Nmap Development mailing list archives

Re: Feature request list all IP addresses of a host name


From: Kris Katterjohn <katterjohn () gmail com>
Date: Thu, 29 Apr 2010 10:56:04 -0500

On Thu, 29 Apr 2010 10:34:09 -0500
Ron <ron () skullsecurity net> wrote:

> It seems to me, the way Nmap currently works, you're missing
> potentially important data. If the same hostname points to multiple
> addresses, and the different addresses have different configurations,
> or one is compromised, then you're basically closing your eyes and
> taking a shot in the dark. The next time you scan the same address,
> you aren't necessarily scanning the same machine. In other words, the
> current method of only scanning the first IP address is likely
> missing things, and is also non-deterministic.


Agreed.

> I would personally advocate scanning all addresses (or the first x
> for a reasonable value of x (16?) with a warning if there are too
> many) by default, and giving options to scan one or all. I realize
> the issues with changing the output for sysadmins, but I think they'd
> rather go "holy crap, we have a Trojan on one of our 10 servers!?"
> than "hmm, looks fine to me!"


However, I still disagree here.  Having the ability to scan multiple
IPs retrieved for a domain does sound (very) useful at times but doesn't
sound like good default behavior.  Sysadmins can still get that "holy
crap" moment by using an additional command argument, so thrusting this
behavior upon everyone by default doesn't gain anything.

It's just that specifying one target on the command line but having
several get scanned by default doesn't seem right.  Use an argument for
this behavior since it can be surprising otherwise.  Nmap already tells
you there are multiple IPs for a domain, so you're not left in the dark.

Cheers,
Kris Katterjohn
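The behaviour the thread argues about, as an added example that is neither part of this post nor Nmap's own code: resolve every address for a hostname, apply either policy (first address only, as Nmap does, or all addresses capped at x=16 with a warning), and show why first-only is non-deterministic under round-robin DNS. Function names, the `nmap -iL` target-list usage and the addresses in the test data are assumptions or constructed.

```python
"""Target selection for a hostname that resolves to several addresses."""
import socket
from typing import List, Tuple

DEFAULT_CAP = 16  # the "reasonable value of x" floated in the thread


def resolve_all(hostname: str) -> List[str]:
    """Every unique address for hostname, in resolver order.
    Assumption: plain socket.getaddrinfo; needs network access to run."""
    seen, out = set(), []
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(hostname, None):
        ip = sockaddr[0]
        if ip not in seen:
            seen.add(ip)
            out.append(ip)
    return out


def select_targets(addresses: List[str], scan_all: bool = False,
                   cap: int = DEFAULT_CAP) -> Tuple[List[str], str]:
    """Apply one of the two policies discussed.
    first-only (current Nmap behaviour) or all addresses up to `cap`.
    Returns (targets, warning); targets can be written one per line for nmap -iL."""
    unique = list(dict.fromkeys(addresses))  # de-duplicate, keep resolver order
    if not scan_all:
        return unique[:1], ""
    if len(unique) > cap:
        return unique[:cap], f"{len(unique)} addresses resolved; scanning only the first {cap}"
    return unique, ""


def rotate(addresses: List[str], n: int) -> List[str]:
    """Model round-robin DNS: same answer set, rotated by n between lookups."""
    if not addresses:
        return []
    n %= len(addresses)
    return addresses[n:] + addresses[:n]


def first_only_varies(addresses: List[str], lookups: int = 3) -> Tuple[int, int]:
    """Count distinct outcomes over `lookups` rotated answers for each policy.
    First-only yields a different host per lookup; the full set is stable."""
    firsts = {select_targets(rotate(addresses, i))[0][0] for i in range(lookups)}
    full = {tuple(sorted(select_targets(rotate(addresses, i), scan_all=True)[0]))
            for i in range(lookups)}
    return len(firsts), len(full)
```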

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
