Nmap dns-nsec3-enum NSE Script
This page contains detailed information about how to use the dns-nsec3-enum NSE script. For list of all NSE scripts, visit the Nmap NSE Library.
Select: |
---|
Script Overview
Script source code: https://github.com/nmap/nmap/tree/master/scripts/dns-nsec3-enum.nse
Script categories: discovery, intrusive
Target service / protocol: dns, udp, tcp
Target network port(s): 53
List of CVEs: -
Script Description
The dns-nsec3-enum.nse script tries to enumerate domain names from the DNS server that supports DNSSEC NSEC3 records.
The script queries for nonexistant domains until it exhausts all domain ranges keeping track of hashes. At the end, all hashes are printed along with salt and number of iterations used. This technique is known as "NSEC3 walking".
That info should then be fed into an offline cracker, like
unhash
from https://dnscurve.org/nsec3walker.html, to
bruteforce the actual names from the hashes. Assuming that the script
output was written into a text file hashes.txt
like:
domain example.com
salt 123456
iterations 10
nexthash d1427bj0ahqnpi4t0t0aaun18oqpgcda vhnelm23s1m3japt7gohc82hgr9un2at
nexthash k7i4ekvi22ebrim5b6celtaniknd6ilj prv54a3cr1tbcvqslrb7bftf5ji5l0p8
nexthash 9ool6bk7r2diaiu81ctiemmb6n961mph nm7v0ig7h9c0agaedc901kojfj9bgabj
nexthash 430456af8svfvl98l66shhrgucoip7mi mges520acstgaviekurg3oksh9u31bmb
Run this command to recover the domain names:
# ./unhash < hashes.txt > domains.txt
names: 8
d1427bj0ahqnpi4t0t0aaun18oqpgcda ns.example.com.
found 1 private NSEC3 names (12%) using 235451 hash computations
k7i4ekvi22ebrim5b6celtaniknd6ilj vulpix.example.com.
found 2 private NSEC3 names (25%) using 35017190 hash computations
Use the dns-nsec-enum
script to handle servers that use NSEC
rather than NSEC3.
References:
Dns-nsec3-enum NSE Script Arguments
This is a full list of arguments supported by the dns-nsec3-enum.nse script:
dns-nsec3-enum.domainsThe domain or list of domains to enumerate. If not provided, the script will make a guess based on the name of the target.
dns-nsec3-enum.timelimitSets a script run time limit. Default 30 minutes.
- - -
To use these script arguments, add them to the Nmap command line using the --script-args arg1=value,[arg2=value,..]
syntax. For example:
nmap --script=dns-nsec3-enum --script-args dns-nsec3-enum.domains=value,dns-nsec3-enum.timelimit=value <target>
Dns-nsec3-enum NSE Script Example Usage
Here's an example of how to use the dns-nsec3-enum.nse script:
nmap -sU -p 53 <target> --script=dns-nsec3-enum --script-args dns-nsec3-enum.domains=example.com
Dns-nsec3-enum NSE Script Example Output
Here's a sample output from the dns-nsec3-enum.nse script:
PORT STATE SERVICE
53/udp open domain
| dns-nsec3-enum:
| domain example.com
| salt 123456
| iterations 10
| nexthash d1427bj0ahqnpi4t0t0aaun18oqpgcda vhnelm23s1m3japt7gohc82hgr9un2at
| nexthash k7i4ekvi22ebrim5b6celtaniknd6ilj prv54a3cr1tbcvqslrb7bftf5ji5l0p8
| nexthash 9ool6bk7r2diaiu81ctiemmb6n961mph nm7v0ig7h9c0agaedc901kojfj9bgabj
| nexthash 430456af8svfvl98l66shhrgucoip7mi mges520acstgaviekurg3oksh9u31bmb
|_ Total hashes found: 8
Dns-nsec3-enum NSE Script Example XML Output
There is no sample XML output for this module. However, by providing the -oX <file>
option, Nmap will produce a XML output and save it in the file.xml
file.
Authors
- Aleksandar Nikolic
- John R. Bond
References
- https://nmap.org/nsedoc/scripts/dns-nsec3-enum.html
- https://github.com/nmap/nmap/tree/master/scripts/dns-nsec3-enum.nse
- https://dnscurve.org/nsec3walker.html
- https://nmap.org/svn/docs/licenses/BSD-simplified
See Also
Related NSE scripts to the dns-nsec3-enum.nse script:
- dns-blacklist.nse
- dns-brute.nse
- dns-cache-snoop.nse
- dns-check-zone.nse
- dns-client-subnet-scan.nse
- dns-fuzz.nse
- dns-ip6-arpa-scan.nse
- dns-nsec-enum.nse
- dns-nsid.nse
- dns-random-srcport.nse
- dns-random-txid.nse
- dns-recursion.nse
- dns-service-discovery.nse
- dns-srv-enum.nse
- dns-update.nse
- dns-zeustracker.nse
- dns-zone-transfer.nse
Visit Nmap NSE Library for more scripts.
The dns-nsec3-enum.nse script may fail with the following error messages. Check for the possible causes by using the code snippets highlighted below found in the script source code. This can often times help in identifying the root cause of the problem.
DNS error: %s
Here is a relevant code snippet related to the "DNS error: %s" error message:
224: stdnse.debug1("nexthash " .. h1 .. " " .. h2)
225: end
226: ranges[h1] = h2
227: end
228: else
229: stdnse.debug1("DNS error: %s", result)
230: end
231: return ranges
232: end
233:
234: -- does the actual enumeration
Version
This page has been created based on Nmap version 7.92.
Go back to menu.