Nmap Development mailing list archives
Re: Feature request: scanning an AS
From: Fyodor <fyodor () insecure org>
Date: Thu, 8 Apr 2010 02:31:56 -0700
On Tue, Apr 06, 2010 at 03:04:57PM -0500, Ron wrote:

> On Tue, 6 Apr 2010 19:48:22 +0000 Brandon Enright <bmenrigh () ucsd edu> wrote:
>
> > It does sound cool. I think spending the time to do the lookup yourself will actually save a lot of time in the long run. For example, if you look up insecure.org you find it is routed out AS8121. When you look up that AS you find they route 65792 IPs. Do you ever want to scan more than a /16 when you started with a target of one or two hosts?
> >
> > Here's a more extreme example. If you look up UCSD you find out we're AS7377. When you look up our ranges you find out we route 17,057,024 IPs. I can understand wanting to scan all of the IPs for an organization but scanning all IPs for their AS is generally not what you want.
> >
> > Brandon
>
> Yeah, you're absolutely right. If it's non-trivial, it's probably pointless to implement. But if it's something that can be done reasonably easily, it might be a "wow cool!" type of feature to add.
It might make a good NSE script, though I suppose it would be best as one of those network (once per Nmap execution) scripts we've been talking about adding. As it is right now, you'd have to give a bogus target like in your California license plate script (http://www.skullsecurity.org/blog/?p=723).

As Brandon notes, in many cases you may not want to scan every IP in an AS. But sometimes you do, and even when you don't it can be a good starting point. So it would be nice to have a script which could output the IP ranges for an AS, and then you could filter/review them before running Nmap again with -iL and your target list. I see this as similar to the way we have a script for doing zone transfers, which you may review/filter and then pass to a new Nmap -iL execution. Section 3.3.3 "Internet Routing Information" of the Nmap book covers finding IP addresses based on AS numbers, using Microsoft (AS #8075) as an example.

Note that Nmap already does let you do a scan with 0 targets, which would be useful for running a script like this.

Also, when I last chatted with David about the network scripts idea, he made this statement which I recorded in the TODO item: "I regret saying this before I say it, because I'm imagining implementation difficulties, we should think about having such auxiliary scripts be able to do things like host discovery, and then let the following phases work on the list it discovers." With that feature enabled, maybe you wouldn't have to do two Nmap executions if you didn't want to. The AS number or zone transfer script or whatever could feed new targets to Nmap. Obviously there are some potential complications, but the idea is out there.

In any case, I'll add the AS number idea as a potential application to that TODO item.

Cheers,
Fyodor

Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
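The review-then-`-iL` workflow Fyodor describes above, as an added Python example that is not code from this thread or from Nmap: it parses RPSL-style route objects for one origin AS, counts how many addresses they cover (the number Brandon warns about), drops aggregates larger than a review threshold, and renders what is left as an Nmap `-iL` target file. The route objects, the AS64496/AS64497 numbers and the documentation prefixes are constructed sample data, not any network's real routes, and the /16 cutoff is an arbitrary threshold chosen for illustration.

```python
import ipaddress

# Constructed RPSL-style route objects for a made-up AS (documentation
# prefixes and private-use ASNs); not the real routes of any network.
SAMPLE_ROUTE_OBJECTS = """\
route:   198.51.100.0/24
origin:  AS64496

route:   192.0.2.0/24
origin:  AS64496

route:   100.64.0.0/10
descr:   large transit aggregate, far more than the org's own hosts
origin:  AS64496

route:   203.0.113.0/24
origin:  AS64497
"""


def parse_routes(text, origin_asn):
    """Return IPv4 prefixes from route objects whose origin is origin_asn."""
    prefixes, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():  # a blank line terminates one RPSL object
            if "route" in current and current.get("origin", "").upper() == origin_asn.upper():
                prefixes.append(ipaddress.ip_network(current["route"], strict=False))
            current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip().lower()] = value.strip()
    return prefixes


def total_addresses(prefixes):
    """Address count across the prefixes, the figure Brandon quotes per AS."""
    return sum(p.num_addresses for p in prefixes)


def filter_prefixes(prefixes, longest_allowed=16):
    """Drop aggregates shorter than /longest_allowed (anything bigger than a /16 by default)."""
    return [p for p in prefixes if p.prefixlen >= longest_allowed]


def target_list(prefixes):
    """Render the reviewed prefixes as lines for an Nmap -iL target file."""
    return "".join(f"{p}\n" for p in sorted(prefixes))


if __name__ == "__main__":
    kept = filter_prefixes(parse_routes(SAMPLE_ROUTE_OBJECTS, "AS64496"))
    print(target_list(kept), end="")  # save to a file and pass it to Nmap with -iL
```

Running it prints only the two /24s: the /10 aggregate is counted in `total_addresses` but removed before the target list is written, which is exactly the review step the thread suggests doing between the two Nmap executions.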
Current thread:
- Feature request: scanning an AS Ron (Apr 06)
- Re: Feature request: scanning an AS Brandon Enright (Apr 06)
- Re: Feature request: scanning an AS Ron (Apr 06)
- Re: Feature request: scanning an AS Michael Pattrick (Apr 06)
- Re: Feature request: scanning an AS Fyodor (Apr 08)
- Re: Feature request: scanning an AS Ron (Apr 08)
- Re: Feature request: scanning an AS Ron (Apr 06)
- Re: Feature request: scanning an AS Brandon Enright (Apr 06)
- <Possible follow-ups>
- Re: Feature request: scanning an AS Oliver Day (Apr 08)