Nmap Development mailing list archives

Re: NSEC Enumeration script


From: John Bond <john.r.bond () gmail com>
Date: Mon, 16 May 2011 23:12:47 +0200

On 19 April 2011 10:02, John Bond <john.r.bond () gmail com> wrote:
On 19 April 2011 01:17, David Fifield <david () bamsoftware com> wrote:
Thanks, John, I put these changes in a local branch. Remind me, do you
have a working NSEC3 enumeration script, or are still working on it?
Not really, I have a proof of concept script which is slow, buggy and
keeps changing.  I am not sure of the best way to do this yet.  I'll
have another look at it tonight


Ok I finally got round to looking at this again and like I said I have
tried various different methods.  And the more I think about this the
more I think nmap is not the correct tool for this.  As far as I can
tell you would need to run this forever and then quit when you think
you have got enough records or you continue to get repeat entries.  As
far as I can tell the nsec3walker works this way

On 5 April 2011 01:47, David Fifield <david () bamsoftware com> wrote:
You don't run forever--run until every hash value is accounted for.
Guess a name, and suppose that an NSEC3 comes back with values 246e6bbc
and 27fb6080.
Unfortunately this is not how it happens, it's not like NSEC which says
there is nothing between a and b.  All it says is the next hash is b

Now you know that 246e6bbc and 27fb6080 exist, and nothing
between them does.
Again this is not the case; even if the above was true, all you would
know is nothing exists between A and B where hash(A)==246e6bbc and
hash(B)==27fb6080

The best thing I can think of is using something like the following

subdomain = base32.enc(openssl.rand_bytes(20),true)
-- this is old code and I think we could probably get away with a random
-- 5-10 char string

to generate the next guess and then try and have a bit of fuzzy logic
to work out a logical time to give up.

If I'm missing something obvious here then I would welcome comments or
recommendations.

I would also welcome some discussion on whether people think this type of
script does sit well with nmap and if so what type of configuration
would you want to pass to have the script stop, e.g. after x amount
of hashes have been enumerated, after x amount of duplicates have been
received, after x amount of time has passed, something else.
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
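
An added, fully offline example (not code from this thread, from Nmap or from nsec3walker) of the two pieces the message turns on: the NSEC3 hash computation from RFC 5155 section 5, and the interval bookkeeping that tells you when every hash value is accounted for, so a run can end on a closed ring instead of an arbitrary budget. The zone names, the random guesses and the stand-in for the responding server are constructed; only the salt and iteration count are the RFC 5155 Appendix A values, so the hash of `example.` can be checked against the RFC's own test vector. The `max_records`, `max_duplicates` and `max_seconds` knobs are hypothetical names for the three stop conditions asked about above. The same accounting is what a zone operator would use to confirm that a published NSEC3 chain is closed and how many records it exposes.

```python
"""NSEC3 hashing (RFC 5155 section 5) plus hash-ring coverage accounting.
Added example, not nmap-dev or Nmap code.  Everything is offline: the
zone, the guesses and the 'server' are constructed; salt and iteration
count come from RFC 5155 Appendix A so the hash of example. is checkable."""
import base64
import hashlib
import random
import time

_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"   # RFC 4648 base32 alphabet
_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"   # base32hex alphabet, sort-order preserving
_TO_HEX = bytes.maketrans(_STD, _HEX)
_TO_STD = bytes.maketrans(_HEX, _STD)
RING = 1 << 160                               # size of the SHA-1 output space


def wire_name(name):
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt, iterations):
    """SHA-1(wire||salt), re-hashed `iterations` more times, as lowercase base32hex."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_HEX).decode().lower()


def hash_to_int(h):
    """base32hex string -> integer position on the 160-bit ring."""
    return int.from_bytes(base64.b32decode(h.upper().encode().translate(_TO_STD)), "big")


class ChainCoverage:
    """NSEC3 records seen so far (owner hash -> next hash).  Per RFC 5155 each
    record asserts that no hashed owner name lies strictly between the two, so
    once the intervals span the whole ring the chain is closed."""

    def __init__(self):
        self.intervals = {}
        self.duplicates = 0
        self.started = time.monotonic()

    def add(self, owner, nxt):
        """Record one NSEC3 RR; returns True if it was not seen before."""
        if owner in self.intervals:
            self.duplicates += 1
            return False
        self.intervals[owner] = nxt
        return True

    def covered_fraction(self):
        """Fraction of the ring spanned by known intervals (wrap-around aware)."""
        covered = 0
        for owner, nxt in self.intervals.items():
            # a single-name zone has owner == next and covers the whole ring
            covered += (hash_to_int(nxt) - hash_to_int(owner)) % RING or RING
        return covered / RING

    def should_stop(self, max_records=None, max_duplicates=None, max_seconds=None):
        """Closed ring, or one of the (hypothetical) budget knobs, ends the run."""
        if self.covered_fraction() >= 1.0:
            return True
        if max_records is not None and len(self.intervals) >= max_records:
            return True
        if max_duplicates is not None and self.duplicates >= max_duplicates:
            return True
        return max_seconds is not None and time.monotonic() - self.started >= max_seconds


# --- constructed stand-in for a signed zone and the server answering for it ---
SALT = bytes.fromhex("aabbccdd")   # NSEC3PARAM salt / iterations from RFC 5155 Appendix A
ITERATIONS = 12
ZONE_NAMES = ["example.", "a.example.", "ai.example.", "ns1.example.",
              "ns2.example.", "w.example.", "x.w.example.", "xx.example."]


def build_chain(names, salt, iterations):
    """The chain a signer publishes: sorted hashes, each pointing to the next, last wraps."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return {h: hashes[(i + 1) % len(hashes)] for i, h in enumerate(hashes)}


def covering_record(chain, h):
    """The record whose interval contains h, i.e. what an NXDOMAIN proof carries."""
    for owner, nxt in chain.items():   # base32hex sorts as text, so plain string compares work
        if owner == h or (owner < nxt and owner < h < nxt) or (owner >= nxt and (h > owner or h < nxt)):
            return owner, nxt
    raise ValueError("chain does not cover the ring")


def run_until_closed(seed=0):
    """Feed random-label guesses to the constructed zone until the ring closes.
    Returns (distinct records seen, covered fraction, guesses made)."""
    rng = random.Random(seed)
    chain = build_chain(ZONE_NAMES, SALT, ITERATIONS)
    cov = ChainCoverage()
    guesses = 0
    while not cov.should_stop():
        guess = "%08x.example." % rng.getrandbits(32)   # constructed random label
        cov.add(*covering_record(chain, nsec3_hash(guess, SALT, ITERATIONS)))
        guesses += 1
    return len(cov.intervals), cov.covered_fraction(), guesses


if __name__ == "__main__":
    print("hash of example. =", nsec3_hash("example.", SALT, ITERATIONS))
    print("records, coverage, guesses =", run_until_closed())
```

The point of `covered_fraction` is the one made earlier in the thread: the run is finished when the recorded intervals sum to the full ring, which happens exactly when the number of distinct records equals the number of names in the zone; the budget knobs only matter for zones whose smallest interval is so narrow that random guesses rarely land in it.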