Re: Forward DNS names in output

[Brandon Enright <bmenrigh () ucsd edu>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 28 Aug 2009 13:54:37 -0600
David Fifield <david () bamsoftware com> wrote:

> On Thu, Aug 27, 2009 at 05:08:32PM -0500, Ron wrote:
> > On 08/27/2009 05:01 PM, Patrick Donnelly wrote:
> > > /output.cc uses the hostname value (Target.h) for output. The value
> > > *you* want is targetname, which is the name specified on the
> > > command line. The hostname field is the same for all the hosts
> > > probably because of rDNS?
> >
> > Yes, that's correct, it's using rDNS to get the name (in this
> > case, test.skullsecurity.org).
> >
> > I realize this makes perfect sense when scanning an ip range, but
> > when I give tagetnames on the commandline it'd be nice if they'd
> > display in the output.
> >
> > I don't think it's an urgent thing that has to be done, but it's  
> > something that makes scanning web servers with multiple domains a
> > little tricky.
>
> I think this is worth commenting on so I'm starting a new thread.
> Patrick is right that Nmap uses the reverse DNS name in its output.
>
> $ nmap -sP en.wikipedia.org
> Host rr.pmtpa.wikimedia.org (208.80.152.2) is up (0.092s latency).
>
> When the reverse DNS is not available, it uses the IP address only,
> even if it came from forward resolution of a domain name.
>
> $ nmap -sP en.wikipedia.org -n
> Host 208.80.152.2 is up (0.11s latency).
>
> I have a personal TODO item to use the forward name in Zenmap, but I
> found that it is not even in the XML output.
>
> <host><status state="up" reason="conn-refused"/>
> <address addr="208.80.152.2" addrtype="ipv4" />
> <hostnames><hostname name="rr.pmtpa.wikimedia.org"
> type="PTR" /></hostnames> </host>
>
> I agree with Ron that this is confusing sometimes. It also loses
> information. How should Nmap work in this regard? My quick proposal is
> to always prefer the forward name to the reverse name in normal
> output, and to use the reverse name when the forward name is not
> available. The latter behavior is clearly what's wanted when scanning
> an IP range. In XML output, both names would be recorded, with a
> different "type" attribute for the forward name.
>
> David Fifield

For the sake of providing a comment, I totally agree with your above
suggestion.

WRT forward name lookups, I think a long-term TODO item should be to
either expand our asynchronous rDNS to do forward resolving too or to
think about writing a new, fast, parallel, asynchronous forward
resolver.

As we start adding more web related scripts, names are going to matter
a lot more.  -iL is great until it hits the gethostbyname() loop.

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)

iEYEARECAAYFAkqYQHoACgkQqaGPzAsl94LZcgCgh9MB+1tnWXpuKWiLc7oO7gYo
3RAAnj7mlLywVPCAjyK4M5KUnYXZzKGm
=f30g
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org