Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: NSEC Enumeration script
From: David Fifield <david () bamsoftware com>
Date: Mon, 7 Feb 2011 10:12:23 -0800

On Fri, Feb 04, 2011 at 10:56:51AM +0100, John Bond wrote:
Hi All,

I wanted to get to know dnssec and nse  a bit more so decided to write
an nse script to enumerate NSEC records.  unfortunately the dns.lua
library that comes as standard (using mac ports) dose not have support
for dnssec or edns.  so in order to produce my script i have had to
hack about with the dns library a little.

As this is my first experience with lua i thought it would be best to
take a copy of dns.lua and hack that instead of trying to provide a
patch.  i have tried to make my additions compatible with the original
library and would be interested to know how other scripts which use
the dns library work with my additions.  The things i have added are
below and the library name i have used in the dns-nsec-enum script is

Library will recognise and decode the following RR types
   * DS
   * RRSIG
   * NSEC
   * OPT
The library also has the ability to add an EDNS (OPT) packet setting the
   * Senders payload size
   * z bit 1 to indicate DNSSEC capabilities

Here is the script info

description = [[
This script takes an argument for a zone and attempt to enumerate all
dns records avalible in this zone.  for this script to work DNSEC and
NSEC must be avalible.

-- @args dns-nsec-enum.domains- the dns-nsec-enum.domains name to
attemp to enumarate, default is the dns-nsec-enum.domainsname of the
target been scanned
-- @usage
-- nmap --script dnssecenum [--script-args
dns-nsec-enum.domains=example.com] <target>
-- @output
-- | dns-nsec-enum:     hosts for www.example.com
-- |    ftp.example.com:A:NS:SOA:TXT:AAAA:RRSIG:NSEC:DNSKEY
-- |    http.example.com:CNAME:RRSIG:NSEC
-- |    www.example.com:A:AAAA:RRSIG:NSEC
-- |    example.com:CNAME:RRSIG:NSEC

Thanks, John, I'm excited about this script. I and others would like to
test it. Did you set up a DNSSEC server to test it, or did you use a
public one? Can you give a brief guide on how to reproduce your results?

This might be a dumb question, but does it work with NSEC3 servers? I
guess the the only way to do that is to guess names from a dictionary?

David Fifield
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]