Nmap Development mailing list archives

RE: [BULK] Re: need help with ping of list by name


From: "Norris Carden" <ncarden () ascendfcu org>
Date: Mon, 19 Apr 2010 09:34:46 -0500

-----Original Message-----
From: David Fifield [mailto:david () bamsoftware com] 
Sent: Saturday, April 17, 2010 9:27 PM
To: Norris Carden
Cc: nmap-dev () insecure org
Subject: Re: [BULK] Re: need help with ping of list by name

On Fri, Apr 16, 2010 at 02:12:30PM -0500, Norris Carden wrote:
> What I am trying to do is take a very long list of system names
> enumerated from Active Directory and identify systems that do not
> exist. All I have is computer names. I was hoping Nmap would be able
> to help me with this.
>
> Here are my assumptions:
>
> A system that exists will respond to a ping. I can easily assume these
> exist.
> A system that does not respond to a ping, but has a DNS entry might
> still exist, but is currently powered down.
> A system that has no DNS entry either never existed or has been
> powered off long enough for their DDNS entry to expire. These are the
> systems I am trying to identify.

Are you talking about forward (hostname to IP) or reverse (IP to
hostname) DNS? If I understand you right, the list scan -sL is what
you want. That will print a list of all the targets you specify, along
with their forward and reverse DNS names. Systems that don't have
forward DNS entries will say "Failed to resolve given hostname/IP: xxx".

David Fifield

David, the problem is I can't get Nmap to report that failure to
resolve anything for a host that doesn't have a DNS entry. It reports
what it finds, not what it doesn't. I tried the list scan (-sL) and
didn't get the needed info.

Assume a ping to this list of system names:

Server1 (the server is up)
Server2 (the server is currently down, but was up recently)
Server3 (the server is retired, but the DDNS entry has not expired)
Server4 (the server is retired and the DDNS entry has expired)
Server5 (the server is retired, but another system is up on the same IP)
Server6 (I can't figure out what this status is)

Here's what Nmap reports:

Server1 - Host: x.x.x.1 (Server1.domain.com) Status: Up
Server5 - Host: x.x.x.5 (Server8.domain.com) Status: Up
Server2 - Host: x.x.x.2 (Server2.domain.com) Status: Unknown
Server3 - Host: x.x.x.2 (Server3.domain.com) Status: Unknown
Server6 - Host: x.x.x.9 () Status: Unknown

Nmap fails to report anything on Server4. On Server5, the results don't
tell me anything about Server5, but I now get information on Server8
that I can't correlate. I have no idea the status of Server6 as Nmap is
finding an IP address, but it doesn't correlate to any DNS entry. (I
think) Nmap reports the results in the order received, so the Server5
result comes before the timeouts of Server2 and Server3 (again, I think
this is the case, but not positive). I get nothing reported on Server4.
Nmap also doesn't give me any way to correlate the ping to any specific
name to any specific result... so I honestly have no way of knowing that
Server8 responded to the Server5 ping.

With a small list of system names, this can be done manually, but in a
medium environment, it would take significant time. In a large
enterprise, it would be dang near impossible.

To focus back, I'm trying to determine what computer entries in Active
Directory are stagnant. Maybe I should have looked for a way to query
AD for computers by most recent logon.





_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
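
Added example, not part of the original message or of Nmap: a per-name check that keeps every result tied to the input name, so a failed forward lookup (the Server4 case) and a reverse name that differs from the queried one (the Server5 case) are reported explicitly. The function names and verdict labels are assumptions made for illustration.

```python
import os
import socket
import subprocess
import sys

def resolve(name):
    """Forward lookup: IPv4 address, or None when the name has no DNS entry."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def reverse(ip):
    """Reverse lookup: PTR name, or None when the address has none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def ping(ip):
    """Send one echo request with the system ping (-n on Windows, -c elsewhere)."""
    count_flag = "-n" if os.name == "nt" else "-c"
    result = subprocess.run(["ping", count_flag, "1", ip],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0

def short(hostname):
    """Lower-cased first label, so Server1 matches server1.domain.com."""
    return hostname.split(".")[0].lower()

def classify(name, resolve=resolve, reverse=reverse, ping=ping):
    """Return (name, ip, ptr, verdict); the input name is always the first field."""
    ip = resolve(name)
    if ip is None:
        return (name, None, None, "no-dns")      # stale-entry candidate
    ptr = reverse(ip)
    if ptr and short(ptr) != short(name):
        verdict = "ptr-mismatch"                 # address now belongs to another host
    elif ping(ip):
        verdict = "up"
    else:
        verdict = "dns-only"                     # has a DNS entry, no ping reply
    return (name, ip, ptr, verdict)

if __name__ == "__main__":
    # One computer name per line on stdin, e.g. an export from Active Directory.
    for line in sys.stdin:
        if line.strip():
            print("\t".join(str(field) for field in classify(line.strip())))
```

A name with a forward entry but no reverse entry (the Server6 case) shows `None` in the third field and is classified by the ping result alone.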

