NSEC3 brute force #1036
Replies: 1 comment 1 reply
I looked into how recoverable NSEC3 records are for subdomains. Combining a "top 41 million subdomains" wordlist with a mutated dictionary recovered around 40% of records. If it were Markov-chained, seeded with pre-observed subdomains and potentially even words scraped from websites, it might be slightly higher and far less computationally expensive. NSEC3 records can be walked just like NSEC records; you can use my tool as a reference for how they're walked and converted into a crackable hash format: https://github.com/Harrison-Mitchell/NSEC-3-Walker and my paper for the efficacy of cracking NSEC3 records: https://harrisonm.com/whitepaper/nsec3-prevalence-and-recoverability.pdf (e.g. the 40% number is taken from Figure 3)
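The hash computation and the offline dictionary attack described in the comment above, as an added worked example; it is not code from this thread or from the linked NSEC-3-Walker tool. It implements the RFC 5155 owner-name hash (SHA-1 over the canonical wire-format name with the salt appended, iterated, base32hex output) and runs a mutated wordlist against a set of hashed owner names. The zone name, salt, iteration count, target names and wordlist are constructed for the example; the hashcat input line layout is my recollection of mode 8300 and is an assumption to check against the tool's documentation. Walking a live zone to collect the hashes needs DNS queries and is not shown here.

```python
import base64
import hashlib
from typing import Dict, Iterable, Iterator, Set

# Translate the RFC 4648 standard base32 alphabet that hashlib/base64 emit into
# base32hex (0-9, a-v), which is what NSEC3 owner names use.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789abcdefghijklmnopqrstuv")


def wire_name(name: str) -> bytes:
    """Canonical wire form (RFC 5155 s.5): lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError(f"label too long: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt).

    Hash algorithm 1 (SHA-1) is the only one RFC 5155 defines. Returns the
    32-character base32hex owner label, lowercase.
    """
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii")


def hashcat_line(hashed_owner: str, zone: str, salt: bytes, iterations: int) -> str:
    """One line of crackable input.

    Assumption: this is the layout hashcat mode 8300 expects as I recall it
    (hash:.zone:salt_hex:iterations). Verify against the tool you feed it to.
    """
    return f"{hashed_owner}:.{zone.strip('.')}:{salt.hex()}:{iterations}"


def mutate(word: str) -> Iterator[str]:
    """A deliberately small mutation rule set standing in for a 'mutated dictionary'."""
    yield word
    for suffix in ("1", "2", "01", "-dev", "-test", "-staging"):
        yield word + suffix


def crack(targets: Set[str], zone: str, salt: bytes, iterations: int,
          words: Iterable[str]) -> Dict[str, str]:
    """Hash every candidate under `zone` and report which target hashes it explains."""
    found: Dict[str, str] = {}
    for word in words:
        for cand in mutate(word):
            fqdn = f"{cand}.{zone.strip('.')}"
            h = nsec3_hash(fqdn, salt, iterations)
            if h in targets and h not in found:
                found[h] = fqdn
                if len(found) == len(targets):
                    return found
    return found


def demo() -> Dict[str, str]:
    """Constructed scenario: four hashed owners from a hypothetical zone 'example'.

    In practice the target hashes come from walking the zone; here they are
    generated from names chosen for the example so the block runs offline.
    """
    zone, salt, iterations = "example", bytes.fromhex("aabbccdd"), 12
    real_names = ["www.example", "mail2.example", "vpn-dev.example",
                  "s3cr3t-internal.example"]  # the last one is not in the wordlist
    targets = {nsec3_hash(n, salt, iterations) for n in real_names}
    for h in sorted(targets):
        print(hashcat_line(h, zone, salt, iterations))
    wordlist = ["www", "mail", "vpn", "ftp", "api"]
    return crack(targets, zone, salt, iterations, wordlist)


if __name__ == "__main__":
    for h, name in demo().items():
        print(f"{h} -> {name}")
```

The `nsec3_hash` function reproduces the RFC 5155 Appendix A vector (salt `aabbccdd`, 12 iterations: `example` hashes to `0p9mhaveqvm6t7vbl5lop2u3t2rp3tom`), which is the check to run before trusting any cracked output. Note that the iteration count multiplies the per-candidate cost for both the attacker and every validating resolver, which is why operators are pushed toward 0 iterations; it does not change the fact that any guessable label is recoverable.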
It would be interesting to try brute-forcing NSEC3 records. Once we figured out the hash format we might even be able to write a specialized tool with Markov chains trained on DNS names.