Re: nmap-2.03 DNS address scanner

["johann sebastian bach" <jsb4ch () hotmail com>]

cool.  someone should do a better implementation that doesnt use 
gethostbyaddr() (maybe use res_mkquery(), and send multiple queries at a 
time.. ) determining hosts are *UN*resolvable takes a long time, and 
going serially is very slow..

another cool thing to add to nmap might be DNS AXFR query capability 
(have it transfer all the ip addresses in the zone and then scan them or 
whatever) so that you could scan based on domain and not ip address, or 
bypass firewalls (maybe in a very obscure case :)))

> From nmap-hackers-return-249-jsb4ch=hotmail.com () insecure org Thu Feb  4 
12:59:58 1999
> Received: (qmail 32164 invoked by uid 505); 4 Feb 1999 20:34:18 -0000
> Mailing-List: contact nmap-hackers-help () insecure org; run by ezmlm
> Precedence: bulk
> Delivered-To: mailing list nmap-hackers () insecure org
> Delivered-To: moderator for nmap-hackers () insecure org
> Received: (qmail 32074 invoked from network); 4 Feb 1999 20:21:42 -0000
> From: Dion Stempfley <dion () riptech com>
> Organization: Riptech Security Consulting
> To: nmap-hackers () insecure org
> Subject: nmap-2.03 DNS address scanner
> Date: Thu, 4 Feb 1999 11:56:48 -0500
> X-Mailer: KMail [version 1.0.14]
> Content-Type: text/plain
> MIME-Version: 1.0
> Message-Id: <99020412144601.01357 () user-38lciv0 dialup mindspring com>
> Content-Transfer-Encoding: 8bit
> X-KMail-Mark:
>
> Just to be annoying, I hacked the options of nmap and got a reasonable
> DNS gethostbyaddr scanner.  I know that there are already other tools 
to do
> this,  but I love the clean way that nmap supports network/mask for 
targetting.
> I only added a "-sD" option and hacked to logic to support it.  The 
scans
> aren't fast, the don't go in parallel, but it works so I thought I 
would offer
> the diffs.
>
> Enjoy,
> dMn 
> dion () riptech com
> --  
> /     Riptech, Inc.           I break hings as a matter of principle.
> |  Security Consulting Group 
> |  http://www.riptech.com              When your staff said you were secure, 
> \_____________________         did they tell you what from? 
>
> ##############################################################
> diff -Naur nmap-2.03/global_structures.h 
nmap-2.03_dns/global_structures.h
> --- nmap-2.03/global_structures.h      Fri Dec 11 16:00:21 1998
> +++ nmap-2.03_dns/global_structures.h  Thu Feb  4 09:08:14 1999
> @@ -162,6 +162,7 @@
>   int udpscan;
>   int noresolve;
>   int force; /* force nmap to continue on even when the outcome seems 
somewhat certain */
> +  int dnsscan;
>   FILE *logfd; /* Output log file descriptor */
>   FILE *machinelogfd; /* Machine parseable log file descriptor */
> };
> diff -Naur nmap-2.03/nmap.c nmap-2.03_dns/nmap.c
> --- nmap-2.03/nmap.c   Tue Jan 12 21:18:05 1999
> +++ nmap-2.03_dns/nmap.c       Thu Feb  4 11:00:18 1999
> @@ -222,7 +222,7 @@
>     break;
>   case 's': 
>     if (!*optarg) {
> -      fprintf(stderr, "An option is required for -s, most common are 
-sT (tcp scan), -sS (SYN scan), -sF (FIN scan), -sU (UDP scan) and -sP 
(Ping scan)");
> +      fprintf(stderr, "An option is required for -s, most common are 
-sT (tcp scan), -sS (SYN scan), -sF (FIN scan), -sU (UDP scan), -sP 
(Ping scan) and -sD (DNS scan)");
>       printusage(argv[0]);
>     }
>       p = optarg;
> @@ -236,11 +236,9 @@
>       case 'P':  o.pingscan = 1; break;
>       case 'S':  o.synscan = 1; break;
>       case 'T':  o.connectscan = 1; break;
> -      case 'U':  
> -        printf("WARNING:  -sU is now UDP scan -- for TCP FIN scan use 
-sF\n");
> -        o.udpscan++;
> -        break;
> +      case 'U':  o.udpscan++; break;
>       case 'X':  o.xmasscan++;break;
> +      case 'D':  o.dnsscan = 1;o.pingtype = 
PINGTYPE_NONE;resolve_all++;break;
>       default:  error("Scantype %c not supported\n",*p); 
printusage(argv[0]); break;
>       }
>       p++;
> @@ -263,7 +261,7 @@
>
> /* Now we check the option sanity */
> /* Insure that at least one scantype is selected */
> -if (!o.connectscan && !o.udpscan && !o.synscan && !o.finscan && 
!o.maimonscan &&  !o.nullscan && !o.xmasscan && !o.bouncescan && 
!o.pingscan) {
> +if (!o.connectscan && !o.udpscan && !o.synscan && !o.finscan && 
!o.maimonscan &&  !o.nullscan && !o.xmasscan && !o.bouncescan && 
!o.pingscan && !o.dnsscan) {
>   o.connectscan++;
>   if (o.verbose) error("No scantype specified, assuming vanilla tcp 
connect() scan. Use -sP if you really don't want to portscan (and just 
want to see what hosts are up).");
> }
> @@ -300,13 +298,16 @@
> if (!o.tcp_probe_port) o.tcp_probe_port = 80;
>
>
> -if (o.pingscan && (o.connectscan || o.udpscan || o.synscan || 
o.finscan || o.maimonscan ||  o.nullscan || o.xmasscan || o.bouncescan)) 
{
> +if (o.pingscan && (o.connectscan || o.udpscan || o.synscan || 
o.finscan || o.maimonscan ||  o.nullscan || o.xmasscan || o.bouncescan 
|| o.dnsscan)) {
>   fatal("Ping scan is not valid with any other scan types (the other 
ones all include a ping scan");
> }
>
> +if (o.dnsscan && (o.connectscan || o.udpscan || o.synscan || o.finscan 
|| o.maimonscan ||  o.nullscan || o.xmasscan || o.bouncescan || 
o.pingscan)) {
> +  fatal("The DNS scan is for gethostbyaddr scans only (do not specify 
any other scan type");
> +}
> +
> /* We start with stuff users should not do if they are not root */
> if (!o.isr00t) {
> -
>   if (o.pingtype & PINGTYPE_ICMP) {
>     error("Warning:  You are not root -- using TCP pingscan rather 
than ICMP");
>     o.pingtype = PINGTYPE_TCP;
> @@ -455,7 +456,7 @@
>
> if (o.debugging > 1) printf("The max # of sockets we are using is: 
%d\n", o.max_sockets);
> -if (randomize)
> +if (randomize && !o.dnsscan)
>   shortfry(ports); 
>
> starttime = time(NULL);
> @@ -476,9 +477,14 @@
>     else {
>       currenths->name = emptystring;
>     }
> -
>     if (o.source) memcpy(&currenths->source_ip, o.source, 
sizeof(struct in_addr));
> -if (!o.pingscan) {
> +
> +if (o.dnsscan) {
> +    nmap_log("Host: %s (%s)\n", inet_ntoa(currenths->host), 
(int)currenths->name==(int)emptystring?"NONE":currenths->name); 
> +    nmap_machine_log("Host: %s (%s)", inet_ntoa(currenths->host), 
> +       (int)currenths->name==(int)emptystring?"NONE":currenths->name);
> +}
> +else if (!o.pingscan) {
>   if (o.pingtype != PINGTYPE_NONE && (currenths->flags & HOST_UP) && 
(o.verbose || o.debugging)) 
>     printf("Host %s (%s) appears to be up ... good.\n", 
currenths->name, inet_ntoa(currenths->host));    
>   else if (o.verbose && o.pingtype != PINGTYPE_NONE && 
!(currenths->flags & HOST_UP)) {  
> @@ -550,7 +556,7 @@
>      os_scan(currenths);
>    }
>    
> -   if (!currenths->ports && !o.pingscan) {
> +   if (!currenths->ports && !o.pingscan && !o.dnsscan) {
>      nmap_log("No ports open for host %s (%s)\n", currenths->name,
>             inet_ntoa(currenths->host));
>      nmap_machine_log("Host: %s (%s) Status: Up", 
> @@ -852,6 +858,7 @@
>    -sP ping \"scan\". Find which hosts on specified network(s) are up 
but don't \n\
>        port scan them\n\
>    -sU UDP port scan, must be r00t\n\
> +   -sD Scan DNS records for resolved names\n\
>    -b <ftp_relay_host> ftp \"bounce attack\" port scan\n\
> Options (none are required, most can be combined):\n\
>    -f use tiny fragmented packets for SYN, FIN, Xmas, or NULL scan.\n\


______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com