Nmap Development mailing list archives

RE: [BULK] Re: Feature request list all IP addresses of a host name


From: "Norris Carden" <ncarden () ascendfcu org>
Date: Fri, 30 Apr 2010 09:16:34 -0500

How about -sL with an option for multiple lookups so that even in a round robin situation you're likely to get all IPs 
in a group?

Norris Carden 
 


-----Original Message-----
From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org] On Behalf Of Rob Nicholls
Sent: Thursday, April 29, 2010 1:05 PM
To: Kris Katterjohn
Cc: Luis MartinGarcia.; nmap-dev; Fyodor; Ron
Subject: [BULK] Re: Feature request list all IP addresses of a host name
Importance: Low

On Thu, 29 Apr 2010 10:56:04 -0500, Kris Katterjohn <katterjohn () gmail com>
wrote:
It's just that specifying one target on the command line but having
several get scanned by default doesn't seem right.  Use an argument for
this behavior since it can be surprising otherwise.  Nmap already tells
you there are multiple IPs for a domain, so you're not left in the dark.

I agree with Kris. I'm not particularly keen on changing the behaviour. I
think the warning is sufficient for the few cases when more than one record
is returned. Not all IPs would be scanned if geolocation-aware DNS is used,
or if round robin DNS was implemented, so it's possible you're going to
"miss" IP addresses anyway. I'm aware that I'm generalising here, but I'd
imagine that most people wanting to run a quick test against a big server
like www.google.com probably don't want to run it against every IP that
Google returns, they just want to check that Nmap is set up correctly.

I'd also imagine that most people tend to scan a particular IP address
rather than a fully qualified domain name. If a client asks me to perform a
scan, they typically provide me with a list of IP addresses and all of the
fully qualified domain names associated with that IP (typically a 1:1
mapping, especially when SSL websites are involved). I can't imagine many
people are being asked to perform a port scan without being provided with a
list of IP addresses - or without the client caring which of the many IPs
gets scanned (sure, they might assume that all of their hosts are built and
configured the same, but that's kind of the point of a port scan, to
confirm that!). This might change once IPv6 becomes more popular, as it's
much easier for clients to enter a domain name than write down a cryptic
IPv6 address.

This actually gets more interesting (in my opinion) if I want to do the
opposite and scan a host with two (or more) FQDNs that always resolve to
the same IP (e.g. someone running a nameserver and mailserver on a single
host). If you enter both hostnames (for example mail.yyy.zzz and
ns.yyy.zzz) into Nmap, it'll provide two scan reports and appears to send
double the number of packets when scanning exactly the same IP (i.e. it's
being scanned twice!). This is essentially a huge waste of packets, and the
bad news is that based on some very brief testing I've done at home from a
Windows box I'm very concerned that it also results in inaccurate scan
reports! The majority of such scans result in the second host returning
everything filtered, even though the number of returned packets at the
bottom suggests that there were more responses than are displayed.

Is Nmap getting confused by the responses for the same IP? I notice that
by adding --max-hostgroup 1 the second scan displays accurate results,
which is a somewhat elegant workaround for now (I believe a connect scan
also does the trick). I also did a quick test against a Linux host (a
friend has a wildcard DNS configuration that points at a single Linux
server) and saw the same open and closed ports generally only appearing on
the first scan report, with the second host typically completely filtered
(annoyingly it's not completely consistent, which suggests to me that it's
some sort of race condition with responses being attributed to the wrong
scan report).

What would be nice would be a way to specify FQDNs to IP addresses in Nmap
so it can run the port scans once and then perhaps run the NSE scripts
using all of the different FQDNs (for example, a web server with lots of
virtual hosts on TCP port 80, or even 443 if they're using a wildcard or
SANs). I don't believe there's currently a way of doing this in Nmap other
than running a full scan directly against the IP and then running the other
scans for each host name just against ports that I'm interested in (which
isn't very elegant)?

Rob

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


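A small target-list helper, added here as an illustration and not code from the thread or from Nmap itself, that combines the two points raised above: Norris's repeated lookups so that every address behind a round-robin name is collected, and Rob's wish to port-scan a shared IP once while keeping the list of FQDNs that map to it for per-name follow-up. The resolver is injectable; `constructed_resolver`, its addresses and the name www.example.test are assumptions (mail.yyy.zzz and ns.yyy.zzz are Rob's own example names).

```python
import socket
from collections import defaultdict
from typing import Callable, Dict, List

def system_resolver(hostname: str) -> List[str]:
    """Every address the system resolver reports for one query."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def collect_addresses(hostnames: List[str],
                      resolve: Callable[[str], List[str]] = system_resolver,
                      lookups: int = 5) -> Dict[str, List[str]]:
    """Union of addresses per hostname over `lookups` queries: a round-robin
    name may hand out a different subset each time, so one lookup can miss some."""
    seen = {}
    for host in hostnames:
        addrs = set()
        for _ in range(lookups):
            addrs.update(resolve(host))
        seen[host] = sorted(addrs)
    return seen

def group_by_address(host_addrs: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Invert the map: address -> FQDNs sharing it.  mail.yyy.zzz and ns.yyy.zzz
    collapse to one entry, so the IP is scanned once and the names are kept."""
    groups = defaultdict(set)
    for host, addrs in host_addrs.items():
        for addr in addrs:
            groups[addr].add(host)
    return {addr: sorted(hosts) for addr, hosts in groups.items()}

def unique_targets(host_addrs: Dict[str, List[str]]) -> List[str]:
    """Deduplicated addresses; written one per line this is an nmap -iL file."""
    return sorted(group_by_address(host_addrs))

def constructed_resolver() -> Callable[[str], List[str]]:
    """Constructed stand-in for DNS (assumed data, not real records): the
    round-robin name rotates through pairs of three addresses; two names share one."""
    pool = ["198.51.100.10", "198.51.100.11", "198.51.100.12"]
    shared = {"mail.yyy.zzz": ["203.0.113.25"], "ns.yyy.zzz": ["203.0.113.25"]}
    calls = {"n": 0}
    def resolve(host: str) -> List[str]:
        if host != "www.example.test":
            return shared.get(host, [])
        i, calls["n"] = calls["n"], calls["n"] + 1
        return [pool[i % 3], pool[(i + 1) % 3]]
    return resolve
```

With the constructed resolver a single lookup of www.example.test yields two addresses and three lookups yield all three, while the two shared names produce one scan target.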
