Nmap Development mailing list archives
dns-fuzz script is not working with example usage command
From: Fabian Bräunlein <fabian.braeunlein () gmail com>
Date: Mon, 27 Jan 2014 17:23:22 +0100
Hi, while doing some research on DNS, I was trying to make use of the dns-fuzz script (http://nmap.org/nsedoc/scripts/dns-fuzz.html). I executed the example usage command against a DNS server I set up, which failed quite silently (debug output below). I figured out that the rule for this script is:
portrule = shortport.portnumber(53, "udp")
which only takes UDP into account. However, the example usage command solely performs a TCP scan, so the script's action will never be executed. Nevertheless, the DNS standard also requires TCP support (http://tools.ietf.org/search/rfc5966) for large messages and zone transfers, so it may be good to run the script likewise when an open TCP port 53 was encountered.

I think there are a few options to resolve this issue:

- by updating the doc page (+ comments in the script), e.g. changing the example usage command to something like
  nmap -sU -p53 --script dns-fuzz --script-args timelimit=2h <target>
  - clarify that a UDP scan on port 53 is necessary
- by updating just the portrule (portrule = shortport.portnumber(53, {"tcp", "udp"}))
  - makes the assumption that DNS is also listening on port 53 UDP when the corresponding TCP port is scanned and open
- by changing small portions of the script (especially line 76 and 266) to make it work with both protocols
  - the script has to decide which protocol to use
- maybe some more..

I'm not sure which one of these proposed solutions fits best into nmap's "policies", so I wrote to the list instead of just requesting a pull. Furthermore, the script could update its status accordingly ((elapsed/timelimit)%) and some minor mistakes in the comments could be fixed (e.g. line 98, 205). Is it desirable for this script to have a more verbose output in the case of failing? If I get some feedback regarding the udp/tcp issue, I could fix this stuff.
Fabian Bräunlein

Output:

root@kali:/usr/share/nmap/scripts# nmap --script dns-fuzz --script-args timelimit=2h 192.168.34.52 -d

Starting Nmap 6.40 ( http://nmap.org ) at 2014-01-24 18:44 CET
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.2.
NSE: Script Arguments seen from CLI: timelimit=2h
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating ARP Ping Scan at 18:44
Scanning 192.168.34.52 [1 port]
Packet capture filter (device eth0): arp and arp[18:4] = 0x000C2905 and arp[22:2] = 0x57E5
Completed ARP Ping Scan at 18:44, 0.01s elapsed (1 total hosts)
Overall sending rates: 114.85 packets / s, 4823.71 bytes / s.
mass_rdns: Using DNS server 8.8.8.8
mass_rdns: Using DNS server 8.8.4.4
Initiating Parallel DNS resolution of 1 host. at 18:44
mass_rdns: 0.02s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 18:44, 0.02s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 18:44
Scanning 192.168.34.52 [1000 ports]
Packet capture filter (device eth0): dst host 192.168.34.51 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 192.168.34.52)))
Discovered open port 22/tcp on 192.168.34.52
Discovered open port 53/tcp on 192.168.34.52
Completed SYN Stealth Scan at 18:44, 0.04s elapsed (1000 total ports)
Overall sending rates: 26565.36 packets / s, 1168876.02 bytes / s.
NSE: Script scanning 192.168.34.52.
NSE: Starting runlevel 1 (of 1) scan.
Nmap scan report for 192.168.34.52
Host is up, received arp-response (0.00030s latency).
Scanned at 2014-01-24 18:44:48 CET for 0s
Not shown: 998 closed ports
Reason: 998 resets
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack
53/tcp open  domain  syn-ack
MAC Address: 00:0C:29:7B:5E:8E (VMware)
Final times for host: srtt: 299 rttvar: 23 to: 100000
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Read from /usr/bin/../share/nmap: nmap-mac-prefixes nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
           Raw packets sent: 1001 (44.028KB) | Rcvd: 1001 (40.036KB)
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
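The third option discussed in the post above (a portrule that matches port 53 on either transport, and an action that reads the transport off the port it was triggered on instead of hard-coding UDP), as an added example in NSE Lua. This is editorial example code, not part of the original post and not the dns-fuzz script or any other Nmap project code. The script name dns-proto-probe, its script argument dns-proto-probe.name and the default query name example.com are assumptions; it uses the NSE dns, shortport and stdnse libraries and sends a single A query rather than fuzzing, so that the protocol-selection logic is the only thing it shows.

```lua
-- Added example (not Nmap project code): a DNS probe whose portrule fires on
-- 53/tcp as well as 53/udp, and whose action queries over whichever
-- transport the scan actually found open.
local dns = require "dns"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"

description = [[
Sends one DNS A query to the target over the transport (TCP or UDP) on which
port 53 was found open and reports whether the server answered.
]]

author = "example (hypothetical)"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

-- Match port 53 on both transports. With only "udp" here (as in dns-fuzz),
-- a default TCP-only scan never runs the action at all.
portrule = shortport.portnumber(53, {"tcp", "udp"})

action = function(host, port)
  -- Hypothetical script argument; example.com is an assumed default.
  local name = stdnse.get_script_args("dns-proto-probe.name") or "example.com"

  -- port.protocol is "tcp" or "udp" depending on which 53 was scanned open.
  -- Passing it straight through is what lets one script serve both rules.
  local proto = port.protocol

  local status, result = dns.query(name, {
    host = host.ip,
    port = port.number,
    proto = proto,      -- dns.query defaults to UDP when this is absent
    dtype = "A",
    retAll = true,      -- return every A record as a table of strings
    timeout = 5000,
  })

  if not status then
    -- dns.query returns false plus a reason such as "No Answers" or a timeout.
    return string.format("no answer over %s for %s: %s",
      proto, name, tostring(result))
  end

  return string.format("answered over %s for %s: %s",
    proto, name, table.concat(result, ", "))
end
```

Run it as nmap -p53 --script dns-proto-probe <target> for the TCP case and nmap -sU -p53 --script dns-proto-probe <target> for UDP; when both transports are scanned (-sSU -p53) the action runs twice, once per open port, which is the behaviour a protocol-aware dns-fuzz would also have.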
Current thread:
- dns-fuzz script is not working with example usage command Fabian Bräunlein (Jan 27)
- Re: dns-fuzz script is not working with example usage command John Bond (Jan 28)
- Re: dns-fuzz script is not working with example usage command John Bond (Jan 29)
- Re: dns-fuzz script is not working with example usage command Daniel Miller (Jan 31)
- Re: dns-fuzz script is not working with example usage command John Bond (Feb 10)
- Re: dns-fuzz script is not working with example usage command Daniel Miller (Feb 10)
- Re: dns-fuzz script is not working with example usage command John Bond (Feb 10)
- Re: dns-fuzz script is not working with example usage command John Bond (Feb 11)
- Re: dns-fuzz script is not working with example usage command John Bond (Feb 11)
- Re: dns-fuzz script is not working with example usage command John Bond (Jan 29)
- Re: dns-fuzz script is not working with example usage command John Bond (Jan 28)