Forcing DNS resolution
DNS names very often reveal valuable information because system administrators name their hosts according to their functions, such as firewall or mail.domain.com. Nmap, by default, does not perform DNS resolution if a host is offline. By forcing DNS resolution, we can gather extra information about the network even if the host seemed to be offline.
This recipe describes how to force DNS resolution for offline hosts during Nmap scans.
How to do it...
Open your terminal and enter the following command:
# nmap -sS -PS -F -R XX.XXX.XXX.220-230
This command will force DNS resolution for offline hosts in the range XX.XXX.XXX.220-230.
Consider using a list scan, which will also perform DNS resolution, respectively -sL.
Yes, a list scan will do that. What I'm trying to convey here is that you can include DNS information of hosts that are down during a port scan or when running an NSE script.
How it works...
The arguments -sS -PS -F -R tell Nmap to perform a TCP SYN Stealth scan (-sS), SYN ping (-PS), fast port scan (-F), and always perform DNS resolution (-R).
Let's say we want to scan the two IPs surrounding the domain 0xdeadbeefcafe.com with IP XX.XXX.XXX.223. The following command can be used:
# nmap -sS -PS -F -R XX.XXX.XXX.222-224
Nmap scan report for liXX-XXX.members.linode.com (XX.XXX.XXX.222)
Host is up (0.11s latency).
All 100 scanned ports on liXX-XXX.members.linode.com (XX.XXX.XXX.222) are filtered
Nmap scan report for 0xdeadbeefcafe.com (XX.XXX.XXX.223)
Host is up (0.11s latency).
Not shown: 96 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
25/tcp open  smtp
Nmap scan report for mail.0xdeadbeefcafe.com (XX.XXX.XXX.224)
Host is up (0.11s latency).
Not shown: 96 closed ports
PORT   STATE    SERVICE
25/tcp filtered smtp
In this case, a quick scan has told us that this is probably a VPS hosted by Linode and that it is also the location of their mail server.
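As an added example (not from the book), here is a small Python parser for the normal-output format shown above: it groups the report into per-host records, keeps offline hosts that -R still resolved, and flags role hints such as "mail" or "fw" in the resolved names. The sample report is constructed, uses 192.0.2.x documentation addresses, and assumes the scan also ran with -v so that a down host is printed with the [host down] marker; the ROLE_HINTS table is a hypothetical starting list.

```python
import re

# Constructed sample in Nmap's normal-output format, modelled on the report above;
# 192.0.2.x are documentation addresses. The last host is offline but, thanks to -R,
# still appears with its name (assumes -v so that down hosts are printed at all).
SAMPLE_REPORT = """\
Nmap scan report for 0xdeadbeefcafe.com (192.0.2.223)
Host is up (0.11s latency).
PORT   STATE SERVICE
22/tcp open  ssh
25/tcp open  smtp
Nmap scan report for mail.0xdeadbeefcafe.com (192.0.2.224)
Host is up (0.11s latency).
PORT   STATE    SERVICE
25/tcp filtered smtp
Nmap scan report for fw.0xdeadbeefcafe.com (192.0.2.225) [host down]
"""

# Hostname labels that commonly hint at a host's role (hypothetical list; extend as needed).
ROLE_HINTS = {"mail": "mail", "smtp": "mail", "mx": "mail", "fw": "firewall",
              "firewall": "firewall", "vpn": "vpn", "ns": "dns", "dns": "dns",
              "db": "database", "sql": "database", "www": "web"}

# "Nmap scan report for <name> (<ip>)", or just "<ip>" when there is no PTR record;
# offline hosts carry a trailing "[host down]" marker.
REPORT_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?( \[host down\])?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def role_hints(hostname):
    """Map the labels of a DNS name (split on dots and hyphens) to role hints."""
    labels = re.split(r"[.-]", hostname.lower())
    return sorted({ROLE_HINTS[l] for l in labels if l in ROLE_HINTS})


def parse_report(text):
    """Group Nmap normal output into per-host records: name, state, open ports, role hints."""
    hosts = []
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            name, ip, down = m.groups()
            hostname = name if ip else None          # no parentheses means no PTR record
            hosts.append({"hostname": hostname, "ip": ip or name, "up": down is None,
                          "open_ports": [], "roles": role_hints(hostname) if hostname else []})
            continue
        p = PORT_RE.match(line)
        if p and hosts and p.group(3) == "open":
            hosts[-1]["open_ports"].append(f"{p.group(1)}/{p.group(2)}")
    return hosts
```

Running parse_report over a real report saved with -oN gives the same records, so naming hints from offline hosts are not lost when you only skim the open ports.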
There's more...
You can also disable DNS resolution completely with the argument -n. This speeds up scans and is highly recommended if you don't need to resolve hostnames.
# nmap -sS -PS -F -n scanme.nmap.org
See also
- The Hiding our traffic with additional random data recipe
- The Scanning using specific port ranges recipe in Chapter 1, Nmap Fundamentals
- The Spoofing the origin IP of a port scan recipe in Chapter 3, Gathering Additional Host Information
- The Excluding hosts from your scans recipe
- The Scanning IPv6 addresses recipe
- The Skipping tests to speed up long scans recipe in Chapter 7, Scanning Large Networks
- The Adjusting timing parameters recipe in Chapter 7, Scanning Large Networks
- The Selecting the correct timing template recipe in Chapter 7, Scanning Large Networks