
File dns-nsec3-enum

Script types: portrule
Categories: discovery, intrusive
Download: http://nmap.org/svn/scripts/dns-nsec3-enum.nse

User Summary

Tries to enumerate domain names from a DNS server that supports DNSSEC NSEC3 records.

The script queries for nonexistent domains until it exhausts all domain ranges, keeping track of the hashes returned. At the end, all hashes are printed along with the salt and the number of iterations used. This technique is known as "NSEC3 walking".

This information should then be fed into an offline cracker, such as unhash from http://dnscurve.org/nsec3walker.html, to brute-force the actual names from the hashes. Assuming the script output was written to a text file hashes.txt like this:

domain example.com
salt 123456
iterations 10
nexthash d1427bj0ahqnpi4t0t0aaun18oqpgcda vhnelm23s1m3japt7gohc82hgr9un2at
nexthash k7i4ekvi22ebrim5b6celtaniknd6ilj prv54a3cr1tbcvqslrb7bftf5ji5l0p8
nexthash 9ool6bk7r2diaiu81ctiemmb6n961mph nm7v0ig7h9c0agaedc901kojfj9bgabj
nexthash 430456af8svfvl98l66shhrgucoip7mi mges520acstgaviekurg3oksh9u31bmb

Run this command to recover the domain names:

# ./unhash < hashes.txt > domains.txt
names: 8
d1427bj0ahqnpi4t0t0aaun18oqpgcda ns.example.com.
found 1 private NSEC3 names (12%) using 235451 hash computations
k7i4ekvi22ebrim5b6celtaniknd6ilj vulpix.example.com.
found 2 private NSEC3 names (25%) using 35017190 hash computations
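
Each hash in this output is a salted, iterated SHA-1 digest of an owner name (RFC 5155), so a zone operator can check offline how many of their own names a small wordlist confirms. The following is an added example, not part of the Nmap script or of unhash: it parses the domain/salt/iterations/nexthash format shown above and reports which candidate labels match. The function names are assumptions of this example, and the sample data is constructed from the RFC 5155 Appendix A example zone.

```python
import base64
import hashlib

# NSEC3 uses base32hex; translate from the standard base32 alphabet.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789abcdefghijklmnopqrstuv")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5 hash (SHA-1) of a domain name, as base32hex text."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)  # "-" means no salt
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(int(iterations)):  # iterations counts the additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii")

def parse_walk(text):
    """Parse script output (with or without the leading '|' column) into a dict."""
    zone = {"hashes": set()}
    for line in text.splitlines():
        f = line.strip().lstrip("|_ ").split()
        if len(f) >= 3 and f[0] == "nexthash":
            zone["hashes"].update(f[1:3])
        elif len(f) == 2 and f[0] in ("domain", "salt", "iterations"):
            zone[f[0]] = f[1]
    return zone

def guessable_names(zone, labels):
    """Return {hash: name} for the apex and every candidate label seen in the walk."""
    found = {}
    for name in [zone["domain"]] + [f"{l}.{zone['domain']}" for l in labels]:
        h = nsec3_hash(name, zone["salt"], zone["iterations"])
        if h in zone["hashes"]:
            found[h] = name
    return found

# Constructed sample in the script's output format (RFC 5155 Appendix A zone).
SAMPLE = """\
domain example
salt aabbccdd
iterations 12
nexthash 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom 2t7b4g4vsa5smi47k61mv5bv1a22bojr
nexthash 35mthgpgcu1qg68fab165klnsnk3dpvl b4um86eghhds6nea196smvmlo4ors995
"""

if __name__ == "__main__":
    for h, name in guessable_names(parse_walk(SAMPLE), ["a", "ns1", "www"]).items():
        print(h, name)
```

Hashes that no candidate matches stay opaque; the salt and iteration count only raise the cost per guess, they do not hide names that appear in a wordlist.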

Use the dns-nsec-enum script to handle servers that use NSEC rather than NSEC3.

Script Arguments

dns-nsec3-enum.domains

The domain or list of domains to enumerate. If not provided, the script will make a guess based on the name of the target.

dns-nsec3-enum.timelimit

Sets a script run time limit. Default 30 minutes.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

randomseed, smbbasic, smbport, smbsign

See the documentation for the smb library.

unittest.run

See the documentation for the unittest library.

Example Usage

nmap -sU -p 53 <target> --script=dns-nsec3-enum --script-args dns-nsec3-enum.domains=example.com

Script Output

PORT   STATE SERVICE
53/udp open  domain
| dns-nsec3-enum:
|   domain example.com
|   salt 123456
|   iterations 10
|   nexthash d1427bj0ahqnpi4t0t0aaun18oqpgcda vhnelm23s1m3japt7gohc82hgr9un2at
|   nexthash k7i4ekvi22ebrim5b6celtaniknd6ilj prv54a3cr1tbcvqslrb7bftf5ji5l0p8
|   nexthash 9ool6bk7r2diaiu81ctiemmb6n961mph nm7v0ig7h9c0agaedc901kojfj9bgabj
|   nexthash 430456af8svfvl98l66shhrgucoip7mi mges520acstgaviekurg3oksh9u31bmb
|_  Total hashes found: 8

Author: Aleksandar Nikolic, John R. Bond

License: Simplified (2-clause) BSD license--See http://nmap.org/svn/docs/licenses/BSD-simplified
