Nmap Development mailing list archives

Re: NSEC Enumeration script
From: Patrik Karlsson <patrik () cqure net>
Date: Tue, 15 Mar 2011 08:16:53 +0100



Den 2011-03-15 07.27 skrev David Fifield <david () bamsoftware com>:

On Wed, Mar 09, 2011 at 10:59:03PM +0100, John Bond wrote:
On 1 March 2011 01:15, David Fifield <david () bamsoftware com> wrote:

Thanks, I tried the domain you gave me and got an infinite loop on a
wildcard too. I edited the script to check for a NSEC record before
checking whether the query succeeded, and also made it use the
lower-level retPkt structures to get at the extra information we need.
It stopped the loop in this case, at least. Please give r22408 in
/nmap-exp/david/nmap-nsec.

OK, finally got round to looking at this, and it definitely looks better
using raw packets; however, I came across a few issues in the latest
version.

The first issue was if the NSEC records come in an order that is
unexpected, i.e. the first record in the response is z.example.com and
the second is a.example.com. The way the script was written meant it
always used the last NSEC record. I don't think NSEC records
necessarily need to be served in lexicographic order, and I have come
across situations where they don't.

The second was if the script came across a subdomain that wasn't
signed. This caused the script to exit at that point instead of
bumping the domain.

I think the attached patch should resolve these.

Thanks for testing it and for this new patch. I tried it, but I hit an
infinite loop on the very last name. I think it's because the last NSEC
record points backwards to the first name in the subzone. In r22589 I
changed get_next_nsec to look for an NSEC record that brackets a given
domain name, with the dname on the left and name on the right. It works
for me, but please give it a try.

This is looking really good! I think it's almost ready to merge. The
last thing is I'd like the library interface to be cleaned up. In
particular, I want dnssec_query to be removed or made a wrapper around a
more fundamental function. Could some NSE library experts maybe make
comments on how best to do this? The changes so far to the library are

svn diff -r 22369:22589
svn://svn.insecure.org/nmap-exp/david/nmap-nsec/nselib | less

A quick glance at the dnssec_query function suggests that it shares a lot
of code with the query function. It could make sense to extend that
function to handle DNSSEC. It would probably involve adding a value to
the option parameter. Also, in my opinion, the code should be changed so
that it returns the status as the first return value, rather than how it's
being done at the moment.

In essence, I think that the following change should be performed:
- return rPkt.dnssec,true, rPkt
+ return true, rPkt

This way it's more standardized and does not return redundant information.


Also, this is minor, but please fix the errors from a search and replace
of "ds". The word "records" got turned into e.g. "recornsec3" and
"recordnskey".

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

//Patrik



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
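As an added illustration (not code from the nmap-nsec branch or the NSE dns library), here is the bracketing logic the thread describes for get_next_nsec, written in Python against a constructed NSEC chain: the covering record is chosen by RFC 4034 canonical ordering rather than by its position in the response, and the walk stops when the last record's next name wraps back to the apex instead of looping. The zone, its records and the function names are assumptions made for this example.

```python
def canonical_key(name):
    """RFC 4034 section 6.1 ordering key: labels compared from the root
    inward, case-insensitively, as unsigned octet strings (a parent name
    therefore sorts before every name beneath it)."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return [label.encode() for label in reversed(labels)]

def nsec_covers(owner, nxt, name):
    """True if the NSEC record owner -> nxt brackets `name`, i.e. proves it
    does not exist. The last record of a chain points back to the apex, so
    its next name sorts before its owner; that case wraps around."""
    o, n, q = canonical_key(owner), canonical_key(nxt), canonical_key(name)
    if n <= o:
        return q > o or q < n
    return o < q < n

def find_covering_nsec(name, records):
    """Choose the bracketing record regardless of the order the server
    returned them in, instead of blindly taking the last one."""
    for owner, nxt in records:
        if nsec_covers(owner, nxt, name):
            return owner, nxt
    return None

def walk_chain(apex, records):
    """Follow next-name pointers from the apex and stop when the chain wraps
    back to it; any other repeat is a malformed chain, not an endless loop."""
    by_owner = {o.rstrip(".").lower(): n for o, n in records}
    apex_key, names, seen, cur = canonical_key(apex), [], set(), apex
    while True:
        key = cur.rstrip(".").lower()
        if key in seen:
            raise ValueError("NSEC chain loops without returning to apex")
        seen.add(key)
        names.append(cur)
        nxt = by_owner.get(key)
        if nxt is None:
            raise ValueError("no NSEC record for " + cur)  # e.g. unsigned cut
        if canonical_key(nxt) <= apex_key:
            return names
        cur = nxt

# Constructed chain for a fictional zone, listed out of order on purpose.
ZONE_APEX = "example.com."
NSEC_RECORDS = [
    ("z.example.com.", "example.com."),        # last record, wraps to apex
    ("a.example.com.", "Mail.example.com."),
    ("example.com.", "a.example.com."),
    ("mail.example.com.", "z.example.com."),
]
```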
