



Network Security Focus-Microsoft

Re: Question on IIS servers and reverse lookup

Subject: Re: Question on IIS servers and reverse lookup
Date: Thu, 10 Mar 2005 16:34:01 -0500

> I remember that nslookup() function of NT kernel
> uses netbios if DNS doesn't reply anything
> (correct me if I'm wrong).


This is roughly it (I cannot swear to the implementation details, only
the real-world results). Just one of my mailservers has generated
1824 blocked outbound requests to port 137 so far today. A cursory
check shows that they are going to hosts with no reverse DNS records.
When there are none, Windows will issue a direct NetBIOS name query.

An nbtstat -A x.x.x.x creates the same results - it issues a direct NetBIOS
name query to the remote host.

I don't have a pure IIS machine handy to confirm if it is the IIS
reverse logging setting that is specifically generating those name
resolution packets, but my logs indicate that my www log crunching
correlates highly with the generation of such packets - every hour
something calls the Windows name resolution API, and it cycles through
the various methods, generating them.


Matt Ostiguy
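
To confirm what the blocked outbound port 137 packets described in this message actually are, a captured UDP payload can be decoded. The following is an added example, not part of the original post: it parses the RFC 1001/1002 NetBIOS name service question and reports whether it is a name query or the node status request that `nbtstat -A` sends, and whether it was sent directly rather than as a broadcast. The function names and the sample packet are constructed for illustration.

```python
import struct

QTYPES = {0x0020: "NB name query", 0x0021: "NBSTAT node status"}

def decode_nb_name(label: bytes):
    """Undo RFC 1001 first-level encoding: 32 bytes in 'A'..'P' -> 16 raw bytes."""
    if len(label) != 32 or any(not 0x41 <= b <= 0x50 for b in label):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41)
                for i in range(0, 32, 2))
    # 15 name bytes (space or NUL padded) plus a one-byte suffix
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace"), raw[15]

def parse_nbns_request(payload: bytes) -> dict:
    """Parse the first question of a NetBIOS name service packet (UDP/137)."""
    if len(payload) < 12:
        raise ValueError("truncated header")
    txid, flags, qdcount = struct.unpack("!3H", payload[:6])
    if qdcount < 1 or len(payload) < 13 or payload[12] != 32:
        raise ValueError("no NetBIOS question present")
    label, off = payload[13:45], 45
    while True:  # skip optional scope labels up to the root label
        if off >= len(payload):
            raise ValueError("truncated name")
        n = payload[off]
        off += 1
        if n == 0:
            break
        if n > 63:
            raise ValueError("unexpected label pointer in question")
        off += n
    if off + 4 > len(payload):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    name, suffix = decode_nb_name(label)
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),
        "broadcast": bool(flags & 0x0010),  # clear on a direct (unicast) query
        "name": name,
        "suffix": suffix,
        "qtype": QTYPES.get(qtype, hex(qtype)),
    }

# Constructed sample: the node status request that `nbtstat -A` sends,
# asking for the wildcard name "*" (encoded "CK" followed by 30 "A").
SAMPLE = (struct.pack("!6H", 0x1234, 0x0000, 1, 0, 0, 0)
          + b"\x20" + b"CK" + b"A" * 30 + b"\x00"
          + struct.pack("!HH", 0x0021, 0x0001))
```

Calling `parse_nbns_request(SAMPLE)` returns the decoded fields as a dict; payloads pulled from a firewall or packet capture can be passed in the same way.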
