors.bind (inferring that it's bind 9.1.0 and not vulnerable).
>
> % dig @ns.example.com authors.bind chaos txt
>

For the absolute paranoid (all of us I guess), this patch will disable at
least that fingerprinting.

Eric

>8 cut here 8<---
--- server.c.orgTue Jan 30 20:25:57 2001
+++ server.cTue Jan 30 20:23:03 2001
@@ -1667,7 +1667,7 @@
CHECK(create_bind_view(&view));
ISC_LIST_APPEND(lctx.viewlist, view, link);
CHECK(create_version_zone(cctx, server->zonemgr, view));
-   CHECK(create_authors_zone(server->zonemgr, view));
+/* CHECK(create_authors_zone(server->zonemgr, view));*/
dns_view_freeze(view);
view = NULL;
>8 cut here 8<---

--
GIT$ d+ s+:- !a C+++ UL P+++ L+++ E--- W+ N++ o K+ w--
O- M- V- PS PE Y+ PGP++ t 5 X R- tv+ b++ DI++ D
G e h+ r y?

Re: fingerprinting BIND 9.1.0

2001-01-30 Thread buglist

In message <[EMAIL PROTECTED]>
Max Vision writes:

> The BIND 9.1.0beta releases and now BIND 9.1.0 include another hard coded
> chaos record called "authors".

   [ snip ]

> % dig @ns.example.com authors.bind chaos txt

I've been playing some with BIND 9.1.0, and have found that queries
like this can be suppressed using the new "view" capability. I now
have in my named.conf, the following:

   view "external-chaos" chaos {
match-clients { any; };
recursion no;
zone "." {
type hint ;
file "/dev/null";
};
};

and a similar entry for hesiod records. Queries then against either
chaos or hesiod records will come back as "servfail".

Alternatively, creating your own "bind." domain with CH, rather than
IN, records for SOA and TXT data will override hardcoded values. I've
also got a "bind." domain that has this record:

   version.bind.0ch   txt "Who knows"

so that if I don't use a "view" to block chaos records, then at least
I give out only information that I want to give out.

--
Randall Raemon
shikahr.com.inter.net, email to rlr

fingerprinting BIND 9.1.0

2001-01-30 Thread Max Vision


Hi,

The BIND 9.1.0beta releases and now BIND 9.1.0 include another hard coded
chaos record called "authors".  So now even if an admin changes or
suppresses their version reply string, a remote user can still determine
whether the server is running BIND 9.x.  With the recent discovery of the
tsig bug in BIND there will probably be a huge rise in version
queries.  Some attackers may remove ambiguity by skipping servers that
reply to authors.bind (inferring that it's bind 9.1.0 and not vulnerable).

% dig @ns.example.com authors.bind chaos txt

or

% nslookup -q=txt -class=CHAOS authors.bind. ns.example.com
Server:  ns.example.com
Address:  23.23.23.23

authors.bindtext = "Bob Halley"
authors.bindtext = "Mark Andrews"
authors.bindtext = "James Brister"
authors.bindtext = "Michael Graff"
authors.bindtext = "David Lawrence"
authors.bindtext = "Michael Sawyer"
authors.bindtext = "Brian Wellington"
authors.bindtext = "Andreas Gustafsson"

The following Snort signature will detect these probes:
alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS480/named-probe-authors";
content: "|07|authors|04|bind"; depth: 32; offset: 12; nocase;)
http://whitehats.com/info/IDS480

Max

Re: fingerprinting BIND 9.1.0

Re: fingerprinting BIND 9.1.0

Re: fingerprinting BIND 9.1.0

Re: fingerprinting BIND 9.1.0

Re: fingerprinting BIND 9.1.0

Re: fingerprinting BIND 9.1.0

Re: fingerprinting BIND 9.1.0

fingerprinting BIND 9.1.0

8 matches

Site Navigation

Mail list logo

Footer information