Re: NSEC Enumeration script

[John Bond <john.r.bond () gmail com>]

On 26 February 2011 10:27, David Fifield <david () bamsoftware com> wrote:
> On Thu, Feb 24, 2011 at 09:48:54PM +0100, John Bond wrote:
> > Updated script which fixes a few issues which where occurring due to
> > bad error handeling, flawed logic and laziness.  if anyone needs a
> > copy of my dns.lua file or a patch file just let me know
>
> I like the idea and capabilities of this script a lot. I've been working
> on it to make it better fit the style of other scripts and hopefully be
> easier to understand. Please get the latest revision from
>
> svn co --username guest --password "" svn://svn.insecure.org/nmap-exp/david/nmap-nsec
>
> In this version I purposely removed some advanced features like
> secondary resolution of names. My idea is to get a simple version of the
> script debugged so it can be merged, and after that add more features.
To be honest I had stopped using that feature because the performance
was pretty bad and i think the whole bit needed rewriting.  i was
thinking it might be better to just add discovered hosts to the scan
list like dns-zone-transfer.  it would probably be a good idea to also
run dns-zone-transfer first and if this is successful scipt
dns-nsec-enum as a zone transfer should giv more info.  but not sure
how to do this yet

>  I
> also removed anything I was unsure was necessary, again with the goal of
> having a simpler script. For example, I removed the special wildcard
> detection because I wasn't having a problem without it and I suspected
> it may have been necessary because of a bug elsewhere. It's possible I'm
> wrong about this, so please test it with the environment that was giving
> you trouble before.
I am still having problems with this, ill send you the domain im using
of list.  once i have digested all your changes ill try adding a
better fix like i said in the comments the detection i added was only
a hack so i will try and adapt the dns library.  however the change i
suggested would requiere returning part of the additional section on a
success.  which starts to move the dnssec_query function further away
from the query function.  I keep on thinking it would be easier to
just ask the dns library to return the raw paket and use that in
dnssec enum.  Or possibly add dnssec functionality to the query
function and then write a wrapper nsec_query which wrappes around
query

> The script and the library hanges are getting closer to being accepted.
> I still have doubts about the interface of dns.dnssec_query. In the
> first place, it would be better if the DNSSEC queries could be made
> using the same top-level function as other DNS queries--is DNSSEC really
> so different that it needs a different interface? > I don't mind having a
> convenience wrapper for DNSSEC, but it should call the same underlying
> function as other queries.
not at all, i originally added all of this functionality to the normal
query fuction but i started to worry it might make other scripts
incompatible.  the main difference is dnssec_query has an extra return
'rPkt.dnssec' which indicates if the server responded with dnssec.  I
also use the host.ip instead of trying to use the system however this
is probably because of what im trying to do and could be set else
where.  edns is on by default but i think this should also be an
option for the query function.  Finnaly you would need another option
in query to request dnssec and that might be it.

> Second, I tried disabling one of the
> recursive calls that dnssec_query makes, which was triggering the "IF
> YOU SEE THIS MESSAGE" message.
>  I'm not sure what that was all about, but
> we should decide if we want the library making recursive calls like
> that, and if so, what the return value should be.
looking at the copy of dns.lua in your svn it looks the same as mine
so its possible i already removed it.  i did do some tiding up there
myself.  A lot of this was coded late at night after beer :)


> There are a lot of incorrect copy-pasted comments in the new
> answerFetchers in dns.lua.
yes well as you will have noticed and probably in anger, sorry, my
commenting skills are lacking.  ill ensure i do proper comments in
future

> Let me know if this version of the script works for you, and when you
> make changes, make them starting from the Subversion branch. I'll keep
> it up to date with any of your changes and it will be easier than
> tracking many patches through the mailing list.
Btw I love the changes you have made to the script makes things so
much easy to read and gives me a better idea of how to use lua
effectively thank you

one miner thing i noticed in your comments you referenced the rfc for
domain labels but you missed one, not sure if this is the best text to
quote though
RFC 2782
  Service
        The symbolic name of the desired service, as defined in Assigned
        Numbers [STD 2] or locally.  An underscore (_) is prepended to
        the service identifier to avoid collisions with DNS labels that
        occur in nature.
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/