Nmap Development mailing list archives

Re: Forward DNS names in output


From: David Fifield <david () bamsoftware com>
Date: Tue, 27 Oct 2009 07:43:02 -0600

On Fri, Aug 28, 2009 at 03:55:35PM -0700, Fyodor wrote:
Right.  The rDNS name can be useful in that it can expose ISPs, web
hosting providers, and more.  For example, if you scan
www.openbsd.org, Nmap forward resolves it to 129.128.5.191 and then
reverse-resolves that to openbsd.sunsite.ualberta.ca.  The latter
tells you that the site is hosted by a Sunsite server at the
University of Alberta in Canada.  This is useful information.

On the other hand, it can be confusing when you specify multiple
hostnames on the command-line and you just get IP numbers back (or
rDNS names without an immediate relation to the hostname) and have
trouble figuring out which target is which.

I have a personal TODO item to use the forward name in Zenmap, but I
found that it is not even in the XML output.

<host><status state="up" reason="conn-refused"/>
<address addr="208.80.152.2" addrtype="ipv4" />
<hostnames><hostname name="rr.pmtpa.wikimedia.org" type="PTR" /></hostnames>
</host>

Yeah, adding the forward name here sounds reasonable.

I've added this with a type attribute of "user".

<hostnames>
<hostname name="en.wikipedia.org" type="user"/>
<hostname name="rr.pmtpa.wikimedia.org" type="PTR"/>
</hostnames>

# nmap -v www.google.com
Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-28 15:16 PDT
NSE: Loaded 0 scripts for scanning.
Warning: Hostname www.google.com resolves to 6 IPs. Using 74.125.127.103.
Initiating Ping Scan at 15:16
Scanning 74.125.127.103 [4 ports]
Completed Ping Scan at 15:16, 0.03s elapsed (1 total hosts)
[...]
Host pz-in-f103.google.com (74.125.127.103) is up (0.094s latency).
Interesting ports on pz-in-f103.google.com (74.125.127.103):
Not shown: 997 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
113/tcp closed auth
443/tcp open   https

Maybe that second section could be changed to:

Nmap scan report for www.google.com (74.125.127.103)
^^^ This is a new line, which I think is better than only listing the
    host/IP for "Interesting ports" table.  After all, we give a whole
    report now, often including NSE, traceroute, OS detection,
    etc. all below the interesting ports table.
Host is up, received echo-reply (0.094s latency).
^^^ This line still only appears in verbose mode.  I removed the
    name/IP since it is on the previous line.  I added the --reason
    information, as we now should have space to print it in all cases.
    In fact, maybe we should print this line in all cases?  I think
    I'd favor that approach.
Hostname www.google.com resolves to 6 IPs. Only scanned 74.125.127.103
^^^ I'm suggesting moving this here to the target section so it is
    more closely associated with the particular target.  This means
    delaying the information a bit though, so we might still want to keep
    the earlier warning in -v mode (or maybe require -vv).
rDNS record for 74.125.127.103: pz-in-f103.google.com
^^^ This line is only printed if we get an rDNS record and it does not
    match the target name.
Not shown: 997 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
113/tcp closed auth
443/tcp open   https
^^^ These 5 lines are the same as before, though I removed the line
    "Interesting ports on ..." because we now already know the target
    name/IP, and the "PORT STATE SERVICE" line introduced the port table
    just as well IMHO.

I think I've got this implemented. Here are some examples.

# nmap www.google.com
Nmap scan report for www.google.com (74.125.53.105)
Hostname www.google.com resolves to 6 IPs. Only scanned 74.125.53.105
rDNS record for 74.125.53.105: pw-in-f105.1e100.net
Not shown: 997 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
113/tcp closed auth
443/tcp open   https

# nmap -sP -PN --traceroute google.com
Nmap scan report for google.com (74.125.53.100)
Host is up.
Hostname google.com resolves to 3 IPs. Only scanned 74.125.53.100
rDNS record for 74.125.53.100: pw-in-f100.1e100.net

TRACEROUTE (using proto 1/icmp)
HOP RTT      ADDRESS
1   3.93 ms  192.168.0.1

# nmap -sL google.com/30
Nmap scan report for google.com (74.125.53.100)
Host not scanned
Hostname google.com resolves to 3 IPs. Only scanned 74.125.53.100
rDNS record for 74.125.53.100: pw-in-f100.1e100.net
Nmap scan report for pw-in-f101.1e100.net (74.125.53.101)
Host not scanned
Nmap scan report for pw-in-f102.1e100.net (74.125.53.102)
Host not scanned
Nmap scan report for pw-in-f103.1e100.net (74.125.53.103)
Host not scanned

Notice in the last example how each host gets an "Nmap scan report"
line. It comes before all the other lines with information on a host,
which may include a host status, reverse DNS name, count of IP
addresses, and MAC address. However, because most hosts have only a host
status line, adding the "Nmap scan report" is about twice as verbose.
Would it be better to remove the "Nmap scan report" line and embed the
name and address in the "Host is up" line in the case of a list scan or
a ping-only scan?

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
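The thread above settles on emitting both the user-supplied target name (type="user") and the reverse-lookup name (type="PTR") under `<hostnames>`, and on printing a separate "rDNS record for" line only when the two differ. The following is an added example, not code from the thread or from Nmap itself, showing how a consumer of the XML output can pull both names out and reproduce that decision. The XML fed to it is constructed here in the shape quoted in the thread (the en.wikipedia.org / wikimedia host, the google host, plus an invented down host at 10.0.0.9 with no names), and the function names are the example's own.

```python
"""Extract user-supplied and PTR hostnames from Nmap XML and decide when rDNS differs."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape shown in the thread; not real scan output.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="5.00">
<host><status state="up" reason="conn-refused"/>
<address addr="208.80.152.2" addrtype="ipv4"/>
<hostnames>
<hostname name="en.wikipedia.org" type="user"/>
<hostname name="rr.pmtpa.wikimedia.org" type="PTR"/>
</hostnames>
</host>
<host><status state="up" reason="echo-reply"/>
<address addr="74.125.127.103" addrtype="ipv4"/>
<hostnames>
<hostname name="pz-in-f103.google.com" type="user"/>
<hostname name="PZ-IN-F103.google.com." type="PTR"/>
</hostnames>
</host>
<host><status state="down" reason="no-response"/>
<address addr="10.0.0.9" addrtype="ipv4"/>
<hostnames/>
</host>
</nmaprun>
"""


def _norm(name):
    """DNS names are case-insensitive and may carry a trailing dot; normalise before comparing."""
    return name.rstrip(".").lower()


def parse_hosts(xml_text):
    """Return one dict per <host>: IPv4 address, status state, user name, PTR name."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        status_el = host.find("status")
        names = {"user": None, "PTR": None}
        for hn in host.findall("hostnames/hostname"):
            # Keep the first name of each type. Older output only carried PTR entries,
            # so either key may legitimately stay None.
            t = hn.get("type")
            if t in names and names[t] is None:
                names[t] = hn.get("name")
        hosts.append({
            "addr": addr_el.get("addr") if addr_el is not None else None,
            "state": status_el.get("state") if status_el is not None else None,
            "user": names["user"],
            "ptr": names["PTR"],
        })
    return hosts


def display_name(h):
    """Heading in the proposed 'Nmap scan report for NAME (ADDR)' style:
    prefer the name the user typed, fall back to the PTR, else the bare IP."""
    name = h["user"] or h["ptr"]
    return f"{name} ({h['addr']})" if name else h["addr"]


def rdns_mismatch(h):
    """True when a PTR exists and differs from the user-supplied name,
    which is the only case in which the thread prints an 'rDNS record for' line."""
    if h["ptr"] is None or h["user"] is None:
        return False
    return _norm(h["ptr"]) != _norm(h["user"])


def report(xml_text):
    """Render the per-host lines as the thread proposes them."""
    lines = []
    for h in parse_hosts(xml_text):
        lines.append(f"Nmap scan report for {display_name(h)}")
        if rdns_mismatch(h):
            lines.append(f"rDNS record for {h['addr']}: {h['ptr']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_XML)))
```

The normalisation step matters in practice: a PTR that differs from the target only in case or by a trailing dot is the same name, and printing an "rDNS record" line for it would be noise rather than the hosting-provider hint Fyodor describes.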