0

I'm trying to do two things here. The first is poison the cache of a target DNS server. A scan has suggested the network I'm attacking is vulnerable to CVE-1999-0024. My understanding of this vulnerability is that it allows me to to 'tell' the DNS server on the target network that: myevilsite1.com = 1.2.3.4 and that as a result any clients internally requesting the site myevilsite1.com from the internal side of the DNS server will receive whatever IP I tell the DNS server to cache. I don't understand exactly how this attack works and i'd like to also test it (and validate it if below is a suitable test). Could someone please explain how i can conduct an attack like this?

The second is to confirm that it has worked by using DNS Server Cache Snooping: To do this i'm using the following command in nmap (I just want to double check this is a valid way to test):

nmap -sU -p 53 --script dns-cache-snoop.nse --script-args 'dns-cache-snoop.mode=timed,dns-cache-snoop.domains={myevilsite1.com,google.com,bing.com}' 1.2.3.4

Hope someone can help! Thanks!

Improve this question

1 Answer 1

Reset to default
2

The nmap plugin that you are using only tests against snooping, you can see if a user (using this DNS server) has performed a DNS request.

This is tested, using nmap, in 2 possible scnearios:

  • Timed: it will measure the time difference between a cached request (faster), compared to a normal DNS request (slower). This way, it knows if the domain has been cached and thus "visited" before.
  • Recursive: If your DNS support this, a DNS request with the RD flag set to 0 will only be responded to if the domain is cached on your DNS server (and thus, visited before).

The best test is to test against domains that are probably used by the target domain. Nmap by default tries the top 50 most popular domains, so that might be a good bet.

From a command point of view, the map page says that the timed attack can only work once reliably, since it inserts data into the DNS cache. I'd say try with the default settings

nmap -sU -p 53 --script dns-cache-snoop.nse --script-args 'dns-cache-snoop.mode=nonrecursive' 1.2.3.4

Hope this helps!

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.