
I have a round-robin DNS record I want to test with nmap; currently it only tries one of the IPs (if I run a loop it checks each in order).

Is there a way to have nmap test all A/AAAA records from a DNS record?

example: nmap -p25 rr-test.jacobdevans.com

Castaglia
Jacob Evans

2 Answers

I think it's impossible without a loop. Try to use nping instead of nmap. Example for IPv4:

$ host -t MX gmail.com | awk '{print $NF}' | xargs -I{} host -t A {} | awk '{print $NF}' | xargs -e nping -c 1 -p 25,465 | grep -P "(SENT)|(RECV)"
SENT (0.0014s) Starting TCP Handshake > 74.125.204.26:25
RECV (0.3228s) Handshake with 74.125.204.26:25 completed
SENT (1.0036s) Starting TCP Handshake > 74.125.201.26:25
RECV (1.1765s) Handshake with 74.125.201.26:25 completed
SENT (2.0065s) Starting TCP Handshake > 74.125.28.26:25
RECV (2.2137s) Handshake with 74.125.28.26:25 completed
SENT (3.0086s) Starting TCP Handshake > 173.194.222.26:25
RECV (3.0475s) Handshake with 173.194.222.26:25 completed
SENT (4.0116s) Starting TCP Handshake > 74.125.30.27:25
RECV (4.1853s) Handshake with 74.125.30.27:25 completed
SENT (5.0142s) Starting TCP Handshake > 74.125.204.26:465
SENT (6.0163s) Starting TCP Handshake > 74.125.201.26:465
SENT (7.0184s) Starting TCP Handshake > 74.125.28.26:465
SENT (8.0196s) Starting TCP Handshake > 173.194.222.26:465
SENT (9.0217s) Starting TCP Handshake > 74.125.30.27:465

For IPv6 use this command:

$ host -t MX gmail.com | awk '{print $NF}' | xargs -I{} host -t AAAA {} | awk '{print $NF}' | xargs -e nping -c 1 -6 -p 25,465 | grep -P "(SENT)|(RECV)"
Mikhail Khirgiy
  • Think you can figure it out for v4 and v6 hosts in the same report? – Jacob Evans Apr 12 '17 at 04:15
  • You can combine two commands on one line with the `;` separator character. For example `$ command1 ; command2`. To redirect the output of these commands to one file use: `$ { command1 ; command2 ; } > output_file`. – Mikhail Khirgiy Apr 12 '17 at 07:51


Nmap can accomplish something like this with the resolveall NSE script. It needs the newtargets script argument to be set in order to actually add the other addresses to the scan queue instead of only listing them. So your solution would be:

nmap --script resolveall --script-args newtargets -p25 rr-test.jacobdevans.com

This will work for a name that has multiple A (or AAAA, with the -6 option) records, all of which are returned in response to a single query. Round-robin DNS can be implemented by returning a single A record from a pool in response to each query; the resolveall script will not be able to detect this, since it only sends one query.

EDIT: I forgot that this is a new feature in Nmap 7.40, so earlier versions won't work the same way. For those versions (back to version 5.50) you need to use this syntax:

nmap --script resolveall --script-args "newtargets,resolveall.hosts={rr-test.jacobdevans.com}" -p25
bonsaiviking
  • Does not do what I am looking for: `Other addresses for rr-test.jacobdevans.com (not scanned): 2605:6400:30:fb26::10 2605:6400:20:931::10 2605:6400:10:434::10 199.195.250.251 209.141.51.12` – Jacob Evans Apr 12 '17 at 04:12
  • @JacobEvans Are you sure it did not also scan those addresses? That line is output no matter what because Nmap (port scanner) doesn't know that the other IP addresses added by the NSE script are related at all. As far as it knows, you entered "rr-test.jacobdevans.com 199.195.250.251 209.141.51.12" (IPv6 addresses are not added unless you use `-6`) – bonsaiviking Apr 12 '17 at 18:26
  • https://pastebin.com/niszaR7v I'm sure. @bonsaiviking – Jacob Evans Apr 12 '17 at 18:30
  • @JacobEvans My bad, I forgot I had only changed this recently. Old versions use a more complicated syntax, which I've put in my edited answer above. – bonsaiviking Apr 12 '17 at 19:11
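Both answers leave the same practical gap: the nping pipeline handles one address family per run, and resolveall only adds IPv6 targets when nmap is started with -6, so a single invocation can never cover every A and AAAA record at once. The script below is an added example, not code from either answer or from the Nmap project. It resolves both record types with dig +short (assumed installed), validates and deduplicates the addresses, and plans one nmap run per address family; the sample dig output and the 198.51.100.0/24, 203.0.113.0/24 and 2001:db8::/32 addresses are constructed documentation values, and rr-test.example.invalid is a placeholder name.

```shell
#!/bin/sh
# Scan every A and AAAA record behind one DNS name with nmap.
# nmap needs -6 for IPv6 targets, so the addresses are split by family
# and each family gets its own nmap run. Added example; assumes dig is installed.

# Read addresses (one per line) on stdin and print "v4 ADDR" or "v6 ADDR".
# CNAME targets that dig +short prints before the addresses are dropped,
# and each address is printed only once.
classify_addrs() {
    awk '
        # IPv4: four dot-separated decimal groups
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { if (!seen[$0]++) print "v4 " $0; next }
        # IPv6: hex digits and colons, with at least one colon
        /^[0-9A-Fa-f:]+$/ && /:/           { if (!seen[$0]++) print "v6 " $0; next }
        # anything else (CNAME names, junk) is ignored
    '
}

# Print the nmap command line for each address family present on stdin.
# Arguments are the nmap options to pass through (e.g. -p25). Nothing is run.
plan_scan() {
    classify_addrs | awk -v opts="$*" '
        $1 == "v4" { v4 = v4 " " $2 }
        $1 == "v6" { v6 = v6 " " $2 }
        END {
            base = "nmap"
            if (opts != "") base = base " " opts
            if (v4 != "") print base v4
            if (v6 != "") print base " -6" opts_sep(opts) v6
        }
        # -6 goes right after "nmap" so the printed line stays readable
        function opts_sep(o) { return "" }
    '
}

# Query both record types for one name. Constructed dig output can be piped
# in instead of calling this when no resolver is available.
resolve_all() {
    dig +short A "$1"
    dig +short AAAA "$1"
}

# Sample dig +short output as a constructed input: a CNAME target first, then
# a duplicated IPv4 record and two IPv6 records.
CONSTRUCTED_DIG='rr-test.example.invalid.
198.51.100.10
203.0.113.7
198.51.100.10
2001:db8::10
2001:db8:0:1::10'

# Run only when a host name is given, so the functions can be sourced or tested.
# Usage: ./rr-scan.sh NAME [nmap options...]
if [ "$#" -ge 1 ]; then
    name=$1; shift
    resolve_all "$name" | plan_scan "$@" | while read -r cmd; do
        echo "# $cmd"
        # addresses were whitelisted by classify_addrs; options come from the operator
        $cmd
    done
fi
```

The dry-run planner is the part worth keeping: `printf '%s\n' "$CONSTRUCTED_DIG" | plan_scan -p25` shows exactly which addresses each nmap run will receive before anything is sent, which is also how you confirm that a round-robin name returning a single rotated A record per query (the case the resolveall answer warns about) has actually been enumerated rather than sampled once.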