Suggestion for hostname guessing

One thing I find with scanning DMZes is that sites/domains can be pretty 
variable on how well they manage their DNS.

I find I can't use "reverse_lookup = yes" for two reasons:

1. it tends to replace almost all instances of the IP address in the 
reports with the PTR record. And the PTR record may bear no relationship 
to the "A" record that everyone knows the server by, so you end up with 
a report about a host named "258-44-55-isp.domain", and no-one knows 
what it is.
2. it doesn't exist a lot of the time

i.e. it appears to be a universal rule that people manage "A" records 
fine, but ignore "PTR" - which is needed by Nessus when doing 
subnet/IP-based scans.

What I thought was that when you connect using HTTP, HTTPS, SMTP and FTP 
there is a good chance the hostname will be shown to you. I was 
wondering if that might lead to a new plugin whereby the output from 
those services could be scanned for FQDN, and then those FQDN looked up 
to see if they match the current IP address. If so, then you have a 
match. HTTPS could also be parsed and the FQDN pulled out of its public 
cert - which is presented during the initial SSL connection.

Just a thought...?

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus