From: David F. Skoll [dfs@ROARINGPENGUIN.COM]
Sent: Monday, December 11, 2000 9:09 AM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Weakness in Windows NT reverse-DNS lookups

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

After seeing a lot of NetBIOS node-status probes in my firewall logs, I discovered that many NT servers apparently do a reverse DNS lookup by sending a NetBIOS node-status query. This is documented at:

http://support.microsoft.com/support/kb/articles/Q154/5/53.ASP

It seems to me that it's much easier to spoof an answer to a NetBIOS node-status request than to tamper with the actual DNS system. The Web page says this is only used for WINS lookups, but I see a lot of these probes coming from machines across the Internet.

Essentially, NT believes *the system it is querying* rather than a DNS server. It is (presumably) easier to take control of a system you own rather than a DNS server over which you do not have administrative control.

The people who helped me discover this wish to remain anonymous, but thanks, guys -- you know who you are.

- --
David F. Skoll
Roaring Penguin Software Inc. | http://www.roaringpenguin.com
GPG fingerprint: 50B4 FA66 CE95 E456 CD8F 96C9 E64D 185C 6646 68E0
GPG public key: http://www.roaringpenguin.com/dskoll-key.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: pgpenvelope 2.9.0 - http://pgpenvelope.sourceforge.net/

iD8DBQE6NOAe5k0YXGZGaOARAnSZAKDp96KbjS9axmra2Lc41V8nwNUx/QCfSNRl
uMyNyvGX9RmklndFpDYh0So=
=+VSz
-----END PGP SIGNATURE-----
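The post's point is that the "reverse lookup" answer comes from the very host being looked up, carried in a NetBIOS node-status (NBSTAT) exchange on UDP/137 rather than from DNS. The following is an added example, not code from the post or from Microsoft: it builds the wildcard node-status query such a probe consists of (useful for classifying the probes seen in firewall logs), builds and parses the node-status response defined in RFC 1002 sections 4.2.17 and 4.2.18, and shows that the name in the reply is simply whatever the responding host writes there. The host names, the MAC address and the rule for which entry a lookup would report (first active unique name with suffix 0x00) are assumptions made for the example; the post and the KB article do not specify them.

```python
"""NetBIOS node-status (NBSTAT) packets per RFC 1002, sections 4.2.17 and 4.2.18.
Added example, not code from the original post. Names and MAC below are constructed."""
import struct
from typing import Iterable, List, Optional, Tuple

NBNS_PORT = 137        # NetBIOS Name Service, UDP
QTYPE_NBSTAT = 0x0021  # node-status query/response type
CLASS_IN = 0x0001
FLAG_ACT = 0x0400      # NAME_FLAGS: name is active (RFC 1002 4.2.18 bit layout)
FLAG_GROUP = 0x8000    # NAME_FLAGS: group name


def encode_netbios_name(name: str, suffix: int = 0x00, pad: bytes = b" ") -> bytes:
    """First-level encoding: pad the name to 15 bytes, append the 1-byte suffix,
    emit each nibble as 'A' + nibble. Returns the 34-byte wire label (length,
    32 encoded chars, terminating zero label)."""
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + bytes([suffix & 0xFF])
    enc = bytearray()
    for b in raw:
        enc.append(0x41 + (b >> 4))
        enc.append(0x41 + (b & 0x0F))
    return b"\x20" + bytes(enc) + b"\x00"


# A node-status query asks for the wildcard name "*" padded with NULs.
WILDCARD_NAME = encode_netbios_name("*", 0x00, b"\x00")


def decode_node_name(raw16: bytes) -> Tuple[str, int]:
    """Split a 16-byte NODE_NAME into (name without padding, suffix byte)."""
    return raw16[:15].rstrip(b" \x00").decode("ascii", "replace"), raw16[15]


def build_node_status_query(txid: int) -> bytes:
    """The 50-byte UDP/137 request: standard query, one question, NBSTAT/IN on '*'."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + WILDCARD_NAME + struct.pack("!HH", QTYPE_NBSTAT, CLASS_IN)


def is_node_status_query(payload: bytes) -> bool:
    """Detection check for a UDP/137 payload: is this a wildcard NBSTAT probe?"""
    if len(payload) < 50:
        return False
    _txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF or qd != 1:
        return False  # response bit set, non-standard opcode, or no question
    name_end = 12 + len(WILDCARD_NAME)
    qtype, qclass = struct.unpack("!HH", payload[name_end:name_end + 4])
    return payload[12:name_end] == WILDCARD_NAME and qtype == QTYPE_NBSTAT and qclass == CLASS_IN


def build_node_status_response(txid: int, names: Iterable[Tuple[str, int, int]], mac: bytes) -> bytes:
    """A node-status response. Nothing in it is authenticated: the responding host
    fills in any names it likes. names: (name, suffix, NAME_FLAGS); mac: UNIT_ID."""
    entries = list(names)
    table = b"".join(
        n.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([sfx]) + struct.pack("!H", fl)
        for n, sfx, fl in entries
    )
    stats = mac[:6].ljust(6, b"\x00") + b"\x00" * 40   # 46-byte STATISTICS block, MAC first
    rdata = bytes([len(entries)]) + table + stats
    header = struct.pack("!HHHHHH", txid, 0x8400, 0, 1, 0, 0)  # QR=1, AA=1, one answer
    rr = WILDCARD_NAME + struct.pack("!HHIH", QTYPE_NBSTAT, CLASS_IN, 0, len(rdata))
    return header + rr + rdata


def parse_node_status_response(payload: bytes) -> dict:
    """Extract the name table and MAC. Raises ValueError on malformed input
    instead of trusting the length fields blindly."""
    if len(payload) < 12:
        raise ValueError("short header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if not flags & 0x8000 or an < 1:
        raise ValueError("not a response with an answer")
    pos = 12
    while payload[pos] != 0:          # skip RR_NAME: length-prefixed labels ending in 0
        pos += 1 + payload[pos]
    pos += 1
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", payload[pos:pos + 10])
    pos += 10
    if rtype != QTYPE_NBSTAT or pos + rdlen > len(payload):
        raise ValueError("bad RR type or RDLENGTH")
    num = payload[pos]
    pos += 1
    if 1 + num * 18 + 6 > rdlen:
        raise ValueError("NUM_NAMES exceeds RDLENGTH")
    names: List[Tuple[str, int, int]] = []
    for i in range(num):
        ent = payload[pos + i * 18: pos + i * 18 + 18]
        name, sfx = decode_node_name(ent[:16])
        names.append((name, sfx, struct.unpack("!H", ent[16:])[0]))
    mac = payload[pos + num * 18: pos + num * 18 + 6]
    return {"txid": txid, "names": names, "mac": mac.hex(":")}


def claimed_hostname(response: bytes) -> Optional[str]:
    """The name a node-status based lookup would report. Picking the first active,
    unique name with the 0x00 (workstation) suffix is an assumption of this example."""
    for name, sfx, fl in parse_node_status_response(response)["names"]:
        if sfx == 0x00 and fl & FLAG_ACT and not fl & FLAG_GROUP:
            return name
    return None


if __name__ == "__main__":
    query = build_node_status_query(0x1234)
    print("probe seen in logs is an NBSTAT query:", is_node_status_query(query))
    # Constructed reply from a host under our control: it simply claims to be FILESRV.
    reply = build_node_status_response(
        0x1234,
        [("FILESRV", 0x00, FLAG_ACT), ("WORKGROUP", 0x1E, FLAG_GROUP | FLAG_ACT)],
        bytes.fromhex("001122334455"),
    )
    print(parse_node_status_response(reply))
    print("name the querier would believe:", claimed_hostname(reply))
```

`is_node_status_query` is the piece to run over captured UDP/137 payloads when deciding whether inbound traffic is the node-status probing described above; the response builder and parser make it concrete that the querier has no way to verify the name table, since the only party that signs nothing and controls every byte of the answer is the host being "resolved".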