From: johnny cyberpunk (johncybpk@gmx.net)
Date: Fri Jul 11 2003 - 13:25:34 EDT
below is an old windows code from me, which tries to detect the versions of
bind,
even if the banner is faked it get's the info, if it is bind 8 or 9.
note that this only works for bind servers. other servers i know, don't give
you a banner,
such like ms dns or djbdns.
cheers,
johnny cyberpunk/thc
// compile with Visual C++ : cl dnsinfo.c /link ws2_32.lib
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <winsock2.h>
#define TIMEOUT 5
#define errno WSAGetLastError()
#define STATUS_FAILED 0xFFFF
void usage();
main(int argc,char **argv)
{
struct sockaddr_in myudp;
struct hostent * hp;
SOCKET udpsock;
unsigned short port=53;
unsigned int addr=0;
fd_set r;
struct timeval mytimeout;
char data[30]=
{0x00,0x06,0x01,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x07,0x76,0x65,
0x72,0x73,0x69,0x6f,0x6e,0x04,0x62,0x69,0x6e,0x64,0x00,0x00,0x10,0x00,0x03};
unsigned char *dataout;
unsigned int error, open;
WSADATA wsaData;
printf("\n----------------------------------------\n");
printf("DNS Version Query for BIND 8+9 Servers\n");
printf("coding jcyberpunk@thc.org\n");
printf("----------------------------------------\n\n");
if(argc != 2)
{
usage();
exit(-1);
}
if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)
{
fprintf(stderr,"WSAStartup failed: %d\n",GetLastError());
ExitProcess(STATUS_FAILED);
}
memset(&myudp,0,sizeof(myudp));
hp = gethostbyname(argv[1]);
if (!hp){
addr = inet_addr(argv[1]);
}
if ((!hp) && (addr == INADDR_NONE) )
{
fprintf(stderr,"Unable to resolve %s\n",argv[1]);
ExitProcess(STATUS_FAILED);
}
if (hp != NULL)
memcpy(&(myudp.sin_addr),hp->h_addr,hp->h_length);
else
myudp.sin_addr.s_addr = addr;
if (hp)
myudp.sin_family = hp->h_addrtype;
else
myudp.sin_family = AF_INET;
printf("Query for : %s in progress...pleaze
wait!\n\n",inet_ntoa(myudp.sin_addr));
dataout=(char*)malloc(100);
memset(dataout,0,sizeof(*dataout));
mytimeout.tv_sec = TIMEOUT;
mytimeout.tv_usec = 0;
myudp.sin_port = htons(port);
if ((udpsock = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1)
{
printf("error binding socket!\n");
exit(0);
}
if (connect (udpsock, (struct sockaddr *) &myudp, sizeof (
struct sockaddr_in)) == 0)
{
FD_ZERO (&r);
FD_SET (udpsock, &r);
mytimeout.tv_sec = TIMEOUT;
mytimeout.tv_usec = 0;
send (udpsock, data, sizeof data, 0);
error = select ((udpsock + 1), &r, NULL, NULL, &mytimeout);
if (error==-1)
{
printf("select error : %d\n",errno);
exit(-1);
}
open = recv(udpsock, dataout, 100, 0);
if (open==-1)
{
printf("sorry, no nameserver running :(\n");
exit(-1);
}
dataout[open]=0;
if ((dataout[3]&127)==0)
{
if(dataout[30]==192)
{
printf ("ahh...that must be a bind 9...trying to get more
details...\n\n");
printf ("DNS Version : %s\n",dataout+43);
}
else
{
printf ("ahh...that must be a bind 8...trying to get more
details...\n\n");
printf("DNS Version : %s\n",dataout+55);
}
}
else
printf("DNS Version : unknown\n");
shutdown(udpsock,1);
closesocket(udpsock);
}
else
printf("connect () error : %d\n",errno);
free(dataout);
exit(0);
}
void usage()
{
printf("Gimme <Hostname|IP-Address>\n");
exit(-1);
}
----- Original Message -----
From: "Rodrigo Ramos" <rodrigo.ramos@ipad.com.br>
To: <pen-test@securityfocus.com>
Sent: Friday, July 11, 2003 3:22 PM
Subject: Detecting DNS Servers
> Hi,
>
>
> I need a help from the community.
> At this moment I am reading papers from NIST and ISECOM (osstmm2.0).
> I need to know the very best way to discover the versions of DNS
> servers.
> I need to write a paper about it.I all ready wrote something, but I need
> to hear from everybody.
>
>
>
> Best Regards,
> Rodrigo Ramos
> http://www.spytket.com.br
>
>
>
> --------------------------------------------------------------------------
-
> The Lightning Console aggregates IDS events, correlates them with
> vulnerability info, reduces false positives with the click of a button,
anddistributes this information to hundreds of users.
>
> Visit Tenable Network Security at http://www.tenablesecurity.com to learn
> more.
> --------------------------------------------------------------------------
-- > --------------------------------------------------------------------------- The Lightning Console aggregates IDS events, correlates them with vulnerability info, reduces false positives with the click of a button, anddistributes this information to hundreds of users. Visit Tenable Network Security at http://www.tenablesecurity.com to learn more. ----------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:36 EDT