Nmap Development mailing list archives
Re: Google SoC Ideas - Feature Creep?
From: kx <kxmail () gmail com>
Date: Tue, 23 May 2006 19:37:17 -0400
Doug,

You are right on. Lots of options here, and cymru dns might be an option for the interim (I would suggest any additional lookups to nmap's core functionality be opt-in - just my opinion). I suggested whois because it is standard across the big 3 ASN/IP correlators (radb, ripe, cymru), and I could see giving nmap users the choice of performing lookups across 0, 1, 2 or all 3 of them.

I can also see people wanting to use local databases for similar IP correlation info, such as geolocation as you noted, if they have a local instance of GeoIP or Quova. Querying public Looking Glass servers for BGP data definitely has huge potential.

All of this has potential for being core nmap functionality, or being implemented via nmap scripts (could we call it nscripts instead of NASL plugins - heh).

Out of curiosity, had you put together a beta patch for using cymru and the rDNS architecture? If not, I might give it a try just to see how it might work.

Great ideas!

Cheers,
kx

On 5/23/06, doug () hcsw org <doug () hcsw org> wrote:
> Hi kx,
>
> I really like your idea of ASN lookups! Although it hadn't occurred to me to gather this information with Nmap, after thinking about it I now believe this information would complement Nmap's rDNS information extremely well! I definitely think we should integrate ASN into Nmap one way or another.
>
> Using the many available whois servers is definitely an option. As it turns out, it might even be possible to integrate this ASN lookup into the rDNS system. The company you mentioned, Cymru, seems to also offer this same information through a DNS TXT record. The resolution system is even designed similar to the in-addr.arpa domain! Here's a proof of concept:
>
> perl -ne 'chomp; $ip=join(".", reverse(split(/\./, $_))); print `host -t TXT $ip.origin.asn.cymru.com`;'
>
> It reads IPs from stdin, resolves them using cymru.com's service, and prints out their BGP Origin ASNs and even a "country" code:
>
> 196.2.1.6 (ns.jm) gives
> 6.1.2.196.origin.asn.cymru.com text "3586 | 196.2.1.0/24 | JM | arin | 1993-02-11"
>
> 213.200.94.13 (tradesports.com - Irish book) gives
> 13.94.200.213.origin.asn.cymru.com text "3257 | 213.200.64.0/18 | EU | ripencc | 2000-11-14"
>
> Dsylexic hackers might prefer to use host directly:
>
> $ host -t TXT 13.94.200.213.origin.asn.cymru.com
> 13.94.200.213.origin.asn.cymru.com text "3257 | 213.200.64.0/18 | EU | ripencc | 2000-11-14"
>
> I don't know if other providers offer this service or if we'd be comfortable relying on a single provider. If not, whois might still be a better bet since it looks as though there are many companies offering that. Whois querying should then NOT be done by the rDNS framework but rather by the upcoming "NASL" framework. Using Cymru's DNS system would be very much ideal performance-wise because we could combine the queries with the rDNS framework and do both at the same time. Especially when dealing with super-high rtt queries like our recursive DNS requests, we do well to exploit parallelism as much as we can!
>
> If we're going to look for information on an IP outside of the DNS system, we might even want to consider things like more specific geo-location, RBL entries, maybe even deeper BGP information. It would be really cool if we could determine if the target is multi-homed and has many paths into its network. This information could be immediately useful for things like, well, messing with IDS fragment reassembly.
>
> Doug
>
> On Mon, May 22, 2006 at 09:32:07PM -0400 or thereabouts, kx wrote:
>> All of the whois servers I listed are well-respected sources. More info on the cymru service is here:
>>
>> http://www.cymru.com/BGP/asnlookup.html
>>
>> That page also lists their preferred method for bulk lookups.
>>
>> Cheers,
>> kx
>>
>> On 5/22/06, Fyodor <fyodor () insecure org> wrote:
>>> On Sat, May 20, 2006 at 12:56:41AM -0400, kx wrote:
>>>> Just some ideas, not sure what the user base thinks.
>>>>
>>>> AS lookup modeled on the rDNS architecture - asynchronous, parallel, with caching. Option to hit whois databases like whois.cymru.com, whois.radb.net, riswhois.ripe.net, etc... for ASN to IP mapping. Might consider registration and geo data as well.
>>>
>>> That is a good idea. And I can see how the AS number might be useful for the Nmap diagram project. Perhaps there could be circles containing all of the hosts in a single AS to represent organization boundaries. I will add this to the list of possible tasks.
>>>
>>> Does anyone have suggestions as to the best way to obtain this data? Also, you could probably do this with a simple Nmap Scripting Engine script. If such an infrastructure existed yet :). See my next email.
>>>
>>> Cheers,
>>> -F
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev
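The Cymru TXT lookup Doug describes in the quoted message has two mechanical parts: building the reversed-octet query name under origin.asn.cymru.com (the same trick in-addr.arpa uses) and parsing the pipe-separated answer "ASN | prefix | CC | registry | allocated". The following is an added example written for this archive page, not code from the thread or from Nmap. It makes no network query: the answers it consumes are the two records quoted in the thread plus one constructed record, so it runs offline and shows what an enrichment step would do with the data. Two things are my assumptions rather than anything the thread states: that the first field may carry several space-separated origin ASNs, and the `in_prefix` sanity check, which flags an answer whose prefix does not actually contain the queried IP (a cheap guard against a stale cache entry or a mis-keyed result).

```python
import ipaddress

ORIGIN_ZONE = "origin.asn.cymru.com"


def origin_query_name(ip: str) -> str:
    """Return the TXT query name for an IPv4 address: octets reversed,
    then the origin.asn.cymru.com zone appended (mirrors in-addr.arpa)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 addresses are handled in this example")
    return ".".join(reversed(str(addr).split("."))) + "." + ORIGIN_ZONE


def parse_origin_txt(txt: str) -> dict:
    """Parse one Cymru origin record.

    Accepts either the bare quoted string or a full `host -t TXT` output
    line; in both cases the text between the outermost double quotes is
    the record. Fields: ASN(s) | prefix | country | registry | allocated.
    Assumption (not from the thread): the ASN field may list several
    origin ASNs separated by spaces, so it is returned as a list.
    """
    if '"' in txt:
        txt = txt[txt.index('"') + 1 : txt.rindex('"')]
    fields = [f.strip() for f in txt.split("|")]
    if len(fields) != 5:
        raise ValueError(f"unexpected origin record format: {txt!r}")
    return {
        "asns": [int(a) for a in fields[0].split()],
        "prefix": ipaddress.ip_network(fields[1]),
        "country": fields[2],
        "registry": fields[3],
        "allocated": fields[4],
    }


def enrich(answers: dict) -> dict:
    """Map each IP to its parsed record plus an `in_prefix` flag.

    `answers` maps an IPv4 address to the TXT answer received for
    origin_query_name(ip). The flag is False when the announced prefix
    does not contain the IP, which should never happen for a fresh,
    correctly keyed answer and is worth surfacing if it does.
    """
    result = {}
    for ip, txt in answers.items():
        record = parse_origin_txt(txt)
        record["query"] = origin_query_name(ip)
        record["in_prefix"] = ipaddress.ip_address(ip) in record["prefix"]
        result[ip] = record
    return result


# Constructed answer table: the first two records are the ones quoted in
# the thread; the third is an invented multi-origin record to exercise
# the space-separated ASN field, and its prefix deliberately does not
# contain the IP so that in_prefix comes back False.
SAMPLE_ANSWERS = {
    "196.2.1.6": '"3586 | 196.2.1.0/24 | JM | arin | 1993-02-11"',
    "213.200.94.13": "13.94.200.213.origin.asn.cymru.com text "
    '"3257 | 213.200.64.0/18 | EU | ripencc | 2000-11-14"',
    "198.51.100.7": '"64496 64497 | 203.0.113.0/24 | ZZ | example | 2006-05-23"',
}

if __name__ == "__main__":
    for ip, rec in enrich(SAMPLE_ANSWERS).items():
        asns = ",".join(str(a) for a in rec["asns"])
        flag = "" if rec["in_prefix"] else "  (prefix does not contain IP!)"
        print(f"{ip:15} AS{asns:12} {rec['prefix']!s:18} {rec['country']}{flag}")
```

In a scanner this parsing would sit behind the same asynchronous resolver that issues the PTR queries, so the ASN answer costs no extra round-trip time beyond the rDNS batch it rides along with.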
Current thread:
- Google SoC Ideas - Feature Creep? kx (May 19)
- Re: Google SoC Ideas - Feature Creep? Fyodor (May 22)
- Re: Google SoC Ideas - Feature Creep? kx (May 22)
- Re: Google SoC Ideas - Feature Creep? doug (May 23)
- Re: Google SoC Ideas - Feature Creep? kx (May 23)
- Re: Google SoC Ideas - Feature Creep? doug (May 23)
- Re: Google SoC Ideas - Feature Creep? kx (May 22)
- Re: Google SoC Ideas - Feature Creep? Fyodor (May 22)