nwalk script for NSEC crawling complete, optimized to pipe in from the stdin, documentation updated
This commit is contained in:
parent
c4950062a6
commit
81d2ab767b
BIN
.screens/preview.gif
Normal file
BIN
.screens/preview.gif
Normal file
Binary file not shown.
After Width: | Height: | Size: 1.6 MiB |
13
README.md
13
README.md
@ -1,13 +1,18 @@
|
|||||||
# NSECX
|
# NSECX
|
||||||
|
> Research project on NSEC[3] walking for DNSSEC enabled Zones
|
||||||
|
|
||||||
###### Rsearch project on NSEC[3] walking for DNSSEC enabled Zones
|
![](./.screens/preview.gif)
|
||||||
|
|
||||||
## Work in progress: Come back later
|
## [Work in Progress]
|
||||||
|
|
||||||
The repository contains utilities for DNSSEC zone enumeration and subdomain discovery via NSEC/NSEC3 walking. It focuses on extracting and analyzing DNSSEC records for TLDs and specific target domains. Meant for educational purposes, security research, and sanctioned penetration testing, these tools aid in uncovering the underlying mechanisms of DNS security.
|
The repository contains utilities for DNSSEC zone enumeration and subdomain discovery via NSEC/NSEC3 walking. It focuses on extracting and analyzing DNSSEC records for TLDs and specific target domains. Meant for educational purposes, security research, and sanctioned penetration testing, these tools aid in uncovering the underlying mechanisms of DNS security.
|
||||||
|
|
||||||
## Statistics
|
## DNSSEC Statistics
|
||||||
Based on my research at the time of writing this repository, after mapping 1,458 TLD zones, 89.78% use NSEC3, and 3.50% use NSEC, and 6.72% do not have DNSSEC features at all.
|
| Status | Percentage | TLDs |
|
||||||
|
| ---------------------------------------- | ---------- | ----- |
|
||||||
|
| [NSEC3](./dnssec_stats/nsec3.txt) | 90% | 1,313 |
|
||||||
|
| [NSEC](./dnssec_stats/nsec.txt) | 3% | 51 |
|
||||||
|
| [NO DNSSEC](./dnssec_stats/nodnssec.txt) | 7% | 98 |
|
||||||
|
|
||||||
## NSEC Pitfalls
|
## NSEC Pitfalls
|
||||||
- Results inconsistent, must hop dns servers on ALL issues to continue the crawl.
|
- Results inconsistent, must hop dns servers on ALL issues to continue the crawl.
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
# NSEC walk script for DNSSEC - developed by acidvegas (https://git.acid.vegas/nsecx)
|
# NSEC Statistics for TLDs - developed by acidvegas (https://git.acid.vegas/nsecx)
|
||||||
# tldsec
|
# tldsec
|
||||||
|
|
||||||
# This script will check the DNSSEC status of all TLDs and output the results separated by NSEC, NSEC3, and NODNSSEC.
|
# This script will check the DNSSEC status of all TLDs and output the results separated by NSEC, NSEC3, and NODNSSEC.
|
||||||
@ -17,17 +17,8 @@ NC='\033[0m'
|
|||||||
# Create the output directory if it doesn't exist
|
# Create the output directory if it doesn't exist
|
||||||
mkdir -p output
|
mkdir -p output
|
||||||
|
|
||||||
# Parse the tld list from a root nameserver (todo: randomize the root nameserver)
|
# Parse the tld list from a root nameserver
|
||||||
tld_list=$(dig AXFR . @g.root-servers.net | grep -E 'IN\s+NS' | awk '{print $1}' | sed 's/\.$//' | sort -u)
|
tld_list=$(dig AXFR . @g.root-servers.net | grep -E 'IN\s+NS' | awk '{print $1}' | sed 's/\.$//' | sort -u)
|
||||||
if [ -z $tld_list ]; then
|
|
||||||
tld_list=$(curl -s 'https://data.iana.org/TLD/tlds-alpha-by-domain.txt' | tail -n +2 | tr '[:upper:]' '[:lower:]')
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Check if the list was retrieved successfully
|
|
||||||
if [ -z "$tld_list" ]; then
|
|
||||||
printf "${RED}Failed to fetch the list of TLDs.${NC}\n"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Get the total number of TLDs, excluding comments and empty lines
|
# Get the total number of TLDs, excluding comments and empty lines
|
||||||
total_tlds=$(echo "$tld_list" | grep -v '^#' | grep -v '^$' | wc -l | tr -d ' ')
|
total_tlds=$(echo "$tld_list" | grep -v '^#' | grep -v '^$' | wc -l | tr -d ' ')
|
54
nsec
54
nsec
@ -1,54 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
# NSEC walk script for DNSSEC - developed by acidvegas (https://git.acid.vegas/nsecx)
|
|
||||||
# nsec
|
|
||||||
|
|
||||||
# This script will walk through a DNS zone using NSEC records.
|
|
||||||
|
|
||||||
# You can wall all the zones outputted from tldsec using the following command:
|
|
||||||
# cat output/nsec.txt | while read line; do ./nsec "$line"; done
|
|
||||||
|
|
||||||
dns_servers=$(curl -s https://public-dns.info/nameservers.txt | grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b')
|
|
||||||
nameserver=$(echo "$dns_servers" | shuf -n 1)
|
|
||||||
|
|
||||||
# Loop to walk through the zone using NSEC records
|
|
||||||
while IFS= read -r line; do
|
|
||||||
tld="$line"
|
|
||||||
|
|
||||||
current_domain="$tld"
|
|
||||||
retry=0
|
|
||||||
breaker=0
|
|
||||||
while true; do
|
|
||||||
# Perform the dig command to get the NSEC record for the current domain
|
|
||||||
output="$(dig @${nameserver} +trace +time=10 +tries=3 $current_domain NSEC)"
|
|
||||||
|
|
||||||
# Use grep to find the line with the current domain and then use awk to extract the next domain
|
|
||||||
next_domain=$(echo "$output" | grep -F "$current_domain" | awk '$4 == "NSEC" { print $5 }')
|
|
||||||
|
|
||||||
if [ -z "$next_domain" ] || [ -n "$(printf '%s' "$next_domain" | tr -cd '\000')" ] || [ "$next_domain" = "$current_domain" ]; then
|
|
||||||
next_domain="$current_domain"
|
|
||||||
retry=$((retry + 1))
|
|
||||||
elif [ "$next_domain" = "nic.$tld" ]; then
|
|
||||||
echo "Found NIC!"
|
|
||||||
next_domain=
|
|
||||||
else
|
|
||||||
echo "Found NSEC record: $next_domain"
|
|
||||||
echo "$next_domain" >> output/nsec/$tld.txt
|
|
||||||
retry=0
|
|
||||||
breaker=0
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ $retry -eq 3 ]; then
|
|
||||||
nameserver=$(echo "$dns_servers" | shuf -n 1)
|
|
||||||
retry=0
|
|
||||||
breaker=$((breaker + 1))
|
|
||||||
if [ $breaker -eq 3 ]; then
|
|
||||||
echo "Failed to get NSEC record for $current_domain"
|
|
||||||
break
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Update the current domain to the next one for the following iteration
|
|
||||||
current_domain=$next_domain
|
|
||||||
|
|
||||||
done
|
|
||||||
done < nsec.txt
|
|
82
nwalk
82
nwalk
@ -1,5 +1,17 @@
|
|||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
# NSEC Walk - developed by acidvegas (https://git.acid.vegas)
|
# NSEC Walking for DNSSEC enabled zones - developed by acidvegas (https://git.acid.vegas/nsecx)
|
||||||
|
|
||||||
|
# Usage:
|
||||||
|
# NSEC walk on a single domain:
|
||||||
|
# ./nwalk <domain>
|
||||||
|
# NSEC walk on a list of domains:
|
||||||
|
# cat domain_list.txt | ./nwalk
|
||||||
|
# NSEC walk on a list of domains using parallel:
|
||||||
|
# parallel -a domain_list.txt -j 10 ./nwalk
|
||||||
|
# NSEC walk on all TLDs:
|
||||||
|
# curl -s 'https://data.iana.org/TLD/tlds-alpha-by-domain.txt' | tail -n +2 | tr '[:upper:]' '[:lower:]' | ./nwalk
|
||||||
|
# NSEC walk on all PSL TLDs:
|
||||||
|
# curl -s https://publicsuffix.org/list/public_suffix_list.dat | grep -vE '^(//|.*[*!])' | grep '\.' | awk '{print $1}' | ./nwalk
|
||||||
|
|
||||||
# Colors
|
# Colors
|
||||||
BLUE="\033[1;34m"
|
BLUE="\033[1;34m"
|
||||||
@ -12,11 +24,6 @@ RED="\033[1;31m"
|
|||||||
YELLOW="\033[1;33m"
|
YELLOW="\033[1;33m"
|
||||||
RESET="\033[0m"
|
RESET="\033[0m"
|
||||||
|
|
||||||
# Set output directory
|
|
||||||
output_dir="nwalk_out"
|
|
||||||
mkdir -p $output_dir
|
|
||||||
|
|
||||||
|
|
||||||
nsec_crawl() {
|
nsec_crawl() {
|
||||||
domain=$1
|
domain=$1
|
||||||
|
|
||||||
@ -101,70 +108,15 @@ nsec_crawl() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Set output directory
|
||||||
psl_crawl() {
|
output_dir="nwalk_out"
|
||||||
psl=$(curl -s https://publicsuffix.org/list/public_suffix_list.dat | grep -vE '^(//|.*[*!])' | grep '\.' | awk '{print $1}')
|
mkdir -p $output_dir
|
||||||
|
|
||||||
[ -z "$psl" ] && echo "${RED}No PSL TLDs found${RESET}" && exit 1
|
|
||||||
|
|
||||||
total_psl=$(echo "$psl" | wc -l)
|
|
||||||
echo "${BLUE}Found ${total_psl} PSL TLDs${RESET}"
|
|
||||||
|
|
||||||
for tld in $psl; do
|
|
||||||
nsec_crawl $tld
|
|
||||||
done
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
tld_crawl() {
|
|
||||||
process_domain "."
|
|
||||||
|
|
||||||
rndroot=$(find $output_dir/*.root-servers.net.txt -type f | shuf -n 1)
|
|
||||||
|
|
||||||
tlds=$(curl -s 'https://data.iana.org/TLD/tlds-alpha-by-domain.txt' | tail -n +2 | tr '[:upper:]' '[:lower:]')
|
|
||||||
|
|
||||||
[ -z "$tlds" ] && echo "${RED}No TLDs found${RESET}" && exit 1
|
|
||||||
|
|
||||||
total_tld=$(echo "$tlds" | wc -l)
|
|
||||||
echo "${BLUE}Found ${total_tld} TLDs${RESET}"
|
|
||||||
|
|
||||||
for tld in $tlds; do
|
|
||||||
nsec_crawl $tld
|
|
||||||
done
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
if [ -t 0 ]; then
|
if [ -t 0 ]; then
|
||||||
[ $# -eq 0 ] && echo "Usage: $0 <domain> or cat domain_list.txt | $0" && exit 1
|
[ $# -ne 1 ] && echo "Usage: $0 <domain> or cat domain_list.txt | $0" && exit 1
|
||||||
nsec_crawl $1
|
nsec_crawl $1
|
||||||
else
|
else
|
||||||
while IFS= read -r line; do
|
while IFS= read -r line; do
|
||||||
nsec_crawl $line
|
nsec_crawl $line
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -t 0 ]; then
|
|
||||||
if [ $# -ne 1 ]; then
|
|
||||||
echo "Usage: $0 <option>"
|
|
||||||
echo ""
|
|
||||||
echo "Options:"
|
|
||||||
echo " -tld : Perform an NSEC crawl on all TLDs"
|
|
||||||
echo " -psl : Perform an NSEC crawl on all PSL TLDs"
|
|
||||||
echo " <domain> : Perform an NSEC crawl on a single domain"
|
|
||||||
echo ""
|
|
||||||
echo "Standard Input:"
|
|
||||||
echo " cat domain_list.txt | $0"
|
|
||||||
exit 1
|
|
||||||
elif [ $1 = '-tld' ]; then
|
|
||||||
tld_crawl
|
|
||||||
elif [ $1 = '-psl' ]; then
|
|
||||||
psl_crawl
|
|
||||||
else
|
|
||||||
nsec_crawl $1
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
while IFS= read -r line; do
|
|
||||||
nsec_crawl $line
|
|
||||||
done
|
|
||||||
fi
|
|
@ -1,51 +0,0 @@
|
|||||||
arpa
|
|
||||||
audio
|
|
||||||
auto
|
|
||||||
ax
|
|
||||||
bd
|
|
||||||
br
|
|
||||||
bt
|
|
||||||
car
|
|
||||||
cars
|
|
||||||
ch
|
|
||||||
christmas
|
|
||||||
ci
|
|
||||||
diet
|
|
||||||
dz
|
|
||||||
ee
|
|
||||||
er
|
|
||||||
flowers
|
|
||||||
game
|
|
||||||
gdn
|
|
||||||
gn
|
|
||||||
gov
|
|
||||||
guitars
|
|
||||||
hosting
|
|
||||||
id
|
|
||||||
ir
|
|
||||||
kg
|
|
||||||
kz
|
|
||||||
lb
|
|
||||||
li
|
|
||||||
lk
|
|
||||||
lol
|
|
||||||
lr
|
|
||||||
mc
|
|
||||||
mom
|
|
||||||
nu
|
|
||||||
pics
|
|
||||||
pr
|
|
||||||
ruhr
|
|
||||||
se
|
|
||||||
sl
|
|
||||||
tn
|
|
||||||
tz
|
|
||||||
ve
|
|
||||||
xn--54b7fta0cc
|
|
||||||
xn--80ao21a
|
|
||||||
xn--fzc2c9e2c
|
|
||||||
xn--l1acc
|
|
||||||
xn--mgbai9azgqp6j
|
|
||||||
xn--pgbs0dh
|
|
||||||
xn--xkc2al3hye2a
|
|
||||||
xn--ygbi2ammx
|
|
Loading…
Reference in New Issue
Block a user