Building Open Source Network Security Tools: Components and Techniques

Mike D. Schiffman

Sample Program–Sift

Sift, as shown in Figure 10.2, is a small tool that demonstrates the vulnerability scanning attack and penetration technique. It is a vulnerability scanner that scans a series of hosts, querying them for their DNS server version. Based on the version string returned, the user can determine whether the DNS server in question is vulnerable to a particular attack. DNS is an integral part of the Internet infrastructure to such a large extent that the Internet could not function without it. There are two main qualities of DNS that make it such an attractive target for attackers: the fact that it must be a publicly facing service that cannot be filtered and that it is ubiquitously deployed all over the Internet. The Internet Software Consortium's BIND DNS software package, historically known for containing more than its fair share of vulnerabilities, is the most widely used implementation of DNS.


Figure 10.2: Sift DNS vulnerability scanner.

By specifying the -h argument or invoking it with no arguments, Sift dumps its usage as such:


tradecraft: ~# ./sift
Sift 1.0 [DNS Version scanning tool]
usage ./sift [options] host_file
-h this blurb you see right here
-i device specify a device
-r count number of times to retry the query
-t timeout seconds to wait for a response

As always, the -i switch enables the user to specify a specific device to use. The -r option enables the user to specify a redundancy count that causes Sift to resend queries that time out. The -t option controls the timeout interval. The host file should be a newline-delimited list of DNS servers to query.

Sift works by constructing and sending Chaos class query requests to a DNS server then setting a timer and waiting for a response. If a given DNS server understands, implements, and is configured to respond to Chaos class queries, it will return a response that Sift will read. By default, all BIND DNS servers will respond to Chaos class queries with their version (and probably others, as well). It is, however, trivial to reconfigure a DNS server to either ignore the request or report false information, as we will see.

A sample invocation of Sift against a small sampling of DNS servers is as follows:


tradecraft: ~# ./sift -r2 sample-hostfile.txt
Sift 1.0 [DNS Version scanning tool]
<ctrl-c> to quit
Chaos class query to 172.16.10.1: 9.2.1rc2
Chaos class query to 172.30.107.254: server failed
Chaos class query to 172.30.89.132: not implemented
Chaos class query to 172.22.89.134: not implemented
Chaos class query to 172.17.52.3: BIND8.1.2
Chaos class query to 172.17.52.6: BIND8.1.2
Chaos class query to 172.17.55.125: BIND8.1.2
Chaos class query to 172.16.112.2: 9.1.0
Chaos class query to 172.16.216.5: surelyyoujest
Chaos class query to 172.16.216.6: *
Chaos class query to 172.16.216.6: *
Chaos class query to 172.19.230.1: not implemented
Chaos class query to 172.20.16.3: 8.2.5-REL
Chaos class query to 172.20.16.4: 8.2.3-REL
Chaos class query to 172.21.244.231: 9.1.3
Chaos class query to 172.21.244.232: 9.1.3
Chaos class query to 172.21.32.200: not implemented
Chaos class query to 172.21.32.201: *
Chaos class query to 172.21.32.201: *
Chaos class query to 172.21.32.70: *
Chaos class query to 172.21.32.70: *
Chaos class query to 172.21.32.71: *
Chaos class query to 172.21.32.71: 4.9.8
Chaos class query to 172.21.76.13: BIND8.1.2
Chaos class query to 172.21.76.14: BIND8.1.2
Chaos class query to 172.16.198.2: 8.2.3-REL
Chaos class query to 172.16.25.51: not implemented
Sift statistics:
total queries sent: 27
total responses received: 20
total valid responses received: 12
total timeouts: 7
total timeouts resolving: 0
total not implemented: 5
total server failed: 1
total format errors: 0

Sift sent a total of 27 queries to 23 different hosts. The queries that timed out were sent again, and it paid off for the query to host 172.21.32.71, which responded after the second query was sent. The interesting responses to note are the servers that are woefully out of date with patchlevels and version updates. Five machines were found to be running BIND 8.1.2, which is known to be vulnerable to the infoleek, tdmax, solinger, maxdname, and naptr bugs. Some of these bugs are serious DoS bugs that can be trivially triggered to wreak havoc on the machines and networks in question.
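The Chaos class exchange described above, and the way the output maps replies onto "not implemented", "server failed", "format error" and "*", as an added Python example (not Sift's source): it builds the version.bind TXT/CHAOS query, parses a reply by RCODE and answer section, and resends on timeout the way the -r switch does. The transaction id, make_reply() sample builder and the two-second default timeout are assumptions for the demo.

```python
import socket, struct

RCODE_NAMES = {1: "format error", 2: "server failed", 3: "name error",   # RFC 1035 RCODEs,
               4: "not implemented", 5: "refused"}                       # as Sift labels them
QUESTION = b"\x07version\x04bind\x00" + struct.pack(">HH", 16, 3)  # version.bind TXT (16) CHAOS (3)

def build_version_query(txid=0x1234):
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + QUESTION  # header: id, RD set, QDCOUNT=1

def make_reply(txid, rcode=0, version=None):  # constructed sample reply, not captured traffic
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, 1 if version else 0, 0, 0)
    txt = bytes([len(version)]) + version.encode() if version else b""   # TXT RDATA: <len><chars>
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 16, 3, 0, len(txt)) + txt if version else b""
    return header + QUESTION + rr                              # \xc0\x0c: pointer to the qname

def skip_name(buf, off):  # step over a label sequence; a 2-byte compression pointer ends it
    while buf[off]:
        if buf[off] & 0xC0 == 0xC0:
            return off + 2
        off += buf[off] + 1
    return off + 1

def parse_version_response(buf, txid=0x1234):  # -> (category, version) as Sift prints them
    if len(buf) < 12 or struct.unpack(">H", buf[:2])[0] != txid:
        return "format error", None
    flags, _qdcount, ancount = struct.unpack(">HHH", buf[2:8])
    rcode = flags & 0x000F
    if rcode:
        return RCODE_NAMES.get(rcode, "rcode %d" % rcode), None
    off = 12 + len(QUESTION)                                   # reply echoes our question section
    for _ in range(ancount):
        off = skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", buf[off:off + 10])
        off += 10
        if rtype == 16 and rclass == 3:
            return "ok", buf[off + 1:off + 1 + buf[off]].decode("ascii", "replace")
        off += rdlen
    return "ok", None                                          # NOERROR but no TXT answer

def query_server(host, timeout=2.0, retries=1):  # UDP/53 like Sift; resend on timeout (-r)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for _ in range(retries + 1):
            s.sendto(build_version_query(), (host, 53))
            try:
                return parse_version_response(s.recvfrom(512)[0])
            except socket.timeout:
                pass
    return "*", None                                           # Sift prints "*" when nothing came back
```

On the server side, the string a BIND server hands back to this query is whatever its named.conf options block sets with the version directive, which is why decoys such as "surelyyoujest" show up in the scan.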

While the previous limited invocation of Sift is interesting to see on a small scale, it is more important to understand current vulnerability trends and posture across the Internet. To accomplish this task, Sift was run against a host file consisting of 15,659 Internet DNS servers. These servers represent a large constituency of the Internet's DNS framework and provide a firm basis for assessing the overall DNS-related security of the Internet.

Sift was invoked as follows:


tradecraft: ~# ./sift -t1 masterlist.txt
Sift 1.0 [DNS Version scanning tool]
<ctrl-c> to quit
...
Sift statistics:
total queries sent: 15298
total responses received: 12025
total valid responses received: 8577
total timeouts: 3273
total timeouts resolving: 361
total not implemented: 2625
total server failed: 723
total format errors: 100

The entire scan took about four hours, and while we will not show the raw data in detail, the statistical results are more interesting. We noted the following:

- A total of 75 percent (12,025) of the DNS servers responded. There are several possible reasons why 3273 requests timed out, including network congestion, prohibitive edge filtering, or downed machines. Two percent (361) failed to reverse resolve, which could also be due to any of these reasons (including invalid zone files).

- A total of 56 percent (8577) of the DNS servers responded with an actual version string. Some of this information, as noted earlier, is false data designed to frustrate would-be attackers.

- A total of 22 percent (3448) of the DNS servers did not implement the Chaos class, failed when trying to parse the query, or did not like the format of the request. Let's hope that they handle the Internet class better.

- Sixty-three percent (5473) of those DNS servers that did respond appeared to be running some version of BIND.

- Thirty-seven percent (3171) of those DNS servers that did respond were running versions of BIND known to be vulnerable. This list includes versions of BIND from 4.8 to 8.2.2p7.

- Six percent (482) of those DNS servers that did respond were running 4.x versions of BIND, including some that stamped the compilation date of the server inside the version string, which was dated November 1996.

- Twenty-seven servers responded with "8.2.2-P5+Fix_for_CERT_till_01_30_01", announcing that they are vulnerable to several attacks (including infoleek, tsig, srv, sigdiv0, and zxfr). The tsig bug is the most severe, because it enables attackers to gain remote privileged access to vulnerable machines.

- Another 15 servers were running BIND 8.2.1, which is widely considered to be the most vulnerable version of DNS in existence.

Do not take my word for it, however. Compile the code and run it against your favorite DNS server today.