Title: Weakness in Windows NT reverse-DNS lookups
Released by: David F. Skoll
Date: 13th December 2000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
After seeing a lot of NetBIOS node-status probes in my firewall logs,
I discovered that many NT servers apparently do a reverse DNS lookup
by sending a NetBIOS node-status query. This is documented at:
http://support.microsoft.com/support/kb/articles/Q154/5/53.ASP

It seems to me that it's much easier to spoof an answer to a NetBIOS
node-status request than to tamper with the actual DNS system. The Web
page says this is only used for WINS lookups, but I see a lot of these
probes coming from machines across the Internet.

Essentially, NT believes *the system it is querying* rather than a DNS
server. It is (presumably) easier to take control of a system you own
rather than a DNS server over which you do not have administrative control.

The people who helped me discover this wish to remain anonymous, but
thanks, guys -- you know who you are.
- --
David F. Skoll
Roaring Penguin Software Inc. | http://www.roaringpenguin.com
GPG fingerprint: 50B4 FA66 CE95 E456 CD8F 96C9 E64D 185C 6646 68E0
GPG public key: http://www.roaringpenguin.com/dskoll-key.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: pgpenvelope 2.9.0 - http://pgpenvelope.sourceforge.net/
iD8DBQE6NOAe5k0YXGZGaOARAnSZAKDp96KbjS9axmra2Lc41V8nwNUx/QCfSNRl
uMyNyvGX9RmklndFpDYh0So=
=+VSz
-----END PGP SIGNATURE-----
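
Added example, not part of the original advisory: a Python parser that picks the node-status requests described above out of UDP/137 payloads, so the probes can be counted per source in a capture. The packet layout follows RFC 1001/1002; the function names and the sample datagrams are constructed for illustration.

```python
import struct

NBSTAT = 0x0021  # question type of a node-status request (RFC 1002)

def decode_nb_name(encoded: bytes) -> bytes:
    """Undo RFC 1001 first-level encoding: every byte of the 16-byte name
    was split into two nibbles and each nibble was added to ord('A')."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    return bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                 for i in range(0, 32, 2))

def parse_node_status_query(payload: bytes):
    """Return the queried 16-byte NetBIOS name if payload (the data of one
    UDP/137 datagram) is a node-status request, otherwise None."""
    if len(payload) < 50:  # 12 header + 1 length + 32 name + 1 root + 4 type/class
        return None
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF != 0 or qdcount != 1:
        return None  # a response, a non-query opcode, or an odd question count
    if payload[12] != 0x20 or payload[45] != 0x00:
        return None  # expect one 32-byte label followed by the root label
    qtype, qclass = struct.unpack("!2H", payload[46:50])
    if qtype != NBSTAT or qclass != 1:
        return None
    try:
        return decode_nb_name(payload[13:45])
    except ValueError:
        return None

# Constructed sample datagrams (not captured traffic).
WILDCARD_PROBE = (struct.pack("!6H", 0x1234, 0x0000, 1, 0, 0, 0)
                  + b"\x20" + b"CK" + b"A" * 30 + b"\x00"
                  + struct.pack("!2H", NBSTAT, 1))
NAME_QUERY = WILDCARD_PROBE[:46] + struct.pack("!2H", 0x0020, 1)  # type NB

def classify(src_ip: str, payload: bytes) -> str:
    """One report line per datagram, suitable for counting probes per source."""
    name = parse_node_status_query(payload)
    if name is None:
        return f"{src_ip}: other NBNS traffic"
    shown = name.rstrip(b"\x00")
    return f"{src_ip}: node-status probe for {shown!r}"
```

The wildcard name `*` is the one a host uses when it knows only the peer's IP address, which matches the reverse-lookup behaviour the advisory describes.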