Home page logo

nmap-dev logo Nmap Development mailing list archives

dns-fuzz script is not working with example usage command
From: Fabian Bräunlein <fabian.braeunlein () gmail com>
Date: Mon, 27 Jan 2014 17:23:22 +0100


while doing some research on DNS, I was trying to make use of the dns-fuzz
script (http://nmap.org/nsedoc/scripts/dns-fuzz.html).
I executed the example usage command against a DNS server I set up, which
failed quite silently. (debug output below)

I figured out that the rule for this script is:
portrule = shortport.portnumber(53, "udp")
which only takes UDP into account. However, the example usage command
solely performs a TCP scan, so the script's action will never be executed.
Nevertheless, the DNS standard also requires TCP support (
http://tools.ietf.org/search/rfc5966) for large messages and zone
transfers, so it may be good to run the script likewise when an open
TCP-port 53 was encountered.

I think, there are a few options to resolve this issue:
- by updating the doc page (+ comments in the script)
- e.g. changing the example usage command to something like nmap -sU -p53
--script dns-fuzz --script-args timelimit=2h <target>
- clarify, that an UDP scan on port 53 is necessary
- by updating just the portrule ( portrule = shortport.portnumber(53,
{"tcp", "udp"}) )
- makes the assumption, that DNS is also listening on port 53 UDP, when the
corresponding TCP port is scanned and open
- by changing small portions of the script (especially line 76 and 266) to
make it work with both protocols
- script has to decide which protocol to use
- maybe some more..
 I'm not sure, which one of these proposed solutions fits best into nmap's
"policies", so I wrote to the list instead of just requesting a pull.

Furthermore, the script could update it's status accordingly (
(elapsed/timelimit)% ) and some minor mistakes in the comments could be
fixed (e.g. line 98, 205).
Is it desirable for this script to have a more verbose output in the case
of failing?
If I get some feedback regarding the udp/tcp issue, I could fix this stuff.

Fabian Bräunlein

root () kali:/usr/share/nmap/scripts# nmap --script dns-fuzz --script-args
timelimit=2h -d

Starting Nmap 6.40 ( http://nmap.org ) at 2014-01-24 18:44 CET
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
NSE: Using Lua 5.2.
NSE: Script Arguments seen from CLI: timelimit=2h
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating ARP Ping Scan at 18:44
Scanning [1 port]
Packet capture filter (device eth0): arp and arp[18:4] = 0x000C2905 and
arp[22:2] = 0x57E5
Completed ARP Ping Scan at 18:44, 0.01s elapsed (1 total hosts)
Overall sending rates: 114.85 packets / s, 4823.71 bytes / s.
mass_rdns: Using DNS server
mass_rdns: Using DNS server
Initiating Parallel DNS resolution of 1 host. at 18:44
mass_rdns: 0.02s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 18:44, 0.02s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0,
SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 18:44
Scanning [1000 ports]
Packet capture filter (device eth0): dst host and (icmp or
icmp6 or ((tcp or udp or sctp) and (src host
Discovered open port 22/tcp on
Discovered open port 53/tcp on
Completed SYN Stealth Scan at 18:44, 0.04s elapsed (1000 total ports)
Overall sending rates: 26565.36 packets / s, 1168876.02 bytes / s.
NSE: Script scanning
NSE: Starting runlevel 1 (of 1) scan.
Nmap scan report for
Host is up, received arp-response (0.00030s latency).
Scanned at 2014-01-24 18:44:48 CET for 0s
Not shown: 998 closed ports
Reason: 998 resets
22/tcp open  ssh     syn-ack
53/tcp open  domain  syn-ack
MAC Address: 00:0C:29:7B:5E:8E (VMware)
Final times for host: srtt: 299 rttvar: 23  to: 100000

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Read from /usr/bin/../share/nmap: nmap-mac-prefixes nmap-payloads
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
           Raw packets sent: 1001 (44.028KB) | Rcvd: 1001 (40.036KB)
Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]