nwalk script for NSEC crawling complete, optimized to pipe in from the stdin, documentation updated

Dionysus 2024-03-18 18:27:03 -04:00
parent c4950062a6
commit 81d2ab767b
Signed by: acidvegas
GPG Key ID: EF4B922DB85DC9DE
9 changed files with 28 additions and 185 deletions

BIN
.screens/preview.gif Normal file

Binary file not shown.



@ -1,13 +1,18 @@
# NSECX # NSECX
> Research project on NSEC[3] walking for DNSSEC enabled Zones
###### Rsearch project on NSEC[3] walking for DNSSEC enabled Zones ![](./.screens/preview.gif)
## Work in progress: Come back later ## [Work in Progress]
The repository contains utilities for DNSSEC zone enumeration and subdomain discovery via NSEC/NSEC3 walking. It focuses on extracting and analyzing DNSSEC records for TLDs and specific target domains. Meant for educational purposes, security research, and sanctioned penetration testing, these tools aid in uncovering the underlying mechanisms of DNS security. The repository contains utilities for DNSSEC zone enumeration and subdomain discovery via NSEC/NSEC3 walking. It focuses on extracting and analyzing DNSSEC records for TLDs and specific target domains. Meant for educational purposes, security research, and sanctioned penetration testing, these tools aid in uncovering the underlying mechanisms of DNS security.
## Statistics ## DNSSEC Statistics
Based on my research at the time of writing this repository, after mapping 1,458 TLD zones, 89.78% use NSEC3, and 3.50% use NSEC, and 6.72% do not have DNSSEC features at all. | Status | Percentage | TLDs |
| ---------------------------------------- | ---------- | ----- |
| [NSEC3](./dnssec_stats/nsec3.txt) | 90% | 1,313 |
| [NSEC](./dnssec_stats/nsec.txt) | 3% | 51 |
| [NO DNSSEC](./dnssec_stats/nodnssec.txt) | 7% | 98 |
## NSEC Pitfalls ## NSEC Pitfalls
- Results inconsistent, must hop dns servers on ALL issues to continue the crawl. - Results inconsistent, must hop dns servers on ALL issues to continue the crawl.


@ -1,5 +1,5 @@
#!/bin/sh #!/bin/sh
# NSEC walk script for DNSSEC - developed by acidvegas (https://git.acid.vegas/nsecx) # NSEC Statistics for TLDs - developed by acidvegas (https://git.acid.vegas/nsecx)
# tldsec # tldsec
# This script will check the DNSSEC status of all TLDs and output the results separated by NSEC, NSEC3, and NODNSSEC. # This script will check the DNSSEC status of all TLDs and output the results separated by NSEC, NSEC3, and NODNSSEC.
@ -17,17 +17,8 @@ NC='\033[0m'
# Create the output directory if it doesn't exist # Create the output directory if it doesn't exist
mkdir -p output mkdir -p output
# Parse the tld list from a root nameserver (todo: randomize the root nameserver) # Parse the tld list from a root nameserver
tld_list=$(dig AXFR . @g.root-servers.net | grep -E 'IN\s+NS' | awk '{print $1}' | sed 's/\.$//' | sort -u) tld_list=$(dig AXFR . @g.root-servers.net | grep -E 'IN\s+NS' | awk '{print $1}' | sed 's/\.$//' | sort -u)
if [ -z $tld_list ]; then
tld_list=$(curl -s 'https://data.iana.org/TLD/tlds-alpha-by-domain.txt' | tail -n +2 | tr '[:upper:]' '[:lower:]')
fi
# Check if the list was retrieved successfully
if [ -z "$tld_list" ]; then
printf "${RED}Failed to fetch the list of TLDs.${NC}\n"
exit 1
fi
# Get the total number of TLDs, excluding comments and empty lines # Get the total number of TLDs, excluding comments and empty lines
total_tlds=$(echo "$tld_list" | grep -v '^#' | grep -v '^$' | wc -l | tr -d ' ') total_tlds=$(echo "$tld_list" | grep -v '^#' | grep -v '^$' | wc -l | tr -d ' ')
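Review bot: After this change nothing checks that `tld_list` is non-empty: the `dig AXFR . @g.root-servers.net` pipeline is now the only source, and both the IANA fallback and the "Failed to fetch" exit were dropped. A refused or timed-out transfer leaves `total_tlds` at 0 and the script carries on, which could produce empty statistics that look like a valid run; the code after this hunk is not visible, so the exact effect cannot be confirmed here. I would keep a guard directly after the assignment, assuming `RED` is still defined above: `[ -n "$tld_list" ] || { printf '%b\n' "${RED}Failed to fetch the list of TLDs.${NC}" >&2; exit 1; }`. The transfer is also plain, unauthenticated DNS from one hard-coded server, so a one-line comment marking the list as untrusted input would help the next reader.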

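--- a/nsec
+++ b/nsec
@@ -1,54 +0,0 @@
-#!/bin/sh
-# NSEC walk script for DNSSEC - developed by acidvegas (https://git.acid.vegas/nsecx)
-# nsec
-# This script will walk through a DNS zone using NSEC records.
-# You can wall all the zones outputted from tldsec using the following command:
-# cat output/nsec.txt | while read line; do ./nsec "$line"; done
-dns_servers=$(curl -s https://public-dns.info/nameservers.txt | grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b')
-nameserver=$(echo "$dns_servers" | shuf -n 1)
-# Loop to walk through the zone using NSEC records
-while IFS= read -r line; do
-tld="$line"
-current_domain="$tld"
-retry=0
-breaker=0
-while true; do
-# Perform the dig command to get the NSEC record for the current domain
-output="$(dig @${nameserver} +trace +time=10 +tries=3 $current_domain NSEC)"
-# Use grep to find the line with the current domain and then use awk to extract the next domain
-next_domain=$(echo "$output" | grep -F "$current_domain" | awk '$4 == "NSEC" { print $5 }')
-if [ -z "$next_domain" ] || [ -n "$(printf '%s' "$next_domain" | tr -cd '\000')" ] || [ "$next_domain" = "$current_domain" ]; then
-next_domain="$current_domain"
-retry=$((retry + 1))
-elif [ "$next_domain" = "nic.$tld" ]; then
-echo "Found NIC!"
-next_domain=
-else
-echo "Found NSEC record: $next_domain"
-echo "$next_domain" >> output/nsec/$tld.txt
-retry=0
-breaker=0
-fi
-if [ $retry -eq 3 ]; then
-nameserver=$(echo "$dns_servers" | shuf -n 1)
-retry=0
-breaker=$((breaker + 1))
-if [ $breaker -eq 3 ]; then
-echo "Failed to get NSEC record for $current_domain"
-break
-fi
-fi
-# Update the current domain to the next one for the following iteration
-current_domain=$next_domain
-done
-done < nsec.txt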

82
nwalk

@ -1,5 +1,17 @@
#!/bin/sh #!/bin/sh
# NSEC Walk - developed by acidvegas (https://git.acid.vegas) # NSEC Walking for DNSSEC enabled zones - developed by acidvegas (https://git.acid.vegas/nsecx)
# Usage:
# NSEC walk on a single domain:
# ./nwalk <domain>
# NSEC walk on a list of domains:
# cat domain_list.txt | ./nwalk
# NSEC walk on a list of domains using parallel:
# parallel -a domain_list.txt -j 10 ./nwalk
# NSEC walk on all TLDs:
# curl -s 'https://data.iana.org/TLD/tlds-alpha-by-domain.txt' | tail -n +2 | tr '[:upper:]' '[:lower:]' | ./nwalk
# NSEC walk on all PSL TLDs:
# curl -s https://publicsuffix.org/list/public_suffix_list.dat | grep -vE '^(//|.*[*!])' | grep '\.' | awk '{print $1}' | ./nwalk
# Colors # Colors
BLUE="\033[1;34m" BLUE="\033[1;34m"
@ -12,11 +24,6 @@ RED="\033[1;31m"
YELLOW="\033[1;33m" YELLOW="\033[1;33m"
RESET="\033[0m" RESET="\033[0m"
# Set output directory
output_dir="nwalk_out"
mkdir -p $output_dir
nsec_crawl() { nsec_crawl() {
domain=$1 domain=$1
@ -101,70 +108,15 @@ nsec_crawl() {
fi fi
} }
# Set output directory
psl_crawl() { output_dir="nwalk_out"
psl=$(curl -s https://publicsuffix.org/list/public_suffix_list.dat | grep -vE '^(//|.*[*!])' | grep '\.' | awk '{print $1}') mkdir -p $output_dir
[ -z "$psl" ] && echo "${RED}No PSL TLDs found${RESET}" && exit 1
total_psl=$(echo "$psl" | wc -l)
echo "${BLUE}Found ${total_psl} PSL TLDs${RESET}"
for tld in $psl; do
nsec_crawl $tld
done
}
tld_crawl() {
process_domain "."
rndroot=$(find $output_dir/*.root-servers.net.txt -type f | shuf -n 1)
tlds=$(curl -s 'https://data.iana.org/TLD/tlds-alpha-by-domain.txt' | tail -n +2 | tr '[:upper:]' '[:lower:]')
[ -z "$tlds" ] && echo "${RED}No TLDs found${RESET}" && exit 1
total_tld=$(echo "$tlds" | wc -l)
echo "${BLUE}Found ${total_tld} TLDs${RESET}"
for tld in $tlds; do
nsec_crawl $tld
done
}
if [ -t 0 ]; then if [ -t 0 ]; then
[ $# -eq 0 ] && echo "Usage: $0 <domain> or cat domain_list.txt | $0" && exit 1 [ $# -ne 1 ] && echo "Usage: $0 <domain> or cat domain_list.txt | $0" && exit 1
nsec_crawl $1 nsec_crawl $1
else else
while IFS= read -r line; do while IFS= read -r line; do
nsec_crawl $line nsec_crawl $line
done done
fi
if [ -t 0 ]; then
if [ $# -ne 1 ]; then
echo "Usage: $0 <option>"
echo ""
echo "Options:"
echo " -tld : Perform an NSEC crawl on all TLDs"
echo " -psl : Perform an NSEC crawl on all PSL TLDs"
echo " <domain> : Perform an NSEC crawl on a single domain"
echo ""
echo "Standard Input:"
echo " cat domain_list.txt | $0"
exit 1
elif [ $1 = '-tld' ]; then
tld_crawl
elif [ $1 = '-psl' ]; then
psl_crawl
else
nsec_crawl $1
fi
else
while IFS= read -r line; do
nsec_crawl $line
done
fi fi
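Review bot: Both call sites on the new side pass their input unquoted — `nsec_crawl $1` and, in the stdin loop, `nsec_crawl $line` — while the usage header added in this commit recommends piping lists fetched with curl straight into the script. Each line therefore undergoes word splitting and glob expansion before `nsec_crawl` sees it, and nothing rejects empty lines or characters that are not valid in a host name. `nsec_crawl`'s body lies outside these hunks, so whether the value ends up in a file name under `$output_dir` cannot be confirmed here; if it does, a line containing `/` would also be a path problem. I would quote the arguments (`nsec_crawl "$1"`, `nsec_crawl "$line"`, `mkdir -p "$output_dir"`) and filter in the loop with `case $line in ''|*[!A-Za-z0-9._-]*) continue ;; esac`.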


@ -1,51 +0,0 @@
arpa
audio
auto
ax
bd
br
bt
car
cars
ch
christmas
ci
diet
dz
ee
er
flowers
game
gdn
gn
gov
guitars
hosting
id
ir
kg
kz
lb
li
lk
lol
lr
mc
mom
nu
pics
pr
ruhr
se
sl
tn
tz
ve
xn--54b7fta0cc
xn--80ao21a
xn--fzc2c9e2c
xn--l1acc
xn--mgbai9azgqp6j
xn--pgbs0dh
xn--xkc2al3hye2a
xn--ygbi2ammx