DNSSEC nsec3 enumeration script

[Aleksandar Nikolic <nikolic.alek () gmail com>]

Hi all,

I've just finished most of the work on dns-nsec3-enum script.

How this works:
When DNSSEC nsec3 capable server is asked for a non existant domain
it replies with something like:
There are no domains who's names' hashes are between HASH_A nad HASH_B.

That single reply gives us some information.
First, it gives us two domain hashes,  salt and number of iterations
used to hash the names.
Second, it tells us which other ranges we should check for more hashes.

By doing a search and keeping track of ranges we can pretty quickly
exhaust all the ranges
and conclude that we know all the hashes for which the server is responsible.

Once we get the hashes, the salt and number of iterations, we can
proceed to crack them offline.

With all this, we can sort of do a zone transfer and reveal all domains.

Script is based on work by D. J. Bernstein.
To actually crack the hashes, you need to use external tool. Namely
"unhash" script that comes
with djb's nsec3walker (http://dnscurve.org/nsec3walker.html).

Now, here's how to actually test the script:

1. Setup a DNSSEC server
You can follow David's guide here http://seclists.org/nmap-dev/2011/q1/624
but change the relevant commands to use nsec3 , for example:
#dnssec-keygen -r /dev/urandom -a NSEC3RSASHA1 -b 4096 -n ZONE example.com
#dnssec-keygen -r /dev/urandom -a NSEC3RSASHA1 -b 4096 -n ZONE -f KSK
example.com

and

#dnssec-signzone -P -3 123456 -o example.com db.example.com
Where 123456 is your hashing salt.

The rest is the same as in David's guide.
You can test your server with for example:
#dig +dnssec asdasd.example.com @192.168.159.128


Now you can actually run the script against the server:
$ ./nmap.exe  -sU -p 53 192.168.159.128 --script=dns-nsec3-enum
--script-args dns-nsec3-enum.domains=example.com

Starting Nmap 6.01 ( http://nmap.org ) at 2012-06-06 11:27 Central
Europe Daylight Time
Nmap scan report for 192.168.159.128
Host is up (0.016s latency).
PORT   STATE SERVICE
53/udp open  domain
| dns-nsec3-enum:
|   domain example.com
|   salt 123456
|   iterations 10
|   nexthash d1427bj0ahqnpi4t0t0aaun18oqpgcda vhnelm23s1m3japt7gohc82hgr9un2at
|   nexthash k7i4ekvi22ebrim5b6celtaniknd6ilj prv54a3cr1tbcvqslrb7bftf5ji5l0p8
|   nexthash 9ool6bk7r2diaiu81ctiemmb6n961mph nm7v0ig7h9c0agaedc901kojfj9bgabj
|   nexthash 430456af8svfvl98l66shhrgucoip7mi mges520acstgaviekurg3oksh9u31bmb
|_  Total hashes found: 8
MAC Address: 00:0C:29:8F:7C:81 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 10.58 seconds


Output of the script is using the same format as "unhash" script from
nsec3walker.

Save the output to a file example_hashes.txt
domain example.com
salt 123456
iterations 10
nexthash d1427bj0ahqnpi4t0t0aaun18oqpgcda vhnelm23s1m3japt7gohc82hgr9un2at
nexthash k7i4ekvi22ebrim5b6celtaniknd6ilj prv54a3cr1tbcvqslrb7bftf5ji5l0p8
nexthash 9ool6bk7r2diaiu81ctiemmb6n961mph nm7v0ig7h9c0agaedc901kojfj9bgabj
nexthash 430456af8svfvl98l66shhrgucoip7mi mges520acstgaviekurg3oksh9u31bmb

and run the unhasher :

ea@cruncher:~/nsec3walker-20101223$ ./unhash < nmaphashes.txt

Which should pretty quickly output some cracked hashes like:

names: 8
d1427bj0ahqnpi4t0t0aaun18oqpgcda ns.example.com.
found 1 private NSEC3 names (12%) using 235451 hash computations


To actually test the script , you will need the base32.lua lib, as
well as a patch to dns.lua.
Both have been attached. Today I'd want to test other dns scripts to
make sure I didn't mess something up.

One more thing. As  the script is somewhat non-deterministic, there is
a slight chance that it might
run forever, so I've added a time limit argument which defaults to 30 minutes.
What do you think would be the sane value here? 30 minutes are
probably too much.
If you test a script against a DNS server with about one thousand
domains , it finds them all in about 10 minutes
and quits as it has exhausted all the search ranges.

If you have any ideas or comments, please tell me.


Aleksandar

Attachment: dns-nsec3-enum.nse
Description:

Attachment: base32.lua
Description:

Attachment: dns.patch
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/