Free DNS Spoofing Scanners?

Discussion in 'other security issues & news' started by BlitzenZeus, Sep 8, 2003.

Thread Status:
Not open for further replies.
  1. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    I've done some searching, and I have only found one that does some dns spoofing so far, you also have to be a paid member. If you're not following what I'm talking about, in loose dns configurations your firewall might let these packets bypass your firewall. One thing I should say is I haven't seen this used in the wild, but who's to say that it hasn't been used against others? Think of how many more computers would be infected, even possibly through hardware firewalls, if the rpc worm always used udp: 53 for the remote listening connection.

    Examples:
    If it wasn't restricted by local ports and remote addresses, it could contact any udp port (0-65535!) on your computer just by using a certain port on their end. If your firewall leaks this much then it sucks, or it's not configured correctly. It's usually the latter...
    UDP Site.Scan: 53 -> Your.IP: 135 Allowed - INFECTED w/out patch
    UDP Site.Scan: 53 -> Your.IP: 1027 Allowed - Possible messenger spam
    UDP Dns.Srv: 53 -> Your.IP: 1031 Allowed - Normal DNS traffic

    Let's say they restrict it to the common local ports, but still not by ip address. They can now scan the udp range of 1024-5000. This would likely be your standard application based firewall.
    UDP Site.Scan: 53 -> Your.IP: 135 Blocked
    UDP Site.Scan: 53 -> Your.IP: 1027 Allowed - Possible messenger spam
    UDP Dns.Srv: 53 -> Your.IP: 1031 Allowed - Normal DNS traffic

    Now you finally restrict it to the local port range, and your dns servers.
    UDP Site.Scan: 53 -> Your.IP: 135 Blocked
    UDP Site.Scan: 53 -> Your.IP: 1027 Blocked
    UDP Dns.Srv: 53 -> Your.IP: 1031 Allowed - Normal DNS traffic


    Some have stated that they have gotten messenger spam from any listening port of svchost.exe including the ports in the local range, but don't dwell on that please. I'm only stating what I have read elsewhere...

    If anyone knows of any free online scanners that will use dns spoofing that would be great since I'm having trouble finding any to prove to others how their simple application based software firewall is leaking.

    This is something that has been known for a long time, and I'm willing to bet that many simple configuration firewalls, even many user configurations, won't pass this test. The 1024-5000 range isn't as dangerous as what could be listening on the lower ports like 135, but it's still possible it could be used in some way through a listening program.
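    The three rule-sets walked through above, modelled as an added example (my code, not anything from the thread or from any firewall product): the three sample packets mirror the post's log lines, and the scanner address, resolver address and DNS_SERVERS set are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed values, not from the thread: the resolvers this host is configured to use.
DNS_SERVERS = {"192.0.2.53"}
# The "common local ports" range the post refers to (1024-5000, inclusive).
LOCAL_EPHEMERAL = range(1024, 5001)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_port: int
    proto: str = "UDP"


def loose(p: Packet) -> bool:
    # Config 1: any UDP datagram from remote port 53 reaches any local port.
    return p.proto == "UDP" and p.src_port == 53

def restrict_local_ports(p: Packet) -> bool:
    # Config 2: remote port 53 only to 1024-5000 (typical app-firewall default).
    return loose(p) and p.dst_port in LOCAL_EPHEMERAL

def restrict_ports_and_servers(p: Packet) -> bool:
    # Config 3: as config 2, and the source must be one of your configured DNS servers.
    return restrict_local_ports(p) and p.src_ip in DNS_SERVERS


RULESETS = {
    "loose": loose,
    "local ports only": restrict_local_ports,
    "local ports + DNS servers": restrict_ports_and_servers,
}

# Constructed sample traffic mirroring the post's three example lines.
SAMPLE = [
    Packet("198.51.100.10", 53, 135),   # scanner -> RPC endpoint mapper
    Packet("198.51.100.10", 53, 1027),  # scanner -> an ephemeral port
    Packet("192.0.2.53", 53, 1031),     # reply from the configured resolver
]


def evaluate(ruleset: str, packets=SAMPLE) -> list[tuple[int, bool]]:
    # (local_port, allowed) for each packet under the named rule-set.
    return [(p.dst_port, RULESETS[ruleset](p)) for p in packets]

def leaked_ports(ruleset: str, packets=SAMPLE) -> list[int]:
    # Local ports reachable from a source that is not one of your DNS servers.
    return [p.dst_port for p in packets if RULESETS[ruleset](p) and p.src_ip not in DNS_SERVERS]
```

    Only the third rule-set leaves leaked_ports() empty; the first two let the scanner through purely on the strength of its source port.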
     
  2. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    You won’t find any sites using DNS Spoofing Technology to bypass people’s Software Firewalls; if you want to prove to these people it’s possible you need to use Spoofing Software on your Local Machine or r00ted boxes… ;)
     
  3. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Well I already said I found one, but it only scans a few lower ports while being a paid member of the site. It's DSL/Broadband Reports (DSLR/BBR), and it's the udp scan in the full scan section.
    http://www.broadbandreports.com/secureme

    I could download nmap if that would work, but I'm afraid that even after a person consented to the scan they would still report the logs.
     
  4. Rickster

    Rickster Guest

    I don't get it... the link is just another test scan. There's plenty of free, more comprehensive tests out there. What was that again? I read it twice and must just be getting tired or something, a spoofed DNS defeats a firewall?

    Regards, Rick
     
  5. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Rick, I doubt you even understand how dns communications really work, and the fact that you said that about the scan just means you don't have access to the advanced options, which are much more intensive than free scanners. It's not an advertised part of the scan; it set off my rules which prevented dns spoofing.
     
  6. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    BlitzenZeus, are you saying the Online Scanning System spoofs itself into the Target's Primary and Secondary … DNS Addresses? If not this is an irrelevant Scan… ;)
     
  7. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Phant0m, why are you missing the point, and even confusing yourself by adding information that has nothing to do with it?

    The site scans from udp 53 for a few packets, the logs show they come from the scanning site. Is that hard to understand? Does it not follow my above example of dns spoofing, but only targeting different ports? Unless something acts as a dns server, it can be used for dns spoofing against other targets since all it has to do is use their local udp port 53 to scan the entire udp range.

    The first two logs show that the same server is scanning to attempt dns spoofing.
    Blocked Incoming 02/Sep/2003 03:56:39 Packet to unopened port received TCP 209.191.132.40 35118 BlitzenZeus 1018 no owner
    Blocked Incoming 02/Sep/2003 03:56:39 Packet to unopened port received TCP 209.191.132.40 35117 BlitzenZeus 703 no owner
    Blocked Incoming 02/Sep/2003 03:56:37 DNS Alert (Log, Alert) UDP 209.191.132.40 53 BlitzenZeus 5 no owner
    Blocked Incoming 02/Sep/2003 03:56:37 DNS Alert (Log, Alert) UDP 209.191.132.40 53 BlitzenZeus 11 no owner
    Blocked Incoming 02/Sep/2003 03:56:37 DNS Alert (Log, Alert) UDP 209.191.132.40 53 BlitzenZeus 9 no owner
    Blocked Incoming 02/Sep/2003 03:56:37 DNS Alert (Log, Alert) UDP 209.191.132.40 53 BlitzenZeus 14 no owner
    Blocked Incoming 02/Sep/2003 03:56:37 DNS Alert (Log, Alert) UDP 209.191.132.40 53 BlitzenZeus 7 no owner
    Blocked Incoming 02/Sep/2003 03:56:37 DNS Alert (Log, Alert) UDP 209.191.132.40 53 BlitzenZeus 1 no owner


    The address 209.191.132.140 is the scanner...

    Pinging bronze.dslreports.com [209.191.132.40] with 32 bytes of data

    Reply from 209.191.132.40: bytes=32 time=167ms TTL=242
    Reply from 209.191.132.40: bytes=32 time=154ms TTL=242
    Reply from 209.191.132.40: bytes=32 time=153ms TTL=242
    Reply from 209.191.132.40: bytes=32 time=153ms TTL=242

    Ping statistics for 209.191.132.40:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 153ms, Maximum = 167ms, Average = 156ms
     
  8. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hmmm, how’s this DNS Spoofing?

     
  9. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Call it an open DNS configuration Exploit if you like, but in this manner it appears to be faking dns traffic to possibly bypass a firewall configuration. You didn't argue what I called it when I started the thread, and I mentioned that this method might allow others to connect to your computer through your firewall, which would indicate that there was no ip spoofing involved, as ip spoofing is one way.
     
  10. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    You use the topic title “DNS Spoofing Scanners” but the discussion in the contents totally doesn’t correspond with it…

     
  11. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Come on guys, if you both know what the other is talking about there's really no point to arguing the formalities of the terms, right?

    If I had any idea what BZ is talking about/looking for I'd just tell him if I knew of any such site but it's all over my caveza ffs
     
  12. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Thank you...

    I didn't reply to the last response on purpose, and he is stuck on an issue of his own creation; he can't get over that I used some terminology in a way that he doesn't agree with. I think he just likes to argue until people leave him alone, or agree with his point of view. :cool:

    What I'm asking for is something I don't expect to be free, unfortunately. It's a udp port scanner that scans from udp port 53 to make the appearance it could be dns communications. Many simple configurations allow any address to contact udp ports 1024-5000, or their entire udp port range, just by using the remote port 53, which might allow scanners to bypass your firewall.
     
  13. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hey BlitzenZeus

    I apologize for being crude; I simply couldn’t interpret your posts with all those inconsistencies, but now I understand fully what you are wanting... ;)

    Regards,

     
  14. Rickster

    Rickster Guest

    Hi BlitzenZeus, Sorry - you're right. Whenever I say something stupid, a simple "move aside sonny, you're in over your head" will do fine. But I did find some info on the subject.

    http://www.securesphere.net/download/papers/dnsspoof.htm

    Now guys, this link is only for dummies like me who are curious, so all savvy people just ignore this post. If you can get by the author's typos, deplorable sentence structure and grammar - he does, however, painfully get the "novice's" point across. DNS udp port 53 is toward the end. More advanced pubs at CNET, Security Focus, etc. and effective filtering strategies are certainly out there. Interesting stuff.

    P.S. First few months I had my system, after crafting security from contributors here, I paid around $450 to Security Focus and other firms to attack my system in ways that claim to be more advanced than free sources - passed them all, but never recalled a test for this threat.

    Best Regards, Rick
     