Nmap Development mailing list archives
Re: NSEC Enumeration script
From: John Bond <john.r.bond () gmail com>
Date: Sat, 26 Feb 2011 13:11:34 +0100
On 26 February 2011 10:27, David Fifield <david () bamsoftware com> wrote:
> On Thu, Feb 24, 2011 at 09:48:54PM +0100, John Bond wrote:
>> Updated script which fixes a few issues which were occurring due to bad error handling, flawed logic and laziness. If anyone needs a copy of my dns.lua file or a patch file just let me know.
>
> I like the idea and capabilities of this script a lot. I've been working on it to make it better fit the style of other scripts and hopefully be easier to understand. Please get the latest revision from
>
>     svn co --username guest --password "" svn://svn.insecure.org/nmap-exp/david/nmap-nsec
>
> In this version I purposely removed some advanced features like secondary resolution of names. My idea is to get a simple version of the script debugged so it can be merged, and after that add more features.
To be honest I had stopped using that feature because the performance was pretty bad and I think the whole bit needed rewriting. I was thinking it might be better to just add discovered hosts to the scan list like dns-zone-transfer. It would probably be a good idea to also run dns-zone-transfer first and, if this is successful, skip dns-nsec-enum, as a zone transfer should give more info. But not sure how to do this yet.
> I also removed anything I was unsure was necessary, again with the goal of having a simpler script. For example, I removed the special wildcard detection because I wasn't having a problem without it and I suspected it may have been necessary because of a bug elsewhere. It's possible I'm wrong about this, so please test it with the environment that was giving you trouble before.
I am still having problems with this, I'll send you the domain I'm using off list. Once I have digested all your changes I'll try adding a better fix. Like I said in the comments, the detection I added was only a hack, so I will try and adapt the dns library. However, the change I suggested would require returning part of the additional section on a success, which starts to move the dnssec_query function further away from the query function. I keep on thinking it would be easier to just ask the dns library to return the raw packet and use that in dnssec enum. Or possibly add dnssec functionality to the query function and then write a wrapper nsec_query which wraps around query.
> The script and the library changes are getting closer to being accepted. I still have doubts about the interface of dns.dnssec_query. In the first place, it would be better if the DNSSEC queries could be made using the same top-level function as other DNS queries--is DNSSEC really so different that it needs a different interface?
> I don't mind having a convenience wrapper for DNSSEC, but it should call the same underlying function as other queries.
Not at all, I originally added all of this functionality to the normal query function but I started to worry it might make other scripts incompatible. The main difference is dnssec_query has an extra return 'rPkt.dnssec' which indicates if the server responded with dnssec. I also use the host.ip instead of trying to use the system, however this is probably because of what I'm trying to do and could be set elsewhere. EDNS is on by default but I think this should also be an option for the query function. Finally you would need another option in query to request dnssec and that might be it.
> Second, I tried disabling one of the recursive calls that dnssec_query makes, which was triggering the "IF YOU SEE THIS MESSAGE" message. I'm not sure what that was all about, but we should decide if we want the library making recursive calls like that, and if so, what the return value should be.
Looking at the copy of dns.lua in your svn it looks the same as mine so it's possible I already removed it. I did do some tidying up there myself. A lot of this was coded late at night after beer :)
> There are a lot of incorrect copy-pasted comments in the new answerFetchers in dns.lua.
Yes, well, as you will have noticed, and probably in anger, sorry, my commenting skills are lacking. I'll ensure I do proper comments in future.
> Let me know if this version of the script works for you, and when you make changes, make them starting from the Subversion branch. I'll keep it up to date with any of your changes and it will be easier than tracking many patches through the mailing list.
Btw I love the changes you have made to the script, makes things so much easier to read and gives me a better idea of how to use Lua effectively, thank you. One minor thing I noticed: in your comments you referenced the RFC for domain labels but you missed one, not sure if this is the best text to quote though.

RFC 2782

    Service
        The symbolic name of the desired service, as defined in Assigned Numbers [STD 2] or locally. An underscore (_) is prepended to the service identifier to avoid collisions with DNS labels that occur in nature.