[dns-operations] Fwd: [FD] [Tool] nsec3map v0.3 - DNSSEC Zone Enumerator

Paul Vixie paul at redbarn.org
Fri Apr 10 01:29:10 UTC 2015

FYI, coming from another mailing list.


-------- Original Message --------
Subject: 	[FD] [Tool] nsec3map v0.3 - DNSSEC Zone Enumerator
Date: 	Fri, 10 Apr 2015 00:49:07 +0200
From: 	An Onion <nsec3map at 3fnc.org>
To: 	fulldisclosure at seclists.org

nsec3map is a DNS zone enumerator that makes use of DNSSEC NSEC or NSEC3
records. It allows to discover hosts quickly and with a minimal number
of DNS queries (usually just one query per resource record). 

In NSEC mode, it can be configured to send "A" queries, which can be
useful in cases where the nameserver blocks the direct querying of NSEC

In NSEC3 mode, the tool finds a domain name which is not covered
by any received NSEC3 record locally and then queries the computed name
to receive a new record of the NSEC3 chain.
Once the chain (or a part of it) is obtained, the NSEC3 hashes can be
cracked (e.g. using John the Ripper) to get the plaintext record names.
This is usually not very hard to do using a dictionary attack or even
brute force, as domain names tend to be rather short and easy to guess.
nsec3map can also accurately extrapolate the total size of the NSEC3
chain based on the hash-distance covered by a small number of already
obtained records. Furthermore, it supports an aggressive mode which can
speed up the enumeration significantly by sending multiple queries in
parallel, although this might cause the tool to send more queries than
absolutely needed. 

Version 0.3 of nsec3map is capable of enumerating a high percentage ( >
99% ) of NSEC3 records even if the zone is very large (e.g. a million or
more entries) in a matter of minutes on contemporary hardware.
A few years ago we also demonstrated that we were able to crack 84% of a
total of 1.31 million NSEC3 records obtained from a real TLD zone in a
few days using common CPUs at the time.

nsec3map v0.3 has now moved to a new repository on GitHub:

Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/

More information about the dns-operations mailing list