
Nmap on Windows: use appropriate DNS servers for the target address #1349

Open
dmiller-nmap opened this issue Oct 9, 2018 · 1 comment

Comments

@dmiller-nmap

While investigating #1328, I realized that Nmap may be choosing the "wrong" DNS servers in some cases. Imagine a Windows system connected to several different networks: maybe a VPN, WiFi, and a wired network. The user scans a target on the WiFi network, and Nmap tries to do reverse-DNS lookup of the address. But it retrieves the list of DNS servers from all configured network interfaces and distributes PTR requests across them all. The request may very well go to the VPN's DNS server or the wired Ethernet connection's server.

I propose trying to identify the interface for the target (I think we already track this internally) and using the appropriate servers for that interface, unless --dns-servers is specified.
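An added example, not Nmap's code and not part of either post, of the selection rule proposed above: resolve the target against the on-link prefixes of the interfaces that are actually up, pick the longest match (a default route on the WiFi adapter catches off-link targets), and return only that interface's resolvers unless an explicit override (the --dns-servers case) is given. The interface table, the adapter names (wlan0, vpn0, eth0) and the addresses are constructed sample data, not a real system's configuration.

```python
"""Pick the DNS servers of the interface that routes to a scan target.

Added example, not Nmap's code. It sketches the fix proposed in the issue:
use only the resolvers of the interface whose route covers the target,
instead of every resolver configured on every adapter (including ones that
are down). The interface table is constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Interface:
    name: str
    up: bool                       # operational status; down adapters are ignored
    prefixes: List[str]            # routes reachable through this adapter
    dns_servers: List[str] = field(default_factory=list)


# Constructed sample (assumption): WiFi up with the default route, a VPN up,
# and a stale wired adapter that is down but still has resolvers configured.
SAMPLE_INTERFACES = [
    Interface("wlan0", True, ["192.168.2.0/24", "0.0.0.0/0"], ["192.168.2.1"]),
    Interface("vpn0", True, ["10.8.0.0/16"], ["10.8.0.1"]),
    Interface("eth0", False, ["172.16.0.0/24"], ["208.67.220.220", "208.67.220.222"]),
]


def route_interface(target: str, interfaces: List[Interface]) -> Optional[Interface]:
    """Longest-prefix match of target against the prefixes of UP interfaces."""
    addr = ipaddress.ip_address(target)
    best, best_len = None, -1
    for iface in interfaces:
        if not iface.up:
            continue
        for prefix in iface.prefixes:
            net = ipaddress.ip_network(prefix)
            if addr.version != net.version or addr not in net:
                continue
            if net.prefixlen > best_len:
                best, best_len = iface, net.prefixlen
    return best


def dns_servers_for(target: str, interfaces: List[Interface],
                    override: Optional[List[str]] = None) -> List[str]:
    """Resolvers to use for PTR lookups of target.

    An explicit override (the --dns-servers case) always wins. Otherwise only
    the routing interface's resolvers are returned. If no UP interface has a
    matching route, fall back to the union of resolvers on UP interfaces, so
    that down adapters never contribute.
    """
    if override:
        return list(override)
    iface = route_interface(target, interfaces)
    if iface is not None:
        return list(iface.dns_servers)
    fallback: List[str] = []
    for i in interfaces:
        if i.up:
            for server in i.dns_servers:
                if server not in fallback:
                    fallback.append(server)
    return fallback


if __name__ == "__main__":
    print(dns_servers_for("192.168.2.2", SAMPLE_INTERFACES))            # WiFi resolver only
    print(dns_servers_for("10.8.3.4", SAMPLE_INTERFACES))               # VPN resolver only
    print(dns_servers_for("172.16.0.9", SAMPLE_INTERFACES))             # default route, not eth0
    print(dns_servers_for("192.168.2.2", SAMPLE_INTERFACES, ["9.9.9.9"]))
```

The third call is the case from the comment below: the wired adapter's 208.67.x resolvers are configured but the adapter is down, so they are never selected, and the off-link target follows the default route to the WiFi resolver.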

@newsgrep

It seems like I have encountered a similar problem.

My problem in short:

There are some DNS servers configured on an inactive interface (208.67.220.220 and 208.67.220.222), which are then used by Nmap instead of the DNS server (192.168.2.1) of the active interface (eth1) that is used for the scan. This leads to the problem that the wrong DNS server is used and that local DNS names cannot be resolved.

My System:

Windows 10.0.17134.165 64-bit
Nmap 7.70, Npcap version 0.99-r2, based on libpcap version 1.8.1
Running with administrative privileges
IP of my GW and DNS: 192.168.2.1
IP of a random Linux box on my network: 192.168.2.2
Only connected network interface (wifi / wlan) with one DNS server configured: 192.168.2.1

Nmap output:

When I run "nmap 192.168.2.2 -sn -R -dd" I get this (line numbers added by me):

[... output 1]

     1 Completed ARP Ping Scan at 12:50, 2.34s elapsed (1 total hosts)
     2 Overall sending rates: 0.43 packets / s, 17.93 bytes / s.
     3 mass_rdns: Using DNS server 192.168.2.1
     4 Interface {0b60d9ac-1325-4ea0-87c6-0f1c18d8deeb} is not known; ignoring its nameservers.
     5 mass_rdns: Using DNS server 192.168.2.1
     6 Interface {4a8ac9ba-ee80-49d1-92d4-a53e0847e37f} is not known; ignoring its nameservers.
     7 Interface {52bef847-4ae9-4acf-b091-fd9324e14f89} is not known; ignoring its nameservers.
     8 Interface {5842239c-25bd-409d-9d82-0134c98c5d49} is not known; ignoring its nameservers.
     9 Interface {6aa17278-d045-4e64-93f6-e3d2b1f650d9} is not known; ignoring its nameservers.
    10 Interface {707c25fb-3586-4793-ba00-9400ccf2d0af} is not known; ignoring its nameservers.
    11 Interface {8718928d-cbeb-45ea-a621-800a9249001d} is not known; ignoring its nameservers.
    12 Interface {9787dd06-93e4-4ad0-a234-be6a9f028bdf} is not known; ignoring its nameservers.
    13 Interface {b3c56828-1c21-44bb-9e50-87b99b6afe15} is not known; ignoring its nameservers.
    14 Interface {b5989594-4306-4d77-8b75-7be6b3e3634c} is not known; ignoring its nameservers.
    15 Interface {C2B6F598-4948-4328-B889-68F3CD7D217F} is not known; ignoring its nameservers.
    16 mass_rdns: Using DNS server 192.168.2.1
    17 mass_rdns: Using DNS server 208.67.220.220
    18 mass_rdns: Using DNS server 208.67.220.222
    19 Interface {ed00082b-1ea3-4c13-a24a-ab42ccc70c1c} is not known; ignoring its nameservers.
    20 Interface {ee67dd7f-24fe-11e8-ba91-806e6f6e6963} is not known; ignoring its nameservers.
    21 Interface {fc8b2978-80c8-4de2-b411-da8f4552ba72} is not known; ignoring its nameservers.
    22 NSOCK INFO [7.8590s] nsock_iod_new2(): nsock_iod_new (IOD #1)
    23 NSOCK INFO [7.8750s] nsock_connect_udp(): UDP connection requested to 208.67.220.222:53 (IOD #1) EID 8
    24 NSOCK INFO [7.8750s] nsock_read(): Read request from IOD #1 [208.67.220.222:53] (timeout: -1ms) EID 18
    25 NSOCK INFO [7.8750s] nsock_iod_new2(): nsock_iod_new (IOD #2)
    26 NSOCK INFO [7.8750s] nsock_connect_udp(): UDP connection requested to 208.67.220.220:53 (IOD #2) EID 24
    27 NSOCK INFO [7.8750s] nsock_read(): Read request from IOD #2 [208.67.220.220:53] (timeout: -1ms) EID 34
    28 NSOCK INFO [7.8750s] nsock_iod_new2(): nsock_iod_new (IOD #3)
    29 NSOCK INFO [7.8750s] nsock_connect_udp(): UDP connection requested to 192.168.2.1:53 (IOD #3) EID 40
    30 NSOCK INFO [7.8900s] nsock_read(): Read request from IOD #3 [192.168.2.1:53] (timeout: -1ms) EID 50
    31 NSOCK INFO [7.8900s] nsock_iod_new2(): nsock_iod_new (IOD #4)
    32 NSOCK INFO [7.8900s] nsock_connect_udp(): UDP connection requested to 192.168.2.1:53 (IOD #4) EID 56
    33 NSOCK INFO [7.8900s] nsock_read(): Read request from IOD #4 [192.168.2.1:53] (timeout: -1ms) EID 66
    34 NSOCK INFO [7.8900s] nsock_iod_new2(): nsock_iod_new (IOD #5)
    35 NSOCK INFO [7.8900s] nsock_connect_udp(): UDP connection requested to 192.168.2.1:53 (IOD #5) EID 72
    36 NSOCK INFO [7.9060s] nsock_read(): Read request from IOD #5 [192.168.2.1:53] (timeout: -1ms) EID 82
    37 Initiating Parallel DNS resolution of 1 host. at 12:50
    38 NSOCK INFO [7.9060s] nsock_write(): Write request for 42 bytes to IOD #1 EID 91 [208.67.220.222:53]
    39 NSOCK INFO [7.9060s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [208.67.220.222:53]
    40 NSOCK INFO [7.9060s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 91 [208.67.220.222:53]
    41 NSOCK INFO [7.9060s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 24 [208.67.220.220:53]
    42 NSOCK INFO [7.9060s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 40 [192.168.2.1:53]
    43 NSOCK INFO [7.9060s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 56 [192.168.2.1:53]
    44 NSOCK INFO [7.9060s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 72 [192.168.2.1:53]
    45 NSOCK INFO [7.9370s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [208.67.220.222:53] (101 bytes)
    46 NSOCK INFO [7.9370s] nsock_read(): Read request from IOD #1 [208.67.220.222:53] (timeout: -1ms) EID 98
    47 NSOCK INFO [7.9370s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
    48 NSOCK INFO [7.9370s] nevent_delete(): nevent_delete on event #98 (type READ)
    49 NSOCK INFO [7.9370s] nsock_iod_delete(): nsock_iod_delete (IOD #2)
    50 NSOCK INFO [7.9370s] nevent_delete(): nevent_delete on event #34 (type READ)
    51 NSOCK INFO [7.9370s] nsock_iod_delete(): nsock_iod_delete (IOD #3)
    52 NSOCK INFO [7.9370s] nevent_delete(): nevent_delete on event #50 (type READ)
    53 NSOCK INFO [7.9370s] nsock_iod_delete(): nsock_iod_delete (IOD #4)
    54 NSOCK INFO [7.9370s] nevent_delete(): nevent_delete on event #66 (type READ)
    55 NSOCK INFO [7.9370s] nsock_iod_delete(): nsock_iod_delete (IOD #5)
    56 NSOCK INFO [7.9370s] nevent_delete(): nevent_delete on event #82 (type READ)
    57 mass_rdns: 4.91s 0/1 [#: 5, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
    58 Completed Parallel DNS resolution of 1 host. at 12:50, 0.06s elapsed
    59 DNS resolution of 1 IPs took 4.94s. Mode: Async [#: 5, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
    60 Nmap scan report for 192.168.2.2

[... end of output 1]

My problem in detail:

  • "mass_rdns" finds the DNS server 192.168.2.1 three times, so "nsock_iod_new2(): nsock_iod_new" creates three "IOD #" (Lines 3, 5, 16).
  • It is not printed in the debug output in which file or interface a DNS server was found.
  • nsock_iod_new2(), nsock_connect_udp() and nsock_read() take place before "Initiating Parallel DNS resolution" (Line 37).
  • During the Parallel DNS resolution the "nsock_write():" (Line 38) only takes place for IOD #1 (which is the most recently discovered DNS server 208.67.220.222, Line 18), which, like IOD #2 (208.67.220.220, Line 17), belongs to an inactive interface.
    This means that IOD #1 is the only one with a "WRITE SUCCESS" (EID 91, Line 40) and "READ SUCCESS" (EID 18, Line 45) callback of "nsock_trace_handler_callback()".
  • Also, IOD #1 does a "nsock_read()" twice (EID 18, 98; Lines 24, 46) but only the first nsock_read() receives a callback (Line 45); because of this the "nsock_iod_delete()" (Line 47) for IOD #1 gets associated with EID 98 (Line 48) and so "nevent_delete()" is never run for EID 18 (Line 24).

Further notes:

When I run nmap 192.168.2.2 -sn -R -dd --system-dns,
the resolution over the local DNS server (192.168.2.1) works fine, but the DNS server used is never printed in the output. Actually it feels like there is a lot of debug output missing:

[... start of output 2]

     1 Completed ARP Ping Scan at 13:53, 2.14s elapsed (1 total hosts)
     2 Overall sending rates: 0.47 packets / s, 19.63 bytes / s.
     3 Initiating System DNS resolution of 1 host. at 13:53
     4 Completed System DNS resolution of 1 host. at 13:53, 0.02s elapsed
     5 DNS resolution of 1 IPs took 0.02s. Mode: System [OK: 1, ??: 0]

[... end of output 2]

This is odd, especially compared to the output of the also successful
nmap 192.168.2.2 -sn -R -dd --dns-servers 192.168.2.1:

[... start of output 3]

     1 Completed ARP Ping Scan at 13:57, 2.22s elapsed (1 total hosts)
     2 Overall sending rates: 0.45 packets / s, 18.93 bytes / s.
     3 mass_rdns: Using DNS server 192.168.2.1
     4 NSOCK INFO [2.9690s] nsock_iod_new2(): nsock_iod_new (IOD #1)
     5 NSOCK INFO [2.9690s] nsock_connect_udp(): UDP connection requested to 192.168.2.1:53 (IOD #1) EID 8
     6 NSOCK INFO [2.9840s] nsock_read(): Read request from IOD #1 [192.168.2.1:53] (timeout: -1ms) EID 18
     7 Initiating Parallel DNS resolution of 1 host. at 13:57
     8 NSOCK INFO [2.9840s] nsock_write(): Write request for 42 bytes to IOD #1 EID 27 [192.168.2.1:53]
     9 NSOCK INFO [2.9840s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [192.168.2.1:53]
    10 NSOCK INFO [2.9840s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 [192.168.2.1:53]
    11 NSOCK INFO [2.9840s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [192.168.2.1:53] (118 bytes)
    12 NSOCK INFO [3.0000s] nsock_read(): Read request from IOD #1 [192.168.2.1:53] (timeout: -1ms) EID 34
    13 NSOCK INFO [3.0000s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
    14 NSOCK INFO [3.0000s] nevent_delete(): nevent_delete on event #34 (type READ)
    15 mass_rdns: 0.03s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
    16 Completed Parallel DNS resolution of 1 host. at 13:57, 0.02s elapsed
    17 DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]

[... end of output 3]

Also is there a way to get a more verbose debug output? -v3, -v4, -d3, -d4, -d5, or -d6 like used here https://nmap.org/book/nping-man-output-options.html seem to make no difference at all.
Also I think that line numbers would be great for the debug output.
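An added example, not Nmap's code and not part of the comment above, that turns the observation in output 1 into a check a practitioner can run over any Nmap -dd log: it parses the "mass_rdns: Using DNS server" lines (resolvers Nmap collected), the nsock "UDP connection requested to X:53" lines (sockets opened) and the "Write request ... [X:53]" lines (queries actually sent), and flags every resolver that received a query but is not on the expected list for the scanning interface. The security point is that PTR lookups for internal addresses went to an off-path resolver (here the OpenDNS servers of the down adapter), which leaks internal addressing. The sample log is an excerpt of output 1 above, trimmed to the relevant lines; the expected-resolver set is an assumption supplied by the caller.

```python
"""Audit which resolvers an Nmap -dd run actually queried.

Added example, not Nmap's code. Parses the debug lines Nmap prints with -dd
and reports resolvers that were written to but are not expected for the
interface being scanned from. SAMPLE_LOG is an excerpt of the issue's
output 1, trimmed to the lines this parser consumes.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Set

SAMPLE_LOG = """\
mass_rdns: Using DNS server 192.168.2.1
Interface {0b60d9ac-1325-4ea0-87c6-0f1c18d8deeb} is not known; ignoring its nameservers.
mass_rdns: Using DNS server 192.168.2.1
mass_rdns: Using DNS server 192.168.2.1
mass_rdns: Using DNS server 208.67.220.220
mass_rdns: Using DNS server 208.67.220.222
NSOCK INFO [7.8750s] nsock_connect_udp(): UDP connection requested to 208.67.220.222:53 (IOD #1) EID 8
NSOCK INFO [7.8750s] nsock_connect_udp(): UDP connection requested to 208.67.220.220:53 (IOD #2) EID 24
NSOCK INFO [7.8750s] nsock_connect_udp(): UDP connection requested to 192.168.2.1:53 (IOD #3) EID 40
NSOCK INFO [7.8900s] nsock_connect_udp(): UDP connection requested to 192.168.2.1:53 (IOD #4) EID 56
NSOCK INFO [7.8900s] nsock_connect_udp(): UDP connection requested to 192.168.2.1:53 (IOD #5) EID 72
Initiating Parallel DNS resolution of 1 host. at 12:50
NSOCK INFO [7.9060s] nsock_write(): Write request for 42 bytes to IOD #1 EID 91 [208.67.220.222:53]
NSOCK INFO [7.9370s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [208.67.220.222:53] (101 bytes)
DNS resolution of 1 IPs took 4.94s. Mode: Async [#: 5, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
"""

# Patterns for the three debug lines of interest (formats as seen in output 1).
USING_RE = re.compile(r"^mass_rdns: Using DNS server (\S+)$")
CONNECT_RE = re.compile(r"UDP connection requested to (\S+):53 \(IOD #(\d+)\)")
WRITE_RE = re.compile(r"nsock_write\(\): Write request for \d+ bytes to IOD #(\d+) EID \d+ \[(\S+):53\]")


def parse_resolver_activity(lines: Iterable[str]) -> Dict[str, object]:
    """Collect configured resolvers, opened sockets (IOD -> server) and queried servers."""
    configured: Counter = Counter()      # how often each resolver was listed (duplicates show up here)
    sockets: Dict[str, str] = {}         # IOD number -> resolver the UDP socket points at
    queried: Counter = Counter()         # resolvers that actually received a query
    for line in lines:
        line = line.rstrip("\n")
        m = USING_RE.match(line)
        if m:
            configured[m.group(1)] += 1
            continue
        m = CONNECT_RE.search(line)
        if m:
            sockets[m.group(2)] = m.group(1)
            continue
        m = WRITE_RE.search(line)
        if m:
            queried[m.group(2)] += 1
    return {"configured": configured, "sockets": sockets, "queried": queried}


def unexpected_resolvers(lines: Iterable[str], expected: Set[str]) -> List[str]:
    """Resolvers that received at least one query but are not in the expected set."""
    activity = parse_resolver_activity(lines)
    return sorted(server for server in activity["queried"] if server not in expected)


if __name__ == "__main__":
    activity = parse_resolver_activity(SAMPLE_LOG.splitlines())
    print("configured:", dict(activity["configured"]))
    print("sockets:", activity["sockets"])
    print("queried:", dict(activity["queried"]))
    # Expected set is an assumption: the resolver of the interface used for the scan.
    print("leaked to:", unexpected_resolvers(SAMPLE_LOG.splitlines(), {"192.168.2.1"}))
```

Run against a full -dd capture, the "configured" counter shows the duplicate 192.168.2.1 entries the comment notes, "sockets" shows the five IODs, and "leaked to" names the resolver outside the scanning interface that received the PTR query. For a run with --dns-servers 192.168.2.1 (output 3) the leak list comes back empty.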
