nmap-2.03 DNS address scanner
From: Dion Stempfley <dion () riptech com>
Date: Thu, 4 Feb 1999 11:56:48 -0500
Just to be annoying, I hacked the options of nmap and got a reasonable DNS gethostbyaddr scanner. I know that there are already other tools to do this, but I love the clean way that nmap supports network/mask for targetting. I only added a "-sD" option and hacked to logic to support it. The scans aren't fast, the don't go in parallel, but it works so I thought I would offer the diffs. Enjoy, dMn dion () riptech com -- / Riptech, Inc. I break hings as a matter of principle. | Security Consulting Group | http://www.riptech.com When your staff said you were secure, \_____________________ did they tell you what from?
##############################################################
diff -Naur nmap-2.03/global_structures.h nmap-2.03_dns/global_structures.h
--- nmap-2.03/global_structures.h Fri Dec 11 16:00:21 1998
+++ nmap-2.03_dns/global_structures.h Thu Feb 4 09:08:14 1999
@@ -162,6 +162,7 @@
 int udpscan;
 int noresolve;
 int force; /* force nmap to continue on even when the outcome seems somewhat certain */
+ int dnsscan;
 FILE *logfd; /* Output log file descriptor */
 FILE *machinelogfd; /* Machine parseable log file descriptor */
 };
diff -Naur nmap-2.03/nmap.c nmap-2.03_dns/nmap.c
--- nmap-2.03/nmap.c Tue Jan 12 21:18:05 1999
+++ nmap-2.03_dns/nmap.c Thu Feb 4 11:00:18 1999
@@ -222,7 +222,7 @@
 break;
 case 's':
 if (!*optarg) {
- fprintf(stderr, "An option is required for -s, most common are -sT (tcp scan), -sS (SYN scan), -sF (FIN scan), -sU (UDP scan) and -sP (Ping scan)");
+ fprintf(stderr, "An option is required for -s, most common are -sT (tcp scan), -sS (SYN scan), -sF (FIN scan), -sU (UDP scan), -sP (Ping scan) and -sD (DNS scan)");
 printusage(argv[0]);
 }
 p = optarg;
@@ -236,11 +236,9 @@
 case 'P': o.pingscan = 1; break;
 case 'S': o.synscan = 1; break;
 case 'T': o.connectscan = 1; break;
- case 'U':
- printf("WARNING: -sU is now UDP scan -- for TCP FIN scan use -sF\n");
- o.udpscan++;
- break;
+ case 'U': o.udpscan++; break;
 case 'X': o.xmasscan++;break;
+ case 'D': o.dnsscan = 1;o.pingtype = PINGTYPE_NONE;resolve_all++;break;
 default: error("Scantype %c not supported\n",*p); printusage(argv[0]); break;
 }
 p++;
@@ -263,7 +261,7 @@
 /* Now we check the option sanity */
 /* Insure that at least one scantype is selected */
-if (!o.connectscan && !o.udpscan && !o.synscan && !o.finscan && !o.maimonscan && !o.nullscan && !o.xmasscan && !o.bouncescan && !o.pingscan) {
+if (!o.connectscan && !o.udpscan && !o.synscan && !o.finscan && !o.maimonscan && !o.nullscan && !o.xmasscan && !o.bouncescan && !o.pingscan && !o.dnsscan) {
 o.connectscan++;
 if (o.verbose) error("No scantype specified, assuming vanilla tcp connect() scan. Use -sP if you really don't want to portscan (and just want to see what hosts are up).");
 }
@@ -300,13 +298,16 @@
 if (!o.tcp_probe_port) o.tcp_probe_port = 80;
-if (o.pingscan && (o.connectscan || o.udpscan || o.synscan || o.finscan || o.maimonscan || o.nullscan || o.xmasscan || o.bouncescan)) {
+if (o.pingscan && (o.connectscan || o.udpscan || o.synscan || o.finscan || o.maimonscan || o.nullscan || o.xmasscan || o.bouncescan || o.dnsscan)) {
 fatal("Ping scan is not valid with any other scan types (the other ones all include a ping scan");
 }
+if (o.dnsscan && (o.connectscan || o.udpscan || o.synscan || o.finscan || o.maimonscan || o.nullscan || o.xmasscan || o.bouncescan || o.pingscan)) {
+ fatal("The DNS scan is for gethostbyaddr scans only (do not specify any other scan type");
+}
+
 /* We start with stuff users should not do if they are not root */
 if (!o.isr00t) {
- if (o.pingtype & PINGTYPE_ICMP) {
 error("Warning: You are not root -- using TCP pingscan rather than ICMP");
 o.pingtype = PINGTYPE_TCP;
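Review bot: The `case 'U'` rewrite in the first hunk on this line drops the `printf("WARNING: -sU is now UDP scan -- for TCP FIN scan use -sF\n")` hint, a behaviour change unrelated to the new DNS scan that the description does not mention; keep it as a separate change or call it out. The new `case 'D'` line packs three statements onto one line, and a short comment would help a reader see why the ping type is cleared here, e.g. `case 'D': o.dnsscan = 1; o.pingtype = PINGTYPE_NONE; resolve_all++; break; /* reverse-DNS only: no ping, force lookups */`. The enclosing switch and option loop continue outside the hunk.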
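Review bot: The last hunk on this line removes `if (o.pingtype & PINGTYPE_ICMP) {` from the non-root block but shows no matching removal of its closing brace, so unless that brace is dropped in a change not shown here the braces no longer balance. Even if it compiles, the fallback `o.pingtype = PINGTYPE_TCP;` now runs for every unprivileged user, which would override the `PINGTYPE_NONE` set by `case 'D'` earlier on this line and, if the host-discovery path honours o.pingtype, make an unprivileged `-sD` send TCP probes to targets it was only meant to resolve. Restoring the guard, `if (o.pingtype & PINGTYPE_ICMP) {`, keeps the DNS-only scan quiet on the wire. The non-root block continues past the end of the hunk.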
@@ -455,7 +456,7 @@
 if (o.debugging > 1) printf("The max # of sockets we are using is: %d\n", o.max_sockets);
-if (randomize)
+if (randomize && !o.dnsscan)
 shortfry(ports);
 starttime = time(NULL);
@@ -476,9 +477,14 @@
 else {
 currenths->name = emptystring;
 }
- if (o.source) memcpy(¤ths->source_ip, o.source, sizeof(struct in_addr));
-if (!o.pingscan) {
+
+if (o.dnsscan) {
+ nmap_log("Host: %s (%s)\n", inet_ntoa(currenths->host), (int)currenths->name==(int)emptystring?"NONE":currenths->name);
+ nmap_machine_log("Host: %s (%s)", inet_ntoa(currenths->host),
+ (int)currenths->name==(int)emptystring?"NONE":currenths->name);
+}
+else if (!o.pingscan) {
 if (o.pingtype != PINGTYPE_NONE && (currenths->flags & HOST_UP) && (o.verbose || o.debugging)) printf("Host %s (%s) appears to be up ... good.\n", currenths->name, inet_ntoa(currenths->host));
 else if (o.verbose && o.pingtype != PINGTYPE_NONE && !(currenths->flags & HOST_UP)) {
@@ -550,7 +556,7 @@
 os_scan(currenths);
 }
- if (!currenths->ports && !o.pingscan) {
+ if (!currenths->ports && !o.pingscan && !o.dnsscan) {
 nmap_log("No ports open for host %s (%s)\n", currenths->name, inet_ntoa(currenths->host));
 nmap_machine_log("Host: %s (%s) Status: Up",
@@ -852,6 +858,7 @@
 -sP ping \"scan\". Find which hosts on specified network(s) are up but don't \n\
 port scan them\n\
 -sU UDP port scan, must be r00t\n\
+ -sD Scan DNS records for resolved names\n\
 -b <ftp_relay_host> ftp \"bounce attack\" port scan\n\
 Options (none are required, most can be combined):\n\
 -f use tiny fragmented packets for SYN, FIN, Xmas, or NULL scan.\n\
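Review bot: The `@@ -476,9 +477,14 @@` hunk removes the line `if (o.source) memcpy(&currenths->source_ip, o.source, sizeof(struct in_addr));` (the archive renders `&curren` as `¤`), which has nothing to do with the DNS scan and, if o.source carries the user-chosen source address, silently stops it being applied for every scan type; that line should stay as context. The new `(int)currenths->name==(int)emptystring` compares two pointers through an int cast, which truncates on platforms where pointers are wider than int and can then report a false match; compare the pointers directly, `currenths->name == emptystring ? "NONE" : currenths->name`, in both the nmap_log and nmap_machine_log calls. The host loop this sits in starts and ends outside the hunk.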