I have a number of nodes on a couple of networks whose hostnames all start with org. Some examples are:

  • orgwebsvr1
  • orgwebsvr2
  • orgwebsvr3
  • orgdbsvrmysql
  • orgdbsvrmssql
  • orgdbsvrosql

With nmap, I know that I can scan multiple targets using the IP or an external list. But I want to discover all the devices on a network that start with org. Is there such a way to write that using nmap?

Thank you.

user717236

2 Answers

3

Assuming the hosts all have valid DNS entries, you can do a list scan querying the DNS for each host on your target network, then filter the output to a file and use it as target for a second nmap scan:

nmap -sL 192.168.0.0/24 | awk '{print $5}' | grep ^org > ~/targets.txt; nmap -iL ~/targets.txt

blau
  • A more accurate command: `nmap -sL -oG - 192.168.0.0/24 | awk '$3~/^(org/{print $2}' | nmap -iL -`; This will only check hostnames, not other output, and will pipe directly to the second nmap instance. – bonsaiviking Mar 21 '13 at 15:43
  • I like your command more, but it needs an extra escape to the awk command: `nmap -sL -oG - 192.168.0.0/24 | awk '$3~/^\(org/{print $2}' | nmap -iL -` – blau Mar 21 '13 at 15:51
  • Thanks, I always forget between awk, sed, grep, and vi which syntax must be escaped. – bonsaiviking Mar 21 '13 at 15:54
  • This is incredible, thank you. What would be the equivalent in a Windows machine? If there is none, you need a programming language like Perl, how would you do it Perl? Thank you. – user717236 Mar 22 '13 at 18:49
  • I'm not looking for something downloading sed, awk, or grep for Windows. Those are fine, but I'd prefer something innate like PowerShell or Perl. – user717236 Mar 22 '13 at 19:03
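The pipeline from the answer and the comment thread, written out as an added example (not code from blau or bonsaiviking). It reads `nmap -sL -oG -` output on standard input and prints the IP of every host whose reverse-DNS name starts with a prefix, so the result can be fed straight into `nmap -iL -`. The awk test uses a literal `substr` comparison instead of a regex, which sidesteps the `(`-escaping problem the comments ran into. The sample scan output is constructed, not real, and the hostnames in it are made up.

```sh
#!/bin/sh
# Added example: filter nmap grepable list-scan output down to the addresses
# whose reverse-DNS name begins with a prefix.
# Intended use:  nmap -sL -oG - 192.168.0.0/24 | org_hosts_from_grepable org | nmap -iL -

# Print $2 (the IP) of every "Host:" line whose $3, the hostname in
# parentheses, starts with "(" followed by the prefix given as $1.
# Hosts without a reverse-DNS entry appear as "Host: 1.2.3.4 ()" and are
# skipped, as are the "# Nmap ..." banner lines.
org_hosts_from_grepable() {
    awk -v prefix="$1" '
        $1 == "Host:" && substr($3, 2, length(prefix)) == prefix { print $2 }
    '
}

# Constructed sample of what `nmap -sL -oG -` prints; not real scan output.
# "morgue-pc" contains "org" but does not start with it, so it must not match.
sample_grepable() {
    cat <<'EOF'
# Nmap 6.25 scan initiated (constructed sample)
Host: 192.168.0.1 ()    Status: Unknown
Host: 192.168.0.5 (orgwebsvr1)    Status: Unknown
Host: 192.168.0.6 (orgdbsvrmysql)    Status: Unknown
Host: 192.168.0.7 (printer01)    Status: Unknown
Host: 192.168.0.8 (morgue-pc)    Status: Unknown
# Nmap done at (constructed sample)
EOF
}

# Run the filter over the sample; prints 192.168.0.5 and 192.168.0.6.
demo_output() {
    sample_grepable | org_hosts_from_grepable org
}

if [ "${1:-}" = "--demo" ]; then
    demo_output
fi
```

Because `-sL` never sends a packet to the hosts, the only traffic this generates is the reverse lookups, which is why the prefix filter has to run on the list scan's output rather than on a live scan.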
2

Three routes to handle this, not related to NMAP directly.

  1. If you have an inventory system (or directory) of hosts, you should be able to query that to find your related IP addresses.
  2. Since you presumably manage DNS for this network, you should be able to access your nameserver details to find all A (host) records that match your pattern and get the associated IP addresses.
  3. Manually scan all DNS PTR (reverse) records across your IP space and find the hosts you care about using a simple regex like /^org/ (if you have reverse DNS records setup).

In all cases, you then can pass the resulting IPs to NMAP to conduct your scan (unless you were just wanting to use NMAP for the discovery portion and not actual scans).

Mark Stanislav