Nmap dns-random-txid NSE Script
This page contains detailed information about how to use the dns-random-txid NSE script. For list of all NSE scripts, visit the Nmap NSE Library.
| Select: |
|---|
Script Overview
Script source code: https://github.com/nmap/nmap/tree/master/scripts/dns-random-txid.nse
Script categories: external, intrusive
Target service / protocol: dns, udp
Target network port(s): 53
List of CVEs: CVE-2008-1447
Script Description
The dns-random-txid.nse script checks a DNS server for the predictable-TXID DNS recursion vulnerability. Predictable TXID values can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).
The script works by querying txidtest.dns-oarc.net (see https://www.dns-oarc.net/oarc/services/txidtest). Be aware that any targets against which this script is run will be sent to and potentially recorded by one or more DNS servers and the txidtest server. In addition your IP address will be sent along with the txidtest query to the DNS server running on the target.
Dns-random-txid NSE Script Arguments
The dns-random-txid.nse script does not have any arguments.
Dns-random-txid NSE Script Example Usage
Here's an example of how to use the dns-random-txid.nse script:
nmap -sU -p 53 --script=dns-random-txid <target>
Dns-random-txid NSE Script Example Output
Here's a sample output from the dns-random-txid.nse script:
PORT STATE SERVICE REASON
53/udp open domain udp-response
|_dns-random-txid: X.X.X.X is GREAT: 27 queries in 61.5 seconds from 27 txids with std dev 20509
Dns-random-txid NSE Script Example XML Output
There is no sample XML output for this module. However, by providing the -oX <file> option, Nmap will produce a XML output and save it in the file.xml file.
Authors
- Script: Brandon Enright
- txidtest.dns-oarc.net: Duane Wessels
References
- https://nmap.org/nsedoc/scripts/dns-random-txid.html
- https://github.com/nmap/nmap/tree/master/scripts/dns-random-txid.nse
- https://www.dns-oarc.net/oarc/services/txidtest
See Also
Related NSE scripts to the dns-random-txid.nse script:
- dns-blacklist.nse
- dns-brute.nse
- dns-cache-snoop.nse
- dns-check-zone.nse
- dns-client-subnet-scan.nse
- dns-fuzz.nse
- dns-ip6-arpa-scan.nse
- dns-nsec3-enum.nse
- dns-nsec-enum.nse
- dns-nsid.nse
- dns-random-srcport.nse
- dns-recursion.nse
- dns-service-discovery.nse
- dns-srv-enum.nse
- dns-update.nse
- dns-zeustracker.nse
- dns-zone-transfer.nse
Visit Nmap NSE Library for more scripts.
The dns-random-txid.nse script may fail with the following error messages. Check for the possible causes by using the code snippets highlighted below found in the script source code. This can often times help in identifying the root cause of the problem.
Malformed response
Here is a relevant code snippet related to the "Malformed response" error message:
84:
85: -- Now we need to "parse" the results to check to see if they are good
86:
87: -- We need a minimum of 5 bytes...
88: if (#result < 5) then
89: return fail("Malformed response")
90: end
91:
92: -- Check TXID
93: if (string.byte(result, 1) ~= 0xba
94: or string.byte(result, 2) ~= 0xbe) then
Invalid Transaction ID
Here is a relevant code snippet related to the "Invalid Transaction ID" error message:
90: end
91:
92: -- Check TXID
93: if (string.byte(result, 1) ~= 0xba
94: or string.byte(result, 2) ~= 0xbe) then
95: return fail("Invalid Transaction ID")
96: end
97:
98: -- Check response flag and recursion
99: if not ((string.byte(result, 3) & 0x80) == 0x80
100: and (string.byte(result, 4) & 0x80) == 0x80) then
Server refused recursion
Here is a relevant code snippet related to the "Server refused recursion" error message:
96: end
97:
98: -- Check response flag and recursion
99: if not ((string.byte(result, 3) & 0x80) == 0x80
100: and (string.byte(result, 4) & 0x80) == 0x80) then
101: return fail("Server refused recursion")
102: end
103:
104: -- Check error flag
105: if (string.byte(result, 4) & 0x0F) ~= 0x00 then
106: return fail("Server failure")
Server failure
Here is a relevant code snippet related to the "Server failure" error message:
101: return fail("Server refused recursion")
102: end
103:
104: -- Check error flag
105: if (string.byte(result, 4) & 0x0F) ~= 0x00 then
106: return fail("Server failure")
107: end
108:
109: -- Check for two Answer RRs and 1 Authority RR
110: if (string.byte(result, 5) ~= 0x00
111: or string.byte(result, 6) ~= 0x01
Response did not include expected answers
Here is a relevant code snippet related to the "Response did not include expected answers" error message:
109: -- Check for two Answer RRs and 1 Authority RR
110: if (string.byte(result, 5) ~= 0x00
111: or string.byte(result, 6) ~= 0x01
112: or string.byte(result, 7) ~= 0x00
113: or string.byte(result, 8) ~= 0x02) then
114: return fail("Response did not include expected answers")
115: end
116:
117: -- We need a minimum of 128 bytes...
118: if (#result < 128) then
119: return fail("Truncated response")
Truncated response
Here is a relevant code snippet related to the "Truncated response" error message:
114: return fail("Response did not include expected answers")
115: end
116:
117: -- We need a minimum of 128 bytes...
118: if (#result < 128) then
119: return fail("Truncated response")
120: end
121:
122: -- Here is the really fragile part. If the DNS response changes
123: -- in any way, this won't work and will fail.
124: -- Jump to second answer and check to see that it is TXT, IN
Answer record not of type TXT
Here is a relevant code snippet related to the "Answer record not of type TXT" error message:
126:
127: -- Check for TXT
128: if (string.byte(result, 118) ~= 0x00
129: or string.byte(result, 119) ~= 0x10)
130: then
131: return fail("Answer record not of type TXT")
132: end
133:
134: -- Check for IN
135: if (string.byte(result, 120) ~= 0x00
136: or string.byte(result, 121) ~= 0x01) then
Answer record not of type IN
Here is a relevant code snippet related to the "Answer record not of type IN" error message:
132: end
133:
134: -- Check for IN
135: if (string.byte(result, 120) ~= 0x00
136: or string.byte(result, 121) ~= 0x01) then
137: return fail("Answer record not of type IN")
138: end
139:
140: -- Get TXT length
141: local txtlen = string.byte(result, 128)
142:
Truncated response
Here is a relevant code snippet related to the "Truncated response" error message:
140: -- Get TXT length
141: local txtlen = string.byte(result, 128)
142:
143: -- We now need a minimum of 128 + txtlen bytes + 1...
144: if (#result < 128 + txtlen) then
145: return fail("Truncated response")
146: end
147:
148: -- GET TXT record
149: local txtrd = string.sub(result, 129, 128 + txtlen)
150:
Version
This page has been created based on Nmap version 7.92.
Go back to menu.
