Lucene search
John R. BondNMAP:DNS-NSEC-ENUM.NSEHistoryMar 27, 2011 - 4:24 a.m.
dns-nsec-enum NSE Script
2011-03-2704:24:43
John R. Bond
nmap.org
345
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%
Enumerates DNS names using the DNSSEC NSEC-walking technique.
Output is arranged by domain. Within a domain, subzones are shown with increased indentation.
The NSEC response record in DNSSEC is used to give negative answers to queries, but it has the side effect of allowing enumeration of all names, much like a zone transfer. This script doesn’t work against servers that use NSEC3 rather than NSEC; for that, see dns-nsec3-enum.
See also:
Script Arguments
dns-nsec-enum.domains
The domain or list of domains to enumerate. If not provided, the script will make a guess based on the name of the target.
Example Usage
nmap -sSU -p 53 --script dns-nsec-enum --script-args dns-nsec-enum.domains=example.com <target>
Script Output
53/udp open domain udp-response
| dns-nsec-enum:
| example.com
| bulbasaur.example.com
| charmander.example.com
| dugtrio.example.com
| www.dugtrio.example.com
| gyarados.example.com
| johto.example.com
| blue.johto.example.com
| green.johto.example.com
| ns.johto.example.com
| red.johto.example.com
| ns.example.com
| snorlax.example.com
|_ vulpix.example.com
Requires
local dns = require "dns"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local stringaux = require "stringaux"
local table = require "table"
local tableaux = require "tableaux"
description = [[
Enumerates DNS names using the DNSSEC NSEC-walking technique.
Output is arranged by domain. Within a domain, subzones are shown with
increased indentation.
The NSEC response record in DNSSEC is used to give negative answers to
queries, but it has the side effect of allowing enumeration of all
names, much like a zone transfer. This script doesn't work against
servers that use NSEC3 rather than NSEC; for that, see
<code>dns-nsec3-enum</code>.
]]
---
-- @args dns-nsec-enum.domains The domain or list of domains to
-- enumerate. If not provided, the script will make a guess based on the
-- name of the target.
--
-- @usage
-- nmap -sSU -p 53 --script dns-nsec-enum --script-args dns-nsec-enum.domains=example.com <target>
--
-- @see dns-nsec3-enum.nse
-- @see dns-ip6-arpa-scan.nse
-- @see dns-brute.nse
-- @see dns-zone-transfer.nse
--
-- @output
-- 53/udp open domain udp-response
-- | dns-nsec-enum:
-- | example.com
-- | bulbasaur.example.com
-- | charmander.example.com
-- | dugtrio.example.com
-- | www.dugtrio.example.com
-- | gyarados.example.com
-- | johto.example.com
-- | blue.johto.example.com
-- | green.johto.example.com
-- | ns.johto.example.com
-- | red.johto.example.com
-- | ns.example.com
-- | snorlax.example.com
-- |_ vulpix.example.com
author = "John R. Bond"
license = "Simplified (2-clause) BSD license--See https://nmap.org/svn/docs/licenses/BSD-simplified"
categories = {"discovery", "intrusive"}
portrule = function (host, port)
if not shortport.port_or_service(53, "domain", {"tcp", "udp"})(host, port) then
return false
end
-- only check tcp if udp is not open or open|filtered
if port.protocol == 'tcp' then
local tmp_port = nmap.get_port_state(host, {number=port.number, protocol="udp"})
if tmp_port then
return not string.match(tmp_port.state, '^open')
end
end
return true
end
local function remove_empty(t)
local result = {}
for _, v in ipairs(t) do
if v ~= "" then
result[#result + 1] = v
end
end
return result
end
local function split(domain)
return stringaux.strsplit("%.", domain)
end
local function join(components)
return table.concat(remove_empty(components, "."))
end
-- Remove the first component of a domain name. Return nil if the number of
-- components drops below min_length (default 0).
local function remove_component(domain, min_length)
local components
min_length = min_length or 0
components = split(domain)
if #components <= min_length then
return nil
end
table.remove(components, 1)
return join(components)
end
-- Guess the domain given a host. Return nil on failure. This function removes
-- a domain name component unless the name would become shorter than 2
-- components.
local function guess_domain(host)
local name
local components
name = stdnse.get_hostname(host)
if name and name ~= host.ip then
return remove_component(name, 2) or name
else
return nil
end
end
-- RFC 952: "A 'name' is a text string up to 24 characters drawn from the
-- alphabet (A-Z), digits (0-9), minus sign (-), and period (.). ... The first
-- character must be an alpha character."
-- RFC 1123, section 2.1: "One aspect of host name syntax is hereby changed:
-- the restriction on the first character is relaxed to allow either a letter
-- or a digit."
-- RFC 2782: An underscore (_) is prepended to the service identifier to avoid
-- collisions with DNS labels that occur in nature.
local DNS_CHARS = { string.byte("-0123456789_abcdefghijklmnopqrstuvwxyz", 1, -1) }
local DNS_CHARS_INV = tableaux.invert(DNS_CHARS)
-- Return the lexicographically next component, or nil if component is the
-- lexicographically last.
local function increment_component(name)
local i, bytes, indexes
-- Easy cases first.
if #name == 0 then
return "0"
elseif #name < 63 then
return name .. "-"
elseif #name > 64 then
-- Shouldn't happen.
return nil
end
-- Convert the string into an array of indexes into DNS_CHARS.
indexes = {}
for i, b in ipairs({ string.byte(name, 1, -1) }) do
indexes[i] = DNS_CHARS_INV[b]
end
-- Increment.
i = #name
while i >= 1 do
repeat
indexes[i] = indexes[i] + 1
-- No "-" in first position.
until not (i == 1 and string.char(DNS_CHARS[indexes[i]]) == "-")
if indexes[i] > #DNS_CHARS then
-- Wrap around, next digit.
indexes[i] = 1
else
break
end
i = i - 1
end
-- Overflow.
if i == 0 then
return nil
end
-- Convert array of indexes back into string.
bytes = {}
for i, index in ipairs(indexes) do
bytes[i] = DNS_CHARS[index]
end
return string.char(table.unpack(bytes))
end
-- Return the lexicographically next domain name that does not add a new
-- subdomain. This is used after enumerating a whole subzone to jump out of the
-- subzone and on to more names.
local function bump_domain(domain)
local components
components = split(domain)
while #components > 0 do
components[1] = increment_component(components[1])
if components[1] then
break
else
table.remove(components[1])
end
end
if #components == 0 then
return nil
else
return join(components)
end
end
-- Return the lexicographically next domain name. This adds a new subdomain
-- consisting of the smallest character. This function never returns a domain
-- outside the current subzone.
local function next_domain(domain)
if #domain == 0 then
return "0"
else
return "0" .. "." .. domain
end
end
-- Cut out a portion of an array and return it as a new array, setting the
-- elements in the original array to nil.
local function excise(t, i, j)
local result
result = {}
if j < 0 then
j = #t + j + 1
end
for i = i, j do
result[#result + 1] = t[i]
t[i] = nil
end
return result
end
-- Remove a suffix from a domain (to isolate a subdomain from its parent).
local function remove_suffix(domain, suffix)
local dc, sc
dc = split(domain)
sc = split(suffix)
while #dc > 0 and #sc > 0 and dc[#dc] == sc[#sc] do
dc[#dc] = nil
sc[#sc] = nil
end
return join(dc), join(sc)
end
-- Return the subset of authoritative records with the given label.
local function auth_filter(retPkt, label)
local result = {}
for _, rec in ipairs(retPkt.auth) do
if rec[label] then
result[#result + 1] = rec[label]
end
end
return result
end
-- "Less than" function for two domain names. Compares starting with the last
-- component.
local function domain_lt(a, b)
local a_parts, b_parts
a_parts = split(a)
b_parts = split(b)
while #a_parts > 0 and #b_parts > 0 do
if a_parts[#a_parts] < b_parts[#b_parts] then
return true
elseif a_parts[#a_parts] > b_parts[#b_parts] then
return false
end
a_parts[#a_parts] = nil
b_parts[#b_parts] = nil
end
return #a_parts < #b_parts
end
-- Find the NSEC record that brackets the given domain.
local function get_next_nsec(retPkt, domain)
for _, nsec in ipairs(auth_filter(retPkt, "NSEC")) do
-- The last NSEC record points backwards to the start of the subzone.
if domain_lt(nsec.dname, domain) and not domain_lt(nsec.dname, nsec.next_dname) then
return nsec
end
if domain_lt(nsec.dname, domain) and domain_lt(domain, nsec.next_dname) then
return nsec
end
end
end
local function empty(t)
return not next(t)
end
-- Enumerate a single domain.
local function enum(host, port, domain)
local all_results = {}
local seen = {}
local subdomain = next_domain("")
while subdomain do
local result = {}
local status, result, nsec
stdnse.debug1("Trying %q.%q", subdomain, domain)
status, result = dns.query(join({subdomain, domain}), {host = host.ip, port=port.number, proto=port.protocol, dtype='A', retAll=true, retPkt=true, dnssec=true})
nsec = status and get_next_nsec(result, join({subdomain, domain})) or nil
if nsec then
local first, last, remainder
local index
first, remainder = remove_suffix(nsec.dname, domain)
if #remainder > 0 then
stdnse.debug1("Result name %q doesn't end in %q.", nsec.dname, domain)
subdomain = nil
break
end
last, remainder = remove_suffix(nsec.next_dname, domain)
if #remainder > 0 then
stdnse.debug1("Result name %q doesn't end in %q.", nsec.next_dname, domain)
subdomain = nil
break
end
if #last == 0 then
stdnse.debug1("Wrapped")
subdomain = nil
break
end
if not seen[first] then
table.insert(all_results, join({first, domain}))
seen[first] = #all_results
end
index = seen[last]
if index then
-- Ignore if first is the original domain.
if #first > 0 then
subdomain = bump_domain(last)
-- Replace a chunk of the output with a sub-table for the zone.
all_results[index] = excise(all_results, index, -1)
end
else
stdnse.debug1("adding %s", last)
subdomain = next_domain(last)
table.insert(all_results, join({last, domain}))
seen[last] = #all_results
end
else
local parent = remove_component(subdomain, 1)
-- This branch is entered if name resolution failed or
-- there were no NSEC records. If at the top, quit.
-- Otherwise continue to the next subdomain.
if parent then
subdomain = bump_domain(parent)
else
return nil
end
end
end
return all_results
end
action = function(host, port)
local output = {}
local domains
domains = stdnse.get_script_args('dns-nsec-enum.domains')
if not domains then
domains = guess_domain(host)
end
if not domains then
return string.format("Can't determine domain for host %s; use %s.domains script arg.", host.ip, SCRIPT_NAME)
end
if type(domains) == 'string' then
domains = { domains }
end
for _, domain in ipairs(domains) do
local result = enum(host, port, domain)
if type(result) == "table" then
result["name"] = domain
output[#output + 1] = result
else
output[#output + 1] = "No NSEC records found"
end
end
return stdnse.format_output(true, output)
end
Related
nmap
nmap
epmd-info NSE Script
2011-04-04 18:28:33
afp-showmount NSE Script
2010-01-20 21:49:30
hbase-master-info NSE Script
2011-11-08 16:00:16
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%
Related for NMAP:DNS-NSEC-ENUM.NSE