dns-zone-transfer-check: DNS Zone Transfer Check

日期: 2025-08-01 | 影响软件: DNS Zone Transfer Check | POC: 已公开

漏洞描述

Ensure DNS zone transfers are restricted by verifying that the SecureSecondaries registry value is set to 2 for all active zones. Unrestricted zone transfers can expose sensitive domain information, helping attackers map the network infrastructure.

PoC代码[已公开]

id: dns-zone-transfer-check

info:
  name: DNS Zone Transfer Check
  author: nukunga[SungHyunJeon]
  severity: medium
  description: |
    Ensure DNS zone transfers are restricted by verifying that the SecureSecondaries registry value is set to 2 for all active zones.
    Unrestricted zone transfers can expose sensitive domain information, helping attackers map the network infrastructure.
  impact: |
    If DNS zone transfers are not properly restricted, attackers could access domain and zone details, which may aid in planning and launching further attacks against the network infrastructure.
  remediation: |
    Configure DNS zone transfer restrictions by:
    - Disabling zone transfers entirely, or
    - Restricting transfers to designated servers by setting the SecureSecondaries registry value to 2.
  reference:
    - https://isms.kisa.or.kr/main/csap/notice/?boardId=bbs_0000000000000004&mode=view&cntId=85
  tags: code,windows-audit,kisa,dns,zone-transfer

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      $regPath = "HKLM:\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\DNS Server\Zones"
      $zones = Get-ChildItem -Path $regPath -ErrorAction SilentlyContinue
      if (!$zones) {
          "DNS_ZONE_TRANSFER_COMPLIANT"
          exit
      }
      $vulnerable = $false
      foreach ($zone in $zones) {
          $secureVal = (Get-ItemProperty -Path $zone.PSPath -ErrorAction SilentlyContinue).SecureSecondaries
          if ($secureVal -ne 2) {
              $vulnerable = $true
              break
          }
      }
      if ($vulnerable) {
          "DNS_ZONE_TRANSFER_VULNERABLE"
      } else {
          "DNS_ZONE_TRANSFER_COMPLIANT"
      }

    matchers:
      - type: word
        words:
          - "DNS_ZONE_TRANSFER_VULNERABLE"
# digest: 4b0a00483046022100be81b405c5b43fdf1fb9aee817558e543a42f9c049d3df45c13ec227f7b0db900221009822d46e216e816a520a0bc614186cf3b157a4dd8adcfc092e035485822bd400:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/./code/windows/audit/kisa/dns-zone-transfer-check.yaml