Scavenge
From ConShell
About Scavenge
Scavenge is a program to find old, outdated and incorrect DNS records. Its current method is to enumerate a network range such as 10.1.0.0/16, so it looks at the namespace from the reverse (PTR) perspective. The beta version (see below) supports interrogation from the forward perspective as well.
DNS Scavenging is a term commonly used with Microsoft DNS, which supports active tracking and cleanup of stale records (when enabled). I realized that BIND had no concept of this, and the other tools I found (e.g. dnswalk) did not quite fit the bill: I wanted a report of stale records which could be manually validated before deletion.
What does Scavenge find?
For each IP in the range it checks...
- If the host is DOWN...
  - If a PTR record is found and the hostname provided resolves to NXDOMAIN, it reports as Stale A
  - If the hostname provided above resolves to an A record which, in turn, matches the original IP, it reports as Stale PTR+A (both records point at a host that is no longer there)
- If the host is UP...
  - If a PTR record is found and the hostname provided resolves to NXDOMAIN, it reports Missing A
  - If a PTR record is found and the hostname provided resolves, in turn, to an A record which does not match the original IP, it reports Mismatch A
  - If a PTR record is not found it reports Missing PTR
Usage
    scavenge [-r ip-range] [-d] [-h]

      -r ip-range   e.g. 192.168.0.1-255
                    or   192.168.0.0/16
                    or   192.168.0.0/24
                    or   '192.88-90.*.*'
      -d            turn on debugging
      -h            this help message

Note that this command reads from STDIN unless -r is used. The input format should be the greppable format produced by nmap -oG.
Once installed, you can use the command perldoc scavenge to see more information.
Here is a snippet of actual output from the program auditing a small subnet.
    scavenge -r 10.1.253.0/24
    ...
    Down Stale PTR+A 10.1.253.130 => (f32-1952-kr4.example.org) => 10.1.253.130
    Up   Missing A   10.1.253.131 => (DART-DB2707E9A5) => NXDOMAIN
    Down Stale PTR+A 10.1.253.132 => (f32-1605-PLP) => 10.1.253.132
    Up   Mismatch A  10.1.253.137 => (f32-1910-GJV.example.org) => 10.1.249.106
    Down Stale PTR   10.1.253.138 => (p6j.example.com) => NXDOMAIN
    ...
As shown above, there is no host responding at 10.1.253.130, yet a PTR exists in DNS, as well as a corresponding A record for the PTR; both records can likely be removed from DNS. On the other hand, 10.1.253.131 is responding and has a PTR record, but the corresponding A record is not found, so scavenge reports it as a Missing A. Finally, 10.1.253.137 is responding and has a valid PTR record, but the corresponding A record points to a different IP address than the one we started with, so it is reported as a Mismatch A.
Scavenge can also use the output from a previous run of nmap -sP <range> -oG <file> where file is the output in greppable (-oG) format. See nmap -h for more details about that.
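The decision table from "What does Scavenge find?" and the nmap -oG input path above, as an added example that is not the project's own code (Scavenge itself is Perl; Python is used here so the logic can be run stand-alone). DNS is replaced by two injected lookup tables built from the sample run, the "Host:" lines are a constructed nmap -sP -oG sample, and the labels follow the sample output ("Stale PTR" for a down host whose name no longer resolves); the down-host/mismatched-A case is not defined on the page and is labelled as an assumption.

```python
import re

# One "Host:" line per target, as nmap -oG writes it (tab-separated fields).
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(Up|Down)\b")

def parse_greppable(text):
    """Return [(ip, is_up)] from nmap -oG output; '#' comment lines are skipped."""
    return [(m.group(1), m.group(3) == "Up")
            for m in (HOST_RE.match(line) for line in text.splitlines()) if m]

def classify(is_up, ip, ptr_name, a_records):
    """Decision table from the page. a_records is the list of A addresses ptr_name
    resolves to; [] means NXDOMAIN. Returns a report label, or None if nothing is stale."""
    if ptr_name is None:
        return "Missing PTR" if is_up else None       # down host with no record at all: nothing to clean
    if not a_records:
        # label taken from the sample output ("Down Stale PTR ... => NXDOMAIN"); the feature list says "Stale A"
        return "Missing A" if is_up else "Stale PTR"
    if ip in a_records:
        return None if is_up else "Stale PTR+A"      # PTR and A still agree but nobody answers: both stale
    # the A record points somewhere else
    return "Mismatch A" if is_up else "Stale PTR"    # assumption: the page does not define the down case

def scavenge(greppable, ptr_table, a_table):
    """Audit every host in the nmap output against the injected (fake) DNS tables."""
    report = []
    for ip, is_up in parse_greppable(greppable):
        ptr = ptr_table.get(ip)
        a = a_table.get(ptr, []) if ptr else []
        label = classify(is_up, ip, ptr, a)
        if label:
            target = a[0] if a else "NXDOMAIN"
            report.append(f"{'Up' if is_up else 'Down'} {label} {ip} => ({ptr or 'none'}) => {target}")
    return report

# Constructed nmap -sP -oG output and DNS tables mirroring the page's sample run.
SAMPLE_NMAP = """# Nmap scan initiated (constructed sample)
Host: 10.1.253.130 ()\tStatus: Down
Host: 10.1.253.131 ()\tStatus: Up
Host: 10.1.253.137 ()\tStatus: Up
Host: 10.1.253.138 ()\tStatus: Down
Host: 10.1.253.140 ()\tStatus: Up
"""
PTR = {"10.1.253.130": "f32-1952-kr4.example.org", "10.1.253.131": "DART-DB2707E9A5",
       "10.1.253.137": "f32-1910-GJV.example.org", "10.1.253.138": "p6j.example.com"}
A = {"f32-1952-kr4.example.org": ["10.1.253.130"], "f32-1910-GJV.example.org": ["10.1.249.106"]}

if __name__ == "__main__":
    print("\n".join(scavenge(SAMPLE_NMAP, PTR, A)))
```

Each line of the report is a candidate for manual review, not an automatic deletion; a host that is merely powered off during the scan looks identical to one that is gone for good.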
Running scavenge as non-root can lead to erroneous results about which hosts are really up.
Here's what Fyodor (author of nmap) had to say about that:
You need to be root to send "real" ICMP pings (which is why the ping app is setuid). The Nmap workaround for nonroot users isn't always as effective.
Not only that, but nmap seems to have some issues identifying "UP" hosts on local nets - see the bug report.
Requirements
Scavenge relies on nmap, perl 5.x or higher, and the perl module Net::DNS.
Download & Distribution
Stable (production) Version
Version 2.x supports not only reverse-interrogation but forward-interrogation as well. It also includes a man page.
Tarball
- http://mark.foster.cc/pub/scavenge/scavenge-2.0.tar.gz
- http://mark.foster.cc/pub/scavenge/scavenge-1.3.tar.gz
FreeBSD
- Scavenge can be found in the ports tree at dns/scavenge or installed using pkg_add -r scavenge
- See the freshports page for more information.
Linux: Redhat, CentOS, SUSE, etc... (RPM)
Should work on most any RPM-based distribution as long as Net::DNS perl module is installed and nmap is available.
- http://mark.foster.cc/pub/centos/5/i386/RPMS/scavenge-2.0-1.el5.i386.rpm - RPM for RHEL5/CentOS-5-i386
- http://mark.foster.cc/pub/centos/5/i386/SRPMS/scavenge-2.0-1.src.rpm - Source RPM
- http://mark.foster.cc/pub/centos/4/i386/RPMS/scavenge-2.0-1.el4.i386.rpm - RPM for RHEL4/CentOS-4-i386
- http://mark.foster.cc/pub/centos/3/i386/RPMS/scavenge-2.0-1.el3.i386.rpm - RPM for RHEL3/CentOS-3-i386
Linux: Debian (DEB)
- See the ScavengeNotes page for an explanation of using alien to generate a .deb package from the .rpm.
Future plans
None at this time.
Report bugs
Bug reports and feature requests can be added to the sourceforge site.
Known bugs
2005-06-20 - Multiple PTRs: if IP resolves to multiple PTR records, the following conditions apply:
Host Up => Host Down => only the first PTR encountered is evaluated and shown
2005-06-29 - Existence of a filename matching the wildcard causes failure.
    scavenge -r '172.16.100.*'
    Failed to resolve given hostname/IP: 172.16.100.txt.  Note that you can't use '/mask' AND '[1-4,7,100-]' style IP ranges
    WARNING: No targets were specified, so 0 hosts scanned.

So, for example, a filename of 172.16.100.txt in the current directory matched the above range; the wildcard was expanded by the shell into that filename, and nmap didn't know what to do with it.
The ScavengeNotes page also talks about some bugs and known issues.
License
Scavenge is licensed under the GPL.
See Also