Nmap Development mailing list archives
DNSSEC nsec3 enumeration script
From: Aleksandar Nikolic <nikolic.alek () gmail com>
Date: Wed, 6 Jun 2012 12:16:58 +0200
Hi all,

I've just finished most of the work on the dns-nsec3-enum script.

How this works: when a DNSSEC NSEC3-capable server is asked for a non-existent domain, it replies with something like "there are no domains whose names' hashes are between HASH_A and HASH_B". That single reply gives us some information. First, it gives us two domain hashes, the salt and the number of iterations used to hash the names. Second, it tells us which other ranges we should check for more hashes. By doing a search and keeping track of ranges we can pretty quickly exhaust all the ranges and conclude that we know all the hashes for which the server is responsible. Once we get the hashes, the salt and the number of iterations, we can proceed to crack them offline. With all this, we can sort of do a zone transfer and reveal all domains.

The script is based on work by D. J. Bernstein. To actually crack the hashes, you need to use an external tool, namely the "unhash" script that comes with djb's nsec3walker (http://dnscurve.org/nsec3walker.html).

Now, here's how to actually test the script:

1. Set up a DNSSEC server

You can follow David's guide here http://seclists.org/nmap-dev/2011/q1/624 but change the relevant commands to use NSEC3, for example:

  #dnssec-keygen -r /dev/urandom -a NSEC3RSASHA1 -b 4096 -n ZONE example.com
  #dnssec-keygen -r /dev/urandom -a NSEC3RSASHA1 -b 4096 -n ZONE -f KSK example.com

and

  #dnssec-signzone -P -3 123456 -o example.com db.example.com

where 123456 is your hashing salt. The rest is the same as in David's guide. You can test your server with, for example:

  #dig +dnssec asdasd.example.com @192.168.159.128

Now you can actually run the script against the server:

  $ ./nmap.exe -sU -p 53 192.168.159.128 --script=dns-nsec3-enum --script-args dns-nsec3-enum.domains=example.com

  Starting Nmap 6.01 ( http://nmap.org ) at 2012-06-06 11:27 Central Europe Daylight Time
  Nmap scan report for 192.168.159.128
  Host is up (0.016s latency).
  PORT   STATE SERVICE
  53/udp open  domain
  | dns-nsec3-enum:
  |   domain example.com
  |   salt 123456
  |   iterations 10
  |   nexthash d1427bj0ahqnpi4t0t0aaun18oqpgcda vhnelm23s1m3japt7gohc82hgr9un2at
  |   nexthash k7i4ekvi22ebrim5b6celtaniknd6ilj prv54a3cr1tbcvqslrb7bftf5ji5l0p8
  |   nexthash 9ool6bk7r2diaiu81ctiemmb6n961mph nm7v0ig7h9c0agaedc901kojfj9bgabj
  |   nexthash 430456af8svfvl98l66shhrgucoip7mi mges520acstgaviekurg3oksh9u31bmb
  |_  Total hashes found: 8
  MAC Address: 00:0C:29:8F:7C:81 (VMware)

  Nmap done: 1 IP address (1 host up) scanned in 10.58 seconds

The script's output uses the same format as the "unhash" script from nsec3walker. Save the output to a file, example_hashes.txt:

  domain example.com
  salt 123456
  iterations 10
  nexthash d1427bj0ahqnpi4t0t0aaun18oqpgcda vhnelm23s1m3japt7gohc82hgr9un2at
  nexthash k7i4ekvi22ebrim5b6celtaniknd6ilj prv54a3cr1tbcvqslrb7bftf5ji5l0p8
  nexthash 9ool6bk7r2diaiu81ctiemmb6n961mph nm7v0ig7h9c0agaedc901kojfj9bgabj
  nexthash 430456af8svfvl98l66shhrgucoip7mi mges520acstgaviekurg3oksh9u31bmb

and run the unhasher:

  ea@cruncher:~/nsec3walker-20101223$ ./unhash < nmaphashes.txt

which should pretty quickly output some cracked hashes like:

  names: 8
  d1427bj0ahqnpi4t0t0aaun18oqpgcda ns.example.com.
  found 1 private NSEC3 names (12%) using 235451 hash computations

To actually test the script, you will need the base32.lua lib as well as a patch to dns.lua. Both have been attached. Today I'd like to test the other DNS scripts to make sure I didn't mess something up.

One more thing. As the script is somewhat non-deterministic, there is a slight chance that it might run forever, so I've added a time limit argument which defaults to 30 minutes. What do you think would be a sane value here? 30 minutes is probably too much. If you test the script against a DNS server with about one thousand domains, it finds them all in about 10 minutes and quits as it has exhausted all the search ranges.

If you have any ideas or comments, please tell me.

Aleksandar
Attachment: dns-nsec3-enum.nse
Attachment: base32.lua
Attachment: dns.patch
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
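As an added example (not code from the post, from Nmap or from nsec3walker), the Python below shows how RFC 5155 derives an NSEC3 owner hash from a name using the salt and iteration count a zone advertises, and parses the domain/salt/iterations/nexthash lines the script prints, so a zone operator can see exactly what those two parameters do and do not protect. It assumes the salt is given in hex, as BIND's -3 option takes it, and uses the four nexthash lines from the post's run as sample input.

```python
import base64
import hashlib

# Added example; not code from the original post, nsec3walker or Nmap.
# nsec3_hash() is the RFC 5155 section 5 hash with a zone's advertised salt and
# iteration count; parse_unhash_input() reads the format the script prints.
_STD_TO_HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                            "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Canonical wire form: lowercase, length-prefixed labels, root label 0x00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """IH(0) = SHA1(wire_name || salt); IH(k) = SHA1(IH(k-1) || salt); base32hex."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)  # "-" = empty salt
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):  # every extra iteration re-hashes with the salt
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes -> exactly 32 base32hex characters (alphabet 0-9 a-v), no padding
    return base64.b32encode(digest).decode("ascii").translate(_STD_TO_HEX).lower()

def parse_unhash_input(text):
    """Zone parameters and (owner, next) hash pairs from the script's output."""
    zone = {"domain": None, "salt": None, "iterations": None, "chain": []}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in ("domain", "salt"):
            zone[parts[0]] = parts[1]
        elif len(parts) == 2 and parts[0] == "iterations":
            zone["iterations"] = int(parts[1])
        elif len(parts) == 3 and parts[0] == "nexthash":
            zone["chain"].append((parts[1].lower(), parts[2].lower()))
    return zone

def known_hashes(zone):
    """Distinct hashes learned so far (the script's 'Total hashes found')."""
    return {h for pair in zone["chain"] for h in pair}

# Sample input: the zone parameters and nexthash lines from the post's example run.
SAMPLE_UNHASH_INPUT = """domain example.com
salt 123456
iterations 10
nexthash d1427bj0ahqnpi4t0t0aaun18oqpgcda vhnelm23s1m3japt7gohc82hgr9un2at
nexthash k7i4ekvi22ebrim5b6celtaniknd6ilj prv54a3cr1tbcvqslrb7bftf5ji5l0p8
nexthash 9ool6bk7r2diaiu81ctiemmb6n961mph nm7v0ig7h9c0agaedc901kojfj9bgabj
nexthash 430456af8svfvl98l66shhrgucoip7mi mges520acstgaviekurg3oksh9u31bmb
"""
```

Note that with iterations 10 each candidate name costs only eleven SHA-1 computations, which is why the post's unhash run needs just a few hundred thousand hash computations per name recovered.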
Current thread:
- DNSSEC nsec3 enumeration script Aleksandar Nikolic (Jun 06)
- Re: DNSSEC nsec3 enumeration script David Fifield (Jun 08)
- Re: DNSSEC nsec3 enumeration script Aleksandar Nikolic (Jun 08)
- Re: DNSSEC nsec3 enumeration script Aleksandar Nikolic (Jun 09)
- Re: DNSSEC nsec3 enumeration script David Fifield (Jun 08)