Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: NSEC Enumeration script
From: John Bond <john.r.bond () gmail com>
Date: Wed, 9 Mar 2011 22:59:03 +0100

On 1 March 2011 01:15, David Fifield <david () bamsoftware com> wrote:

Thanks, I tried the domain you gave me and got an infinite loop on a
wildcard too. I edited the script to check for a NSEC record before
checking whether the query succeeded, and also made it use the
lower-level retPkt structures to get at the extra information we need.
It stopped the loop in this case, at least. Please give r22408 in
/nmap-exp/david/nmap-nsec.
Ok finally got round to looking at this and definitely looks better
using raw packets however i came across a few issues in the latest
version.

The first issue was if the NSEC records come in an order that is
unexpected i.e. the first record in the response is z.example.com and
the second is a.example.com.  The way the script was written meant it
always used the last NSEC record.   i dont think NSEC records
necessarily need to be served in lexicographic order and i have come
across situations were they dont.

The second was if the script came across a sub domain that wasn't
signed.  This cause the script to exit at that point instead of
bumping the domain.

I think the attache patch should resolve these.

Also in relation to the edns im not sure i responded to that but edns
allows you to specify extra options not specified in the original
dnsspec.  one option is to enable DNSSEC but another option you can
specify is how much data you can receive.  DNS is normally restricted
to 512 bytes over udp. ends allows you to specify a larger packet
size.  to add edns to a  query advertising  a larger window of 4096
bytes use

addEdns(pkt, dname, dtype, false) [or addEdns(pkt, false)  after the patch]

if the last parameter is true it will also request DNSSEC and looking
at the function i am pretty sure dname and dtype ar superfluous so i
have added a patch to remove them as well

This will add an OPT packet to the additional section of the query
packet conforming to (i hope :S) rfc2671

johnd bond

_now all i have to to is get a better router so it dosn't crash
everytime i run the script ;)_

Attachment: dns-nsec-enum.nse.patch
Description:

Attachment: dns.lua.patch
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]