Re: Google SoC Ideas - Feature Creep?

[kx <kxmail () gmail com>]

Doug,
  You are right on. Lots of options here, and cymru dns might be an
option for the interim (I would suggest any additional lookups to
nmap's core functionality be opt-in - just my opinion).
  I suggested whois because it is standard across the big 3 ASN/IP
correlators (radb, ripe, cymru), and I could see giving nmap users the
choice of performing lookups across 0,1,2 or all 3 of them.
  I can also see people wanting to use local databases for similar IP
correlation info, such as geolocation as you noted, if they have a
local instance of GeoIP or Quova.
  Querying public Looking Glass servers for BGP data definitely has
huge potential.

All of this has potential for being core nmap functionality, or being
implemented via nmap scripts (could we call it nscripts instead of
NASL plugins - heh).

Out of curiosity, had you put together a beta patch for using cymru
and the rDNS architecture? If not, I might give it a try just to see
how it might work.

Great ideas!

Cheers,
  kx


On 5/23/06, doug () hcsw org <doug () hcsw org> wrote:
> Hi kx,
>
> I really like your idea of ASN lookups! Although it hadn't occured to me
> to gather this information with Nmap, after thinking about it I now believe
> this information would complement Nmap's rDNS information extremely well!
>
> I definitley think we should integrate ASN into Nmap one way or another.
> Using the many available whois servers is definitley an option. As it turns out,
> It might even be possible to integrate this ASN lookup into the rDNS system. The company
> you mentioned, Cymru, seems to also offer this same information through a DNS
> TXT record. The resolution system is even designed similar to the in-addr.arpa domain!
>
> Here's a proof of concept:
>
> perl -ne 'chomp; $ip=join(".", reverse(split(/\./, $_))); print `host -t TXT $ip.origin.asn.cymru.com`;
>
> It reads IPs from stdin, resolves them using cymru.com's service, and
> prints out their BGP Origin ASNs and even a "country" code:
>
> 196.2.1.6 (ns.jm) gives
>
> 6.1.2.196.origin.asn.cymru.com text "3586 | 196.2.1.0/24 | JM | arin | 1993-02-11"
>
> 213.200.94.13 (tradesports.com - Irish book) gives
>
> 13.94.200.213.origin.asn.cymru.com text "3257 | 213.200.64.0/18 | EU | ripencc | 2000-11-14"
>
>
> Dsylexic hackers might prefer to use host directly:
>
> $ host -t TXT 13.94.200.213.origin.asn.cymru.com
> 13.94.200.213.origin.asn.cymru.com text "3257 | 213.200.64.0/18 | EU | ripencc | 2000-11-14"
>
>
> I don't know if other providers offer this service or if we'd be comfortable
> relying on a single provider. If not, whois might still be a better bet since
> it looks as though there are many companies offering that. Whois querying should
> then NOT be done by the rDNS framework but rather by the upcoming "NASL" framework.
>
> Using Cymru's DNS system would be very much ideal performance-wise because we
> could combine the queries with the rDNS framework and do both at the same time.
> Especially when dealing with super-high rtt queries like our recursive DNS requests,
> we do well to exploit parallelism as much as we can!
>
> If we're going to look for information on an IP outside of the DNS system, we
> might even want to consider things like more specific geo-location, RBL entries,
> maybe even deeper BGP information. It would be really cool if we could determine
> if the target is multi-homed and has many paths into its network. This information
> could be immediatley useful for things like, well, messing with IDS fragment reassembly.
>
> Doug
>
>
>
>
> On Mon, May 22, 2006 at 09:32:07PM -0400 or thereabouts, kx wrote:
> > All of the whois servers I listed are well-respected sources.
> >
> > More info on the cymru service is here:
> >
> > http://www.cymru.com/BGP/asnlookup.html
> >
> > That page also lists their preferred method for bulk lookups.
> >
> > Cheers,
> >   kx
> >
> > On 5/22/06, Fyodor <fyodor () insecure org> wrote:
> > > On Sat, May 20, 2006 at 12:56:41AM -0400, kx wrote:
> > > > Just some ideas, not sure what the user base thinks.
> > > >
> > > > AS lookup modeled on the rDNS architecture - asynchronous, parallel,
> > > > with caching.  Option to hit whois databases like whois.cymru.com,
> > > > whois.radb.net , riswhois.ripe.net, etc... for ASN to IP mapping.
> > > > Might consider registration and geo data as well.
> > >
> > > That is a good idea.  And I can see how the AS number might be useful
> > > for the Nmap diagram project.  Perhaps there could be circles
> > > containing all of the hosts in a single AS to represent organization
> > > boundaries.  I will add this to the list of possible tasks.  Does
> > > anyone have suggestions as to the best way to obtain this data?
> > >
> > > Also, you could probably do this with a simple Nmap Scripting Engine
> > > script.  If such an infrastructure existed yet :).  See my next email.
> > >
> > > Cheers,
> > > -F
> >
> >
> > _______________________________________________
> > Sent through the nmap-dev mailing list
> > http://cgi.insecure.org/mailman/listinfo/nmap-dev
>
>
>
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev