diff options
Diffstat (limited to 'scripts/dns-recursion.nse')
-rw-r--r-- | scripts/dns-recursion.nse | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/scripts/dns-recursion.nse b/scripts/dns-recursion.nse new file mode 100644 index 0000000..d1ea1b6 --- /dev/null +++ b/scripts/dns-recursion.nse @@ -0,0 +1,58 @@ +local comm = require "comm" +local nmap = require "nmap" +local shortport = require "shortport" +local string = require "string" + +description = [[ +Checks if a DNS server allows queries for third-party names. It is +expected that recursion will be enabled on your own internal +nameservers. +]] + +--- +-- @usage +-- nmap -sU -p 53 --script=dns-recursion <target> +-- @output +-- PORT STATE SERVICE REASON +-- 53/udp open domain udp-response +-- |_dns-recursion: Recursion appears to be enabled + +author = "Felix Groebert" + +license = "Same as Nmap--See https://nmap.org/book/man-legal.html" + +categories = {"default", "safe"} + + +portrule = shortport.portnumber(53, "udp") + +action = function(host, port) + + -- generate dns query + local request = "\xde\xad" -- Transaction-ID 0xdead + .. "\x01\x00" -- flags (recursion desired) + .. "\x00\x01" -- 1 question + .. "\x00\x00" -- 0 answers + .. "\x00\x00" -- 0 authority + .. "\x00\x00" -- 0 additional + .. "\x03www\x09wikipedia\x03org\x00" -- www.wikipedia.org. + .. "\x00\x01" -- type A + .. "\x00\x01" -- class IN + + local status, result = comm.exchange(host, port, request, {proto="udp"}) + + if not status then + return + end + + nmap.set_port_state(host, port, "open") + + -- parse response for dns flags + if (string.byte(result,3) & 0x80) == 0x80 + and (string.byte(result,4) & 0x85) == 0x80 + then + return "Recursion appears to be enabled" + end + + return +end |