SecuraBit before it Bytes

Latest Snort signature to detect DNS vulnerability

As many of you already know, this DNS vulnerability has taken the community as a whole by storm. For you Snort guys out there, here is the latest DNS signature that may help you detect such activity. Props to alexkirk from the #snort channel for hooking us up!

Implement at your own risk! Simply cut and paste as it looks pretty nasty below:

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS large number of NXDOMAIN replies - possible DNS cache poisoning"; byte_test:1,&,3,3; classtype:misc-attack; reference:cve,2008-0087; reference:url,www.microsoft.com/technet/security/bulletin/MS08-020.mspx; reference:cve,2008-1447; reference:url,www.microsoft.com/technet/security/bulletin/MS08-037.mspx; threshold: type threshold, track by_src, count 1000, seconds 30;)

Hope this helps!
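What the rule's two working parts do, as an added Python example (not part of the original post and not Snort's own code): the byte_test on the DNS flags byte, and a simplified model of the per-source threshold. The packets, addresses and helper names are constructed for illustration; note that `& 3` also matches other RCODEs with either low bit set, such as SERVFAIL.

```python
import struct

def rule_byte_test(payload: bytes) -> bool:
    # byte_test:1,&,3,3 -> read 1 byte at payload offset 3; true if (byte & 3) != 0
    return len(payload) > 3 and (payload[3] & 3) != 0

def is_nxdomain(payload: bytes) -> bool:
    # Stricter: a response (QR bit set) whose RCODE, the low nibble of byte 3, equals 3
    return len(payload) >= 12 and bool(payload[2] & 0x80) and (payload[3] & 0x0F) == 3

class SrcThreshold:
    """Simplified model of 'threshold: type threshold, track by_src, count N, seconds S'."""
    def __init__(self, count=1000, seconds=30):
        self.count, self.seconds, self.state = count, seconds, {}

    def event(self, src: str, ts: float) -> bool:
        start, hits = self.state.get(src, (ts, 0))
        if ts - start >= self.seconds:      # window expired: start counting again
            start, hits = ts, 0
        hits += 1
        alert = hits >= self.count          # every Nth event inside the window alerts
        self.state[src] = (ts, 0) if alert else (start, hits)
        return alert

def dns_reply(txid: int, rcode: int) -> bytes:
    # Constructed 12-byte DNS header: QR=1, RD=1, RA=1, chosen RCODE, no records
    return struct.pack("!HHHHHH", txid & 0xFFFF, 0x8180 | (rcode & 0x0F), 0, 0, 0, 0)

def count_alerts(packets, matcher, count=1000, seconds=30) -> int:
    thr = SrcThreshold(count, seconds)
    return sum(1 for ts, src, p in packets if matcher(p) and thr.event(src, ts))

def sample_traffic():
    # Constructed traffic (documentation addresses), as (timestamp, source, payload)
    burst = [(i * 0.01, "192.0.2.53", dns_reply(i, 3)) for i in range(2000)]    # NXDOMAIN flood
    slow = [(i * 0.1, "198.51.100.7", dns_reply(i, 3)) for i in range(1000)]    # 10/s NXDOMAIN
    fail = [(i * 0.01, "203.0.113.9", dns_reply(i, 2)) for i in range(1000)]    # SERVFAIL only
    return sorted(burst + slow + fail, key=lambda pkt: pkt[0])

if __name__ == "__main__":
    pkts = sample_traffic()
    print("rule as written:", count_alerts(pkts, rule_byte_test))
    print("exact RCODE 3  :", count_alerts(pkts, is_nxdomain))
```

The SERVFAIL-only source trips the rule as written but not the exact RCODE check, which is worth knowing when triaging alerts from a resolver that is simply failing upstream.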

Rainbow Tables Online Repository

So unless you’ve been living under a rock for the past couple of years, you should be quite familiar with the term “rainbow tables” and know how unbelievably awesome these are. A fellow colleague and I were in a pinch the other day and had no way of cracking an MD5 hashed password as we simply didn’t have access to a set of rainbow tables, nor did we have time to wait for Ophcrack and JTR to brute force it. So we stumbled across a free site that has over 1.6 million known hashes available.

The site is called Hash Mash and it simply allows you to plug in the MD5 and just hit decrypt or create an MD5 using the encrypt tab. Rainbow tables work unbelievably fast and have helped many people in my situation as well as the forensics field. However, be aware that if the password is encrypted then you will run into some issues that will require a higher level of understanding in order to break the encryption; for starters, knowing the original encryption algorithm being used. Be sure to check this site out for all of your “ethical” cracking needs.

**If you are in a position to download rainbow tables for offline use, then you can visit the Shmoo Group and download them there too. Happy cracking [|:) <- my interpretation of a white hat.
