
Possibly add the ability to scan for PTR (Reverse DNS) records?

Open ghost opened this issue 8 years ago • 9 comments

Hi, I've been using nmap for the longest time to do scans for PTR records. However, I'd like to be able to do the same thing but with masscan's speed. Please correct me if this is not possible as I've just recently started using masscan.

ghost avatar Jun 03 '16 00:06 ghost

Why don't you just write a script to do so? Or use this one-liner: cat list_of_ips.txt | nslookup - | grep arpa

ravkr avatar Jun 29 '16 01:06 ravkr

I'd like to do the entire internet. It'd probably take a couple months to do that :/

ghost avatar Jun 29 '16 19:06 ghost

but nmap is doing pretty much the same... o.O it wouldn't be faster in masscan...

ravkr avatar Jul 11 '16 19:07 ravkr

@kobiluvesmemes / @ravkr

I would recommend https://github.com/agreene5/go-bulk-dns-resolver which beats the hell out of nmap for this task. It is just https://github.com/threatstream/go-bulk-dns-resolver with PTR record support added (it's a 2-3 line change), since the original tool only supports forward (A) record lookups.

It's written in golang and uses the C language unbound library to do really fast DNS lookups. It does things in goroutines so it can be arbitrarily parallelized.

nmap works fine as well, it just isn't as fast.

Note: if you're curious, read the masscan code where I believe it says specifically why masscan has nothing to do with DNS in any of its layer 7 stuff.

mzpqnxow avatar Jul 31 '16 03:07 mzpqnxow

@agreene5 What I'm looking to do is scan the entire internet (0.0.0.0/0) and retrieve the reverse DNS name from the IPs. Am I able to specify IPs and get the rDNS record with your program?

ghost avatar Jul 31 '16 05:07 ghost

@kobiluvesmemes ah, yes, the current implementation does not fit your use case since bulkdns only takes 1 IP per line of input and does not support CIDR blocks. It's easy to hack around by making a small program that spits out the IP addresses one at a time and pipes the output to bulkdns like this:

./ipgen 0.0.0.0/0 | ./bulkdns > resolved

... but this is clunky and is significantly slower than nmap -T5. About 10x slower, a non-starter. You might be better off with just using the following, as @ravkr suggested:

nmap -T5 -sL -iL <cidrblocklistFILE> -Og resolved.grep

I will probably add CIDR block support to my fork of bulkdns, but for now, @ravkr is correct: nmap is the best (at least fastest) tool for the job, especially when used with the above parameters. When I tested the timing of the 'hacky' version with bulkdns, it was much slower than just using nmap -T5 -sL.

Either way, I will send you a note if I do add the feature and it comes out noticeably faster or has any advantages over nmap -T5 -sL.

One advantage you generally have with using a golang binary is that golang binaries can easily be cross-compiled and are statically linked as well, so there are no dependencies. You can copy an x86_64 Linux binary to any box and it will work. Or you can easily generate a Win32 binary on Linux x86_64 and it will work just as well. Unfortunately, in this case there's a third-party library (libunbound) that is used to do the heavy DNS lifting that has to be loaded at runtime, so this possible benefit goes out the window (though I did spend an hour of my life trying to statically link libunbound into the bulkdns binary).

mzpqnxow avatar Jul 31 '16 22:07 mzpqnxow

@agreene5 How long did it take when you used bulkdns to do it? Thank you for the answer, by the way. :smile: I think I'll just look into using nmap for it.

ghost avatar Aug 01 '16 02:08 ghost

I only tested with a /16. But it was something like 5s for nmap -T5 and 50 seconds for bulkdns.

mzpqnxow avatar Aug 03 '16 04:08 mzpqnxow

Wow, 5 years old!

My recommendation at this point, FWIW, is to use massdns, which has native support for encoding IP addresses into PTR questions, is asynchronous and very fast (written in C and optimized for fast TX).

You'll still need to pipe an IP address generator to it, but that's the case with most tools like this.

Safe to say this can be closed?

mzpqnxow avatar Nov 20 '21 15:11 mzpqnxow
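The thread keeps coming back to the same missing piece: a generator that streams every address of a CIDR block (including 0.0.0.0/0 without allocating 2^32 entries) and, since massdns wants PTR questions, encodes each one as its in-addr.arpa query name. This is an added example in Go, not the ipgen, bulkdns or massdns code the comments refer to; the names PTRName, ExpandPrefix and PTRNames and the 192.0.2.0/28 sample block are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// PTRName encodes an IPv4 address as its reverse-DNS query name: octets
// reversed under in-addr.arpa (192.0.2.1 -> 1.2.0.192.in-addr.arpa.).
func PTRName(a netip.Addr) string {
	b := a.As4()
	return fmt.Sprintf("%d.%d.%d.%d.in-addr.arpa.", b[3], b[2], b[1], b[0])
}

// ExpandPrefix calls fn for every address of an IPv4 CIDR block in order,
// streaming instead of allocating the range, so even 0.0.0.0/0 is feasible.
// It stops when fn returns false, or when Next() overflows past
// 255.255.255.255 and returns the zero Addr, which no prefix contains.
func ExpandPrefix(cidr string, fn func(netip.Addr) bool) error {
	p, err := netip.ParsePrefix(cidr)
	if err != nil {
		return err
	}
	if !p.Addr().Is4() {
		return fmt.Errorf("IPv4 prefix required, got %s", cidr)
	}
	p = p.Masked() // clear host bits so iteration starts at the network address
	for a := p.Addr(); p.Contains(a); a = a.Next() {
		if !fn(a) {
			break
		}
	}
	return nil
}

// PTRNames collects the query names for a block; limit > 0 caps the count,
// which is how a /0 can be sampled without walking all 2^32 addresses.
func PTRNames(cidr string, limit int) ([]string, error) {
	var out []string
	err := ExpandPrefix(cidr, func(a netip.Addr) bool {
		out = append(out, PTRName(a))
		return limit <= 0 || len(out) < limit
	})
	return out, err
}

// Stand-alone run over a constructed sample block, one query name per line.
func main() {
	ExpandPrefix("192.0.2.0/28", func(a netip.Addr) bool { fmt.Println(PTRName(a)); return true })
}
```

For bulkdns, which reads plain IPs rather than PTR names, print a.String() instead of PTRName(a); the streaming loop stays the same.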