File dns-zone-transfer
Download: http://nmap.org/svn/scripts/dns-zone-transfer.nse
User Summary
Requests a zone transfer (AXFR) from a DNS server.
The script sends an AXFR query to a DNS server. The domain to query is
determined by examining the name given on the command line, the DNS
server's hostname, or it can be specified with the
dnszonetransfer.domain script argument. If the query is
successful all domains and domain types are returned along with common
type specific data (SOA/MX/NS/PTR/A).
If we don't have the "true" hostname for the DNS server we cannot determine a likely zone to perform the transfer on.
Useful resources
- DNS for rocket scientists: http://www.zytrax.com/books/dns/
- How the AXFR protocol works: http://cr.yp.to/djbdns/axfr-notes.html
Script Arguments
dnszonetransfer.domain
Domain to transfer.
Example Usage
nmap --script dns-zone-transfer.nse \
--script-args dnszonetransfer.domain=<domain>
Script Output
53/tcp open domain | dns-zone-transfer: | foo.com. SOA ns2.foo.com. piou.foo.com. | foo.com. TXT | foo.com. NS ns1.foo.com. | foo.com. NS ns2.foo.com. | foo.com. NS ns3.foo.com. | foo.com. A 127.0.0.1 | foo.com. MX mail.foo.com. | anansie.foo.com. A 127.0.0.2 | dhalgren.foo.com. A 127.0.0.3 | drupal.foo.com. CNAME | goodman.foo.com. A 127.0.0.4 i | goodman.foo.com. MX mail.foo.com. | isaac.foo.com. A 127.0.0.5 | julie.foo.com. A 127.0.0.6 | mail.foo.com. A 127.0.0.7 | ns1.foo.com. A 127.0.0.7 | ns2.foo.com. A 127.0.0.8 | ns3.foo.com. A 127.0.0.9 | stubing.foo.com. A 127.0.0.10 | vicki.foo.com. A 127.0.0.11 | votetrust.foo.com. CNAME | www.foo.com. CNAME |_ foo.com. SOA ns2.foo.com. piou.foo.com.
Requires
id \222\173
categories default intrusive discovery
author Eddie Bell
copyright © Same as Nmap--See http://nmap.org/book/man-legal.html
Functions
| bto16 (data, idx) | Convert two bytes into a 16bit number. |
| build_domain (host) | Build RFC 1035 root domain name from the name of the DNS server (e.g ns1.website.com.ar -> \007website\003com\002ar\000). |
| get_answer_record (table, data, offset) | Get a single answer record from the current offset |
| get_rdata (data, offset, ttype) | Retrieve type specific data (rdata) from dns packets |
| parse_domain (data, offset) | Parse an RFC 1035 domain name. |
| valid_tld (elm) | Check if domain name element is a tld |
Tables
| tld |
Whitelist of TLDs. Only way to reliably determine the root of a domain |
| typetab |
DNS query and response types. |
Functions
- bto16 (data, idx)
-
Convert two bytes into a 16bit number.
Parameters
- data: String of data.
- idx: Index in the string (first of two consecutive bytes).
Return value:
16 bit number represented by the two bytes. - build_domain (host)
-
Build RFC 1035 root domain name from the name of the DNS server (e.g ns1.website.com.ar -> \007website\003com\002ar\000).
Parameters
- host: The host.
- get_answer_record (table, data, offset)
-
Get a single answer record from the current offset
Parameters
- table:
- data:
- offset:
- get_rdata (data, offset, ttype)
-
Retrieve type specific data (rdata) from dns packets
Parameters
- data:
- offset:
- ttype:
- parse_domain (data, offset)
-
Parse an RFC 1035 domain name.
Parameters
- data: String of data.
- offset: Offset in the string to read the domain name.
- valid_tld (elm)
-
Check if domain name element is a tld
Parameters
- elm: Domain name element to check.
Return value:
boolean