Script dns-client-subnet-scan
Script types:
prerule, portrule
Categories:
discovery, safe
Download: https://svn.nmap.org/nmap/scripts/dns-client-subnet-scan.nse
Script Summary
Performs a domain lookup using the edns-client-subnet option, which allows clients to specify the subnet that queries supposedly originate from. The script uses this option to supply a number of geographically distributed locations in an attempt to enumerate as many different address records as possible. The script also supports requests using a given subnet.
Script Arguments
- dns-client-subnet-scan.domain
The domain to look up, e.g. www.example.org
- dns-client-subnet-scan.mask
[optional] The number of bits to use as subnet mask (default: 24)
- dns-client-subnet-scan.nameserver
[optional] nameserver to use. (default = host.ip)
- dns-client-subnet-scan.address
The client subnet address to use
Example Usage
nmap -sU -p 53 --script dns-client-subnet-scan --script-args \
   'dns-client-subnet-scan.domain=www.example.com, \
   dns-client-subnet-scan.address=192.168.0.1 \
   [,dns-client-subnet-scan.nameserver=8.8.8.8] \
   [,dns-client-subnet-scan.mask=24]' <target>
nmap --script dns-client-subnet-scan --script-args \
   'dns-client-subnet-scan.domain=www.example.com, \
   dns-client-subnet-scan.address=192.168.0.1, \
   dns-client-subnet-scan.nameserver=8.8.8.8 \
   [,dns-client-subnet-scan.mask=24]'
Script Output
53/udp open  domain  udp-response
| dns-client-subnet-scan:
| www.google.com
|   1.2.3.4
|   5.6.7.8
|   9.10.11.12
|   13.14.15.16
|   .
|   .
|_  .
Requires
Author:
License: Simplified (2-clause) BSD license--See https://nmap.org/svn/docs/licenses/BSD-simplified