Script dns-zone-transfer
Script types:
prerule, portrule
Categories:
intrusive, discovery
Download: https://svn.nmap.org/nmap/scripts/dns-zone-transfer.nse
Script Summary
Requests a zone transfer (AXFR) from a DNS server.
The script sends an AXFR query to a DNS server. The domain to query is determined by examining the name given on the command line, the DNS server's hostname, or it can be specified with the dns-zone-transfer.domain script argument. If the query is successful, all domains and domain types are returned along with common type-specific data (SOA/MX/NS/PTR/A).
This script can run at different phases of an Nmap scan:
- Script Pre-scanning: in this phase the script will run before any
  dns-zone-transfer.server, the DNS server to use, can be a hostname or an IP address and must be specified. The dns-zone-transfer.port argument is optional and can be used to specify the DNS server port.
- Script scanning: in this phase the script will run after the other
Useful resources
- DNS for rocket scientists: http://www.zytrax.com/books/dns/
- How the AXFR protocol works: http://cr.yp.to/djbdns/axfr-notes.html
Script Arguments
- dns-zone-transfer.port
  DNS server port. This argument concerns the "Script Pre-scanning phase"; it is optional, and the default value is 53.
- dns-zone-transfer.server
  DNS server. If set, this argument will enable the script for the "Script Pre-scanning phase".
- newtargets
  If specified, adds returned DNS records onto the Nmap scanning queue.
- dns-zone-transfer.domain
  Domain to transfer.
- dns-zone-transfer.addall
  If specified, adds all IP addresses, including private ones, onto the Nmap scanning queue when the script argument newtargets is given. The default behavior is to skip private IPs (non-routable).
- max-newtargets
  See the documentation for the target library.
Example Usage
nmap --script dns-zone-transfer.nse \
  --script-args dns-zone-transfer.domain=<domain>
Script Output
53/tcp open domain
| dns-zone-transfer:
| foo.com. SOA ns2.foo.com. piou.foo.com.
| foo.com. TXT
| foo.com. NS ns1.foo.com.
| foo.com. NS ns2.foo.com.
| foo.com. NS ns3.foo.com.
| foo.com. A 127.0.0.1
| foo.com. MX mail.foo.com.
| anansie.foo.com. A 127.0.0.2
| dhalgren.foo.com. A 127.0.0.3
| drupal.foo.com. CNAME
| goodman.foo.com. A 127.0.0.4
| goodman.foo.com. MX mail.foo.com.
| isaac.foo.com. A 127.0.0.5
| julie.foo.com. A 127.0.0.6
| mail.foo.com. A 127.0.0.7
| ns1.foo.com. A 127.0.0.7
| ns2.foo.com. A 127.0.0.8
| ns3.foo.com. A 127.0.0.9
| stubing.foo.com. A 127.0.0.10
| vicki.foo.com. A 127.0.0.11
| votetrust.foo.com. CNAME
| www.foo.com. CNAME
|_ foo.com. SOA ns2.foo.com. piou.foo.com.
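As an added example (not code from the Nmap script or its documentation), the Python below parses record lines in the format the script prints and applies the newtargets / dns-zone-transfer.addall policy described under Script Arguments: A-record addresses become candidate targets, and private (non-routable) ones are skipped unless addall is set. The sample output is constructed (51.77.0.1 is a made-up public address), and Python's ipaddress.is_private stands in for the script's own private-range check.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the dns-zone-transfer output format; not real zone data.
SAMPLE_OUTPUT = """\
| dns-zone-transfer:
| foo.com. SOA ns2.foo.com. piou.foo.com.
| foo.com. TXT
| foo.com. NS ns1.foo.com.
| foo.com. A 127.0.0.1
| foo.com. MX mail.foo.com.
| anansie.foo.com. A 127.0.0.2
| drupal.foo.com. CNAME
| mail.foo.com. A 51.77.0.1
| ns1.foo.com. A 127.0.0.7
| www.foo.com. CNAME
|_ foo.com. SOA ns2.foo.com. piou.foo.com.
"""

# "| name TYPE [data]" or "|_ name TYPE [data]"; the header line has no TYPE.
RECORD_RE = re.compile(r"^\|_?\s+(\S+)\s+([A-Z]+)(?:\s+(.*))?$")


def parse_records(output):
    """Return (name, type, data) tuples; data is '' for bare records like CNAME."""
    records = []
    for line in output.splitlines():
        m = RECORD_RE.match(line)
        if m:
            name, rtype, data = m.groups()
            records.append((name, rtype, data or ""))
    return records


def records_by_type(records):
    """Group (name, data) pairs by record type, e.g. by_type['NS']."""
    by_type = defaultdict(list)
    for name, rtype, data in records:
        by_type[rtype].append((name, data))
    return dict(by_type)


def new_targets(records, addall=False):
    """Addresses that newtargets would queue: A records, minus private
    ranges unless addall is given (approximated with ipaddress.is_private)."""
    targets = []
    for _name, rtype, data in records:
        if rtype != "A":
            continue
        try:
            ip = ipaddress.ip_address(data)
        except ValueError:
            continue  # malformed address: never queue it
        if ip.is_private and not addall:
            continue
        if str(ip) not in targets:
            targets.append(str(ip))
    return targets
```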
License: Same as Nmap--See https://nmap.org/book/man-legal.html