
Host Listing

When DNS zone transfers are not available, hosts may still be discovered by a brute-force scan of the address space (listing below). The technique simply iterates through every address in a subnet and performs a reverse lookup on each one. Any address that has a PTR record in the reverse (in-addr.arpa) zone yields a hostname. A second, forward lookup of each discovered hostname can then identify name aliases and additional DNS information, such as other addresses registered under the same name. The scan is slow and noisy: every address, in use or not, costs one query, and a server that logs queries will record a sequential sweep of PTR lookups.

Some DNS servers mitigate this attack by rate-limiting the number of lookups that any one network address may request. For example, the host 10.1.2.3 may be allowed to query a DNS server only 100 times per hour. The limit is keyed on the source address of the query, so an attacker who spreads the requests across several proxies, or relays them through a variety of recursive DNS caches (each of which appears to the authoritative server as a different client), stays under the threshold at every source while still completing the scan.
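The per-address limit described above, as an added example that is not part of the original listing: a fixed-window counter keyed on the querying address, and a simulation of the same /24 reverse sweep issued first from one address and then spread round-robin across three relays. The limit (100 per hour), the table size and the relay addresses are assumptions for illustration; a real resolver keys on the address it sees on the wire, which for a query forwarded through a recursive cache is the cache, not the attacker.

```c
/* Added example, not from the original listing: a per-client DNS query
 * rate limiter keyed on the querying address, and a simulation showing
 * why relaying the scan through several sources evades it.
 * Limit, window, table size and addresses are assumptions for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LIMIT_PER_WINDOW 100   /* assumed: queries allowed per client per window */
#define WINDOW_SECONDS   3600  /* assumed: a one-hour fixed window */
#define MAX_CLIENTS      64    /* fixed table size, enough for the example */

struct client_bucket {
  uint32_t addr;          /* client address, host byte order */
  uint32_t window_start;  /* start of the current window (epoch seconds) */
  uint32_t count;         /* queries seen from this client in the window */
};

static struct client_bucket table[MAX_CLIENTS];
static int table_used = 0;

/* Forget all clients so a scenario can be rerun from a clean state. */
void limiter_reset(void)
{
  memset(table, 0, sizeof(table));
  table_used = 0;
}

/* Record one query from 'addr' at time 'now'. Returns 1 if the query may be
 * answered, 0 if this client has already used LIMIT_PER_WINDOW in the window. */
int limiter_allow(uint32_t addr, uint32_t now)
{
  struct client_bucket *b = NULL;
  int i;
  for (i = 0; i < table_used; i++)
    if (table[i].addr == addr) { b = &table[i]; break; }
  if (!b) {
    /* table full: fail closed here; a real resolver would evict an old entry */
    if (table_used == MAX_CLIENTS) return 0;
    b = &table[table_used++];
    b->addr = addr;
    b->window_start = now;
    b->count = 0;
  }
  /* open a fresh window once the previous one has elapsed */
  if (now - b->window_start >= WINDOW_SECONDS) {
    b->window_start = now;
    b->count = 0;
  }
  if (b->count >= LIMIT_PER_WINDOW) return 0;
  b->count++;
  return 1;
}

/* Issue 'n' queries from one address at one instant; returns how many pass. */
uint32_t burst(uint32_t addr, uint32_t now, uint32_t n)
{
  uint32_t q, allowed = 0;
  for (q = 0; q < n; q++)
    if (limiter_allow(addr, now)) allowed++;
  return allowed;
}

/* Simulate a sweep of 'n_queries' reverse lookups, one per second, issued
 * round-robin from 'n_sources' relays at addresses base, base+1, ...
 * Returns how many lookups the limiter answered. */
uint32_t simulate_scan(uint32_t base_addr, int n_sources, uint32_t n_queries)
{
  uint32_t q, allowed = 0;
  limiter_reset();
  for (q = 0; q < n_queries; q++)
    if (limiter_allow(base_addr + (uint32_t)(q % (uint32_t)n_sources), q))
      allowed++;
  return allowed;
}

int main(void)
{
  /* 254 PTR lookups for a /24 from the single address 10.1.2.3: capped at 100 */
  printf("single source: %u of 254 answered\n", simulate_scan(0x0A010203u, 1, 254));
  /* the same 254 lookups spread over three relays: every one is answered */
  printf("three relays:  %u of 254 answered\n", simulate_scan(0x0A010203u, 3, 254));
  return 0;
}
```

The single-source sweep is cut off at 100 answers while the three-relay sweep completes, and a client that has exhausted its allowance gets a fresh one when the next window opens. A sliding window or token bucket behaves the same way against this evasion, because the counter is still indexed by source address.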

Code to List Hosts in a Domain

/**************************************************
 ListRange(): Scan a range of IP addresses.
 List any that resolve.
**************************************************/
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

void ListRange (uint32_t Start, uint32_t Stop)
{
  int i;
  char *S, AddrIP[INET_ADDRSTRLEN];
  struct hostent *Hent;
  struct in_addr AddrIn;

  /* keep the resolver connection open across all lookups */
  sethostent(1);
  /* process each IP address (Start and Stop are in host byte order) */
  for( ; Start <= Stop ; Start++)
    {
    AddrIn.s_addr = htonl(Start);
    /* dotted-quad form of the address; inet_ntoa() returns a static buffer */
    strcpy(AddrIP,inet_ntoa(AddrIn));
    /* reverse (PTR) lookup; gethostbyaddr() is not thread-safe */
    Hent = gethostbyaddr(&AddrIn,sizeof(AddrIn),AF_INET);
    S = Hent ? Hent->h_name : NULL;
    if (S)
      {
      printf("%s %s\n",AddrIP,S);
      /* check every alias (h_aliases is NULL-terminated) */
      for(i=0; Hent->h_aliases[i]; i++)
        {
        S = Hent->h_aliases[i];
        printf(" %s\n",S);
        }
      fflush(stdout);
      }
    /* stop at 255.255.255.255: Start++ would wrap to 0 and loop forever */
    if (Start == UINT32_MAX) break;
    } /* for() */
  endhostent();
} /* ListRange() */

/* usage: listrange FIRST-IP LAST-IP   (e.g. 10.1.2.1 10.1.2.254) */
int main (int argc, char *argv[])
{
  struct in_addr First, Last;
  if (argc != 3 ||
      inet_pton(AF_INET,argv[1],&First) != 1 ||
      inet_pton(AF_INET,argv[2],&Last) != 1)
    {
    fprintf(stderr,"usage: %s FIRST-IP LAST-IP\n",argv[0]);
    return 1;
    }
  ListRange(ntohl(First.s_addr),ntohl(Last.s_addr));
  return 0;
}