Nmap Development mailing list archives

Re: NSEC Enumeration script


From: John Bond <john.r.bond () gmail com>
Date: Mon, 7 Feb 2011 21:19:26 +0100

On 7 February 2011 19:18, David Fifield <david () bamsoftware com> wrote:
On Mon, Feb 07, 2011 at 10:12:23AM -0800, David Fifield wrote:
Thanks, John, I'm excited about this script. I and others would like to
test it. Did you set up a DNSSEC server to test it, or did you use a
public one? Can you give a brief guide on how to reproduce your results?

And one question: What version of Nmap did you derive your dnsseclib.lua
from? It's missing some changes that were made more recently in dns.lua.
If you know the original version then it's not too hard to make a diff
and apply it to the newest source.

David Fifield

Hi Dave,

Thanks for the response. In relation to the version I worked on, I'm not
sure; I think it was 5.21 installed via ports on Mac, and I'm a bit new
to Mac. Anyway, I have attached a patch file using the latest svn. I
have had to add the old sendPackets functions as I couldn't get things
working in 5 minutes, and there were a few other bits and bobs that
need tweaking.

In relation to NSEC3, not sure what will happen here; I hope it will
fail quietly, however it won't be difficult to add a handler for NSEC3
and I intend to. The difficulty is in the enumeration. With NSEC you
say "do you have b?" and the server goes "no, I don't have any records
between a and c". So the next question you ask is "OK, do you have c-?" (-
being the alphabetically lowest character). With NSEC3 you need to
change the way you enum things. However AFAIK NSEC3 still works the
same way, but instead of saying "I don't have anything between a and c"
they say "I don't have anything between hash(a) and hash(b)". So it will
be possible to build some logic where you can do a lightweight brute
force* to get all hashes. I was thinking of using the NSE thread
library for this and starting one thread for each valid DNS host
character.

Finally, with the server I used a public one. I could produce a valid-ish
zone to put on scanme.nmap.org but I am not sure my home ADSL line
could take all the nmap-dev testers :)


*The type of thing I'm thinking of with a lightweight brute force is to
do something like: request a and b; if the hashes returned are the same
then there are no records between a and b, else check a and ak, etc. etc.

Attachment: dns.lua.patch

Attachment: dns-nsec-enum.nse
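The NSEC walk described in the reply ("do you have b?", "no, nothing between a and c", so ask about the name right after c), as an added simulation that is not the attached dns-nsec-enum.nse script. The zone and the responder are constructed in memory, so nothing is sent on the wire; the probe uses the smallest canonical successor (a new leading NUL label) rather than the "-" suffix suggested above, so subdomains of a found name are not skipped, and the walk shows why a plain NSEC chain lets every owner name be read out in order.

```python
"""Simulated NSEC zone walk (added example, not the script attached to this
thread).  Zone and responder are constructed in memory; no DNS traffic."""


def canonical_key(name):
    """RFC 4034 section 6.1 canonical order: labels compared right to left,
    case-insensitively, a parent sorting before its children."""
    return tuple(reversed(name.rstrip(".").lower().split(".")))


def build_nsec_chain(owners):
    """Link each owner name to its canonical successor; the last wraps to the apex."""
    ordered = sorted(set(owners), key=canonical_key)
    return {ordered[i]: ordered[(i + 1) % len(ordered)] for i in range(len(ordered))}


def answer_query(chain, qname):
    """Constructed authoritative responder.  Existing name: NOERROR plus its own
    NSEC.  Missing name: NXDOMAIN plus the NSEC whose interval covers qname,
    which is exactly what leaks the neighbouring owner names."""
    if qname in chain:
        return "NOERROR", qname, chain[qname]
    below = [o for o in chain if canonical_key(o) < canonical_key(qname)]
    owner = max(below, key=canonical_key) if below else max(chain, key=canonical_key)
    return "NXDOMAIN", owner, chain[owner]


def successor(name):
    """Smallest name sorting after `name`: a new leading one-byte NUL label.
    Appending '-' to the leftmost label (the reply's idea) also sorts after
    `name`, but after all of its subdomains too, so those could be skipped."""
    return "\x00." + name


def walk_zone(chain, apex):
    """Follow NSEC 'next' pointers from the apex until the chain wraps back to
    it.  Returns every owner name in canonical order."""
    found, current = [apex], apex
    while True:
        rcode, owner, nxt = answer_query(chain, successor(current))
        nxt = owner if rcode == "NOERROR" else nxt   # the probe itself existed
        if nxt == apex:                               # chain wrapped: zone is complete
            return found
        found.append(nxt)
        current = nxt


# Constructed zone; a real walk learns these names only from the NSEC replies.
CONSTRUCTED_ZONE = ["example.", "www.example.", "mail.example.", "ns1.example.",
                    "dev.mail.example.", "zeta.example.", "beta-2.example."]

if __name__ == "__main__":
    for step, name in enumerate(walk_zone(build_nsec_chain(CONSTRUCTED_ZONE), "example."), 1):
        print(step, name)
```

The same loop does not work against NSEC3, where the covering record gives hashed owner names, which is the point of the brute-force idea in the footnote.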

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
