
Forcing DNS resolution

DNS names very often reveal valuable information, because system administrators tend to name hosts after their function, for example firewall or mail.domain.com. By default, Nmap does not perform DNS resolution for a host that appears to be offline. By forcing DNS resolution, we can gather extra information about the network even for hosts that seemed to be down.

This recipe describes how to force DNS resolution for offline hosts during Nmap scans.

How to do it...

Open your terminal and enter the following command:

# nmap -sS -PS -F -R XX.XXX.XXX.220-230

This command will force DNS resolution for offline hosts in the range XX.XXX.XXX.220-230.

Consider using a list scan, which will also perform DNS resolution, respectively -sL.

Yes, a list scan will do that. What I'm trying to convey here is that you can include DNS information of hosts that are down during a port scan or when running an NSE script.

How it works...

The arguments -sS -PS -F -R tell Nmap to perform a TCP SYN Stealth (-sS), SYN ping (-PS), fast port scan (-F), and always perform DNS resolution (-R).

Let's say we want to scan the two IPs surrounding the domain 0xdeadbeefcafe.com, which has the IP XX.XXX.XXX.223. The following command can be used:

# nmap -sS -PS -F -R XX.XXX.XXX.222-224
Nmap scan report for liXX-XXX.members.linode.com (XX.XXX.XXX.222) 
Host is up (0.11s latency). 
All 100 scanned ports on liXX-XXX.members.linode.com (XX.XXX.XXX.222) are filtered 

Nmap scan report for 0xdeadbeefcafe.com (XX.XXX.XXX.223) 
Host is up (0.11s latency). 
Not shown: 96 closed ports 
PORT STATE SERVICE 
22/tcp open ssh 
25/tcp open smtp 

Nmap scan report for mail.0xdeadbeefcafe.com (XX.XXX.XXX.224) 
Host is up (0.11s latency). 
Not shown: 96 closed ports 
PORT STATE SERVICE 
25/tcp filtered smtp

In this case, a quick scan has told us that this is probably a VPS hosted by Linode and is the location of their mail server as well.
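The value of forcing resolution with -R is that a down host still gets a "Nmap scan report for name (ip)" header, so the function-revealing names end up in the scan output. The following parser, which is an added example and not code from the book or the Nmap project, reads Nmap's normal output into per-host records and flags hostnames whose labels hint at a role. The sample input copies the scan report shown above (IPs masked as in the book) plus one constructed down-host entry under example.net; the ROLE_LABELS set is an illustrative assumption, not an Nmap feature.

```python
import re
from typing import Dict, List, Optional

# Sample Nmap normal output, constructed for this example: the first three
# reports are copied from the recipe above (IPs masked as in the book); the
# last report is a constructed entry for a host that was down, which Nmap
# only names in the output when DNS resolution is forced with -R.
SAMPLE_OUTPUT = """\
Nmap scan report for liXX-XXX.members.linode.com (XX.XXX.XXX.222)
Host is up (0.11s latency).
All 100 scanned ports on liXX-XXX.members.linode.com (XX.XXX.XXX.222) are filtered

Nmap scan report for 0xdeadbeefcafe.com (XX.XXX.XXX.223)
Host is up (0.11s latency).
Not shown: 96 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp

Nmap scan report for mail.0xdeadbeefcafe.com (XX.XXX.XXX.224)
Host is up (0.11s latency).
Not shown: 96 closed ports
PORT STATE SERVICE
25/tcp filtered smtp

Nmap scan report for firewall.example.net (192.0.2.10)
Host is down.
"""

# "Nmap scan report for name (ip)" when the name resolved, else just "for ip".
REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>[^\s()]+)\)?$"
)
# One port line of the port table, e.g. "22/tcp open ssh".
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
)

# Hostname labels that commonly reveal a host's role (assumed, illustrative
# list for a defender reviewing what the DNS zone leaks about the network).
ROLE_LABELS = {"mail", "smtp", "mx", "fw", "firewall", "vpn", "db",
               "sql", "dev", "test", "backup"}


def parse_nmap_output(text: str) -> List[Dict]:
    """Parse Nmap normal output into a list of host records."""
    hosts: List[Dict] = []
    current: Optional[Dict] = None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            current = {"name": m.group("name"), "ip": m.group("ip"),
                       "up": None, "ports": []}
            hosts.append(current)
            continue
        if current is None:
            continue  # banner lines before the first report
        if line.startswith("Host is up"):
            current["up"] = True
        elif line.startswith("Host is down"):
            current["up"] = False
        else:
            pm = PORT_RE.match(line)
            if pm:
                current["ports"].append({
                    "port": int(pm.group("port")),
                    "proto": pm.group("proto"),
                    "state": pm.group("state"),
                    "service": pm.group("service"),
                })
    return hosts


def role_hints(hosts: List[Dict]) -> List[tuple]:
    """Return (hostname, label) for every resolved name with a role-like label."""
    hints = []
    for host in hosts:
        name = host["name"]
        if not name:
            continue
        for label in re.split(r"[.-]", name.lower()):
            if label in ROLE_LABELS:
                hints.append((name, label))
                break
    return hints


if __name__ == "__main__":
    parsed = parse_nmap_output(SAMPLE_OUTPUT)
    for h in parsed:
        state = "up" if h["up"] else "down"
        print(f"{h['ip']:16} {h['name'] or '-':35} {state:5} "
              f"open={[p['port'] for p in h['ports'] if p['state'] == 'open']}")
    for name, label in role_hints(parsed):
        print(f"role hint: {name} looks like a '{label}' host")
```

Note that the down host contributes no port data but still yields a role hint, which is exactly the extra information the -R flag buys; with -n the same host would appear only by IP, if at all.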

There's more...

You can also disable DNS resolution completely with the argument -n. This speeds up scans and is highly recommended whenever you don't need to resolve hostnames.

# nmap -sS -PS -F -n scanme.nmap.org

Specifying different DNS nameservers

For DNS resolution, Nmap by default queries your system's DNS server. Alternative DNS nameservers can be set with the argument --dns-servers. For example, to use Google's open DNS servers:

# nmap -sS -PS -R --dns-servers 8.8.8.8,8.8.4.4 <target>

See also

  • The Hiding our traffic with additional random data recipe
  • The Scanning using specific port ranges recipe in Chapter 1, Nmap Fundamentals
  • The Spoofing the origin IP of a port scan recipe in Chapter 3, Gathering Additional Host Information
  • The Excluding hosts from your scans recipe
  • The Scanning IPv6 addresses recipe
  • The Skipping tests to speed up long scans recipe in Chapter 7, Scanning Large Networks
  • The Adjusting timing parameters recipe in Chapter 7, Scanning Large Networks
  • The Selecting the correct timing template recipe in Chapter 7, Scanning Large Networks