
Along with scanning ports, there are other ways to gather information on the target's network. One easy way to accomplish this is to find the DNS servers. DNS servers are a very common and hackable target; depending on the network's configuration, they can provide an excellent doorway into the network for MITM attacks. You can use a couple of tools that are on most systems. For Windows, the common tool is NSLOOKUP; in the Linux/Unix world, the command dig is the preferred tool. Both tools are explained here.

In this example of the dig command (shown in Figure B.16), we started with the server alone, giving it no name to look up: dig @<IP address or domain name of DNS server>

Figure B.16 Starting DiG on a Name Server

Given no name and no type, dig defaults to an NS query for the root zone ("."), so what this command gives us is the list of root name servers as that server knows them, not the contents of the server itself. What we need are the records of a particular domain, so we modify the dig command a bit, as shown in Figure B.17.

Figure B.17 Querying the DNS for a Certain DNS Server IP Address

We can see in Figure B.17 that when we run the query asking for the name servers (NS) of comsun.com, the public DNS server gives up its entries about comsun.com's name servers. We now have the names of comsun.com's name servers and, usually from the additional section of the same answer, their IP addresses. To carry this a bit further, when we run the same query but with the type ANY instead of NS, we get a listing of every record for comsun.com that this server holds or has cached. This means that if there are any mail servers (MX records) in the DNS zone, we will get that information also. (Many servers today answer ANY with a minimal response or refuse it outright, so an empty ANY answer is not proof that nothing else exists.) Now we can run the query against one of comsun.com's own name servers directly and see if it will give us a zone transfer (AXFR). If you know how to dig, you can gather a lot of information about the network and its DNS infrastructure. Now that we have looked at what we can work with, let's start to formulate an attack on this host. Figure B.18 shows a zone transfer from this DNS host.

You might be asking what good a zone transfer does us. The answer is that many DNS zones contain a great deal of good information: other name servers, e-mail records, Web servers, possible firewall entries, servers, and sometimes even workstations. This information can help you to build your network map of the target. Furthermore, it's not just a map of the network; we might get information on the operating system of a box at a certain IP address from its hostname alone. Often there are entries like ntserver1 or myxpbox and so on. Now we have a better idea of what OS is on a certain IP address on the target network.
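The recon steps above (NS and ANY lookups, the AXFR attempt, and mining the transferred zone for suggestive hostnames) as an added shell example; this is not code from the book. The dig invocations are printed rather than run so the script works offline, and the AXFR output it parses is constructed sample data: the comsun.com hostnames are invented and the addresses come from the 192.0.2.0/24 documentation range.

```shell
#!/bin/sh
# Added example (not from the book): the dig queries described above plus a
# parser for dig's answer section that turns a zone transfer into a quick
# network map. All record data is constructed; 192.0.2.0/24 is a
# documentation range and the comsun.com hostnames are invented.

# The dig invocations for one domain ($1) against one name server ($2).
# +noall +answer limits output to the answer section, the format parsed below.
recon_commands() {
    printf 'dig @%s %s NS +noall +answer\n'  "$2" "$1"
    printf 'dig @%s %s ANY +noall +answer\n' "$2" "$1"
    printf 'dig @%s %s AXFR\n'               "$2" "$1"
    printf 'dig @%s version.bind TXT CHAOS +short\n' "$2"
}

# Constructed output of "dig @ns1.comsun.com comsun.com AXFR". A successful
# transfer starts and ends with the zone's SOA record.
SAMPLE_AXFR='comsun.com.            3600 IN SOA ns1.comsun.com. hostmaster.comsun.com. 2005012501 3600 900 604800 86400
comsun.com.            3600 IN NS  ns1.comsun.com.
comsun.com.            3600 IN NS  ns2.comsun.com.
comsun.com.            3600 IN MX  10 mail.comsun.com.
ns1.comsun.com.        3600 IN A   192.0.2.10
ns2.comsun.com.        3600 IN A   192.0.2.11
mail.comsun.com.       3600 IN A   192.0.2.20
www.comsun.com.        3600 IN A   192.0.2.30
fw1.comsun.com.        3600 IN A   192.0.2.1
ntserver1.comsun.com.  3600 IN A   192.0.2.40
myxpbox.comsun.com.    3600 IN A   192.0.2.41
comsun.com.            3600 IN SOA ns1.comsun.com. hostmaster.comsun.com. 2005012501 3600 900 604800 86400'

# Constructed output of dig when the server refuses the transfer.
SAMPLE_REFUSED='; Transfer failed.'

# Keep only resource-record lines (name TTL class type rdata): drop dig's
# ';' comment lines and anything with fewer than five fields.
rr_lines() {
    awk '!/^;/ && NF >= 5'
}

# Count records of one type (NS, MX, A, ...) in the dig output on stdin.
count_records() {
    rr_lines | awk -v t="$1" '$4 == t { n++ } END { print n + 0 }'
}

# Print the rdata (field 5 onward) of every record of one type.
record_rdata() {
    rr_lines | awk -v t="$1" '$4 == t { s = $5; for (i = 6; i <= NF; i++) s = s " " $i; print s }'
}

# Exit 0 only for a complete transfer: no failure marker, first and last
# record are the SOA. Anything else means the server refused or cut it short.
axfr_ok() {
    awk 'BEGIN { ok = 1 }
         /^; Transfer failed/ { ok = 0 }
         !/^;/ && NF >= 5 { if (first == "") first = $4; last = $4 }
         END { exit !(ok && first == "SOA" && last == "SOA") }'
}

# Heuristic from the text: A records whose first label hints at an OS
# (ntserver1, myxpbox, ...). Only the leftmost label is tested so that the
# domain name itself never matches. Prints "name address".
os_hints() {
    rr_lines | awk '$4 == "A" {
        split($1, label, ".")
        if (tolower(label[1]) ~ /^nt|xp|win|w2k|linux|solaris|bsd/) print $1, $5
    }'
}

# Summarize a zone transfer: record counts, then OS hints if it succeeded.
summarize() {
    input=$(cat)
    for t in NS MX A; do
        printf '%s records: %s\n' "$t" "$(printf '%s\n' "$input" | count_records "$t")"
    done
    if printf '%s\n' "$input" | axfr_ok; then
        echo 'zone transfer succeeded; hostnames hinting at an OS:'
        printf '%s\n' "$input" | os_hints
    else
        echo 'zone transfer refused or incomplete'
    fi
}

recon_commands comsun.com 192.0.2.10
printf '%s\n' "$SAMPLE_AXFR" | summarize
```

To use it against a live target, pipe real output from the printed AXFR command into summarize; a server that answers "; Transfer failed." is correctly configured, and the NS and ANY queries are then the only data you get from DNS itself.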

The last command we discuss that provides useful information: if the DNS server is the Berkeley Internet Name Domain (BIND), we can get the version of the server by asking it for the TXT record named version.bind in the CHAOS class. We can dig again and find this information pretty quickly, as shown in Figure B.19. This information is useful because, depending on the version of BIND, public exploits may exist for that particular version if it's not patched.

Figure B.19 Using dig to Get the Version of BIND

Why do we care about the version of BIND? Because certain exploits work only on particular versions of BIND. The earlier versions are not very secure, and unless the administrator starts named under an unprivileged account, the BIND process runs as root. So if you can gain control of the process, you gain control of the BIND server as root. Let's take a closer look at BIND.

NOTE

There are two papers on the Internet (one for BIND 8 and one for BIND 9) that outline standard procedures for BIND, how to lock it down, common exploits, and so on. You can see them here:

■ www.boran.com/security/sp/bind_hardening8.html
■ www.boran.com/security/sp/bind9_20010430.html

Here you'll find another general paper that presents in detail everything about BIND: www.linuxjournal.com/node/1000048

The BIND package is the most widely used implementation of DNS today, with over a 70 percent share. BIND allows you to locate a server on the Internet (or a local network) by hostname without having to know its IP address. The concepts of DNS should be mastered if you are going to be a DMZ architect or a security analyst responsible for DNS security, especially in the DMZ. Before we get into the issues directly related to DNS, you should know how DNS might sit in the DMZ. Figure B.20 shows you a clear map of where DNS can sit in your organization.

Consider the following: If you were a hacker, your intention would be to pollute the DNS on the internal LAN. This can be done by wreaking havoc with the DNS server on the DMZ, which is most likely a real (authoritative) name server, whereas the internal DNS server most likely serves an internal namespace and forwards everything else out to the DMZ. We look more deeply into the attack in a moment, but you should be familiar with the placement of the DNS servers here and now. It is also important to note (since we are talking about BIND) that Unix/Linux-based DNS servers are commonly used on the Internet, and if you are hosting your own name server, it's very likely that the DNS server on your DMZ will also be running BIND. So why is DNS such a massive target on your DMZ? There are many immediate answers, but here are some that you might not be aware of:

■ If you take out a company's DNS server, you paralyze the organization's way of resolving hostnames to IP addresses. This can take out just about every device on the network that uses DNS to communicate.

■ You can pollute a company's DNS server with fake or incorrect information to either cause havoc or redirect users to look-alike sites where private information can be captured by an attacker. DNS cache poisoning is the name for this when an attacker gets forged records (a bogus A record for your Web server, for instance) accepted into a resolver's cache, so that every client of that resolver is sent to the wrong address until the record expires.

■ If you are the administrator, you might not be aware of the many security updates available for your systems that are running the BIND daemon (called named). Hackers know that without the current security fixes installed, you could be susceptible to a large number of attacks, buffer overflows, exploitations, and so on.

■ You could be open to a DoS attack through Trojan implantations, unnecessary services, or weak configuration files. Hackers know that your DNS server is there because they did a lookup on it, they know it's BIND, and they know they might be able to Telnet from that server to another.

■ Not only could a compromised machine provide information about the organization to the attacker; it can also be used as a springboard for other attacks.
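A configuration check for three of the exposures just listed (a disclosed BIND version, zone transfers open to anyone, and recursion open to every client, which is what a cache-poisoning attack needs), as an added shell example that is not from the book. Both named.conf texts are constructed samples rather than any real server's configuration; the audit reads a configuration from stdin, so on a real host you would feed it /etc/named.conf (or wherever your distribution keeps the file).

```shell
#!/bin/sh
# Added example (not from the book): audit a named.conf for three exposures
# discussed in the text: disclosed version, open zone transfers and open
# recursion. Both configurations are constructed samples.

# Constructed: a default-looking configuration with none of the protections.
WEAK_CONF='options {
    directory "/var/named";
};
zone "comsun.com" {
    type master;
    file "comsun.com.zone";
};'

# Constructed: the same zone with the version hidden, transfers limited to
# the secondary name server and recursion turned off (an authoritative-only
# server in the DMZ has no reason to answer recursive queries).
HARDENED_CONF='options {
    directory "/var/named";
    version "not disclosed";        // returned for version.bind CHAOS TXT
    allow-transfer { 192.0.2.11; }; // only the secondary may AXFR
    recursion no;                   // no cache to poison
};
zone "comsun.com" {
    type master;
    file "comsun.com.zone";
};'

# Remove // and # line comments so a commented-out directive does not count.
strip_comments() {
    sed -e 's,//.*$,,' -e 's,#.*$,,'
}

# True when the named directive ($1) starts a line, after any indentation.
has_directive() {
    strip_comments | grep -Eq "^[[:space:]]*$1[[:space:]]"
}

# Print one FINDING line per missing protection in the config read on stdin.
audit_named_conf() {
    conf=$(cat)
    printf '%s\n' "$conf" | has_directive version \
        || echo 'FINDING: version not overridden; version.bind reveals the BIND release'
    printf '%s\n' "$conf" | has_directive allow-transfer \
        || echo 'FINDING: no allow-transfer; any client can pull the zone with AXFR'
    if ! printf '%s\n' "$conf" | strip_comments | grep -Eq '^[[:space:]]*recursion[[:space:]]+no' \
        && ! printf '%s\n' "$conf" | has_directive allow-recursion; then
        echo 'FINDING: recursion open to every client; this is the cache-poisoning surface'
    fi
}

# Number of findings, so a result can be checked rather than only read.
finding_count() {
    audit_named_conf | awk 'END { print NR }'
}

echo '--- weak configuration ---'
printf '%s\n' "$WEAK_CONF"     | audit_named_conf
echo '--- hardened configuration ---'
printf '%s\n' "$HARDENED_CONF" | audit_named_conf
```

The check is deliberately line-based: a zone-level allow-transfer satisfies it just as a global one does, and a server that must recurse for internal clients should pass by listing those clients in allow-recursion rather than by setting recursion no. The root issue raised earlier is not a named.conf matter at all: start named with -u and an unprivileged account so that the process drops root after binding port 53.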

NOTE

The newest and most common BIND attacks (as of this writing) are:

■ BIND self-check failing (1/25/2005): An incorrect assumption in the validator (authvalidated) can result in a REQUIRE (internal consistency) test failing and named exiting. This was fixed in version 9.3.1.

■ A DoS (1/25/2005): It is possible to overrun the q_usedns array, which is used to track name servers and addresses that have been queried. This problem affected only versions 8.4.4 and 8.4.5.

Now that you are comfortable with the attack patterns, the reasons the attacks might take place, and what to look out for in your DMZ, let's take a look at more details of DNS security in and around the DMZ.

Designing & Planning…