
Quick question. I was scanning a lab network with Nmap, just doing host discovery to see what hosts were out there. I got a list of hosts, IPs, hostnames, open ports, services, etc. Upon further investigation, though, I discovered discrepancies between the hostnames of the actual systems and what was reported in my scans. I know Nmap does a reverse lookup to obtain the systems' hostnames. My question is, if there is the possibility of a hostname not being correct/accurate in DNS because it was cached, what's the value in ever trusting/using the reverse lookup capability of an Nmap scan, given that it could be wrong?

Example

Hostname (actual)   IP             DNS Hostname (Nmap)   IP
-----------------   --             -------------------   --
South1              10.10.10.1     South1                10.10.10.1
South2              10.10.10.2     South2                10.10.10.2
South3              10.10.10.3     South5                10.10.10.3
South4              10.10.10.4     South4                10.10.10.4
South5              10.10.10.5     South5                10.10.10.5
bonsaiviking
5lb Bass
  • Have you confirmed what happens if you do the reverse DNS lookups manually? Also, you can typically speed up scans by using the `-n` option to disable this. – multithr3at3d Apr 05 '18 at 15:27
  • I've seen the same behavior; I use the trust but verify approach with any tool including Nmap – 5lb Bass Jun 24 '18 at 17:54
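The manual check multithr3at3d suggests can be automated as a forward-confirmed reverse DNS (FCrDNS) pass over the scan results: Nmap reports the PTR name for each address, so resolve that name forward again and only trust it when the forward answer contains the scanned IP. The script below is an added example written for this page, not code from the question, from Nmap, or from either commenter. It parses Nmap XML output (`-oX`), and the embedded XML, the `South1`..`South5` names and the `FAKE_FORWARD_ZONE` dictionary are constructed to reproduce the 10.10.10.3/South5 discrepancy in the question so that it runs offline; `resolve_forward_live` is the hook you would use against a real resolver.

```python
"""Forward-confirm the reverse-DNS names in an Nmap XML report (FCrDNS check).

Nmap fills in hostnames from PTR records, which can be stale or wrong. This
added example takes each host's PTR-derived name from `nmap -oX` output,
resolves that name forward again, and flags any host whose forward answer
does not contain the scanned address.
"""
import socket
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Optional, Set

# Constructed XML in the shape of `nmap -sn -oX scan.xml 10.10.10.0/29` output
# (not a real scan). 10.10.10.3 carries a stale PTR of South5, as in the
# question; 10.10.10.6 has no PTR; 10.10.10.7 has a PTR with no forward record.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn -oX scan.xml 10.10.10.0/29" version="7.70">
  <host><status state="up" reason="arp-response"/>
    <address addr="10.10.10.1" addrtype="ipv4"/>
    <hostnames><hostname name="South1" type="PTR"/></hostnames></host>
  <host><status state="up" reason="arp-response"/>
    <address addr="10.10.10.2" addrtype="ipv4"/>
    <hostnames><hostname name="South2" type="PTR"/></hostnames></host>
  <host><status state="up" reason="arp-response"/>
    <address addr="10.10.10.3" addrtype="ipv4"/>
    <hostnames><hostname name="South5" type="PTR"/></hostnames></host>
  <host><status state="up" reason="arp-response"/>
    <address addr="10.10.10.5" addrtype="ipv4"/>
    <hostnames><hostname name="South5" type="PTR"/></hostnames></host>
  <host><status state="up" reason="arp-response"/>
    <address addr="10.10.10.6" addrtype="ipv4"/>
    <hostnames/></host>
  <host><status state="up" reason="arp-response"/>
    <address addr="10.10.10.7" addrtype="ipv4"/>
    <hostnames><hostname name="oldbox" type="PTR"/></hostnames></host>
  <host><status state="down" reason="no-response"/>
    <address addr="10.10.10.4" addrtype="ipv4"/></host>
</nmaprun>
"""

# Constructed forward zone standing in for the lab's DNS server (assumption,
# so the example runs offline). Swap in resolve_forward_live for real use.
FAKE_FORWARD_ZONE: Dict[str, Set[str]] = {
    "South1": {"10.10.10.1"},
    "South2": {"10.10.10.2"},
    "South3": {"10.10.10.3"},
    "South4": {"10.10.10.4"},
    "South5": {"10.10.10.5"},
}

Resolver = Callable[[str], Set[str]]


def resolve_forward_fake(name: str) -> Set[str]:
    """Offline stand-in for a forward (A/AAAA) lookup."""
    return set(FAKE_FORWARD_ZONE.get(name, ()))


def resolve_forward_live(name: str) -> Set[str]:
    """Forward-resolve via the system resolver; empty set on NXDOMAIN/error."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def parse_nmap_ptr_names(xml_text: str) -> Dict[str, Optional[str]]:
    """Map each up host's address to the PTR name Nmap recorded (None if absent)."""
    result: Dict[str, Optional[str]] = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue  # skip hosts that did not respond
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address[@addrtype='ipv6']")
        if addr_el is None:
            continue  # MAC-only entries carry nothing to forward-confirm
        ptr = host.find("hostnames/hostname[@type='PTR']")
        result[addr_el.get("addr")] = ptr.get("name") if ptr is not None else None
    return result


def forward_confirm(ptr_names: Dict[str, Optional[str]], resolve: Resolver) -> Dict[str, str]:
    """Verdict per address: confirmed, mismatch, no-forward or no-ptr."""
    verdicts: Dict[str, str] = {}
    for ip, name in ptr_names.items():
        if name is None:
            verdicts[ip] = "no-ptr"
            continue
        forward = resolve(name)
        if not forward:
            verdicts[ip] = "no-forward"   # PTR points at a name nobody owns
        elif ip in forward:
            verdicts[ip] = "confirmed"    # PTR and A/AAAA agree: safe to label
        else:
            verdicts[ip] = "mismatch"     # stale/wrong PTR: do not trust label
    return verdicts


def untrusted_hosts(verdicts: Dict[str, str]) -> List[str]:
    """Addresses whose Nmap-reported hostname should not be relied on."""
    return sorted(ip for ip, v in verdicts.items() if v != "confirmed")


if __name__ == "__main__":
    names = parse_nmap_ptr_names(SAMPLE_NMAP_XML)
    for ip, verdict in sorted(forward_confirm(names, resolve_forward_fake).items()):
        print(f"{ip:<12} {names[ip] or '-':<8} {verdict}")
```

Against the constructed data this marks 10.10.10.3 as a mismatch (its PTR says South5, but South5 forward-resolves to 10.10.10.5), 10.10.10.6 as having no PTR and 10.10.10.7 as having a PTR with no forward record, while the rest are confirmed. For a real scan, produce the input with `nmap -sn -oX scan.xml <range>` (add `-R` to force reverse lookups for every target, or `--dns-servers` to query the lab's own server rather than your cache) and pass `resolve_forward_live` instead of the fake resolver; a single host can be spot-checked by hand with `dig -x 10.10.10.3` followed by `dig South5`. The general point stands beyond this lab: a PTR record is a label the reverse-zone owner chose, so treat it as an unverified hint until the forward record agrees.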

0 Answers