Nmap dns-nsec-enum NSE Script


This page contains detailed information about how to use the dns-nsec-enum NSE script. For a list of all NSE scripts, visit the Nmap NSE Library.

Script Overview


Script source code: https://github.com/nmap/nmap/tree/master/scripts/dns-nsec-enum.nse
Script categories: discovery, intrusive
Target service / protocol: dns, udp, tcp
Target network port(s): 53
List of CVEs: -

Script Description


The dns-nsec-enum.nse script enumerates DNS names using the DNSSEC NSEC-walking technique.

Output is arranged by domain. Within a domain, subzones are shown with increased indentation.

The NSEC response record in DNSSEC is used to give negative answers to queries, but it has the side effect of allowing enumeration of all names, much like a zone transfer. This script doesn't work against servers that use NSEC3 rather than NSEC; for that, see dns-nsec3-enum.
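The side effect described above can be modeled offline. This is an added example, not code from the Nmap project or the script's author; the zone contents are a constructed subset of the names in this page's sample output, and all function names are hypothetical. It builds the NSEC chain in RFC 4034 canonical order and shows which owner/next pair a signed negative answer would carry, which is why a zone signed with NSEC discloses every name it contains.

```python
# Constructed sample zone (illustrative only); names are a subset of this page's sample output.
ZONE = ["example.com", "bulbasaur.example.com", "charmander.example.com",
        "dugtrio.example.com", "www.dugtrio.example.com", "ns.example.com",
        "snorlax.example.com", "vulpix.example.com"]

def canonical_key(name):
    """RFC 4034 section 6.1 order: lowercase labels compared right to left as bytes."""
    labels = name.lower().rstrip(".").split(".")
    return [label.encode() for label in reversed(labels)]

def build_nsec_chain(names):
    """Map each owner name to its 'next name'; the last name wraps back to the apex."""
    ordered = sorted(names, key=canonical_key)
    return {owner: ordered[(i + 1) % len(ordered)] for i, owner in enumerate(ordered)}

def covering_nsec(chain, qname):
    """Return the (owner, next) pair that proves qname does not exist, or None if it exists."""
    q = canonical_key(qname)
    for owner, nxt in chain.items():
        o, n = canonical_key(owner), canonical_key(nxt)
        in_gap = o < q < n
        in_wrap = n <= o and (q > o or q < n)  # the record that closes the chain
        if in_gap or in_wrap:
            return owner, nxt
    return None

def disclosed_names(chain, apex):
    """Follow next-name pointers from the apex until the chain returns to its start."""
    seen, cur = [], apex
    while cur not in seen:
        seen.append(cur)
        cur = chain[cur]
    return seen

if __name__ == "__main__":
    chain = build_nsec_chain(ZONE)
    # A query for a name that does not exist is answered with two real names.
    print("mail.example.com ->", covering_nsec(chain, "mail.example.com"))
    print("names disclosed by the chain:")
    for name in disclosed_names(chain, "example.com"):
        print("  ", name)
```

NSEC3 replaces the plain owner and next names with hashes of them, which is why this model (and the script) does not apply to NSEC3-signed zones.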

Dns-nsec-enum NSE Script Arguments


This is a full list of arguments supported by the dns-nsec-enum.nse script:

dns-nsec-enum.domains

The domain or list of domains to enumerate. If not provided, the script will make a guess based on the name of the target.

To use this script argument, add it to the Nmap command line as in this example:

nmap --script=dns-nsec-enum --script-args dns-nsec-enum.domains=value <target>

Dns-nsec-enum NSE Script Example Usage


Here's an example of how to use the dns-nsec-enum.nse script:

nmap -sSU -p 53 --script dns-nsec-enum --script-args dns-nsec-enum.domains=example.com <target>

Dns-nsec-enum NSE Script Example Output


Here's a sample output from the dns-nsec-enum.nse script:

53/udp open  domain  udp-response
| dns-nsec-enum:
|   example.com
|     bulbasaur.example.com
|     charmander.example.com
|     dugtrio.example.com
|     www.dugtrio.example.com
|     gyarados.example.com
|       johto.example.com
|       blue.johto.example.com
|       green.johto.example.com
|       ns.johto.example.com
|       red.johto.example.com
|     ns.example.com
|     snorlax.example.com
|_    vulpix.example.com

Dns-nsec-enum NSE Script Example XML Output


There is no sample XML output for this module. However, if you provide the -oX <file> option, Nmap will produce XML output and save it to the given file.

Author


  • John R. Bond

See Also


Related NSE scripts to the dns-nsec-enum.nse script:

Visit Nmap NSE Library for more scripts.

Version


This page has been created based on Nmap version 7.92.