File dns-zone-transfer
Download: http://nmap.org/svn/scripts/dns-zone-transfer.nse
User Summary
Requests a zone transfer (AXFR) from a DNS server.
The script sends an AXFR query to a DNS server. The domain to query is
determined by examining the name given on the command line, the DNS
server's hostname, or it can be specified with the
dnszonetransfer.domain script argument. If the query is
successful, all domains and domain types are returned, along with common
type-specific data (SOA/MX/NS/PTR/A).
This script can run at different phases of an Nmap scan:
- Script Pre-scanning: in this phase the script will run before any
  dnszonetransfer.server: the DNS server to use, can be a hostname or an
  IP address and must be specified. The dnszonetransfer.port argument is
  optional and can be used to specify the DNS server port.
- Script scanning: in this phase the script will run after the other
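To make the exchange concrete, here is a small stand-alone AXFR client in Python. It is an added example, not the script's own Lua code: it frames the query for TCP as the protocol requires, parses the answer section including compressed names, renders the same record types the script prints (SOA/MX/NS/PTR/A), and stops reading when the opening SOA is repeated, which is how a complete transfer is recognised. A non-zero RCODE (what a properly restricted server returns) is reported as an error rather than silently yielding no records. The function names, the zone foo.com and the embedded SAMPLE_RESPONSE bytes are all constructed for this example; zone_transfer() is a hypothetical helper that needs network access, while parse_message() runs offline against the sample.

```python
import socket
import struct

AXFR = 252  # QTYPE for a full zone transfer (RFC 5936)
RR_TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT"}


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_axfr_query(domain, txid=0x1234):
    """TCP-framed (2-byte length prefix) AXFR query for the zone, QCLASS IN."""
    msg = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(domain) + struct.pack("!HH", AXFR, 1)
    return struct.pack("!H", len(msg)) + msg


def read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            end = end if end is not None else offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode())
        offset += length
    return ".".join(labels) + ".", end if end is not None else offset


def parse_rdata(data, rtype, start, rdlen):
    """Render RDATA for the record types the Nmap script prints specially."""
    if rtype == 1 and rdlen == 4:  # A
        return ".".join(str(b) for b in data[start:start + 4])
    if rtype in (2, 5, 12):  # NS, CNAME, PTR: a single name
        return read_name(data, start)[0]
    if rtype == 6:  # SOA: MNAME RNAME then five 32-bit counters
        mname, off = read_name(data, start)
        return f"{mname} {read_name(data, off)[0]}"
    if rtype == 15:  # MX: preference then exchange name
        return f"{struct.unpack('!H', data[start:start + 2])[0]} {read_name(data, start + 2)[0]}"
    return data[start:start + rdlen].hex()


def parse_message(msg):
    """Parse one DNS message (no length prefix) into (name, type, rdata) tuples."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0xF:  # non-zero RCODE, e.g. REFUSED when transfers are not allowed
        raise ValueError(f"transfer failed with RCODE {flags & 0xF}")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        offset = read_name(msg, offset)[1] + 4
    records = []
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        records.append((name, RR_TYPES.get(rtype, str(rtype)), parse_rdata(msg, rtype, offset, rdlen)))
        offset += rdlen
    return records


def transfer_complete(records):
    """An AXFR is complete once the opening SOA is repeated as the last record."""
    return len(records) >= 2 and records[0][1] == "SOA" and records[-1] == records[0]


def zone_transfer(server, domain, port=53, timeout=10):
    """Request AXFR from one server (hypothetical helper; needs network access)."""
    records = []
    with socket.create_connection((server, port), timeout=timeout) as s, s.makefile("rb") as f:
        s.sendall(build_axfr_query(domain))
        while not transfer_complete(records):  # a zone may span several messages
            (length,) = struct.unpack("!H", f.read(2))
            records.extend(parse_message(f.read(length)))
    return records


# Constructed sample response for offline use: one question, four answers,
# with answer owner names sent as compression pointers to the question name.
def _rr(name_bytes, rtype, rdata):
    return name_bytes + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata


_SOA = encode_name("ns1.foo.com.") + encode_name("hostmaster.foo.com.") + struct.pack("!5I", 2024010101, 3600, 900, 604800, 86400)
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 4, 0, 0)
    + encode_name("foo.com.") + struct.pack("!HH", AXFR, 1)
    + _rr(b"\xc0\x0c", 6, _SOA)
    + _rr(b"\xc0\x0c", 2, encode_name("ns1.foo.com."))
    + _rr(encode_name("ns1.foo.com."), 1, bytes([192, 0, 2, 10]))
    + _rr(b"\xc0\x0c", 6, _SOA)
)

if __name__ == "__main__":
    for name, rtype, rdata in parse_message(SAMPLE_RESPONSE):
        print(f"{name:<20}{rtype:<8}{rdata}")
```

Running the module as-is prints the three distinct records from the constructed sample in the same name/type/data column layout the script uses. Against a server you administer, zone_transfer("ns1.example", "example") returning records rather than raising on RCODE 5 (REFUSED) is the quickest confirmation that the zone's transfer ACL is missing.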
Useful resources
- DNS for rocket scientists: http://www.zytrax.com/books/dns/
- How the AXFR protocol works: http://cr.yp.to/djbdns/axfr-notes.html
Script Arguments
dnszonetransfer.domain
Domain to transfer.
dnszonetransfer.port
DNS server port. This argument applies to the "Script Pre-scanning
phase" and is optional; the default value is 53.
dnszonetransfer.server
DNS server. If set, this argument will enable the script for the "Script Pre-scanning phase".
Example Usage
nmap --script dns-zone-transfer.nse \
--script-args dnszonetransfer.domain=<domain>
Script Output
53/tcp open  domain
| dns-zone-transfer:
| foo.com.            SOA     ns2.foo.com. piou.foo.com.
| foo.com.            TXT
| foo.com.            NS      ns1.foo.com.
| foo.com.            NS      ns2.foo.com.
| foo.com.            NS      ns3.foo.com.
| foo.com.            A       127.0.0.1
| foo.com.            MX      mail.foo.com.
| anansie.foo.com.    A       127.0.0.2
| dhalgren.foo.com.   A       127.0.0.3
| drupal.foo.com.     CNAME
| goodman.foo.com.    A       127.0.0.4 i
| goodman.foo.com.    MX      mail.foo.com.
| isaac.foo.com.      A       127.0.0.5
| julie.foo.com.      A       127.0.0.6
| mail.foo.com.       A       127.0.0.7
| ns1.foo.com.        A       127.0.0.7
| ns2.foo.com.        A       127.0.0.8
| ns3.foo.com.        A       127.0.0.9
| stubing.foo.com.    A       127.0.0.10
| vicki.foo.com.      A       127.0.0.11
| votetrust.foo.com.  CNAME
| www.foo.com.        CNAME
|_ foo.com.           SOA     ns2.foo.com. piou.foo.com.
Requires
Categories: default intrusive discovery
Author: Eddie Bell
License: Same as Nmap--See http://nmap.org/book/man-legal.html