File dns-nsec-enum
Script types: portrule
Categories: discovery, intrusive
Download: http://nmap.org/svn/scripts/dns-nsec-enum.nse
User Summary
Enumerates DNS names using the DNSSEC NSEC-walking technique.
Output is arranged by domain. Within a domain, subzones are shown with increased indentation.
The NSEC response record in DNSSEC is used to give negative answers to queries, but it has the side effect of allowing enumeration of all names, much like a zone transfer. This script doesn't work against servers that use NSEC3 rather than NSEC.
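The side effect described above can be reproduced offline. This is an added example, not code from the script or the Nmap project: a toy in-memory server (the hypothetical NsecZone class) answers every query with the covering NSEC record, and walk() recovers the whole zone from negative answers alone. The zone contents are constructed, reusing names from the sample output on this page.

```python
import bisect

# Constructed zone contents for illustration only (not a real zone).
ZONE = ["example.com", "ns.example.com", "bulbasaur.example.com",
        "johto.example.com", "red.johto.example.com", "vulpix.example.com"]

def canonical_key(name):
    """RFC 4034 section 6.1 ordering: compare labels right to left, lowercased."""
    return [label.lower().encode() for label in reversed(name.rstrip(".").split("."))]

class NsecZone:
    """Toy authoritative server that answers any query with the covering NSEC."""
    def __init__(self, names):
        self.owners = sorted(set(names), key=canonical_key)
        self.keys = [canonical_key(n) for n in self.owners]

    def nsec_for(self, qname):
        # The last owner whose canonical key is <= the query's key covers it.
        i = bisect.bisect_right(self.keys, canonical_key(qname)) - 1
        owner = self.owners[i]
        nxt = self.owners[(i + 1) % len(self.owners)]  # last record wraps to the apex
        return owner, nxt

def walk(server, apex, limit=10000):
    """Recover every owner name using only negative answers."""
    found, current = [apex], apex
    for _ in range(limit):
        # "\x00.<current>" is the smallest possible name after <current>, so it
        # does not exist here, and its denial names the next real owner.
        _, nxt = server.nsec_for("\x00." + current)
        if nxt == apex:  # chain wrapped around: the whole zone has been seen
            break
        found.append(nxt)
        current = nxt
    return found

if __name__ == "__main__":
    for name in walk(NsecZone(ZONE), "example.com"):
        print(name)
```

The number of names walk() returns is what an NSEC-signed zone discloses to any client. NSEC3 replaces the owner names in these records with hashes, which is why this plain walk does not apply to it.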
Script Arguments
dns-nsec-enum.domains
The domain or list of domains to enumerate. If not provided, the script will make a guess based on the name of the target.
Example Usage
nmap -sSU -p 53 --script dns-nsec-enum --script-args dns-nsec-enum.domains=example.com <target>
Script Output
53/udp open  domain  udp-response
| dns-nsec-enum:
|   example.com
|     bulbasaur.example.com
|     charmander.example.com
|     dugtrio.example.com
|     www.dugtrio.example.com
|     gyarados.example.com
|       johto.example.com
|       blue.johto.example.com
|       green.johto.example.com
|       ns.johto.example.com
|       red.johto.example.com
|     ns.example.com
|     snorlax.example.com
|_    vulpix.example.com
Requires
Author: John Bond
License: Simplified (2-clause) BSD license--See http://nmap.org/svn/docs/licenses/BSD-simplified




