Nmap Development mailing list archives

NSEC Enumeration script

From: John Bond <john.r.bond () gmail com>
Date: Fri, 4 Feb 2011 10:56:51 +0100

Hi All,

I wanted to get to know dnssec and nse  a bit more so decided to write
an nse script to enumerate NSEC records.  unfortunately the dns.lua
library that comes as standard (using mac ports) dose not have support
for dnssec or edns.  so in order to produce my script i have had to
hack about with the dns library a little.

As this is my first experience with lua i thought it would be best to
take a copy of dns.lua and hack that instead of trying to provide a
patch.  i have tried to make my additions compatible with the original
library and would be interested to know how other scripts which use
the dns library work with my additions.  The things i have added are
below and the library name i have used in the dns-nsec-enum script is
dnsseclib

Library will recognise and decode the following RR types
   * DS
   * DNSKEY
   * RRSIG
   * NSEC
   * OPT
The library also has the ability to add an EDNS (OPT) packet setting the
   * Senders payload size
   * z bit 1 to indicate DNSSEC capabilities

Here is the script info

description = [[
This script takes an argument for a zone and attempt to enumerate all
dns records avalible in this zone.  for this script to work DNSEC and
NSEC must be avalible.
]]


---
-- @args dns-nsec-enum.domains- the dns-nsec-enum.domains name to
attemp to enumarate, default is the dns-nsec-enum.domainsname of the
target been scanned
-- @usage
-- nmap --script dnssecenum [--script-args
dns-nsec-enum.domains=example.com] <target>
-- @output
-- | dns-nsec-enum:     hosts for www.example.com
-- |    ftp.example.com:A:NS:SOA:TXT:AAAA:RRSIG:NSEC:DNSKEY
-- |    http.example.com:CNAME:RRSIG:NSEC
-- |    www.example.com:A:AAAA:RRSIG:NSEC
-- |    example.com:CNAME:RRSIG:NSEC

To give an idea of the speed of the script i enumerated 1817 NSEC
recordes  with the following

time sudo nmap -sU -p53   --script ./dns-nsec-enum.nse   --script-args
dns-nsec-enum.domains=example.com 1.2.3.4 -PN
real    0m10.299s
user    0m3.012s
sys     0m0.266s

As i mentioned i am new to LUA so please let me know were my mistakes
are.  Also the enumeration function is a little bit lax on the checks
it dose so that the script runs faster.  If this proves to be a
problem ill change this

Let me know how you get on

Cheers john

Attachment: dns-nsec-enum.nse
Description:

Attachment: dnsseclib.lua
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

NSEC Enumeration script John Bond (Feb 04)
- Re: NSEC Enumeration script David Fifield (Feb 07)
  - Re: NSEC Enumeration script David Fifield (Feb 07)
    - Re: NSEC Enumeration script John Bond (Feb 07)
  - Re: NSEC Enumeration script John Bond (Feb 07)
    - Re: NSEC Enumeration script John Bond (Feb 08)
    - Re: NSEC Enumeration script John Bond (Feb 09)
    - Re: NSEC Enumeration script Patrik Karlsson (Feb 09)
    - Re: NSEC Enumeration script John Bond (Feb 09)
    - Re: NSEC Enumeration script John Bond (Feb 10)
    - Re: NSEC Enumeration script Patrik Karlsson (Feb 10)

(Thread continues...)