
Nmap Development mailing list archives
[PATCH] zoneTrans.nse domain script argument
From: Kris Katterjohn <katterjohn () gmail com>
Date: Sun, 01 Jun 2008 19:49:57 -0500
Hey everyone,

I've attached a patch to allow for specifying the domain to try to transfer in zoneTrans.nse. The script now takes a "domain" argument. It can currently be "scoped" using the --script-args syntax "zoneTrans={domain=xxx}".

Fyodor gave me a host that allows zone transfers, but I'm getting "Not Authoritative" for domains other than the server's root name (although it seemed to work for him before). I've scanned for other hosts that allow transferring other domains, but I can't find any.

However, even though I can't get positive results from testing, everything seems to work fine from what I've seen through Wireshark.

So, I need someone to verify the patch really works, and I'll need to see about responses to [1] for the "scoping" syntax. If IDs are still the way to go, what should "zone-transfer" be changed to? "zonetransfer"? "zoneTrans"?

Thanks,
Kris Katterjohn

[1] http://seclists.org/nmap-dev/2008/q2/0564.html
Index: scripts/zoneTrans.nse =================================================================== --- scripts/zoneTrans.nse (revision 7856) +++ scripts/zoneTrans.nse (working copy) @@ -1,9 +1,10 @@ --[[ Send axfr queries to DNS servers. The domain to query is determined -by examining the domain servers hostname. If the query is successful -all domains and domain types are returned along with common type -specific data (SOA/MX/NS/PTR/A) +by examining the domain servers hostname, or it can be specified with +the "domain" script argument. If the query is successful all domains +and domain types are returned along with common type specific data +(SOA/MX/NS/PTR/A) constraints ----------- @@ -263,17 +264,30 @@ local catch = function() soc:close() end local try = nmap.new_try(catch) - -- can't do anything without a hostname - if host.name == "" then return nil end + local domain = nil + local args = nmap.registry.args + if args.zoneTrans and args.zoneTrans.domain then + domain = args.zoneTrans.domain + elseif args.domain then + domain = args.domain + elseif host.name ~= "" then + domain = host.name + else + -- can't do anything without a hostname + return + end + + assert(domain) + soc = nmap.new_socket() soc:set_timeout(4000) try(soc:connect(host.ip, port.number)) - + local req_id = '\222\173' local table = tab.new(3) local offset = 1 - local name = build_domain(string.lower(host.name)) + local name = build_domain(string.lower(domain)) local pkt_len = string.len(name) + 16 -- build axfr request
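Review bot: the header comment in the first hunk (@@ -1,9 +1,10 @@) names the "domain" script argument but does not show how to pass it or which source wins. The code in the second hunk accepts both args.zoneTrans.domain and a bare args.domain, checks them in that order, and uses host.name only as a fallback; the comment should state both forms and that precedence, for instance with the --script-args zoneTrans={domain=xxx} form, so a user does not have to read the action function to find out.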
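Review bot: in the second hunk (@@ -263,17 +264,30 @@) the value taken from args.zoneTrans.domain or args.domain reaches build_domain(string.lower(domain)) with no type or emptiness check. The host.name ~= "" test guards only the fallback branch, and an empty string is truthy in Lua, so an empty "domain" argument is used as-is; a table value makes string.lower raise after soc:connect has already succeeded, outside the try/catch that closes the socket. Suggest validating before nmap.new_socket(), along the lines of: if type(domain) ~= "string" or domain == "" then return end. With that in place assert(domain) can go, since every branch above it either assigns a non-nil value or returns. The comment "can't do anything without a hostname" in the else branch should now read "without a domain".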
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Current thread:
- [PATCH] zoneTrans.nse domain script argument Kris Katterjohn (Jun 01)
- Re: [PATCH] zoneTrans.nse domain script argument Eddie Bell (Jun 02)
- Re: [PATCH] zoneTrans.nse domain script argument Kris Katterjohn (Jun 02)
- Re: [PATCH] zoneTrans.nse domain script argument Eddie Bell (Jun 02)