Diffstat (limited to 'scripts/dns-client-subnet-scan.nse')
-rw-r--r--scripts/dns-client-subnet-scan.nse359
1 files changed, 359 insertions, 0 deletions
diff --git a/scripts/dns-client-subnet-scan.nse b/scripts/dns-client-subnet-scan.nse
new file mode 100644
index 0000000..ce35dc2
--- /dev/null
+++ b/scripts/dns-client-subnet-scan.nse
@@ -0,0 +1,359 @@
+local dns = require "dns"
+local ipOps = require "ipOps"
+local nmap = require "nmap"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local string = require "string"
+local table = require "table"
+
+description = [[
+Performs a domain lookup using the edns-client-subnet option which
+allows clients to specify the subnet that queries supposedly originate
+from. The script uses this option to supply a number of
+geographically distributed locations in an attempt to enumerate as
+many different address records as possible. The script also supports
+requests using a given subnet.
+
+* https://tools.ietf.org/html/rfc7871
+]]
+
+---
+-- @usage
+-- nmap -sU -p 53 --script dns-client-subnet-scan --script-args \
+-- 'dns-client-subnet-scan.domain=www.example.com, \
+-- dns-client-subnet-scan.address=192.168.0.1 \
+-- [,dns-client-subnet-scan.nameserver=8.8.8.8] \
+-- [,dns-client-subnet-scan.mask=24]' <target>
+-- nmap --script dns-client-subnet-scan --script-args \
+-- 'dns-client-subnet-scan.domain=www.example.com, \
+-- dns-client-subnet-scan.address=192.168.0.1 \
+-- dns-client-subnet-scan.nameserver=8.8.8.8, \
+-- [,dns-client-subnet-scan.mask=24]'
+--
+-- @output
+-- 53/udp open domain udp-response
+-- | dns-client-subnet-scan:
+-- | www.google.com
+-- | 1.2.3.4
+-- | 5.6.7.8
+-- | 9.10.11.12
+-- | 13.14.15.16
+-- | .
+-- | .
+-- |_ .
+---
+-- @args dns-client-subnet-scan.domain The domain to lookup eg. www.example.org
+-- @args dns-client-subnet-scan.address The client subnet address to use
+-- @args dns-client-subnet-scan.mask [optional] The number of bits to use as subnet mask (default: 24)
+-- @args dns-client-subnet-scan.nameserver [optional] nameserver to use. (default = host.ip)
+--
+
+author = "John R. Bond"
+license = "Simplified (2-clause) BSD license--See https://nmap.org/svn/docs/licenses/BSD-simplified"
+categories = {"discovery", "safe"}
+
+
+local argNS = stdnse.get_script_args(SCRIPT_NAME .. '.nameserver')
+local argDomain = stdnse.get_script_args(SCRIPT_NAME .. '.domain')
+local argMask = stdnse.get_script_args(SCRIPT_NAME .. '.mask') or 24
+local argAddr = stdnse.get_script_args(SCRIPT_NAME .. '.address')
+
+prerule = function()
+ return argDomain and nmap.address_family() == "inet"
+end
+
+portrule = function(host, port)
+ if ( nmap.address_family() ~= "inet" ) then
+ return false
+ end
+ if not shortport.port_or_service(53, "domain", {"tcp", "udp"})(host, port) then
+ return false
+ end
+ -- only check tcp if udp is not open or open|filtered
+ if port.protocol == 'tcp' then
+ local tmp_port = nmap.get_port_state(host, {number=port.number, protocol="udp"})
+ if tmp_port then
+ return not string.match(tmp_port.state, '^open')
+ end
+ end
+ return true
+end
+
+local areaIPs = {
+ A4 = {ip=47763456, desc="GB,A4,Bath"},
+ A5 = {ip=1043402336, desc="GB,A5,Biggleswade"},
+ A6 = {ip=1364222182, desc="FR,A6,Chèvremont"},
+ A7 = {ip=35357952, desc="GB,A7,Birmingham"},
+ A8 = {ip=1050694009, desc="FR,A8,Romainville"},
+ A9 = {ip=534257152, desc="FR,A9,Montpellier"},
+ AB = {ip=2156920832, desc="CA,AB,Edmonton"},
+ AK = {ip=202125312, desc="US,AK,Anchorage"},
+ B1 = {ip=1041724648, desc="FR,B1,Robert"},
+ B2 = {ip=35138048, desc="GB,B2,Bournemouth"},
+ B3 = {ip=33949696, desc="FR,B3,Toulouse"},
+ B4 = {ip=1050704998, desc="FR,B4,Lomme"},
+ B5 = {ip=35213312, desc="GB,B5,Wembley"},
+ B6 = {ip=773106752, desc="FR,B6,Amiens"},
+ B7 = {ip=35148800, desc="GB,B7,Bristol"},
+ B8 = {ip=786088496, desc="FR,B8,Valbonne"},
+ B9 = {ip=33753088, desc="FR,B9,Lyon"},
+ BC = {ip=201674096, desc="CA,BC,Victoria"},
+ C1 = {ip=522223616, desc="FR,C1,Strasbourg"},
+ C2 = {ip=41598976, desc="GB,C2,Halifax"},
+ C3 = {ip=534676272, desc="GB,C3,Cambridge"},
+ C5 = {ip=1043410032, desc="GB,C5,Runcorn"},
+ C6 = {ip=773987544, desc="GB,C6,Saltash"},
+ C7 = {ip=35165184, desc="GB,C7,Coventry"},
+ C8 = {ip=35248128, desc="GB,C8,Croydon"},
+ C9 = {ip=1892301824, desc="PH,C9,Iloilo"},
+ D1 = {ip=35414016, desc="GB,D1,Darlington"},
+ D2 = {ip=35164672, desc="GB,D2,Derby"},
+ D3 = {ip=35301376, desc="GB,D3,Chesterfield"},
+ D4 = {ip=1043450424, desc="GB,D4,Barnstaple"},
+ D5 = {ip=2036385792, desc="PH,D5,Legaspi"},
+ D7 = {ip=41451520, desc="GB,D7,Dudley"},
+ D8 = {ip=35279104, desc="GB,D8,Durham"},
+ D9 = {ip=460228608, desc="PH,D9,Manila"},
+ DC = {ip=68514448, desc="US,DC,Washington"},
+ E1 = {ip=1040645056, desc="GB,E1,Beverley"},
+ E2 = {ip=35206912, desc="GB,E2,Brighton"},
+ E3 = {ip=47822848, desc="GB,E3,Enfield"},
+ E4 = {ip=39874560, desc="GB,E4,Colchester"},
+ E5 = {ip=35270656, desc="GB,E5,Gateshead"},
+ E6 = {ip=1368606720, desc="GB,E6,Coleford"},
+ E7 = {ip=1051376056, desc="GB,E7,Woolwich"},
+ E8 = {ip=1044737528, desc="GB,E8,Hackney"},
+ F1 = {ip=1043451648, desc="GB,F1,Hammersmith"},
+ F2 = {ip=35176448, desc="GB,F2,Basingstoke"},
+ F4 = {ip=47998976, desc="GB,F4,Harrow"},
+ F5 = {ip=1040622704, desc="GB,F5,Hart"},
+ F6 = {ip=35230720, desc="GB,F6,Romford"},
+ F8 = {ip=35214848, desc="GB,F8,Watford"},
+ F9 = {ip=41693184, desc="GB,F9,Uxbridge"},
+ G1 = {ip=41437184, desc="GB,G1,Hounslow"},
+ G2 = {ip=35188224, desc="GB,G2,Ryde"},
+ G3 = {ip=41861120, desc="GB,G3,Islington"},
+ G4 = {ip=1040704992, desc="GB,G4,Kensington"},
+ G5 = {ip=41506816, desc="GB,G5,Ashford"},
+ G6 = {ip=786894336, desc="GB,G6,Hull"},
+ G8 = {ip=40112128, desc="GB,G8,Huddersfield"},
+ G9 = {ip=1380217968, desc="GB,G9,Knowsley"},
+ H1 = {ip=1044731464, desc="GB,H1,Lambeth"},
+ H2 = {ip=3512017264, desc="GB,H2,Earby"},
+ H3 = {ip=35221504, desc="GB,H3,Leeds"},
+ H4 = {ip=35158016, desc="GB,H4,Leicester"},
+ H5 = {ip=1043402716, desc="GB,H5,Loughborough"},
+ H6 = {ip=41732608, desc="GB,H6,Catford"},
+ H7 = {ip=41863168, desc="GB,H7,Lincoln"},
+ H8 = {ip=35294976, desc="GB,H8,Liverpool"},
+ H9 = {ip=35196928, desc="GB,H9,London"},
+ I1 = {ip=35253760, desc="GB,I1,Luton"},
+ I2 = {ip=35263488, desc="GB,I2,Manchester"},
+ I3 = {ip=47714304, desc="GB,I3,Rochester"},
+ I4 = {ip=1298651136, desc="GB,I4,Morden"},
+ I5 = {ip=1382961968, desc="GB,I5,Middlesborough"},
+ I8 = {ip=1371219061, desc="GB,I8,Stepney"},
+ I9 = {ip=35282944, desc="GB,I9,Norwich"},
+ IA = {ip=201438272, desc="US,IA,Urbandale"},
+ J1 = {ip=523578880, desc="GB,J1,Daventry"},
+ J2 = {ip=788492344, desc="GB,J2,Grimsby"},
+ J3 = {ip=3282790208, desc="GB,J3,Flixborough"},
+ J5 = {ip=41759232, desc="GB,J5,Wallsend"},
+ J6 = {ip=1043412268, desc="GB,J6,Alnwick"},
+ J7 = {ip=41783296, desc="GB,J7,Harrogate"},
+ J8 = {ip=35160064, desc="GB,J8,Nottingham"},
+ J9 = {ip=47742976, desc="GB,J9,Newark"},
+ JA = {ip=1476096512, desc="RU,JA,Kurilsk"},
+ K1 = {ip=48015360, desc="GB,K1,Oldham"},
+ K2 = {ip=1043402360, desc="GB,K2,Kidlington"},
+ K3 = {ip=39956480, desc="GB,K3,Peterborough"},
+ K4 = {ip=41735168, desc="GB,K4,Plymouth"},
+ K5 = {ip=775747568, desc="GB,K5,Poole"},
+ K6 = {ip=774162844, desc="GB,K6,Portsmouth"},
+ K7 = {ip=41746432, desc="GB,K7,Reading"},
+ K8 = {ip=35229696, desc="GB,K8,Ilford"},
+ L1 = {ip=47773696, desc="GB,L1,Twickenham"},
+ L2 = {ip=48103424, desc="GB,L2,Rochdale"},
+ L3 = {ip=35304192, desc="GB,L3,Rotherham"},
+ L4 = {ip=1043416984, desc="GB,L4,Oakham"},
+ L5 = {ip=772988024, desc="GB,L5,Salford"},
+ L6 = {ip=35336192, desc="GB,L6,Shrewsbury"},
+ L7 = {ip=1043419464, desc="GB,L7,Oldbury"},
+ L8 = {ip=39936000, desc="GB,L8,Lytham"},
+ L9 = {ip=35304448, desc="GB,L9,Sheffield"},
+ M1 = {ip=35384320, desc="GB,M1,Slough"},
+ M2 = {ip=41470976, desc="GB,M2,Solihull"},
+ M4 = {ip=35139584, desc="GB,M4,Southampton"},
+ M5 = {ip=1043402176, desc="GB,M5,Southend-on-sea"},
+ M6 = {ip=773986248, desc="GB,M6,Hill"},
+ M8 = {ip=1443330688, desc="GB,M8,Camberwell"},
+ M9 = {ip=35322880, desc="GB,M9,Stafford"},
+ MB = {ip=1076550400, desc="CA,MB,Winnipeg"},
+ MI = {ip=201393888, desc="US,MI,Saginaw"},
+ N1 = {ip=1318741928, desc="GB,N1,Haydock"},
+ N2 = {ip=35266560, desc="GB,N2,Stockport"},
+ N3 = {ip=41832448, desc="GB,N3,Stockton-on-tees"},
+ N4 = {ip=3231559680, desc="GB,N4,Longport"},
+ N5 = {ip=1043424608, desc="GB,N5,Beccles"},
+ N6 = {ip=35276800, desc="GB,N6,Sunderland"},
+ N7 = {ip=41551872, desc="GB,N7,Tadworth"},
+ N8 = {ip=41697280, desc="GB,N8,Sutton"},
+ N9 = {ip=35252736, desc="GB,N9,Swindon"},
+ NB = {ip=2211053568, desc="CA,NB,Fredericton"},
+ ND = {ip=201473536, desc="US,ND,Bismarck"},
+ NH = {ip=201772808, desc="US,NH,Laconia"},
+ NJ = {ip=201352704, desc="US,NJ,Piscataway"},
+ NS = {ip=3226164992, desc="CA,NS,Halifax"},
+ NT = {ip=3332472320, desc="CA,NT,Yellowknife"},
+ NV = {ip=202261184, desc="US,NV,Henderson"},
+ O2 = {ip=40251392, desc="GB,O2,Telford"},
+ O3 = {ip=35230208, desc="GB,O3,Grays"},
+ O4 = {ip=35318784, desc="GB,O4,Torquay"},
+ O5 = {ip=1368498352, desc="GB,O5,Poplar"},
+ O6 = {ip=1546138112, desc="GB,O6,Stretford"},
+ O7 = {ip=35219456, desc="GB,O7,Wakefield"},
+ O8 = {ip=35321856, desc="GB,O8,Walsall"},
+ O9 = {ip=1359108248, desc="GB,O9,Walthamstow"},
+ ON = {ip=201620304, desc="CA,ON,Ottawa"},
+ P1 = {ip=1043431736, desc="GB,P1,Wandsworth"},
+ P2 = {ip=35260416, desc="GB,P2,Warrington"},
+ P3 = {ip=41766912, desc="GB,P3,Nuneaton"},
+ P4 = {ip=41893888, desc="GB,P4,Newbury"},
+ P5 = {ip=772987648, desc="GB,P5,Westminster"},
+ P7 = {ip=41466624, desc="GB,P7,Wigan"},
+ P8 = {ip=48087808, desc="GB,P8,Salisbury"},
+ P9 = {ip=41793536, desc="GB,P9,Maidenhead"},
+ Q1 = {ip=41457664, desc="GB,Q1,Wallasey"},
+ Q2 = {ip=1040739840, desc="GB,Q2,Wokingham"},
+ Q3 = {ip=35323392, desc="GB,Q3,Wolverhampton"},
+ Q4 = {ip=539624744, desc="GB,Q4,Redditch"},
+ Q5 = {ip=1043415688, desc="GB,Q5,Wetherby"},
+ Q6 = {ip=1043439984, desc="GB,Q6,Antrim"},
+ Q7 = {ip=41811456, desc="GB,Q7,Newtownards"},
+ Q8 = {ip=1347208672, desc="GB,Q8,Armagh"},
+ Q9 = {ip=1044726432, desc="GB,Q9,Connor"},
+ QC = {ip=2210594816, desc="CA,QC,Varennes"},
+ R1 = {ip=1482707288, desc="GB,R1,Ballymoney"},
+ R3 = {ip=47828992, desc="GB,R3,Belfast"},
+ R4 = {ip=1051352576, desc="GB,R4,Eden"},
+ R5 = {ip=1056827328, desc="GB,R5,Castlereagh"},
+ R6 = {ip=47895040, desc="GB,R6,Coleraine"},
+ R7 = {ip=3270400320, desc="GB,R7,Dunmore"},
+ R8 = {ip=1367996672, desc="GB,R8,Portadown"},
+ R9 = {ip=773985608, desc="GB,R9,Square"},
+ RI = {ip=67285760, desc="US,RI,Providence"},
+ S1 = {ip=1040409048, desc="GB,S1,Drummond"},
+ S2 = {ip=1353842208, desc="GB,S2,Enniskillen"},
+ S3 = {ip=1368133632, desc="GB,S3,Larne"},
+ S4 = {ip=1446384520, desc="GB,S4,Ardmore"},
+ S5 = {ip=1043419184, desc="GB,S5,Lisburn"},
+ S6 = {ip=1056826304, desc="GB,S6,Londonderry"},
+ S7 = {ip=1359111383, desc="GB,S7,Curran"},
+ S8 = {ip=1369435392, desc="GB,S8,Waterfoot"},
+ S9 = {ip=1043434592, desc="GB,S9,Newry"},
+ T1 = {ip=3242033152, desc="GB,T1,Jordanstown"},
+ T2 = {ip=1043402000, desc="GB,T2,Bangor"},
+ T3 = {ip=1043429728, desc="GB,T3,Omagh"},
+ T4 = {ip=1043429520, desc="GB,T4,Strabane"},
+ T5 = {ip=39849984, desc="GB,T5,Aberdeen"},
+ T6 = {ip=1043407024, desc="GB,T6,Inverurie"},
+ T7 = {ip=47917056, desc="GB,T7,Forfar"},
+ T8 = {ip=1051457600, desc="GB,T8,Sandbank"},
+ T9 = {ip=1043429424, desc="GB,T9,Melrose"},
+ TX = {ip=201673024, desc="US,TX,Mckinney"},
+ U1 = {ip=1043400976, desc="GB,U1,Alloa"},
+ U2 = {ip=1353815544, desc="GB,U2,Langholm"},
+ U3 = {ip=1042190336, desc="GB,U3,Dundee"},
+ U4 = {ip=1043428036, desc="GB,U4,Newmilns"},
+ U5 = {ip=1051334704, desc="GB,U5,Bishopbriggs"},
+ U6 = {ip=1040628912, desc="GB,U6,Musselburgh"},
+ U7 = {ip=1056881248, desc="GB,U7,Barrhead"},
+ U8 = {ip=35188736, desc="GB,U8,Edinburgh"},
+ U9 = {ip=1318744616, desc="GB,U9,Blackstone"},
+ V1 = {ip=47947776, desc="GB,V1,Kirkcaldy"},
+ V2 = {ip=35190784, desc="GB,V2,Glasgow"},
+ V4 = {ip=1043417560, desc="GB,V4,Greenock"},
+ V5 = {ip=3570359128, desc="GB,V5,Borthwick"},
+ V6 = {ip=1398983520, desc="GB,V6,Findhorn"},
+ V7 = {ip=1043452928, desc="GB,V7,Saltcoats"},
+ V8 = {ip=523564544, desc="GB,V8,Bothwell"},
+ V9 = {ip=1353706504, desc="GB,V9,Redland"},
+ VT = {ip=201355264, desc="US,VT,Brattleboro"},
+ W1 = {ip=1042195200, desc="GB,W1,Perth"},
+ W2 = {ip=1043412560, desc="GB,W2,Paisley"},
+ W4 = {ip=1056825616, desc="GB,W4,Dundonald"},
+ W5 = {ip=1040411544, desc="GB,W5,Douglas"},
+ W6 = {ip=41547776, desc="GB,W6,Stirling"},
+ W7 = {ip=1443523584, desc="GB,W7,Bearsden"},
+ W8 = {ip=534572928, desc="GB,W8,Cross"},
+ W9 = {ip=1042221056, desc="GB,W9,Livingston"},
+ WA = {ip=201806720, desc="US,WA,Issaquah"},
+ WY = {ip=135495936, desc="US,WY,Casper"},
+ X1 = {ip=1043425760, desc="GB,X1,Valley"},
+ X2 = {ip=773988152, desc="GB,X2,Victoria"},
+ X3 = {ip=35149824, desc="GB,X3,Bridgend"},
+ X4 = {ip=1043402272, desc="GB,X4,Blackwood"},
+ X5 = {ip=39946240, desc="GB,X5,Cardiff"},
+ X6 = {ip=1043435700, desc="GB,X6,Aberystwyth"},
+ X7 = {ip=1043408760, desc="GB,X7,Llanelli"},
+ X8 = {ip=1368926208, desc="GB,X8,Abergele"},
+ X9 = {ip=1043411032, desc="GB,X9,Rhyl"},
+ Y1 = {ip=1043407256, desc="GB,Y1,Holywell"},
+ Y2 = {ip=1043401576, desc="GB,Y2,Caernarfon"},
+ Y4 = {ip=1043428692, desc="GB,Y4,Cwmbran"},
+ Y5 = {ip=3265794544, desc="GB,Y5,Cwmafan"},
+ Y6 = {ip=35153920, desc="GB,Y6,Newport"},
+ Y7 = {ip=1353763984, desc="GB,Y7,Haverfordwest"},
+ Y8 = {ip=1043430344, desc="GB,Y8,Welshpool"},
+ Z1 = {ip=40116224, desc="GB,Z1,Swansea"},
+ Z2 = {ip=40189952, desc="GB,Z2,Pontypool"},
+ Z3 = {ip=35147776, desc="GB,Z3,Barry"},
+ Z4 = {ip=40321024, desc="GB,Z4,Wrexham"}
+}
+
+local get_addresses = function(address, mask, domain, nameserver, port)
+
+ -- translate the IP's in the areaIPs to strings, as this is what the
+ -- DNS library expects
+ if ( "number" == type(address) ) then
+ address = ipOps.fromdword(address)
+ end
+
+ local subnet = { family = nmap.address_family(), address = address, mask = mask }
+ local status, resp = dns.query(domain, {host = nameserver, port=port.number, protocol=port.protocol, retAll=true, subnet=subnet})
+ if ( not(status) ) then
+ return {}
+ end
+ if ( "table" ~= type(resp) ) then resp = { resp } end
+ return resp
+end
+
+action = function(host, port)
+
+ if ( not(argDomain) ) then
+ return stdnse.format_output(false, SCRIPT_NAME .. ".domain was not specified")
+ end
+
+ local nameserver = (host and host.ip) or argNS
+ -- if we have no nameserver argument and no host, we don't have sufficient
+ -- information to continue, abort
+ if not nameserver then
+ return nil
+ end
+
+ -- if we are running as a prerule pick some defaults
+ port = port or { number = "53", protocol ="udp" }
+
+ local addrs = argAddr or areaIPs
+ if ( "string" == type(addrs) ) then addrs = {{ ip = addrs }} end
+
+ local lookup, result = {}, { name = argDomain }
+ for _,ip in pairs(addrs) do
+ for _, addr in ipairs( get_addresses (ip.ip, argMask, argDomain, nameserver, port) ) do
+ lookup[addr] = true
+ end
+ end
+ for addr in pairs(lookup) do table.insert(result, addr) end
+ table.sort(result)
+ return stdnse.format_output(true, result)
+end
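Review bot: The explicit `nameserver` script-arg is silently ignored whenever the script runs against a scanned host, because `local nameserver = (host and host.ip) or argNS` in `action` gives `host.ip` precedence; this contradicts the `@args` text "(default = host.ip)" and the first `@usage` example, which passes `nameserver=8.8.8.8` together with a `<target>`. Either swap the precedence to `local nameserver = argNS or (host and host.ip)` so the argument acts as an override, or reword the `@args` line to say the argument is only consulted when no target is scanned (the prerule case). Separately, `get_addresses` maps every failed `dns.query` (timeout, REFUSED, SERVFAIL) to `{}`, so a nameserver that never answers is indistinguishable from a domain with no records; a `stdnse.debug1("query from %s/%s failed: %s", address, tostring(mask), tostring(resp))` before `return {}` would make that visible without changing the output. Note also that `argMask` arrives as a string from `--script-args` but defaults to the number `24`, and the prerule fallback port uses `number = "53"` while host-supplied ports carry numbers; this is presumably harmless if the dns library coerces, but worth normalising with `tonumber`.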