Image source: http://www.fbi.gov/news/stories/2011/november/malware_110911/image/dns-malware-graphic
First, find a machine that you know is configured correctly for DNS on the network you want to search. If you're at that machine's console, open a DOS prompt and run the following command (mind the linewraps):

    reg query hklm\system\currentcontrolset\services\tcpip\parameters /s | find "NameServer"

The result should look something like this:

    NameServer    REG_SZ
    DhcpNameServer    REG_SZ    192.168.2.1 192.168.1.1 192.168.253.1

Obviously you may have different IP addresses for your name servers. Verify that the information is correct. Highlight the line in the response that is correct and paste it to your clipboard. Because my environment uses DHCP just about everywhere and DHCP assigns name server information, I highlight only that line and use a loop like the one below to scan multiple hosts (the "n" stands for the third octet of the subnet you are scanning):

    for /L %i in (2, 1, 254) do reg query \\192.168.n.%i\hklm\system\currentcontrolset\services\tcpip\parameters /s | find "DhcpNameServer" | find /V " DhcpNameServer REG_SZ 192.168.1.1 192.168.1.2 192.168.253.1" > 192.168.n.%i

Note that the second "find" statement in the command above will only pull out lines that don't match the supplied string. The output from this command is written to files named for the IP addresses of the devices you are querying; the files that are not zero length indicate systems that have some DNS setting that doesn't match what you know to be a good configuration. You may have to tweak this a bit for your situation, but you get the general idea.
Several people sent me information on the IP addresses of known rogue DNS servers. According to the (unsigned) FBI document here, the rogue DNS servers fall into the following IP ranges:

| start range | end range |
|---|---|
| 85.255.112.0 | 85.255.127.255 |
| 67.210.0.0 | 67.210.15.255 |
| 93.188.160.0 | 93.188.167.255 |
| 77.67.83.0 | 77.67.83.255 |
| 213.109.64.0 | 213.109.79.255 |
| 64.28.176.0 | 64.28.191.255 |
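The batch loop above leaves you with one file per host and a pile of non-empty files to eyeball. The following Python script is an added example, not part of the original post: it performs the same comparison offline on captured `reg query` output (parsing every NameServer and DhcpNameServer line, including those under per-interface subkeys that `/s` walks) and additionally flags any resolver that falls inside the rogue ranges from the table above. The known-good resolver list is assumed to be the one shown in the sample output earlier in the post, and both `reg query` outputs below are constructed for illustration.

```python
import re
from ipaddress import IPv4Address, AddressValueError
from typing import Dict, List

# Rogue DNS server ranges from the FBI notice (the table in this post).
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

# Assumed known-good resolvers for the network being audited (taken from the
# post's sample output; replace with the ones you verified on a healthy host).
KNOWN_GOOD = {"192.168.2.1", "192.168.1.1", "192.168.253.1"}

# Matches "    NameServer    REG_SZ    1.2.3.4 5.6.7.8" style lines from reg query.
_LINE_RE = re.compile(r"^\s*(NameServer|DhcpNameServer)\s+REG_SZ\s*(.*)$", re.IGNORECASE)
_CANONICAL = {"nameserver": "NameServer", "dhcpnameserver": "DhcpNameServer"}


def parse_reg_query(output: str) -> Dict[str, List[str]]:
    """Return {value_name: [server, ...]} for every NameServer/DhcpNameServer
    line in reg query output. reg query separates servers with spaces or commas;
    an empty value (common for NameServer on DHCP clients) yields no entries."""
    found: Dict[str, List[str]] = {}
    for line in output.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        name = _CANONICAL[m.group(1).lower()]
        servers = [s for s in re.split(r"[\s,]+", m.group(2).strip()) if s]
        found.setdefault(name, []).extend(servers)
    return found


def in_rogue_range(server: str) -> bool:
    """True if the server is an IPv4 address inside one of the published rogue ranges."""
    try:
        addr = IPv4Address(server)
    except AddressValueError:
        return False  # not a well-formed IPv4 address; reported as unexpected elsewhere
    return any(IPv4Address(lo) <= addr <= IPv4Address(hi) for lo, hi in ROGUE_RANGES)


def audit_host(output: str, known_good=KNOWN_GOOD) -> Dict[str, object]:
    """Compare one host's reg query output against the known-good list and the rogue ranges."""
    servers = sorted({s for lst in parse_reg_query(output).values() for s in lst})
    unexpected = [s for s in servers if s not in known_good]
    rogue = [s for s in servers if in_rogue_range(s)]
    return {"servers": servers, "unexpected": unexpected, "rogue": rogue, "clean": not unexpected}


# Constructed sample output: a host whose settings match the known-good list.
CLEAN_HOST = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    NameServer    REG_SZ
    DhcpNameServer    REG_SZ    192.168.2.1 192.168.1.1 192.168.253.1
"""

# Constructed sample output: a host with a static NameServer override pointing
# into two of the rogue ranges (the DHCP-assigned servers are still present).
SUSPECT_HOST = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    NameServer    REG_SZ    85.255.112.36 93.188.160.7
    DhcpNameServer    REG_SZ    192.168.2.1 192.168.1.1 192.168.253.1
"""

if __name__ == "__main__":
    for label, text in (("clean host", CLEAN_HOST), ("suspect host", SUSPECT_HOST)):
        print(label, audit_host(text))
```

To use it against real data, capture each host's output (for example, the per-IP files the batch loop produces, or `reg query ... /s` run over all interface subkeys) and feed the text to `audit_host`; a non-empty `rogue` list is the strongest signal, while `unexpected` catches any resolver you did not sanction, rogue or not.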
Feedback appreciated.