Security Basics mailing list archives

RE: Sign:Re: Is there such a thing as DNS Network Mapper type application


From: David Burt <uncue75 () yahoo com>
Date: Tue, 9 Sep 2003 06:14:26 -0700 (PDT)

This is exactly the information that I am looking for
however, doing a zone transfer would certainly show up
as a snort/IDS alert.  Someone off list suggested
scanning the subnet and doing a DNS reverse lookup. 
This too, I would think, would cause a snort/IDS alert.  I'm
looking for something a little less intrusive.  In the
same email, this person suggested that I could write a
perl script to use nslookup to query common names like
the ones I listed.  This is exactly what I am looking
for, however perl and I don't get along very well.  I
could probably do this, it would just take some time. 
Then I would have to come up with my own list of
common host names, which is another reason I was
hoping someone had already been down this road.


Thanks for the responses...

David


-----Original Message-----
From: Kilian CAVALOTTI [mailto:kilian.cavalotti () crans org]
Sent: Monday, September 08, 2003 4:21 PM
To: David Burt
Cc: security-basics () securityfocus com
Subject: Sign:Re: Is there such a thing as DNS Network Mapper type application


David Burt wrote:
To give you an example, you tell it the ip or name of
the name server you would like to use, then it does
many lookups trying to find IPs based on the names.

You get this idea...

Something like an AXFR transfer on a DNS zone ?

[22:18] me@host % host -l nic.fr
nic.fr.                 NS      ns.ripe.net.
nic.fr.                 NS      dns.inria.fr.
nic.fr.                 NS      ns0.oleane.net.
nic.fr.                 NS      ns1.nic.fr.
nic.fr.                 NS      ns1.oleane.net.
nic.fr.                 NS      ns2.nic.fr.
nic.fr.                 NS      ns3.nic.fr.
alarch.nic.fr.          A       192.134.4.166
alpha.nic.fr.           A       192.134.4.16
ambre.nic.fr.           A       192.134.4.162
archipel.nic.fr.        A       192.134.4.245
astrid1.nic.fr.         A       192.134.4.136
astrid2.nic.fr.         A       192.134.4.2
axelle.nic.fr.          A       192.134.4.123
barbapapa.nic.fr.       A       192.134.4.95
[...]

-- 
Kilian CAVALOTTI | GPGKeyId: 0xD657340C
BOFH excuse #214:
Fluorescent lights are generating negative ions. If turning them off
doesn't work, take them out and put tin foil on the ends.
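
The three approaches discussed in this thread (zone transfer, reverse-lookup sweep of a subnet, lookups of common host names), seen from the name server operator's side: an added example, not part of the original messages, that flags each pattern per client in DNS query records. The record layout, thresholds, addresses and names are assumptions constructed for illustration, not any resolver's native log format.

```python
from collections import defaultdict

def build_sample():
    """Constructed records: 'client qname qtype rcode' (assumed layout)."""
    lines = ["192.0.2.10 example.test AXFR REFUSED"]
    lines += [f"192.0.2.20 {i}.2.0.192.in-addr.arpa PTR NXDOMAIN"
              for i in range(1, 31)]
    guesses = ["www", "mail", "ftp", "ns1", "vpn", "dev",
               "test", "gw", "fw", "intranet", "backup", "db"]
    lines += [f"192.0.2.30 {g}.example.test A "
              f"{'NOERROR' if g in ('www', 'mail') else 'NXDOMAIN'}"
              for g in guesses]
    # Ordinary client: a couple of successful lookups.
    lines += ["192.0.2.40 www.example.test A NOERROR",
              "192.0.2.40 example.test MX NOERROR"]
    return lines

def classify(lines, ptr_min=20, name_min=10, nx_ratio=0.5):
    """Return {client: [finding, ...]} for the three enumeration patterns."""
    xfr, ptr, fwd = set(), defaultdict(set), defaultdict(dict)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        client, qname, qtype, rcode = parts
        qname = qname.lower().rstrip(".")
        if qtype in ("AXFR", "IXFR"):
            xfr.add(client)  # any transfer request is worth a look
        elif qtype == "PTR" and qname.endswith(".in-addr.arpa"):
            ptr[client].add(qname)  # distinct reverse names per client
        elif qtype in ("A", "AAAA"):
            fwd[client][qname] = rcode  # last rcode per distinct forward name
    findings = defaultdict(list)
    for client in xfr:
        findings[client].append("zone-transfer")
    for client, names in ptr.items():
        if len(names) >= ptr_min:
            findings[client].append("ptr-sweep")
    for client, seen in fwd.items():
        nx = sum(r == "NXDOMAIN" for r in seen.values())
        # Many distinct names, mostly nonexistent: guessing from a wordlist.
        if len(seen) >= name_min and nx / len(seen) >= nx_ratio:
            findings[client].append("name-guessing")
    return dict(findings)

if __name__ == "__main__":
    for client, tags in sorted(classify(build_sample()).items()):
        print(client, ", ".join(tags))
```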

