Networking / Beginners

Host Listing

When DNS zone transfers are not available, hosts may still be discovered using a brute-force domain scan (Listing below). The technique simply iterates through all network addresses in a subnet. Each address that has a hostname (reverse lookup) can be readily discovered. A second search of the discovered hostnames can identify name aliases and additional DNS information.

Some DNS servers mitigate this attack by restricting the number of lookups that can be requested by any particular network address. For example, the host may only be allowed to query a DNS server 100 times per hour. Attackers that use proxies or relay requests through a variety of DNS caches can overcome this type of restriction.

Code to List Hosts in a Domain

 ListRange(): Scan a range of IP addresses.
 List any that resolve.
void ListRange (uint32_t Start, uint32_t Stop)
  int i;
  char *S, AddrIP[100];
  struct hostent *Hent;
  struct in_addr AddrIn;
  int Counter=0;

  /* process each IP address */
  for( ; Start <= Stop ; Start++)
    AddrIn.s_addr = htonl(Start);
    /* check for a hostname */
    Hent = gethostbyaddr((char *)&AddrIn,sizeof(AddrIn),AF_INET);
    if (Hent) S = Hent->h_name;
    else S = NULL;
    if (S)
      printf("%s %s\n",AddrIP,S);
      /* check every alias */
      for(i=0; Hent->h_aliases[i]; i++)
	S = Hent->h_aliases[i];
	printf(" %s\n",S);
    } /* for() */
} /* ListRange() */
[Previous] [Contents] [Next]