{"id":13438465,"url":"https://github.com/anonion0/nsec3map","last_synced_at":"2025-03-20T06:30:26.052Z","repository":{"id":30086994,"uuid":"33636626","full_name":"anonion0/nsec3map","owner":"anonion0","description":"a tool to enumerate the resource records of a DNS zone using its DNSSEC NSEC or NSEC3 chain","archived":false,"fork":false,"pushed_at":"2023-03-06T11:55:34.000Z","size":170,"stargazers_count":195,"open_issues_count":5,"forks_count":34,"subscribers_count":10,"default_branch":"master","last_synced_at":"2025-03-06T17:17:19.769Z","etag":null,"topics":["dns","dns-security","dnssec","enumeration","network-security","nsec","nsec-walking","nsec3","nsec3-enumeration","nsec3-mapping","nsec3-walking","scanner","security"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/anonion0.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":"AUTHORS","dei":null,"publiccode":null,"codemeta":null}},"created_at":"2015-04-08T22:56:58.000Z","updated_at":"2025-02-19T02:36:22.000Z","dependencies_parsed_at":"2024-10-27T22:37:06.227Z","dependency_job_id":null,"html_url":"https://github.com/anonion0/nsec3map","commit_stats":{"total_commits":124,"total_committers":5,"mean_commits":24.8,"dds":0.09677419354838712,"last_synced_commit":"d145b134742e88dc74579e2252db827a321316c7"},"previous_names":[],"tags_count":12,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anonion0%2Fnsec3map","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anonion0%2Fnsec3map/tags","releases_url":"
https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anonion0%2Fnsec3map/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anonion0%2Fnsec3map/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/anonion0","download_url":"https://codeload.github.com/anonion0/nsec3map/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244564780,"owners_count":20473129,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dns","dns-security","dnssec","enumeration","network-security","nsec","nsec-walking","nsec3","nsec3-enumeration","nsec3-mapping","nsec3-walking","scanner","security"],"created_at":"2024-07-31T03:01:05.755Z","updated_at":"2025-03-20T06:30:21.039Z","avatar_url":"https://github.com/anonion0.png","language":"Python","funding_links":[],"categories":["Asset Discovery","[↑](#contents)Domain / Subdomain Discovery"],"sub_categories":["Domain / Subdomain Discovery"],"readme":"nsec3map - DNSSEC Zone Enumerator\n=================================\n\n`n3map` is a tool that can enumerate DNS zone entries based on DNSSEC\n[NSEC][NSEC] or [NSEC3][NSEC3] record chains.  
It can be used to discover hosts\nin a DNS zone quickly and with a minimum amount of queries if said zone is\nDNSSEC-enabled.\n\n`n3map` was written primarily to show that NSEC3 does not offer meaningful\nprotection against zone enumeration.\nAlthough originally only intended as a PoC and written in Python, it is\nactually quite fast and able to enumerate even large zones (with a million or\nmore entries) in a short time given adequate hardware.\n\nIt also includes a simple [John the Ripper][JtR] plugin that can be used to crack the\nobtained NSEC3 hashes.\n\n![n3map screenshot](screenshot.png)\n\nUsage Examples\n--------------\n\nSome typical usage examples are shown below. For a more detailed documentation,\nrefer to the man pages or the output of `n3map --help`.\n\n### NSEC Zone Walking\n\nThe most basic example is to enumerate a particular zone (e.g. example.com) and\nstore the retrieved NSEC/NSEC3 records in a file example.com.zone:\n\n\t$ n3map -v -o example.com.zone example.com\n\tn3map 0.4.0: starting mapping of example.com\n\tlooking up nameservers for zone example.com.\n\tusing nameserver: 199.43.133.53:53 (b.iana-servers.net.)\n\tusing nameserver: 199.43.132.53:53 (a.iana-servers.net.)\n\tchecking SOA...\n\tdetecting zone type...\n\tzone uses NSEC records\n\tstarting enumeration in mixed query mode...\n\tdiscovered owner: example.com.\tA NS SOA TXT AAAA RRSIG NSEC DNSKEY\n\tdiscovered owner: www.example.com.\tA TXT AAAA RRSIG NSEC\n\t;; walking example.com.: records =   2; queries =   4; ............. q/s = 11 ;;\n\tfinished mapping of example.com. in 0:00:00.196471\n\nThe `-v` switch is only used for more verbosity and not generally needed. With\nno further arguments, `nsec3map` detects automatically whether the zone uses\nNSEC or NSEC3 and uses the corresponding enumeration method. It also looks up\nthe zone's nameservers by itself.\n\nSome nameservers do not accept NSEC queries. In such a case, `--query-mode A`\n(short `-A`) can be used instead. 
For example, to enumerate the root zone, one\ncould run the command:\n\n\tn3map -v -A --output root.zone  .\n\n#### Avoiding Sub-Zones\n\nNote that the above command will likely print a lot of warnings about sub-zones\n(children of the zone that we want to enumerate). `n3map` tries its best to\navoid descending into sub-zones and instead tries to jump over them\nautomatically.\nIf you wish to avoid most of these warnings, you can tell `n3map` to never add\nprefix labels to the queries it sends using the `--no-prefix-labels` option.\nFor example:\n\n    n3map -vA --no-prefix-labels -o root.zone .\n\nThis option is particularly useful to enumerate top-level domain (TLD) zones.\nNote however that using it can sometimes lead to a less complete enumeration\nfor zones with nested subdomains.\n\nAlternatively, you can try to find nameservers that respond to\ndirect NSEC queries (find them e.g. by trying `--query-mode=NSEC`) and tell\n`n3map` to only use those:\n\n    n3map -vo example.com.zone goodns{1,2}.example.com example.com\n\n### NSEC3 Zone Enumeration\n\nThe following example shows the enumeration of a NSEC3 chain at example.com\nusing a nameserver at 192.168.1.37. It also shows the NSEC3 zone size\nprediction and progress indicator (enabled using the `-p` switch).\n\n\t$ n3map -3po example.com.zone 192.168.1.37 example.com\n\t;; mapping example.com.: 79% [===========================================================================                   ] ;;\n\t;; records = 797; queries = 802; hashes = 3840; predicted zone size = 1003; ............... q/s = 513; coverage =  95.677595% ;;\n\t\n\treceived SIGINT, terminating\n\nNote that the enumeration will proceed slower towards the end as it becomes\nharder to find domain names that are not covered by any retrieved NSEC3\nrecords. Therefore, finishing the enumeration of a large zone can take quite\nsome time and computing resources. 
It is advisable to manually cancel the\nenumeration once the query rate drops under a certain limit.\n\nYou should also make use of the `--limit-rate` option to reduce stress on the\nnameservers. If you think the enumeration is too slow because of a high\nround-trip time to the nameservers, you can also use a more aggressive mode\nwhich sends multiple queries simultaneously (`--aggressive` option). The\nfollowing example shows how to use these options:\n\n\tn3map -3pvo example.com.zone --aggressive 16 --limit-rate 100/s example.com\n\nThis will cause nsec3map to send a maximum of 16 queries in parallel while at\nthe same time keeping the query rate at or below roughly 100 queries per\nsecond.\n\nIt is also possible to continue the enumeration from a partially obtained NSEC3\n(or NSEC) chain, as long as the zone's NSEC3 parameters (salt, iteration count)\nhave not been changed:\n\n\tn3map -3pv --input example.com.partial --output example.com.zone --ignore-overlapping example.com\n\nThis will first read the NSEC3 records from example.com.partial and then\ncontinue the enumeration, saving the NSEC3 chain to example.com.zone.\nThe `--ignore-overlapping` option should be used for large zones, or if it is\notherwise likely that changes are made to the zone during the enumeration.  If\nspecified, nsec3map will not abort the enumeration when it receives an NSEC3\nrecord which overlaps with another record that was received earlier. 
Note\nhowever that you will not get a completely consistent view of the NSEC3 chain\nif you use this option.\n\n### Cracking NSEC3 Hashes\n\nOnce you obtained some NSEC3 records from a particular zone, you can (try to)\ncrack them using John the Ripper and the supplied NSEC3 patch (see *John the\nRipper Plugin* below on how to install it).\n\nFirst, the NSEC3 records need to be converted to a different format used by the\nJtR patch:\n\n\tn3map-johnify example.com.zone example.com.john\n\nThe records can then be cracked simply by running  `john` on the resulting file:\n\n\tjohn example.com.john\n\nRefer to the JtR documentation for more information on how to make use of\njohn's different cracking modes, wordlist rules and so on. It is probably a\ngood idea to adapt the wordlist and mangling rules to the kind of zone you are\ntrying to map.\n\nYou can also try to crack NSEC3 records using [hashcat][hashcat],\nusing hashes converted to a slightly different format:\n\n\tn3map-hashcatify example.com.zone example.com.hashcat\n\nThe records can then be cracked simply by running `hashcat` on the resulting file:\n\n\thashcat -m 8300 example.com.hashcat\n\n\n\nInstallation\n------------\n\n### From PyPI\n\nThe PyPI package still needs to compile the C extension module for faster hashing,\nwhich means you need a C compiler as well as the necessary header files for\nPython and libcrypto (OpenSSL) installed.\n\nFor Debian-based systems:\n\n    sudo apt-get install python3 python3-pip python3-dev gcc libssl3 libssl-dev\n\nTo then install nsec3map from PyPI, simply run:\n\n    python3 -m pip install n3map[predict]\n\nIf you do not care about NSEC3 zone size prediction and don't want\nnumpy and scipy installed, you can use:\n\n    python3 -m pip install n3map\n\n#### Installing into a Virtual Environment\n\nIt may be advisable to install n3map into a Python venv, especially if you are\nfaced with any dependency problems:\n\n    mkdir venv\n    python3 -m venv venv\n    source 
venv/bin/activate\n    python3 -m pip install n3map[predict]\n\nMore conveniently, you can also use [pipx](https://github.com/pypa/pipx):\n\n    pipx install n3map[predict]\n\nNote that you still need libssl, libssl-dev, gcc and python3-dev.\n\n### From Git Repository\n\nDependencies:\n\n  * Python \u003e= 3.9\n  * dnspython \u003e= 2.0\n  * OpenSSL (libcrypto) \u003e= 3.0.0\n  * Optionally numpy and scipy for zone size prediction (recommended)\n\nAdditionally, pip, setuptools and GCC (for the extension module) are required\nduring setup.\n\nOn a Debian system, just run\n\n\tsudo apt-get install python3 python3-dev gcc python3-pip \\\n         python3-setuptools python3-dnspython libssl3 libssl-dev \\\n         python3-numpy python3-scipy\n\nInstallation:\n\nAfter cloning the repository / unpacking the tarball, cd into the project\ndirectory and run:\n\n\tpython3 -m pip install .[predict]\n\nThis will compile the extension module(s) and install the scripts, Python\nmodules as well as the man pages.\nIt will make a user install if you are not root.\n\nIf you do not care about NSEC3 zone size prediction and don't want\nnumpy and scipy installed, you can use:\n\n\tpython3 -m pip install .\n\nAlternatively, you can install it without pip:\n\n\tsudo python3 setup.py install\n\n#### Running directly from Source Directory\n\nAlternatively, you can also run nsec3map directly from the source directory\nwithout installing it:\n\n    ./map.py [options]\n\nIf you want to use OpenSSL accelerated\nhashing however, you still need to build the extension module:\n\n\tpython3 setup.py build_ext\n\nThis should compile a shared object nsec3hash.so in the build/ directory. You\ncan then copy this file to the n3map/ directory.\n\n### John the Ripper Plugin\n\n**Update**: The latest version of [John the Ripper jumbo][JtR] includes the NSEC3\ncracking patch from this project. There is no need to install it separately,\njust follow the build instructions for JtR-Jumbo. 
Using the latest source\nversion is recommended.\n\nAlternatively, you can also use [hashcat][hashcat].\n\nDocker\n--------\n\nBuilding the docker container.\n\n\tdocker build -t nsec3map .\n\nRunning n3map or e.g. n3map-hashcatify:\n\n\tdocker run -it --rm -v \"${PWD}:/host\" nsec3map -v -o example.com.zone example.com\n\tdocker run -it --entrypoint n3map-hashcatify --rm -v \"${PWD}:/host\" nsec3map example.com.zone example.com.hashcat\n\n\nLimitations\n-----------\n\n* Many DNS errors are not handled correctly\n* No automatic parallelization of NSEC walking (though it is possible to do this manually by partitioning the namespace)\n* High memory usage (mostly as a result of using CPython)\n* ...\n\n(remember that nsec3map is still mostly a PoC tool...)\n\n[NSEC]: https://www.ietf.org/rfc/rfc4034.txt \"Resource Records for the DNS Security Extensions\"\n[NSEC3]: https://www.ietf.org/rfc/rfc5155.txt \"DNS Security (DNSSEC) Hashed Authenticated Denial of Existence\"\n[JtR]: https://github.com/openwall/john \"John the Ripper (Jumbo)\"\n[hashcat]: https://hashcat.net/hashcat/ \"hashcat\"\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fanonion0%2Fnsec3map","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fanonion0%2Fnsec3map","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fanonion0%2Fnsec3map/lists"}