Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: NSEC Enumeration script
From: John Bond <john.r.bond () gmail com>
Date: Mon, 7 Feb 2011 21:19:26 +0100

On 7 February 2011 19:18, David Fifield <david () bamsoftware com> wrote:
On Mon, Feb 07, 2011 at 10:12:23AM -0800, David Fifield wrote:
Thanks, John, I'm excited about this script. I and others would like to
test it. Did you set up a DNSSEC server to test it, or did you use a
public one? Can you give a brief guide on how to reproduce your results?

And ane question: What version of Nmap did you derive your dnsseclib.lua
from? It's missing some changes that were made more recently in dns.lua.
If you know the original version then it's not too hard to make a diff
and apply it to the newest source.

David Fifield
Hi Dave,

Thanks for the response, in relation to the version i worked on im not
sure i think it was 5.21 installed via ports on mac and im a bit new
to mac.  anyway i have attached a patch file using the latest svn.  i
have had to add the old sendPackets functions as i couldn't get things
working in  5 minutes and there were a few other bits and bobs that
need tweaking.

in relation to NSEC3 not sure what will happen here, i hope it will
fail quietly however it wont be difficult to add a handler  for nsec3
and intend to.  the difficulty is in the enumeration. with nsec you
say do you have b and the server goes no i dont have any records
between a and c.  so the next question you ask is ok do you have c- (-
being the alphabetically lowest character).  with nsec3 you need to
change the way you enum things.  however AFAIK nsec3 still works the
same way but instead of saying i dont have anything between a and c
they say i dont have anything between hash(a) and hash(b).  so it will
be possible to build some logic where you can do a light weight brute
force* to get all hashes.  i was thinking of using the nse thread
library for this and starting one thread for each valid dns host
character

Finally with the server i used a public one.  i could produce a valid
ish zone to put on scanme.nmap.org but i am not sure my home adsl line
could take all the nmap-dev testers :)


*the type of thing im thinking of with a light wait brute force is to
do something lie request a and b if the hashes returned are the same
then there are no records between and an b else check a and ak etc etc

Attachment: dns.lua.patch
Description:

Attachment: dns-nsec-enum.nse
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]