Nmap Development mailing list archives

Re: Feature request: scanning an AS


From: Fyodor <fyodor () insecure org>
Date: Thu, 8 Apr 2010 02:31:56 -0700

On Tue, Apr 06, 2010 at 03:04:57PM -0500, Ron wrote:
> On Tue, 6 Apr 2010 19:48:22 +0000 Brandon Enright <bmenrigh () ucsd edu>
> wrote:
> > It does sound cool.  I think spending the time to do the lookup
> > yourself will actually save a lot of time in the long run.
> >
> > For example, if you look up insecure.org you find it is routed out
> > AS8121.  When you look up that AS you find they route 65792 IPs.  Do
> > you ever want to scan more than a /16 when you started with a target
> > of one or two hosts?
> >
> > Here's a more extreme example.  If you look up UCSD you find out we're
> > AS7377.  When you look up our ranges you find out we route 17,057,024
> > IPs.  I can understand wanting to scan all of the IPs for an
> > organization but scanning all IPs for their AS is generally not what
> > you want.
> >
> > Brandon
>
> Yeah, you're absolutely right. If it's non-trivial, it's probably
> pointless to implement. But if it's something that can be done
> reasonably easily, it might be a "wow cool!" type of feature to add.

It might make a good NSE script, though I suppose it would be best as
one of those network (once per Nmap execution) scripts we've been
talking about adding.  As it is right now, you'd have to give a bogus
target like in your California license plate script
(http://www.skullsecurity.org/blog/?p=723).

As Brandon notes, in many cases you may not want to scan every IP in
an AS.  But sometimes you do, and even when you don't it can be a good
starting point.  So it would be nice to have a script which could
output the IP ranges for an AS, and then you could filter/review them
before running Nmap again with -iL and your target list.

I see this as similar to the way we have a script for doing zone
transfers, which you may review/filter and then pass to a new Nmap -iL
execution.

Section 3.3.3 "Internet Routing Information" of the Nmap book covers
finding IP addresses based on AS numbers, using Microsoft (AS #8075)
as an example.

Note that Nmap already does let you do a scan with 0 targets, which
would be useful for running a script like this.

Also, when I last chatted with David about the network scripts idea,
he made this statement which I recorded in the TODO item:

  "I regret saying this before I say it, because I'm imagining
   implementation difficulties, we should think about having such
   auxiliary scripts be able to do things like host discovery, and
   then let the following phases work on the list it discovers."

With that feature enabled, maybe you wouldn't have to do two Nmap
executions if you didn't want to.  The AS number or zone transfer
script or whatever could feed new targets to Nmap.  Obviously there
are some potential complications, but the idea is out there.

In any case, I'll add the AS number idea as a potential application to
that TODO item.

Cheers,
Fyodor
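The "list the AS's prefixes, review and filter them, then hand the survivors to a second Nmap run with -iL" workflow that Fyodor and Brandon describe, as an added illustration; this is not code from the thread, from Nmap, or from the NSE script being proposed. The prefix listing is constructed: it uses private and documentation address space, sized so that the per-AS totals reproduce the counts Brandon quotes (65,792 and 17,057,024 addresses), and it is not those organisations' real routing. The one-line `route: <prefix> origin: <ASN>` format is an assumed simplification of routing-registry output rather than any particular tool's format, and the /16 "budget" is the threshold Brandon proposes as a sanity check.

```python
import ipaddress

# Constructed sample listing (NOT real announcements). Sized so that AS8121
# totals 65,792 addresses (a /16 plus a /24) and AS7377 totals 17,057,024
# (/8 + /14 + /18 + /22 + /24), matching the counts quoted in the thread.
# AS65000 carries two adjacent /25s to show aggregation, plus a malformed
# line (host bits set) that a parser must skip rather than crash on.
SAMPLE_ROUTES = """\
# route objects, one per line (constructed sample)
route: 198.18.0.0/16       origin: AS8121
route: 192.0.2.0/24        origin: AS8121
route: 10.0.0.0/8          origin: AS7377
route: 172.16.0.0/14       origin: AS7377
route: 172.20.0.0/18       origin: AS7377
route: 172.21.0.0/22       origin: AS7377
route: 198.51.100.0/24     origin: AS7377
route: 203.0.113.0/25      origin: AS65000
route: 203.0.113.128/25    origin: AS65000
route: 203.0.113.1/24      origin: AS65000
"""

DEFAULT_BUDGET = 2 ** 16  # a /16; Brandon's "do you ever want more than this?"


def parse_routes(text):
    """Map 'ASnnnn' -> [IPv4Network, ...]; comments, junk and invalid prefixes are skipped."""
    per_as = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "route:" or parts[2] != "origin:":
            continue  # comment or unexpected layout
        try:
            net = ipaddress.ip_network(parts[1])  # strict: rejects host bits set
        except ValueError:
            continue
        per_as.setdefault(parts[3].upper(), []).append(net)
    return per_as


def prefixes_for_as(per_as, asn):
    """Sorted, minimal prefix list for one AS (overlaps and adjacent pairs merged)."""
    return list(ipaddress.collapse_addresses(per_as.get(asn.upper(), [])))


def address_count(nets):
    """Total addresses covered by a prefix list."""
    return sum(n.num_addresses for n in nets)


def exceeds_budget(nets, budget=DEFAULT_BUDGET):
    """True when the list is larger than the review threshold (a /16 by default)."""
    return address_count(nets) > budget


def exclude_ranges(nets, excluded):
    """The review/filter step: carve the 'excluded' networks out of 'nets'.
    A prefix that partly overlaps an exclusion is split into the remaining pieces."""
    pieces = list(nets)
    for ex in excluded:
        kept = []
        for p in pieces:
            if p.subnet_of(ex):
                continue  # entirely inside an exclusion: drop it
            if ex.subnet_of(p):
                kept.extend(p.address_exclude(ex))  # punch the hole out
            else:
                kept.append(p)
        pieces = kept
    return list(ipaddress.collapse_addresses(pieces))


def nmap_target_list(nets):
    """Contents of the file to pass to 'nmap -iL'; -iL accepts CIDR notation directly."""
    return "".join(f"{n}\n" for n in nets)


if __name__ == "__main__":
    per_as = parse_routes(SAMPLE_ROUTES)
    for asn in sorted(per_as):
        nets = prefixes_for_as(per_as, asn)
        flag = "REVIEW: larger than a /16" if exceeds_budget(nets) else "ok"
        print(f"{asn}: {len(nets)} prefixes, {address_count(nets):,} addresses [{flag}]")
    # Example of the filter step before writing the -iL file.
    trimmed = exclude_ranges(prefixes_for_as(per_as, "AS8121"),
                             [ipaddress.ip_network("198.18.0.0/17")])
    print(nmap_target_list(trimmed), end="")
```

Because -iL accepts CIDR blocks, the target file never needs the prefixes expanded to individual addresses; keeping it as a short prefix list is also what makes the review step practical for an AS the size of AS7377.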
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
