HackNotes Windows Security Portable Reference, part 3
Part I: Hacking Fundamentals
HackNote / HackNotes Windows Security Portable Reference / O’Dea / 222785-0 / Chapter 1: Footprinting: Knowing Where to Look
Here we see the (fictitious) nameserver ns1.targetdom.com for (fictitious) domain hacknotes.com dutifully delivering all the address information it has available. This isn’t a tremendous find, but it does tell us
the IP address for the web server http://www.hacknotes.com, as well
as the mail exchanger (MX) mail.hacknotes.com. We can also tell that
the mail server and the web server are on two separate networks.
Zone transfer attempts will succeed only against a name server that
is considered to be authoritative for the domain that you want to list. We
don’t need another tool to find the authoritative server; nslookup continues to be our one-stop shop:
> set type=any
> hacknotes.com
Server: testlab.a&p.com
Address: 192.168.32.1
Non-authoritative answer:
hacknotes.com MX preference = 30, mail exchanger = mail.hacknotes.com
hacknotes.com
primary name server = ns1.targetdom.com
responsible mail addr = admin.ns1.targetdom.com
serial = 2003032521
refresh = 10800 (3 hours)
retry = 3600 (1 hour)
expire = 604800 (7 days)
default TTL = 300 (5 mins)
hacknotes.com Internet address = 10.19.89.130
hacknotes.com nameserver = ns1.targetdom.com
hacknotes.com nameserver = ns1.targetdom.com
mail.hacknotes.com Internet address = 192.168.169.99
>
If you’re more comfortable with GUI-based tools, Sam Spade for
Windows (http://www.samspade.org/ssw/) is a powerful footprinting
tool, with an emphasis on spam tracing. Zone transfers are disabled by
default, but can be activated by toggling an option under Edit | Options |
Advanced. Once enabled, zone transfers are simply a matter of supplying
the domain name and the authoritative server, as shown in Figure 1-1.
Sam Spade also has a “dig” function that will return the authoritative
nameserver for whatever domain name you specify—one-click
footprinting.
Restrict Zone Transfers
The simplest way to prevent attackers from obtaining zone transfer data
from your servers is to block TCP/53 at your firewall or border router.
Normal DNS lookups are conducted over UDP, so it is not necessary to
permit TCP/53 from any systems other than those that require zone
transfers from your DNS server. This will prevent unauthorized parties
from outside the organization from accessing the zone data regardless
of the configuration of the DNS server itself.
Stopping outsiders from enumerating your domain is a good start,
but you may still be vulnerable to curious insiders. In later chapters,
we’ll discuss the advanced IP filtering capabilities available in Windows 2000 and Windows 2003, which you can use to create a local
firewall restricting access to TCP/53 only to authorized hosts. Aside
from filtering, you can make use of the security features within your
DNS server software to limit the hosts that are permitted to query zone
data for your domain. Following are the steps to configure zone transfer
permissions for a Windows 2003 Server, which defaults to no zone
transfers when new zones are created:
1. Open the DNS Management console by selecting Start |
Administrative Tools | DNS.
2. Select the Lookup Zone to change zone transfer settings.
3. Right-click the Lookup Zone and select Properties.
4. Select the Zone Transfers tab.
Figure 1-1. Using Sam Spade to execute a DNS Zone Transfer
From this tab (see Figure 1-2), you can enable or disable zone transfers
for this domain or restrict zone transfers to a limited set of servers. Try enabling zone transfers to any server and using nslookup as described earlier to obtain a listing of your domains using the ls -d command.
Disabling zone transfers for other DNS servers is done in a similar
fashion. For the Internet Software Consortium’s BIND (Berkeley Internet
Name Domain) software, access control lists can be defined in the
named.conf file, and the allow-transfer directive names the access control lists that can request zone transfers for the specific domain. Refer to
the documentation for your DNS server for exact details; the administrator’s manual for ISC’s BIND 9 server can be found at
http://www.nominum.com/content/documents/bind9arm.pdf.
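One way to check a BIND configuration for unrestricted transfers, as an added example that is not from the book or from ISC: a small Python audit that parses named.conf text and reports zones whose allow-transfer is missing or set to any. The sample configuration is constructed, and the audit assumes a missing allow-transfer means unrestricted transfers (the default in BIND 9 releases of the book's era; confirm it for your version).

```python
import re

# Constructed named.conf (not from the book); names other than hacknotes.com are made up.
SAMPLE_NAMED_CONF = '''
acl "secondaries" { 192.0.2.53; 192.0.2.54; };   // hosts allowed to pull zones
zone "hacknotes.com" { type master; file "db.hacknotes"; allow-transfer { any; }; };
zone "corp.example"  { type master; file "db.corp"; allow-transfer { "secondaries"; }; };
zone "lab.example"   { type master; file "db.lab"; };
zone "." { type hint; file "root.hints"; };
'''

# Comments match first and are dropped; group 1 is a string, punctuation or bare word.
TOKEN = re.compile(r'/\*.*?\*/|//[^\n]*|#[^\n]*|("[^"]*"|[{};]|[^\s{};"]+)', re.S)
SERVED = ('master', 'primary', 'slave', 'secondary')   # zone types that answer AXFR

def _parse(tokens):
    """Turn a token iterator into statements: lists of words and nested blocks."""
    stmts, cur = [], []
    for tok in tokens:
        if tok == '{':
            cur.append(_parse(tokens))       # recursion consumes up to the matching '}'
        elif tok == '}':
            break
        elif tok == ';':
            stmts.append(cur)
            cur = []
        else:
            cur.append(tok.strip('"'))
    return [s for s in stmts if s]

def _transfer_acl(block, default=None):
    """Elements of the allow-transfer list in this block, or default if absent."""
    for s in block:
        if s[0] == 'allow-transfer' and isinstance(s[-1], list):
            return [' '.join(map(str, e)) for e in s[-1]]
    return default

def audit_zone_transfers(conf_text):
    """Map zone name -> finding for zones whose transfers are not restricted."""
    tokens = (m.group(1) for m in TOKEN.finditer(conf_text) if m.group(1))
    stmts = _parse(tokens)
    inherited = next((_transfer_acl(s[-1]) for s in stmts if s[0] == 'options'), None)
    findings = {}
    for s in [s for s in stmts if s[0] == 'zone']:   # top-level zones; views not descended
        ztype = next((x[1] for x in s[-1] if x[0] == 'type' and len(x) > 1), '')
        acl = _transfer_acl(s[-1], inherited)
        if ztype in SERVED and (acl is None or 'any' in acl):
            findings[s[1]] = 'allow-transfer { any; }' if acl else 'no allow-transfer set'
    return findings
```

The audit does not resolve a named acl whose contents are themselves any, and it skips zones declared inside view blocks, so treat a clean result as a first pass and confirm with a transfer request from an unauthorized host.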
Figure 1-2. Windows 2003 Server Zone Transfer configuration tab. Here the
administrator has enabled zone transfers with no restrictions.