I was asked to identify Linux servers running on our 10.x global network. Instead of scanning the entire Class A address space (2^24 hosts, or 16,777,216 hosts!), we were content with scanning hosts listed in our internal DNS.
nmap's OS fingerprinting (-O flag) could have been used to determine the remote operating system, but it is not as fast as xprobe.
I used the following procedure to fingerprint all "live" hosts in our DNS namespace. After the process completes, I search the output for hosts running Linux.
Procedure:
1. Perform a zone transfer of the DNS zone to scan.
dig @nameserver DNS_zone_to_transfer axfr > axfr.out
2. Scan each host in axfr.out using the following logic:
* Do not include lines in axfr.out beginning with a comment (;).
* Send one ICMP ECHO REQUEST (ping) packet to each host in axfr.out. If an ICMP ECHO REPLY is not returned within one second, do not run xprobe against the host.
* Print the host and OS fingerprint to both STDOUT and fingerprint.out using the tee command.
#!/bin/sh
# Fingerprint every host that has an A record in axfr.out and answers a ping.
# Comment lines (beginning with ";") are skipped, and only A records are used,
# so that the fields of SOA, NS and MX records are not mistaken for host addresses.
for i in `grep -v "^;" axfr.out | awk '$4 == "A" {print $5}' | sort -u`
do
    # One ICMP ECHO REQUEST with a one-second deadline; skip the host if no reply.
    ping -c 1 -w 1 "$i" > /dev/null 2>&1
    if [ $? -eq 0 ]
    then
        # xprobe writes its log to xprobe.tmp; the FINAL line holds the OS guess.
        xprobe -o xprobe.tmp "$i" > /dev/null 2>&1
        OS=`grep FINAL xprobe.tmp`
        rm -f xprobe.tmp
        echo "$i $OS" | tee -a fingerprint.out
    fi
done
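The two text-processing steps of the procedure, picking target addresses out of the zone transfer and then pulling the Linux hosts out of fingerprint.out, are the parts that go wrong when the record type or the fingerprint line is not what the one-liner assumes. The following is an added example, not code from the original post: it works on a constructed sample of dig axfr output (with comments, SOA, NS, MX and CNAME records, and two names pointing at one address) and on a constructed fingerprint.out whose second column is modeled on xprobe's "FINAL:" summary line. The function names a_record_targets and linux_hosts are mine, and the exact FINAL line format is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post.

# Constructed sample of dig axfr output: comment lines, several record types,
# and two hostnames (www and mail) sharing the address 10.1.0.10.
SAMPLE_AXFR='; <<>> DiG <<>> @ns1.example.internal example.internal axfr
example.internal.       3600    IN      SOA     ns1.example.internal. hostmaster.example.internal. 2024010101 3600 900 604800 86400
example.internal.       3600    IN      NS      ns1.example.internal.
example.internal.       3600    IN      MX      10 mail.example.internal.
ns1.example.internal.   3600    IN      A       10.1.0.2
www.example.internal.   3600    IN      A       10.1.0.10
www.example.internal.   3600    IN      A       10.1.0.11
alias.example.internal. 3600    IN      CNAME   www.example.internal.
mail.example.internal.  3600    IN      A       10.1.0.10
;; Query time: 3 msec'

# Constructed sample of fingerprint.out as the post'\''s script writes it:
# "<host> <xprobe FINAL line>". The FINAL line shape is an assumption.
SAMPLE_FP='10.1.0.2 FINAL:[ Linux Kernel 2.4.x ]
10.1.0.10 FINAL:[ Sun Solaris 8 ]
10.1.0.11 FINAL:[ Linux Kernel 2.2.x ]'

# Read zone-transfer output on stdin and print each IPv4 address from an A
# record exactly once. Comment lines (first field starts with ";") and
# non-A records are dropped, so SOA serials, MX priorities and NS targets
# never reach ping or xprobe; sort -u removes duplicate addresses.
a_record_targets() {
    awk '$1 !~ /^;/ && $4 == "A" {print $5}' | sort -u
}

# Read fingerprint.out on stdin and print only the hosts whose fingerprint
# names Linux (case-insensitive), one address per line.
linux_hosts() {
    grep -i 'linux' | awk '{print $1}'
}

# Usage on the constructed samples.
printf '%s\n' "$SAMPLE_AXFR" | a_record_targets
printf '%s\n' "$SAMPLE_FP" | linux_hosts
```

With the real files, `a_record_targets < axfr.out` replaces the grep/awk inside the backticks of the scan loop, and `linux_hosts < fingerprint.out` is the final search for Linux hosts; both run on stdin so they can be dropped into a pipeline unchanged.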