Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: NSEC Enumeration script
From: John Bond <john.r.bond () gmail com>
Date: Sat, 26 Feb 2011 13:11:34 +0100

On 26 February 2011 10:27, David Fifield <david () bamsoftware com> wrote:
On Thu, Feb 24, 2011 at 09:48:54PM +0100, John Bond wrote:
Updated script which fixes a few issues which where occurring due to
bad error handeling, flawed logic and laziness.  if anyone needs a
copy of my dns.lua file or a patch file just let me know

I like the idea and capabilities of this script a lot. I've been working
on it to make it better fit the style of other scripts and hopefully be
easier to understand. Please get the latest revision from

svn co --username guest --password "" svn://svn.insecure.org/nmap-exp/david/nmap-nsec

In this version I purposely removed some advanced features like
secondary resolution of names. My idea is to get a simple version of the
script debugged so it can be merged, and after that add more features.
To be honest I had stopped using that feature because the performance
was pretty bad and i think the whole bit needed rewriting.  i was
thinking it might be better to just add discovered hosts to the scan
list like dns-zone-transfer.  it would probably be a good idea to also
run dns-zone-transfer first and if this is successful scipt
dns-nsec-enum as a zone transfer should giv more info.  but not sure
how to do this yet

also removed anything I was unsure was necessary, again with the goal of
having a simpler script. For example, I removed the special wildcard
detection because I wasn't having a problem without it and I suspected
it may have been necessary because of a bug elsewhere. It's possible I'm
wrong about this, so please test it with the environment that was giving
you trouble before.
I am still having problems with this, ill send you the domain im using
of list.  once i have digested all your changes ill try adding a
better fix like i said in the comments the detection i added was only
a hack so i will try and adapt the dns library.  however the change i
suggested would requiere returning part of the additional section on a
success.  which starts to move the dnssec_query function further away
from the query function.  I keep on thinking it would be easier to
just ask the dns library to return the raw paket and use that in
dnssec enum.  Or possibly add dnssec functionality to the query
function and then write a wrapper nsec_query which wrappes around

The script and the library hanges are getting closer to being accepted.
I still have doubts about the interface of dns.dnssec_query. In the
first place, it would be better if the DNSSEC queries could be made
using the same top-level function as other DNS queries--is DNSSEC really
so different that it needs a different interface? > I don't mind having a
convenience wrapper for DNSSEC, but it should call the same underlying
function as other queries.
not at all, i originally added all of this functionality to the normal
query fuction but i started to worry it might make other scripts
incompatible.  the main difference is dnssec_query has an extra return
'rPkt.dnssec' which indicates if the server responded with dnssec.  I
also use the host.ip instead of trying to use the system however this
is probably because of what im trying to do and could be set else
where.  edns is on by default but i think this should also be an
option for the query function.  Finnaly you would need another option
in query to request dnssec and that might be it.

Second, I tried disabling one of the
recursive calls that dnssec_query makes, which was triggering the "IF
 I'm not sure what that was all about, but
we should decide if we want the library making recursive calls like
that, and if so, what the return value should be.
looking at the copy of dns.lua in your svn it looks the same as mine
so its possible i already removed it.  i did do some tiding up there
myself.  A lot of this was coded late at night after beer :)

There are a lot of incorrect copy-pasted comments in the new
answerFetchers in dns.lua.
yes well as you will have noticed and probably in anger, sorry, my
commenting skills are lacking.  ill ensure i do proper comments in

Let me know if this version of the script works for you, and when you
make changes, make them starting from the Subversion branch. I'll keep
it up to date with any of your changes and it will be easier than
tracking many patches through the mailing list.
Btw I love the changes you have made to the script makes things so
much easy to read and gives me a better idea of how to use lua
effectively thank you

one miner thing i noticed in your comments you referenced the rfc for
domain labels but you missed one, not sure if this is the best text to
quote though
RFC 2782
        The symbolic name of the desired service, as defined in Assigned
        Numbers [STD 2] or locally.  An underscore (_) is prepended to
        the service identifier to avoid collisions with DNS labels that
        occur in nature.
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]