Using nmap to Generate Host Lists - Networking



  1. Using nmap to Generate Host Lists

    I wrote a quick little tutorial on how to use nmap to generate a list
    of hosts.

    http://systemnotesorg.blogspot.com/2...ost-lists.html

    I hope it is useful to someone.


  2. Re: Using nmap to Generate Host Lists

    On 2 Apr 2007, in the Usenet newsgroup comp.os.linux.networking, in article
    <1175552212.738277.115340@y80g2000hsf.googlegroups.com>, systemnotes@gmail.com
    wrote:

    >I wrote a quick little tutorial on how to use nmap to generate a list
    >of hosts.
    >
    >http://systemnotesorg.blogspot.com/2007/04/using-nmap-to-generate-host-lists.html
    [Indented material below is from a snapshot of that page grabbed around
    04:00 UTC on 03 April 2007]

    Using nmap to Generate Host Lists

    An easy way to get a list of hosts from a single domain that you are a
    part of, is to query DNS

    host -l mydomain.com

    But that is not always practical. Sometimes you have machines that are
    in different domains, but they all are part of a network you manage.
    Rather than trying to write a script that pings hosts and reports the
    output, just use nmap for a very fast scan.

    Two problems - the primary being that you are still depending on DNS to
    provide name resolution, and despite the inverse resolution function
    being a part of DNS since the earliest documents ("may" in RFC0882, and
    required in RFC1035, but see also RFC1536, 1912, 2050, 2181, and others)
    a lot of network administrators don't think it necessary to provide this
    service. This is a big problem in the insecure world of microsoft
    brainwashed admins who think DHCP and mDNS are adequate. Thus, you can't
    depend on getting a correct answer from the DNS.

    Secondly, be VERY careful using nmap to scan a network. Some security
    and network administrators react harshly to such scans, deeming them to
    be abuse.

    >I hope it is useful to someone.


    The "ping every host" technique (or pinging a broadcast address) has
    been much less useful since about 1995, when skript-kiddiez discovered
    the Internet, and how to knock a windoze box off the air just by pinging
    it. As a result, many networks block ICMP Echo, and many administrators
    have disabled ping responders on the individual hosts. Additional forms
    of abuse have resulted in additional firewall rules, and disabled
    services. Even _detecting_ the existence of a system is more difficult,
    given network switches in place of hubs or coaxial networks. Nonetheless,
    using a packet sniffer such as 'tcpdump', 'ethereal' (now called
    'wireshark') or even 'ngrep' is often more successful, even though they
    are passive tools, and only provide information when the "targets" are
    transmitting.

    Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
    Host (192.168.0.0) appears to be down.
    Host box1.mydomain.com (192.168.0.1) appears to be up.

    [...]

    Notice how names are resolved for existing hosts, but only an IP is
    returned, if there is no DNS record (e.g. 192.168.0.0).

    In your example, you are using /24 networks, which means that the first
    IP address (here, 192.168.0.0) is the "network" address, not a host
    (just as the last address - here, 192.168.0.255 - would be the broadcast
    address). Some operating systems allow the "network" address to be used
    as a host, but this is much less common.

    echo "nmap -sP -R -iL subnets.dat | grep "to be up" | awk '{print
    \$2}' "

    Minor typo - the slash belongs at the end of the first line, as it is
    escaping the newline that immediately follows.

    To get rid of the parenthesis, I redirected the output to
    hosts_up.dat, and piped the output to grep and awk to illustrate:

    cat hosts_up.dat | grep \( | awk -F[\(\)] '{print $2}'

    Overkill - awk is more expensive to use than "tr -d '()'" ;-)

    Old guy
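As an added illustration of the parsing point raised above (this is example code, not the blog post's script or anything posted in the thread), the following shell functions turn the old nmap 3.x "-sP" output format shown in the reply into a host list. The sample output is constructed for the example; the host with no PTR record (here 192.168.0.5) is there to show the "Host (ip)" form that breaks a naive `awk '{print $2}'`, and the parentheses are stripped with `tr -d '()'` as the reply suggests rather than with awk field splitting.

```shell
#!/bin/sh
# Added example, not from the thread or the blog post: parse nmap 3.x "-sP"
# output into a host list whether or not reverse DNS resolved a name.

# Constructed sample in the nmap 3.00 format quoted in the thread. The
# address with no PTR record is printed as "Host (ip)", with no name field.
SAMPLE_NMAP_OUTPUT='Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host (192.168.0.0) appears to be down.
Host box1.mydomain.com (192.168.0.1) appears to be up.
Host (192.168.0.5) appears to be up.
Host printer.other.example (192.168.0.20) appears to be up.
Host (192.168.0.255) appears to be down.'

# Print one IP per "appears to be up" line. The awk loop looks for the
# parenthesised field wherever it sits, so it works with or without a
# resolved name, and tr strips the parentheses afterwards.
up_hosts() {
    grep 'appears to be up' |
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\(.*\)$/) print $i }' |
    tr -d '()'
}

# Same idea, but keep the resolved name as a second column, printing "-"
# when DNS returned nothing, so the list can be diffed against an inventory.
up_hosts_with_names() {
    grep 'appears to be up' |
    awk '{ name = "-"; ip = ""
           for (i = 2; i <= NF; i++) {
               if ($i ~ /^\(.*\)$/) { ip = $i; break }
               name = $i
           }
           gsub(/[()]/, "", ip)
           print ip, name }'
}

# Stand-alone demo when the file is run directly.
printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | up_hosts
```

Feeding real output is just `nmap -sP -R -iL subnets.dat | up_hosts`; the `-R` matters because, as the reply notes, a blank name column is the normal case on networks whose admins never set up inverse resolution, and a parser that assumes the name is always there silently drops exactly those hosts.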

  3. Re: Using nmap to Generate Host Lists

    On Tue, 03 Apr 2007 14:50:37 -0500, Moe Trin wrote:
    >
    > The "ping every host" technique (or pinging a broadcast address) has
    > been much less useful since about 1995, when skript-kiddiez discovered
    > the Internet, and how to knock a windoze box off the air just by pinging
    > it.


    And, the Winders boxen (at least my First Wife's XP) do *not* respond
    to a ping on a broadcast address.

    Jonesy
