Nmap Development mailing list archives

Re: DNSSEC nsec3 enumeration script
From: David Fifield <david () bamsoftware com>
Date: Fri, 8 Jun 2012 13:59:32 -0700

On Wed, Jun 06, 2012 at 12:16:58PM +0200, Aleksandar Nikolic wrote:
I've just finished most of the work on dns-nsec3-enum script.

How this works:
When a DNSSEC nsec3-capable server is asked for a non-existent domain
it replies with something like:
There are no domains whose names' hashes are between HASH_A and HASH_B.

That single reply gives us some information.
First, it gives us two domain hashes, the salt and the number of iterations
used to hash the names.
Second, it tells us which other ranges we should check for more hashes.

By doing a search and keeping track of ranges we can pretty quickly
exhaust all the ranges and conclude that we know all the hashes for
which the server is responsible.

Once we get the hashes, the salt and the number of iterations, we can
proceed to crack them offline.

With all this, we can sort of do a zone transfer and reveal all domains.

This is great work, Aleksandar. Did you test the script with subdomains?
For example the @output of dns-nsec-enum has names like
|     dugtrio.example.com
|     www.dugtrio.example.com
|     gyarados.example.com
|       johto.example.com
|       blue.johto.example.com
|       green.johto.example.com
|       ns.johto.example.com
|       red.johto.example.com

You might consider, rather than generating a random string each time
using Lua's built-in generator, instead initializing a large counter
(where a "counter" is going over the possible domain name characters)
and then just incrementing it. So for example your first guess might be
FvNssgHPeEQy0RgQ and your next
FvNssgHPeEQy0RgR and your next
FvNssgHPeEQy0RgS and so on.

David Fifield
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/
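To make the mechanism described in the quoted message concrete, here is an added Python example (not part of the thread and not code from the dns-nsec3-enum script): it implements the RFC 5155 owner-name hash and the chain-closure check that tells a zone operator, or someone auditing their own zone, when every NSEC3 record has been observed. The record pairs used in the test are constructed; the one real vector is the "example" apex from RFC 5155 Appendix A.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex (RFC 4648 s.7), the encoding NSEC3 owner names use.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 s.5 owner-name hash: SHA-1(x || salt) applied iterations+1 times
    over the canonical (lowercase) wire-format name, returned as lowercase base32hex.
    salt_hex is the salt field as printed in the NSEC3/NSEC3PARAM record ("-" = empty)."""
    labels = [lbl.lower() for lbl in name.rstrip(".").split(".") if lbl]
    wire = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def chain_closed(records) -> bool:
    """records: iterable of (owner_hash, next_hash) pairs taken from NSEC3 answers.
    The zone's NSEC3 chain is a circular linked list, so every record has been seen
    exactly when following next pointers from any owner visits all records and returns."""
    nxt = {o.lower(): n.lower() for o, n in records}
    if not nxt:
        return False
    start = cur = min(nxt)
    visited = 0
    while True:
        cur = nxt.get(cur)
        visited += 1
        if cur is None:
            return False  # a next pointer names a hash whose own record was never seen
        if cur == start:
            return visited == len(nxt)


def missing_hashes(records) -> list:
    """Hashes referenced as 'next' but never seen as an owner: the chain links still unknown."""
    owners = {o.lower() for o, _ in records}
    return sorted({n.lower() for _, n in records} - owners)


if __name__ == "__main__":
    print(nsec3_hash("example", "aabbccdd", 12))
    # Constructed three-record chain: closed once all three links are present.
    print(chain_closed([("h1", "h2"), ("h2", "h3"), ("h3", "h1")]))
```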
