[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Weakness in Windows NT reverse-DNS lookups

Title: Weakness in Windows NT reverse-DNS lookups
Released by: David F. Skoll
Date: 13th December 2000
Printable version: Click here

Hash: SHA1

After seeing a lot of NetBIOS node-status probes in my firewall logs,

I discovered that many NT servers apparently do a reverse DNS lookup

by sending a NetBIOS node-status query.  This is documented at:


It seems to me that it's much easier to spoof an answer to a NetBIOS

node-status request than to tamper with the actual DNS system.  The Web

page says this is only used for WINS lookups, but I see a lot of these

probes coming from machines across the Internet.

Essentially, NT believes *the system it is querying* rather than a DNS

server.  It is (presumably) easier to take control of a system you own

rather than a DNS server over which you do not have administrative control.

The people who helped me discover this wish to remain anonymous, but

thanks, guys -- you know who you are.

- --

David F. Skoll

Roaring Penguin Software Inc. | http://www.roaringpenguin.com

GPG fingerprint: 50B4 FA66 CE95 E456 CD8F  96C9 E64D 185C 6646 68E0

GPG public key:  http://www.roaringpenguin.com/dskoll-key.txt


Version: GnuPG v1.0.4 (GNU/Linux)

Comment: pgpenvelope 2.9.0 - http://pgpenvelope.sourceforge.net/





(C) 1999-2000 All rights reserved.