I was asked to identify the Linux servers on our 10.x global network. Instead of scanning the entire Class A (10.0.0.0/8) address space (2^24, or 16,777,216, addresses!), we were content with scanning the hosts listed in our internal DNS. This trades coverage for speed: a host with no DNS record is never probed.
nmap's OS fingerprinting (the -O flag) could also have determined the remote operating systems, but it is not as fast as xprobe, which fingerprints the TCP/IP stack from a few ICMP probes.
I used the following procedure to fingerprint every "live" host in our DNS namespace; once it finished, I searched the output for hosts running Linux.
1. Perform a zone transfer (AXFR) of the DNS zone to scan. The nameserver must allow zone transfers from the scanning host; if it refuses, the transfer fails and the host list has to come from somewhere else (for example, the zone file itself).

    dig @nameserver DNS_zone_to_transfer axfr > axfr.out
2. Scan each host in axfr.out using the following logic:
* Skip lines in axfr.out beginning with a comment (;). The remaining lines are resource records, and the host name is the first field of each.
* Send one ICMP ECHO REQUEST (ping) packet to each host. If an ICMP ECHO REPLY does not come back within one second, do not run xprobe against the host. A host that filters ICMP is therefore never fingerprinted; since xprobe itself depends on ICMP replies, little is lost by skipping it, but such a host will not appear in the results at all.
* Print the host and its OS fingerprint (the FINAL line of xprobe's output) to both STDOUT and fingerprint.out using the tee command.
    for i in `grep -v "^;" axfr.out | awk '$4 == "A" { print $1 }' | sort -u`
    do
        # The awk program above is reconstructed (the original is cut off here):
        # it keeps the owner name of each A record, and sort -u drops duplicates.
        ping -c 1 -w 1 $i > /dev/null 2>&1
        if [ $? -eq 0 ] ; then
            rm -f xprobe.tmp        # don't report a stale result if xprobe fails
            xprobe -o xprobe.tmp $i > /dev/null 2>&1
            OS=`grep FINAL xprobe.tmp`
            echo "$i $OS" | tee -a fingerprint.out
        fi
    done
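The same pipeline written out as a self-contained script, added here as an example and not the original post's code: it fills in the host-extraction step (A records only, duplicates removed, trailing dot stripped), pings the address rather than the name, records hosts that did not reply instead of silently dropping them, and pulls the Linux hosts out of the results. The sample zone-transfer text and result lines are constructed; the layout of the FINAL line is an assumption about xprobe's output; PROBE, axfr_a_hosts, scan_hosts and linux_hosts are names introduced here.

```shell
#!/bin/sh
# Added example (not the original post's script): AXFR -> ping -> xprobe pipeline
# with the host-extraction step written out in full. Sample data is constructed.

# Constructed sample of what `dig @nameserver zone axfr` prints (assumed layout:
# name TTL class type rdata, with comment lines starting with ';').
SAMPLE_AXFR='; <<>> DiG <<>> @ns1.example.com example.com axfr
;; global options: +cmd
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN MX 10 mail.example.com.
ns1.example.com. 3600 IN A 10.0.0.2
mail.example.com. 3600 IN A 10.0.0.3
www.example.com. 3600 IN CNAME web1.example.com.
web1.example.com. 3600 IN A 10.0.0.10
web1.example.com. 3600 IN A 10.0.0.10
db1.example.com. 3600 IN AAAA 2001:db8::5
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
;; Query time: 3 msec
;; XFR size: 10 records'

# axfr_a_hosts: stdin = dig axfr output, stdout = "hostname ipv4" per A record.
# Comment lines and non-A records (SOA, NS, MX, CNAME, AAAA) are dropped,
# duplicates removed, and the trailing dot stripped from the owner name.
axfr_a_hosts() {
    awk '/^;/ { next }
         NF >= 5 && $3 == "IN" && $4 == "A" {
             sub(/\.$/, "", $1); print $1, $5
         }' | LC_ALL=C sort -u
}

# scan_hosts: stdin = "hostname ip" lines, stdout = one result line per host.
# Pings the IP from the zone directly, so an unreachable host is not confused
# with a name that no longer resolves, and writes "no-reply" instead of skipping
# the host, so scan coverage can be audited afterwards. PROBE is the
# fingerprinting command (xprobe and its -o option, as in the original post).
: "${PROBE:=xprobe}"
scan_hosts() {
    while read -r host ip; do
        [ -n "$host" ] || continue
        # ping -c/-w is iputils (Linux) syntax; adjust the flags on other platforms.
        if ping -c 1 -w 1 "$ip" > /dev/null 2>&1; then
            rm -f xprobe.tmp        # never report the previous host's result
            "$PROBE" -o xprobe.tmp "$ip" > /dev/null 2>&1
            printf '%s %s %s\n' "$host" "$ip" "$(grep FINAL xprobe.tmp 2>/dev/null)"
        else
            printf '%s %s no-reply\n' "$host" "$ip"
        fi
    done
}

# linux_hosts: stdin = scan_hosts output, stdout = hostnames whose fingerprint
# text (everything after the host and IP fields) mentions Linux.
linux_hosts() {
    awk '{ line = $0; sub(/^[^ ]+ [^ ]+ /, "", line)
           if (tolower(line) ~ /linux/) print $1 }'
}

# Constructed sample of scan_hosts output; the FINAL:[ ... ] text is only an
# assumption about xprobe's output format.
SAMPLE_RESULTS='mail.example.com 10.0.0.3 FINAL:[ Linux Kernel 2.4.x ]
ns1.example.com 10.0.0.2 FINAL:[ Sun Solaris 8 ]
web1.example.com 10.0.0.10 no-reply'

# Real use:  dig @nameserver zone axfr | axfr_a_hosts | scan_hosts | tee fingerprint.out
#            linux_hosts < fingerprint.out
# Offline demo on the constructed data:  sh this_script.sh --demo
case "${1-}" in
    --demo) printf '%s\n' "$SAMPLE_AXFR" | axfr_a_hosts
            printf '%s\n' "$SAMPLE_RESULTS" | linux_hosts ;;
esac
```

Keeping the "no-reply" lines in fingerprint.out is the main difference from the loop above: when the Linux list is later questioned, you can show which DNS names were never fingerprinted and why, rather than having them vanish from the output.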