Home page logo
/

nmap-dev logo Nmap Development mailing list archives

DNSSEC NSEC howto
From: David Fifield <david () bamsoftware com>
Date: Thu, 24 Feb 2011 20:31:22 -0800

I wanted to try out John's NSEC enumeration scritp without abusing
public servers. Here's a quick howto on setting up BIND to serve NSEC
records locally on Debian.

# apt-get install bind9 bind9utils ldnsutils

bind9utils contains the dnssec-keygen and dnssec-signzone utilities.
ldnsutils contains the drill command that is like dig with easy DNSSEC
queries. ldnsutils also has ldns-walk which does the same job as this
script.

# cd /etc/bind
# dnssec-keygen -r /dev/urandom -a RSASHA1 -b 4096 -n ZONE example.com
# dnssec-keygen -r /dev/urandom -a RSASHA1 -b 4096 -n ZONE -f KSK example.com

Write the file db.example.com:

$ORIGIN example.com.
$TTL 1h
example.com.    IN      SOA ns.example.com. bind.example.com. (
                1 1d 2h 4w 1h
                )
example.com.    NS      ns
example.com.    A       123.123.123.1
charmander      A       123.123.123.2
bulbasaur       A       123.123.123.3
gyarados        A       123.123.123.4
snorlax         A       123.123.123.5
vulpix          A       123.123.123.6
dugtrio         A       123.123.123.7
ns              A       123.123.123.100
$INCLUDE /etc/bind/Kexample.com.+005+03702.key
$INCLUDE /etc/bind/Kexample.com.+005+36802.key

# dnssec-signzone -o example.com db.example.com

Add to named.conf:

zone "example.com" {
        type master;
        file "/etc/bind/db.example.com.signed";
};

# /etc/init.d/bind9 restart

At this point you can enumerate the domain with ldns-walk:

$ ldns-walk example.com @localhost
example.com.    example.com. A NS SOA RRSIG NSEC DNSKEY
bulbasaur.example.com. A RRSIG NSEC
charmander.example.com. A RRSIG NSEC
dugtrio.example.com. A RRSIG NSEC
gyarados.example.com. A RRSIG NSEC
ns.example.com. A RRSIG NSEC
snorlax.example.com. A RRSIG NSEC
vulpix.example.com. A RRSIG NSEC

And with the new script:

$ sudo ./nmap --datadir . -sS localhost -p53 --script=dns-nsec-enum --script-args dns-nsec-enum.domains={example.com}   
                   
PORT   STATE SERVICE
53/tcp open  domain
| dns-nsec-enum:
|       hosts for example.com:
|
|       bulbasaur.example.com:example.com:A:NS:SOA:RRSIG:NSEC:DNSKEY
|       charmander.example.com:bulbasaur.example.com:A:RRSIG:NSEC
|       dugtrio.example.com:charmander.example.com:A:RRSIG:NSEC
|       gyarados.example.com:dugtrio.example.com:A:RRSIG:NSEC
|       ns.example.com:gyarados.example.com:A:RRSIG:NSEC
|       snorlax.example.com:ns.example.com:A:RRSIG:NSEC
|_      vulpix.example.com:snorlax.example.com:A:RRSIG:NSEC

To query an existent or nonexistent name individually:

$ drill -D name.example.com. @localhost

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]