multiple host IPs: Feature request to scan all IPs per default or at least offer a cmd line switch #949
Comments
@drwetter For part 1 you can use the "resolveall" script like so:
This will add all resulting IP addresses to the target list, not just the first one. For part 2, I thought Nmap did use the hostname for SNI if it was specified as a hostname in the target list, but I haven't actually verified that.
Nmap will use stdnse.get_hostname for both SNI and the HTTP One hack could be to instrument a lightweight resolver, such as
Yes, thx. But a) I am wondering whether scanning all IPs shouldn't be the default. b) also if not: The solution you suggested may have side effects, depends on the scripts invoked. For part 2: my mistake, I looked at the wrong scan. You're right.
Just added this today after some refactoring over the weekend. New syntax "*all" appended to target name will result in scanning all IP addresses for the target. Each one will have the same targetname, so SNI and HTTP Host header for vhosts should work perfectly. Remaining issue: requests made through http.get are cached by hostname and port, so there will be cross-caching. I think we should split the http cache into separate ones in each host registry (if present), and only fall back to the global cache if host cache is unavailable. That way large parts of the cache drop out when each host is done scanning. Thoughts, @nnposter?
I do not quite follow what you mean by
Namely, what would populate the global cache vs. the host-specific one and under what condition the host cache would not be available. Trying to contemplate the issue completely independently, I think that the best approach might perhaps be to:
This way the localized instance-specific findings will not get polluted by simultaneous scanning of sibling instances while we still optimize for a situation where multiple hosts/targets might be invoking the same script that is then repeatedly requesting some third-party data.
That's exactly what I was trying to describe, thanks. The host cache is unavailable from the point of view of the http library when the "host" is a string and not a table with a registry subtable (i.e. not a NSE host object passed to a script by NSE). This would be the case when using
Thx btw!
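The per-host cache with global fallback discussed in the comments above, as an added Lua illustration that is not the Nmap http library's own code: `cache_for`, `cache_key`, `cached_get` and the two sample host objects are hypothetical; only `host.registry`, `host.targetname` and `host.ip` are real NSE host fields.

```lua
-- Added illustration (not Nmap's http.lua): a response cache that lives in
-- host.registry when a real NSE host object is passed, and falls back to a
-- script-global table when "host" is a plain string (an IP or hostname literal).
-- All function names here are hypothetical.

local global_cache = {}   -- fallback, shared across every host in the scan

-- Pick the cache to use: per-host if host is an NSE host table with a
-- registry subtable, otherwise the global one.
local function cache_for(host)
  if type(host) == "table" and type(host.registry) == "table" then
    host.registry.http_cache = host.registry.http_cache or {}
    return host.registry.http_cache
  end
  return global_cache
end

-- Key stays hostname+port as in the thread; isolation comes from the table chosen,
-- so two IPs sharing one targetname (what "*all" produces) no longer collide.
local function cache_key(host, port, path)
  local name = (type(host) == "table" and (host.targetname or host.ip)) or host
  local pnum = (type(port) == "table" and port.number) or port
  return name .. ":" .. tostring(pnum) .. path
end

-- Return the cached body for (host, port, path), calling do_request only on a miss.
local function cached_get(host, port, path, do_request)
  local cache, key = cache_for(host), cache_key(host, port, path)
  if cache[key] == nil then
    cache[key] = do_request(host, port, path)
  end
  return cache[key]
end

-- Constructed demo: two hosts with the same targetname but distinct IPs/registries.
local hosts = {
  { ip = "192.0.2.10", targetname = "www.example.com", registry = {} },
  { ip = "192.0.2.11", targetname = "www.example.com", registry = {} },
}
local fetches = 0
local function fake_request(host) fetches = fetches + 1; return "body from " .. host.ip end

for _, h in ipairs(hosts) do
  print(cached_get(h, 443, "/", fake_request))   -- one real request per host
  print(cached_get(h, 443, "/", fake_request))   -- second call served from that host's cache
end
print(fetches)                                   -- 2, not 1: no cross-caching between IPs
```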
Hello there,
I have a target which resolves to multiple IP addresses, let's say 1 through 4. There are two things I don't get and wasn't able to find in the man page.
For 1) it would be great to have a switch at least so that I can tell nmap to scan all IPs and not only one.
For 2) a switch would be great like --servername (see openssl s_client).
Cheers, Dirk