The key focus of Nmap host discovery is determining which hosts are up and responsive on the network. That narrows down the field of targets, since you can't hack a host which doesn't exist. But don't let discovery end there. You wouldn't date girls (or guys) just because they're breathing, and selecting boxes on the network to penetrate deserves special care.
A great source of information
(about networked hosts, not potential dates) is DNS, the domain name
system. Even security conscious organizations often assign names
which disclose the function of their systems. It's not uncommon to
see wireless access points named
wireless, firewalls named
development web servers with not-yet-published content named
beta. Locations or
department names are also often disclosed, as in the company whose
Chicago office firewall is named
By default, Nmap performs reverse DNS resolution for every IP which responds to host discovery probes (i.e. those that are online). If host discovery is skipped with -Pn, resolution is performed for all IPs. Rather than use the slow standard DNS resolution libraries, Nmap uses a custom stub resolver which performs dozens of requests in parallel.
While the defaults generally work well, Nmap offers four options for controlling DNS resolution. They can substantially affect scanning speed and the amount of information gathered.
-n (No DNS resolution)
Tells Nmap to never do reverse DNS resolution on the active IP addresses it finds. Since DNS can be slow even with Nmap's built-in parallel stub resolver, this option reduces scanning times.

-R (DNS resolution for all targets)
Tells Nmap to always do reverse DNS resolution on the target IP addresses. Normally reverse DNS is only performed against responsive (online) hosts.

--system-dns (Use system DNS resolver)
By default, Nmap resolves IP addresses by sending queries directly to the name servers configured on your host and then listening for responses. Many requests (often dozens) are performed in parallel to improve performance. Specify this option to use your system resolver instead (one IP at a time via the getnameinfo call). This is slow and rarely useful unless you find a bug in the Nmap parallel resolver (please let us know if you do). The system resolver is always used for IPv6 scans.
--dns-servers (Servers to use for reverse DNS queries)
By default, Nmap determines your DNS servers (for rDNS resolution) from your resolv.conf file (Unix) or the Registry (Win32). Alternatively, you may use this option to specify alternate servers. This option is not honored if you use --system-dns or perform an IPv6 scan. Using multiple DNS servers is often faster, especially if you choose authoritative servers for your target IP space. This option can also improve stealth, as your requests can be bounced off just about any recursive DNS server on the Internet.
This option also comes in handy when scanning private networks. Sometimes only a few name servers provide proper rDNS information, and you may not even know where they are. You can scan the network for port 53 (perhaps with version detection), then try Nmap list scans (-sL) specifying each name server one at a time with --dns-servers until you find one
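The port-53 sweep followed by per-server list scans described above, scripted as an added example that is not from the Nmap guide. It assumes nmap is installed and the network is one you are authorized to scan; the function names, addresses, and sample nmap outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Nmap guide): automate the procedure above.
# Step 1: find hosts on the network with port 53 open (TCP, with version
# detection); step 2: run a list scan (-sL) through each candidate with
# --dns-servers and keep the one that returns the most reverse-DNS names.
# Assumes nmap is installed; addresses and names below are constructed.

# Parse grepable output (-oG -) and print the IP of every host showing
# 53/open. Field 2 of a "Host:" line is the address; port entries are
# separated by ", ", so the port number follows a space or a comma.
extract_dns_servers() {
    grep 'Ports:' | grep -E '[[:space:],]53/open' | awk '{ print $2 }' || true
}

# Count resolved hosts in -sL output: a resolved host prints as
# "Nmap scan report for name (ip)", an unresolved one has no "(ip)".
count_resolved() {
    grep -c '^Nmap scan report for .* (.*)$' || true
}

# Try every discovered name server against the whole network and print
# the one that resolved the most addresses (empty if none resolved any).
find_rdns_server() {
    net=$1
    best=""
    best_n=0
    for ns in $(nmap -n -sV -p53 --open -oG - "$net" | extract_dns_servers); do
        n=$(nmap -sL --dns-servers "$ns" "$net" | count_resolved)
        printf '%s resolved %s names\n' "$ns" "$n" >&2
        if [ "$n" -gt "$best_n" ]; then
            best=$ns
            best_n=$n
        fi
    done
    printf '%s\n' "$best"
}

# Constructed samples in nmap's output formats so the parsers can be run
# without a network (nmap uses tabs between fields; any whitespace works).
SAMPLE_OG='Host: 10.0.0.5 ()   Ports: 53/open/tcp//domain//ISC BIND/
Host: 10.0.0.9 ()   Ports: 53/filtered/tcp//domain///
Host: 10.0.0.12 ()  Ports: 53/open/tcp//domain///'
SAMPLE_SL='Nmap scan report for ns1.corp.internal (10.0.0.5)
Nmap scan report for 10.0.0.6
Nmap scan report for beta.corp.internal (10.0.0.7)'

if [ -n "${1:-}" ]; then
    find_rdns_server "$1"   # e.g. sh rdns-hunt.sh 10.0.0.0/24
fi
```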