Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: NSEC Enumeration script
From: David Fifield <david () bamsoftware com>
Date: Sat, 26 Feb 2011 01:27:17 -0800

On Thu, Feb 24, 2011 at 09:48:54PM +0100, John Bond wrote:
Updated script which fixes a few issues which where occurring due to
bad error handeling, flawed logic and laziness.  if anyone needs a
copy of my dns.lua file or a patch file just let me know

I like the idea and capabilities of this script a lot. I've been working
on it to make it better fit the style of other scripts and hopefully be
easier to understand. Please get the latest revision from

svn co --username guest --password "" svn://svn.insecure.org/nmap-exp/david/nmap-nsec

In this version I purposely removed some advanced features like
secondary resolution of names. My idea is to get a simple version of the
script debugged so it can be merged, and after that add more features. I
also removed anything I was unsure was necessary, again with the goal of
having a simpler script. For example, I removed the special wildcard
detection because I wasn't having a problem without it and I suspected
it may have been necessary because of a bug elsewhere. It's possible I'm
wrong about this, so please test it with the environment that was giving
you trouble before.

The script and the library changes are getting closer to being accepted.
I still have doubts about the interface of dns.dnssec_query. In the
first place, it would be better if the DNSSEC queries could be made
using the same top-level function as other DNS queries--is DNSSEC really
so different that it needs a different interface? I don't mind having a
convenience wrapper for DNSSEC, but it should call the same underlying
function as other queries. Second, I tried disabling one of the
recursive calls that dnssec_query makes, which was triggering the "IF
YOU SEE THIS MESSAGE" message. I'm not sure what that was all about, but
we should decide if we want the library making recursive calls like
that, and if so, what the return value should be.

There are a lot of incorrect copy-pasted comments in the new
answerFetchers in dns.lua.

Let me know if this version of the script works for you, and when you
make changes, make them starting from the Subversion branch. I'll keep
it up to date with any of your changes and it will be easier than
tracking many patches through the mailing list.

David Fifield
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]