Is there an application that will resolve obfuscated hostnames?

amenex
Joined: 01/03/2015

After several months of learning text scripting at Magic Banana's insistence, there's one last
gap in my project: while Nmap is excellent for getting WhoIs-like data (CIDR blocks, autonomous
system numbers, and country codes) from IP addresses, there are still some multiply-addressed
hostnames that can only be discovered with online searches like Google. True, Nmap can even do
the same sorts of searches for hostnames as for IP addresses, but it doesn't get 'em all.

Google does well because there are many helpful folks who keep track of the many email scams
and malevolences that are frequently used to attack the Internet infrastructure; and the emails
have headers which reveal the originating IP addresses of their senders as well as the hostnames
that go with those IP addresses.

I have been finishing off my spreadsheets by using Google to find the IP addresses that the
scripts cannot find. While entertaining - because of all the multiply-addressed hostnames that
the searches reveal - it's tedious and time-consuming.

Are there such applications that can be used? My manual searches just put the target hostname
in quotes ... and then I scan the results for the IP address(es) that the reporters associate
with that hostname. Any suspicious combination of IP address and nonspecific hostname I can also
search in Hurricane Electric's "BGP" application, which will return all the hostnames (actually,
pointer (PTR) records) that are used to identify the IP addresses in the associated CIDR block.
I sometimes find that address space populated with many identical PTRs.

Thanks,
George Langford

martinh
Joined: 02/21/2014

Not sure if this helps:

"When a hostname is given as a target, it is resolved via the Domain Name System (DNS) to determine the IP address to scan. If the name resolves to more than one IP address, only the first one will be scanned. To make Nmap scan all the resolved addresses instead of only the first one, use the --resolve-all option."

amenex
Joined: 01/03/2015

martinh suggests: "... the --resolve-all option"

Alas, my Trisquel Flidas is using version 7.01, and Nmap didn't start using "--resolve-all" until version 7.70.

Here's the script that I tried, based on https://nmap.org/nsedoc/scripts/resolveall.html

time nmap -Pn -sn --script=resolveall --script-args=newtargets,resolveall.hosts="126.64.uzpak.uz","129.mtsnet.ru",\
"139.188.94-binat-smaug.in-addr.arpa","14.mtsnet.ru","154-70-132.static.xpressgt.co.za",\
"173-232-44.static.rdns.serverhub.com","177.97.223.dynamic.adsl.gvt.net.br" > HostsAll02.txt

Output: Error: segmentation fault (core dumped)

Later, when I returned to my usual scan, but on some hostnames known to have duplicate IP addresses,
some of which have IPv6 alternatives (-6 option in Nmap):

time nmap -Pn -sn -6 --script asn-query -iL Hosts03UAll.txt > HostsAll03U6.txt
and
time nmap -Pn -sn --script asn-query -iL Hosts03UAll.txt > HostsAll03U.txt

Both scans produce alternative IPv4 or IPv6 addresses, which I hadn't noticed in any prior
scans before today.

That's a step in the right direction, but the explicit method that I tried in the first of the three
scripts above appears to have some sort of bug.

These are all real hostnames, but one shouldn't try to visit them, as their owners either don't know
how to configure their servers, or do know and are hiding something.

I think I need to upgrade my version of Nmap, but I'm unsure about the approved Trisquel method of doing so.

Attachments:
Hosts03UAll.txt (780 bytes)
HostsAll03U6.txt (1.12 KB)
HostsAll03U.txt (8.35 KB)
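An added example (not from the thread) for the gap amenex describes: with Nmap 7.01 lacking --resolve-all, a short Python script can resolve every A and AAAA record for each name in an -iL style hosts file and flag the multiply-addressed ones. The hostnames, addresses and the fake_getaddrinfo stub are constructed so it runs offline; pass the default resolver for real lookups.

```python
import socket
import ipaddress
# The resolver argument has socket.getaddrinfo's signature so a stub can be
# injected for offline runs; the default performs real DNS lookups.
def resolve_all(hostname, resolver=socket.getaddrinfo):
    """Every unique IPv4 and IPv6 address reported for hostname, IPv4 first and
    each family in numeric order; unresolvable names give []."""
    try:
        records = resolver(hostname, None, socket.AF_UNSPEC, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    addrs = {ipaddress.ip_address(rec[4][0]) for rec in records}
    return [str(a) for a in sorted(addrs, key=lambda a: (a.version, a))]

def resolve_host_list(lines, resolver=socket.getaddrinfo):
    """Resolve every entry of an Nmap -iL style list: whitespace-separated
    names, '#' starts a comment, blank lines are ignored."""
    results = {}
    for line in lines:
        for name in line.split("#", 1)[0].split():
            results[name] = resolve_all(name, resolver)
    return results

def format_report(results):
    """One tab-separated line per host, flagging multiply-addressed names."""
    out = []
    for name, addrs in results.items():
        tag = "MULTI" if len(addrs) > 1 else ("NONE" if not addrs else "single")
        out.append(f"{name}\t{tag}\t{' '.join(addrs) or '-'}")
    return "\n".join(out)

# Constructed stand-in for DNS (documentation ranges only) so the example runs offline.
_FAKE_DNS = {
    "multi.example.test": ["192.0.2.11", "2001:db8::10", "192.0.2.10"],
    "single.example.test": ["198.51.100.5"],
}

def fake_getaddrinfo(host, port, family=0, type=0, proto=0, flags=0):
    if host not in _FAKE_DNS:
        raise socket.gaierror(-2, "Name or service not known")
    out = []
    for ip in _FAKE_DNS[host]:
        v6 = ":" in ip
        fam = socket.AF_INET6 if v6 else socket.AF_INET
        out.append((fam, socket.SOCK_STREAM, 6, "", (ip, 0, 0, 0) if v6 else (ip, 0)))
    return out

if __name__ == "__main__":
    sample = ["multi.example.test single.example.test", "# comment", "", "missing.example.test"]
    print(format_report(resolve_host_list(sample, fake_getaddrinfo)))
```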