mailing list archives
Re: DNSSEC nsec3 enumeration script
From: Aleksandar Nikolic <nikolic.alek () gmail com>
Date: Sat, 9 Jun 2012 20:47:35 +0200
I have tested the script against "subsubdomains" and, for example, it finds
both "foundation" and "ea.foundation" of a "ea.foundation.example.com".
So , as that part works, I was free to commit this to the trunk
On Fri, Jun 8, 2012 at 10:59 PM, David Fifield <david () bamsoftware com> wrote:
On Wed, Jun 06, 2012 at 12:16:58PM +0200, Aleksandar Nikolic wrote:
I've just finished most of the work on dns-nsec3-enum script.
How this works:
When DNSSEC nsec3 capable server is asked for a non existant domain
it replies with something like:
There are no domains who's names' hashes are between HASH_A nad HASH_B.
That single reply gives us some information.
First, it gives us two domain hashes, salt and number of iterations
used to hash the names.
Second, it tells us which other ranges we should check for more hashes.
By doing a search and keeping track of ranges we can pretty quickly
exhaust all the ranges
and conclude that we know all the hashes for which the server is responsible.
Once we get the hashes, the salt and number of iterations, we can
proceed to crack them offline.
With all this, we can sort of do a zone transfer and reveal all domains.
This is great work, Aleksandar. Did you test the script with subdomains?
For example the @output of dns-nsec-enum has names like
You might consider, rather than generating a random string each time
using Lua's built-in generator, instead initializing a large counter
(where a "counter" is going over the possible domain name characters)
and then just incrementing it. So for example you first guess might be
FvNssgHPeEQy0RgQ and your next
FvNssgHPeEQy0RgR and your next
FvNssgHPeEQy0RgS and so on.
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/