Nmap Development mailing list archives
Re: Feature request list all IP addresses of a host name
From: Fyodor <fyodor () insecure org>
Date: Wed, 28 Apr 2010 23:23:21 -0700
On Wed, Apr 28, 2010 at 07:19:34PM -0600, David Fifield wrote:

> On Wed, Apr 28, 2010 at 09:11:21PM -0400, Derek wrote:
>
> We do keep track of all the IP addresses, in the Target::resolved_addrs member. But I don't think they're printed out anywhere. Please give us an example of what you want the output to look like.
It is certainly an interesting issue. When I scan Google.com, I get (in verbose mode or not) a line like:

    Hostname google.com resolves to 4 IPs. Only scanned 74.125.19.147

Of course the IP address shifts among the four each time, and someone elsewhere might get a completely different set if it is geo based DNS. I agree that printing all four IPs is desirable, but I wonder if we should go even further. Maybe instead of picking one of the IPs arbitrarily to scan, we should scan ALL the IPs (and print a line noting what we are doing)? When I specify a host name without a subnet mask, that is usually what I want.

It is true that most clients (web browsers, ftp, etc.) do just what Nmap does: pluck one A record from the list. But a scanner is a very different beast. I normally want to look at scan results for each IP and compare for differences. Maybe one of the boxes isn't quite as patched as the others.

I suppose there is a risk that a hostname could have some obscene number of A records. I don't know how many can be returned from a query, but I don't see this as a big issue. People can always specify IP addresses if they don't want to match multiple A records. Or we could even provide an option to select Nmap's current first-IP-in-the-list behavior.

Subnet masks are another issue. What should we do if someone specifies google.com/24? Well, right now I get these IPs for google.com:

    host google.com
    google.com has address 74.125.19.99
    google.com has address 74.125.19.103
    google.com has address 74.125.19.104
    google.com has address 74.125.19.147

So they are in the same /24 anyway. So I think an ideal system would scan 74.125.19.0/24. But what if you specified google.com/28? Then #2 and #3 overlap #1, so we would just end up with 74.125.19.96/28 and 74.125.19.144/28.

A potential downside is that it means the user (and Nmap) can't predict how many IPs will be scanned total until DNS is completed. But users can avoid that risk by using IPs or checking with -sL before they scan or using a special single-ip-per-hostname option if we provide one. And Nmap generally doesn't know how many IPs it has left anyway (though it could know in most cases now if the code was there, and that might provide nice "when will the whole scan be completed" estimates).

I haven't even thought about possible implementation issues yet. I'm trying to figure out what behavior is ideal from a user's standpoint first. Does anyone have opinions on what "nmap google.com" should do?

Cheers,
Fyodor

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
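The target-expansion behaviour proposed in the message above (every A record contributes its /N block, overlapping blocks are merged, and an option keeps the current first-record behaviour), as an added example that is not Nmap's code and not from anyone in the thread. It assumes a constructed DNS table holding the four addresses quoted in the mail instead of doing live lookups, so it runs offline.

```python
"""Expand 'hostname/prefixlen' into the set of networks a scanner would
cover if it used every resolved address rather than one picked at random."""
import ipaddress
from typing import Dict, List

# Constructed stand-in for DNS: the four A records quoted in the mail.
FAKE_DNS: Dict[str, List[str]] = {
    "google.com": ["74.125.19.99", "74.125.19.103",
                   "74.125.19.104", "74.125.19.147"],
}


def resolve_all(hostname: str) -> List[str]:
    """Return every A record for hostname (Nmap keeps these in
    Target::resolved_addrs); empty list if the name does not resolve."""
    return FAKE_DNS.get(hostname, [])


def expand_targets(hostname: str, prefixlen: int = 32,
                   all_ips: bool = True) -> List[ipaddress.IPv4Network]:
    """Networks to scan for hostname/prefixlen.

    all_ips=False reproduces the current one-A-record behaviour. Otherwise
    each record is widened to its /prefixlen block and blocks that overlap
    collapse into one (e.g. .99, .103 and .104 all yield 74.125.19.96/28),
    so the caller never scans the same address twice."""
    addrs = resolve_all(hostname)
    if not all_ips:
        addrs = addrs[:1]
    nets = {ipaddress.ip_network(f"{a}/{prefixlen}", strict=False)
            for a in addrs}
    return sorted(nets)


def target_count(nets: List[ipaddress.IPv4Network]) -> int:
    """Total addresses covered: the number a -sL style pre-check would report,
    which is only knowable once DNS has completed."""
    return sum(n.num_addresses for n in nets)


def describe(hostname: str, prefixlen: int = 32, all_ips: bool = True) -> str:
    """One summary line in the spirit of the 'resolves to N IPs' message."""
    nets = expand_targets(hostname, prefixlen, all_ips)
    n_ips = len(resolve_all(hostname))
    return (f"Hostname {hostname} resolves to {n_ips} IPs. "
            f"Scanning {len(nets)} block(s), {target_count(nets)} address(es): "
            + ", ".join(str(n) for n in nets))


if __name__ == "__main__":
    for plen in (32, 28, 24):
        print(describe("google.com", plen))
    print(describe("google.com", 32, all_ips=False))
```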
Current thread:
- Feature request list all IP addresses of a host name Derek (Apr 28)
- Re: Feature request list all IP addresses of a host name David Fifield (Apr 28)
- Re: Feature request list all IP addresses of a host name kafansi () gmail com (Apr 28)
- Re: Feature request list all IP addresses of a host name Fyodor (Apr 28)
- Re: Feature request list all IP addresses of a host name Djalal Harouni (Apr 29)
- Re: Feature request list all IP addresses of a host name Luis MartinGarcia. (Apr 29)
- Re: Feature request list all IP addresses of a host name Djalal Harouni (Apr 29)
- Re: Feature request list all IP addresses of a host name Kris Katterjohn (Apr 29)
- Re: Feature request list all IP addresses of a host name Ron (Apr 29)
- Re: Feature request list all IP addresses of a host name Kris Katterjohn (Apr 29)
- Re: Feature request list all IP addresses of a host name Rob Nicholls (Apr 29)
- Re: Duplicate IPs in hostgroup (was: Feature request list all IP addresses of a host name) Fyodor (Apr 29)
- Re: Duplicate IPs in hostgroup (was: Feature request list all IP addresses of a host name) David Fifield (Jun 15)
- Re: Duplicate IPs in hostgroup (was: Feature request list all IP addresses of a host name) David Fifield (Jun 25)
- Re: Feature request list all IP addresses of a host name David Fifield (Apr 28)