Script dns-nsec-enum

Script types: portrule
Categories: discovery, intrusive
Download: https://svn.nmap.org/nmap/scripts/dns-nsec-enum.nse

Script Summary

Enumerates DNS names using the DNSSEC NSEC-walking technique.

Output is arranged by domain. Within a domain, subzones are shown with increased indentation.

The NSEC response record in DNSSEC is used to give negative answers to queries, but it has the side effect of allowing enumeration of all names, much like a zone transfer. This script doesn't work against servers that use NSEC3 rather than NSEC; for that, see dns-nsec3-enum.

See also:

• dns-nsec3-enum.nse
• dns-ip6-arpa-scan.nse
• dns-brute.nse
• dns-zone-transfer.nse

Script Arguments

dns-nsec-enum.domains

The domain or list of domains to enumerate. If not provided, the script will make a guess based on the name of the target.

Example Usage

nmap -sSU -p 53 --script dns-nsec-enum --script-args dns-nsec-enum.domains=example.com <target>

Script Output

53/udp open  domain  udp-response
| dns-nsec-enum:
|   example.com
|     bulbasaur.example.com
|     charmander.example.com
|     dugtrio.example.com
|     www.dugtrio.example.com
|     gyarados.example.com
|       johto.example.com
|       blue.johto.example.com
|       green.johto.example.com
|       ns.johto.example.com
|       red.johto.example.com
|     ns.example.com
|     snorlax.example.com
|_    vulpix.example.com

Requires

• dns
• nmap
• shortport
• stdnse
• string
• stringaux
• table
• tableaux

---

Author:

• John R. Bond

License: Simplified (2-clause) BSD license--See https://nmap.org/svn/docs/licenses/BSD-simplified