Nmap Announce mailing list archives
Re: nmap-2.03 DNS address scanner
From: "johann sebastian bach" <jsb4ch () hotmail com>
Date: Thu, 04 Feb 1999 22:02:37 PST
Cool. Someone should do a better implementation that doesn't use gethostbyaddr() (maybe use res_mkquery(), and send multiple queries at a time..). Determining hosts are *UN*resolvable takes a long time, and going serially is very slow.. Another cool thing to add to nmap might be DNS AXFR query capability (have it transfer all the IP addresses in the zone and then scan them or whatever) so that you could scan based on domain and not IP address, or bypass firewalls (maybe in a very obscure case :)))
From nmap-hackers-return-249-jsb4ch=hotmail.com () insecure org Thu Feb 4 12:59:58 1999
From: Dion Stempfley <dion () riptech com>
Organization: Riptech Security Consulting
To: nmap-hackers () insecure org
Subject: nmap-2.03 DNS address scanner
Date: Thu, 4 Feb 1999 11:56:48 -0500
Message-Id: <99020412144601.01357 () user-38lciv0 dialup mindspring com>

Just to be annoying, I hacked the options of nmap and got a reasonable DNS gethostbyaddr scanner. I know that there are already other tools to do this, but I love the clean way that nmap supports network/mask for targeting.

I only added a "-sD" option and hacked the logic to support it. The scans aren't fast, they don't go in parallel, but it works so I thought I would offer the diffs.

Enjoy,
dMn
dion () riptech com

--
/ Riptech, Inc.                     I break things as a matter of principle.
| Security Consulting Group
| http://www.riptech.com            When your staff said you were secure,
\_____________________              did they tell you what from?

##############################################################
diff -Naur nmap-2.03/global_structures.h
nmap-2.03_dns/global_structures.h
--- nmap-2.03/global_structures.h Fri Dec 11 16:00:21 1998 +++ nmap-2.03_dns/global_structures.h Thu Feb 4 09:08:14 1999 @@ -162,6 +162,7 @@ int udpscan; int noresolve; int force; /* force nmap to continue on even when the outcome seems
somewhat certain */
+ int dnsscan; FILE *logfd; /* Output log file descriptor */ FILE *machinelogfd; /* Machine parseable log file descriptor */ }; diff -Naur nmap-2.03/nmap.c nmap-2.03_dns/nmap.c --- nmap-2.03/nmap.c Tue Jan 12 21:18:05 1999 +++ nmap-2.03_dns/nmap.c Thu Feb 4 11:00:18 1999 @@ -222,7 +222,7 @@ break; case 's': if (!*optarg) { - fprintf(stderr, "An option is required for -s, most common are
-sT (tcp scan), -sS (SYN scan), -sF (FIN scan), -sU (UDP scan) and -sP (Ping scan)");
+ fprintf(stderr, "An option is required for -s, most common are
-sT (tcp scan), -sS (SYN scan), -sF (FIN scan), -sU (UDP scan), -sP (Ping scan) and -sD (DNS scan)");
printusage(argv[0]); } p = optarg; @@ -236,11 +236,9 @@ case 'P': o.pingscan = 1; break; case 'S': o.synscan = 1; break; case 'T': o.connectscan = 1; break; - case 'U': - printf("WARNING: -sU is now UDP scan -- for TCP FIN scan use
-sF\n");
- o.udpscan++; - break; + case 'U': o.udpscan++; break; case 'X': o.xmasscan++;break; + case 'D': o.dnsscan = 1;o.pingtype =
PINGTYPE_NONE;resolve_all++;break;
default: error("Scantype %c not supported\n",*p);
printusage(argv[0]); break;
} p++; @@ -263,7 +261,7 @@ /* Now we check the option sanity */ /* Insure that at least one scantype is selected */ -if (!o.connectscan && !o.udpscan && !o.synscan && !o.finscan &&
!o.maimonscan && !o.nullscan && !o.xmasscan && !o.bouncescan && !o.pingscan) {
+if (!o.connectscan && !o.udpscan && !o.synscan && !o.finscan &&
!o.maimonscan && !o.nullscan && !o.xmasscan && !o.bouncescan && !o.pingscan && !o.dnsscan) {
o.connectscan++; if (o.verbose) error("No scantype specified, assuming vanilla tcp
connect() scan. Use -sP if you really don't want to portscan (and just want to see what hosts are up).");
} @@ -300,13 +298,16 @@ if (!o.tcp_probe_port) o.tcp_probe_port = 80; -if (o.pingscan && (o.connectscan || o.udpscan || o.synscan ||
o.finscan || o.maimonscan || o.nullscan || o.xmasscan || o.bouncescan)) {
+if (o.pingscan && (o.connectscan || o.udpscan || o.synscan ||
o.finscan || o.maimonscan || o.nullscan || o.xmasscan || o.bouncescan || o.dnsscan)) {
fatal("Ping scan is not valid with any other scan types (the other
ones all include a ping scan");
} +if (o.dnsscan && (o.connectscan || o.udpscan || o.synscan || o.finscan
|| o.maimonscan || o.nullscan || o.xmasscan || o.bouncescan || o.pingscan)) {
+ fatal("The DNS scan is for gethostbyaddr scans only (do not specify
any other scan type");
+} + /* We start with stuff users should not do if they are not root */ if (!o.isr00t) { - if (o.pingtype & PINGTYPE_ICMP) { error("Warning: You are not root -- using TCP pingscan rather
than ICMP");
o.pingtype = PINGTYPE_TCP; @@ -455,7 +456,7 @@ if (o.debugging > 1) printf("The max # of sockets we are using is:
%d\n", o.max_sockets);
-if (randomize) +if (randomize && !o.dnsscan) shortfry(ports); starttime = time(NULL); @@ -476,9 +477,14 @@ else { currenths->name = emptystring; } - if (o.source) memcpy(¤ths->source_ip, o.source,
sizeof(struct in_addr));
-if (!o.pingscan) { + +if (o.dnsscan) { + nmap_log("Host: %s (%s)\n", inet_ntoa(currenths->host),
(int)currenths->name==(int)emptystring?"NONE":currenths->name);
+ nmap_machine_log("Host: %s (%s)", inet_ntoa(currenths->host), + (int)currenths->name==(int)emptystring?"NONE":currenths->name); +} +else if (!o.pingscan) { if (o.pingtype != PINGTYPE_NONE && (currenths->flags & HOST_UP) &&
(o.verbose || o.debugging))
printf("Host %s (%s) appears to be up ... good.\n",
currenths->name, inet_ntoa(currenths->host));
else if (o.verbose && o.pingtype != PINGTYPE_NONE &&
!(currenths->flags & HOST_UP)) {
@@ -550,7 +556,7 @@ os_scan(currenths); } - if (!currenths->ports && !o.pingscan) { + if (!currenths->ports && !o.pingscan && !o.dnsscan) { nmap_log("No ports open for host %s (%s)\n", currenths->name, inet_ntoa(currenths->host)); nmap_machine_log("Host: %s (%s) Status: Up", @@ -852,6 +858,7 @@ -sP ping \"scan\". Find which hosts on specified network(s) are up
but don't \n\
port scan them\n\ -sU UDP port scan, must be r00t\n\ + -sD Scan DNS records for resolved names\n\ -b <ftp_relay_host> ftp \"bounce attack\" port scan\n\ Options (none are required, most can be combined):\n\ -f use tiny fragmented packets for SYN, FIN, Xmas, or NULL scan.\n\
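Review bot: in the nmap.c option-parsing hunk (@@ -236), `case 'D'` assigns `o.pingtype = PINGTYPE_NONE` while the command line is still being walked, so any later option in the same loop that sets `o.pingtype` can silently re-enable pinging for the DNS scan; do that assignment in the "option sanity" section, next to the new `o.dnsscan` exclusivity check, where it runs after every argument has been read. The same hunk also deletes the `-sU` "is now UDP scan" warning, which has nothing to do with this feature and belongs in its own patch.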
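Review bot: the new check in the @@ -300 hunk lists `o.pingscan` even though the condition right above it (now extended with `|| o.dnsscan`) already rejects `-sP` combined with `-sD`, so that combination is caught twice with two different messages; drop `o.pingscan` from the new condition or fold both into one check. The new fatal() string, "(do not specify any other scan type", also lacks its closing parenthesis, repeating the typo in the ping-scan message above it.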
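Review bot: the @@ -476,9 +477,14 hunk removes the `if (o.source) memcpy(...source_ip, o.source, sizeof(struct in_addr));` line (it carries a `-` marker, and the 9-old/14-new counts in the header only add up if it is a real deletion), although the DNS scan does not depend on it, so a user-supplied source address would stop being applied for every scan type; keep that line as unchanged context. Separately, `(int)currenths->name==(int)emptystring` truncates pointers on 64-bit targets; compare them directly as `currenths->name == emptystring` in both the nmap_log and nmap_machine_log calls.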
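Review bot: the usage line added in the @@ -852 hunk, "-sD Scan DNS records for resolved names", does not tell the user that -sD only reverse-resolves each target address and never port scans it, which the sanity check in this patch enforces; say so, for example "-sD DNS scan: reverse-resolve each target address (no port scan)".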