Dionysus 2023-11-14 18:32:29 -05:00
parent a10ca94dc7
commit 9f85678d0a
Signed by: acidvegas
GPG Key ID: EF4B922DB85DC9DE
2 changed files with 91 additions and 26 deletions


@ -7,7 +7,55 @@
The repository contains utilities for DNSSEC zone enumeration and subdomain discovery via NSEC/NSEC3 walking. It focuses on extracting and analyzing DNSSEC records for TLDs and specific target domains. Meant for educational purposes, security research, and sanctioned penetration testing, these tools aid in uncovering the underlying mechanisms of DNS security. The repository contains utilities for DNSSEC zone enumeration and subdomain discovery via NSEC/NSEC3 walking. It focuses on extracting and analyzing DNSSEC records for TLDs and specific target domains. Meant for educational purposes, security research, and sanctioned penetration testing, these tools aid in uncovering the underlying mechanisms of DNS security.
## Statistics ## Statistics
Based on my research at the time of writing this repository, after mapping 1,458 TLD zones, 89.37% use NSEC3, and 3.70% use NSEC, and 6.93% do not have DNSSEC features at all. Based on my research at the time of writing this repository, after mapping 1,458 TLD zones, 89.78% use NSEC3, and 3.50% use NSEC, and 6.72% do not have DNSSEC features at all.
## NSEC Pitfalls
- Results inconsistent, must hop dns servers on ALL issues to continue the crawl.
- Running into \000 *(null)* characters in sub-domains *(strange bind version issue missing "w" character in the charmap)*
- Running into *.domain.tld issues creates a crawling loop :
```
Next domain: myfreedom.auto.
Next domain: ne.auto.
Next domain: neom.auto.
Next domain: netdirector.auto.
Next domain: netprophet.auto.
Next domain: netto.auto.
Next domain: newjersey.auto.
Next domain: nexteer.auto.
Next domain: nextev.auto.
Next domain: nh.auto.
Next domain: nic.auto.
Next domain: *.nic.auto.
Next domain: _c311ff38bcd400b0adf7fa2b71732858.nic.auto.
Next domain: a.nic.auto.
Next domain: b.nic.auto.
Next domain: c.nic.auto.
Next domain: d.nic.auto.
Next domain: web1.nic.auto.
Next domain: web2.nic.auto.
Next domain: whois.nic.auto.
Next domain: _aa5536969dd3a62238209b6b2b750c1c.whois.nic.auto.
Next domain: www.nic.auto.
Next domain: _b529263a31adafb2e3be5d632e66c16b.www.nic.auto.
Next domain: nic.auto.
Next domain: *.nic.auto.
Next domain: _c311ff38bcd400b0adf7fa2b71732858.nic.auto.
Next domain: a.nic.auto.
Next domain: b.nic.auto.
Next domain: c.nic.auto.
Next domain: d.nic.auto.
Next domain: web1.nic.auto.
Next domain: web2.nic.auto.
Next domain: whois.nic.auto.
Next domain: _aa5536969dd3a62238209b6b2b750c1c.whois.nic.auto.
Next domain: www.nic.auto.
Next domain: _b529263a31adafb2e3be5d632e66c16b.www.nic.auto.
Next domain: nic.auto.
Next domain: *.nic.auto.
Next domain: _c311ff38bcd400b0adf7fa2b71732858.nic.auto.
```
## References ## References
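Review bot: The new bullet "Running into *.domain.tld issues creates a crawling loop" blames the wildcard, but in the pasted trace the walk passes `*.nic.auto.` without trouble and only repeats once `_b529263a31adafb2e3be5d632e66c16b.www.nic.auto.` points back to `nic.auto.`, so what the trace shows is the chain under `nic.auto.` closing on itself. Suggest rewording the bullet to describe that, and trimming the sample to one full cycle plus the first repeated name, since the second and third repetitions add nothing. The first bullet ("must hop dns servers on ALL issues") would also be easier to act on if it said which failures were observed.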
@ -16,3 +64,5 @@ ___
###### Mirrors ###### Mirrors
[acid.vegas](https://git.acid.vegas/nsecx) • [GitHub](https://github.com/acidvegas/nsecx) • [GitLab](https://gitlab.com/acidvegas/nsecx) • [SuperNETs](https://git.supernets.org/acidvegas/nsecx) [acid.vegas](https://git.acid.vegas/nsecx) • [GitHub](https://github.com/acidvegas/nsecx) • [GitLab](https://gitlab.com/acidvegas/nsecx) • [SuperNETs](https://git.supernets.org/acidvegas/nsecx)

51
nsec

@ -4,36 +4,51 @@
# This script will walk through a DNS zone using NSEC records. # This script will walk through a DNS zone using NSEC records.
# TLD to start the walk from # You can wall all the zones outputted from tldsec using the following command:
tld="$1" # cat output/nsec.txt | while read line; do ./nsec "$line"; done
# Initialize the top-level domain (TLD) to start the walk from dns_servers=$(curl -s https://public-dns.info/nameservers.txt | grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b')
current_domain="$tld" nameserver=$(echo "$dns_servers" | shuf -n 1)
#dns_servers=$(curl -s https://public-dns.info/nameservers.txt | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}')
# Loop to walk through the zone using NSEC records # Loop to walk through the zone using NSEC records
while true; do while IFS= read -r line; do
# Select a random DNS server from the list tld="$line"
#nameserver=$(shuf -n 1 -e $dns_servers)
current_domain="$tld"
retry=0
breaker=0
while true; do
# Perform the dig command to get the NSEC record for the current domain # Perform the dig command to get the NSEC record for the current domain
#output="$(dig @${nameserver} +trace $current_domain NSEC)" output="$(dig @${nameserver} +trace +time=10 +tries=3 $current_domain NSEC)"
output="$(dig +trace $current_domain NSEC)"
# Use grep to find the line with the current domain and then use awk to extract the next domain # Use grep to find the line with the current domain and then use awk to extract the next domain
next_domain=$(echo "$output" | grep -F "$current_domain" | awk '$4 == "NSEC" { print $5 }') next_domain=$(echo "$output" | grep -F "$current_domain" | awk '$4 == "NSEC" { print $5 }')
# Check if we got a valid next domain if [ -z "$next_domain" ] || [ -n "$(printf '%s' "$next_domain" | tr -cd '\000')" ] || [ "$next_domain" = "$current_domain" ]; then
if [ -z "$next_domain" ] || [ "$next_domain" = "$current_domain" ]; then next_domain="$current_domain"
echo "$output" retry=$((retry + 1))
echo "End of zone reached or no more domains found." elif [ "$next_domain" = "nic.$tld" ]; then
break echo "Found NIC!"
next_domain=
else
echo "Found NSEC record: $next_domain"
echo "$next_domain" >> output/nsec/$tld.txt
retry=0
breaker=0
fi fi
# Print the next domain if [ $retry -eq 3 ]; then
echo "Next domain: $next_domain" nameserver=$(echo "$dns_servers" | shuf -n 1)
retry=0
breaker=$((breaker + 1))
if [ $breaker -eq 3 ]; then
echo "Failed to get NSEC record for $current_domain"
break
fi
fi
# Update the current domain to the next one for the following iteration # Update the current domain to the next one for the following iteration
current_domain=$next_domain current_domain=$next_domain
done done
done < nsec.txt
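Review bot: The `elif [ "$next_domain" = "nic.$tld" ]` branch clears `next_domain` but never leaves the inner `while true`, so after "Found NIC!" `current_domain` is empty and the next `dig` runs with no name; add a `break` after the echo. That comparison also only matches if the lines in `nsec.txt` carry the trailing dot, because the names taken from `$5` are fully qualified (the README trace shows `nic.auto.`), so normalise `$tld` before comparing. The `tr -cd '\000'` test in the first condition cannot fire: command substitution does not carry NUL bytes, and the README describes the problem as a literal `\000` escape in the name, so match the text instead, for example `case "$next_domain" in *'\000'*)`. With `+trace`, dig uses `@${nameserver}` only for the initial root name server lookup, so rotating the resolver after three retries changes very little of the query path; an empty `dns_servers` (failed `curl`) is also not checked before `shuf`. Finally, the header comment still tells the user to run `./nsec "$line"` per line of `output/nsec.txt` ("wall" should be "walk"), but the script no longer reads `$1` and instead reads `nsec.txt` from the current directory; pick one input method and make the comment and the path agree, and quote `"output/nsec/$tld.txt"`.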