Nmap Development mailing list archives
Re: Feature request list all IP addresses of a host name
From: Rob Nicholls <robert () robnicholls co uk>
Date: Thu, 29 Apr 2010 19:04:49 +0100
On Thu, 29 Apr 2010 10:56:04 -0500, Kris Katterjohn <katterjohn () gmail com> wrote:
It's just that specifying one target on the command line but having several get scanned by default doesn't seem right. Use an argument for this behavior since it can be surprising otherwise. Nmap already tells you there are multiple IPs for a domain, so you're not left in the dark.
I agree with Kris. I'm not particularly keen on changing the behaviour. I think the warning is sufficient for the few cases when more than one record is returned. Not all IPs would be scanned if geolocation-aware DNS is used, or if round robin DNS was implemented, so it's possible you're going to "miss" IP addresses anyway. I'm aware that I'm generalising here, but I'd imagine that most people wanting to run a quick test against a big server like www.google.com probably don't want to run it against every IP that Google returns, they just want to check that Nmap is set up correctly.

I'd also imagine that most people tend to scan a particular IP address rather than a fully qualified domain name. If a client asks me to perform a scan, they typically provide me with a list of IP addresses and all of the fully qualified domain names associated with that IP (typically a 1:1 mapping, especially when SSL websites are involved). I can't imagine many people are being asked to perform a port scan without being provided with a list of IP addresses - or without the client caring which of the many IPs gets scanned (sure, they might assume that all of their hosts are built and configured the same, but that's kind of the point of a port scan, to confirm that!). This might change once IPv6 becomes more popular, as it's much easier for clients to enter a domain name than write down a cryptic IPv6 address.

This actually gets more interesting (in my opinion) if I want to do the opposite and scan a host with two (or more) FQDNs that always resolve to the same IP (e.g. someone running a nameserver and mailserver on a single host). If you enter both hostnames (for example mail.yyy.zzz and ns.yyy.zzz) into Nmap, it'll provide two scan reports and appears to send double the number of packets when scanning exactly the same IP (i.e. it's being scanned twice!).

This is essentially a huge waste of packets, and the bad news is that based on some very brief testing I've done at home from a Windows box I'm very concerned that it also results in inaccurate scan reports! The majority of such scans result in the second host returning everything filtered, even though the number of returned packets at the bottom suggests that there were more responses than are displayed. Is Nmap getting confused by the responses for the same IP? I notice that by adding --max-hostgroup 1 the second scan displays accurate results, which is a somewhat elegant workaround for now (I believe a connect scan also does the trick). I also did a quick test against a Linux host (a friend has a wildcard DNS configuration that points at a single Linux server) and saw the same open and closed ports generally only appearing on the first scan report, with the second host typically completely filtered (annoyingly it's not completely consistent, which suggests to me that it's some sort of race condition with responses being attributed to the wrong scan report).

What would be nice would be a way to specify FQDNs to IP addresses in Nmap so it can run the port scans once and then perhaps run the NSE scripts using all of the different FQDNs (for example, a web server with lots of virtual hosts on TCP port 80, or even 443 if they're using a wildcard or SANs). I don't believe there's currently a way of doing this in Nmap other than running a full scan directly against the IP and then running the other scans for each host name just against ports that I'm interested in (which isn't very elegant)?

Rob
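As an added illustration (not code from the thread or from Nmap itself), here is a small Python helper that does the target de-duplication Rob describes: resolve each target, collapse names that share an IP so the IP is scanned only once, and keep the name-to-IP mapping so the names can be replayed later against name-aware checks. `SAMPLE_ZONE`, `table_resolver`, `dedupe_targets` and `nmap_target_list` are constructed for this example; the one-address-per-name default mirrors the warning behaviour the thread discusses.

```python
import ipaddress
from collections import OrderedDict

# Constructed sample zone so the example runs offline (documentation-range
# addresses, not the real records for any of these names).
SAMPLE_ZONE = {
    "mail.yyy.zzz": ["192.0.2.10"],            # two names, one IP
    "ns.yyy.zzz": ["192.0.2.10"],
    "www.example.test": ["198.51.100.1", "198.51.100.2"],  # one name, two IPs
}


def table_resolver(zone):
    """Return a resolve(name) callable backed by a static table.

    Swap in a real resolver (e.g. socket.getaddrinfo) for live use."""
    return lambda name: list(zone.get(name, []))


def dedupe_targets(targets, resolve, all_addresses=False):
    """Collapse hostnames and IP literals to unique IPs.

    Returns (mapping, warnings): mapping is an ordered dict of IP -> names
    that led to it, so each IP is scanned once and the names can be replayed
    against name-aware checks. With all_addresses=False a name with several
    records keeps only the first and a warning is recorded, which mirrors
    the default behaviour described in the thread."""
    mapping = OrderedDict()
    warnings = []
    for target in targets:
        try:
            ipaddress.ip_address(target)      # literal IP: no lookup needed
            addrs = [target]
        except ValueError:
            addrs = resolve(target)
        if not addrs:
            warnings.append(f"{target}: could not resolve")
            continue
        if len(addrs) > 1 and not all_addresses:
            warnings.append(f"{target}: {len(addrs)} addresses, using {addrs[0]}")
            addrs = addrs[:1]
        for ip in addrs:
            names = mapping.setdefault(ip, [])
            if target not in names:
                names.append(target)
    return mapping, warnings


def nmap_target_list(mapping):
    """One unique IP per line, the shape `nmap -iL` reads."""
    return "".join(f"{ip}\n" for ip in mapping)
```

Feeding the de-duplicated list to Nmap scans each address once; the returned mapping tells you which names to revisit per IP afterwards.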