Nmap Development mailing list archives
Re: [NSE script] vhosts on the same ip
From: jah <jah () zadkiel plus com>
Date: Mon, 25 Aug 2008 15:35:07 +0100
On 25/08/2008 12:31, Sven Klemm wrote:
Hi, I've written a NSE script that queries search.live.com for host names using the same IP. The script requires the changes in my nse_sedusa branch (svn://svn.insecure.org/nmap-exp/sven/nse_sedusa). I don't like the fact that it uses an external search engine to get this information but I think the usefulness of the information outweighs this. I am open to hearing about better ideas to implement this or for further sources to get lists of vhosts from.
Hi Sven,

I've written a script to do the same thing - not yet fully tested. I agree that it is a useful addition and that this fact outweighs the use of an external search engine. My worry is that Microsoft will change the output or remove the IP search or otherwise make it difficult to maintain such a script. For this reason, I've been sitting on the script and occasionally checking that it still works as expected. So far, my concerns haven't been borne out, but that may change if such a script were to be widely used. I guess there's only one way to find out...

I have tried to make the script look less like an automated tool with the use of HTTP headers. I've also included an HTTP cookie which controls how many results are returned per request and then use nmap.verbosity to decide the number of domains printed (up to 30). The script also displays the total number of search results that live.com reported which I think is useful to know (many domains = hosting provider or similar) and how many duplicate entries have been suppressed in the final output (which needs some work).

Examples:

Host script results:
| ipsearch: Showing 10 of 10 results. 4 duplicates not shown.
| insecure.org
| cgi.insecure.org
| insecure.com
| www.insecure.com
| images.insecure.org
|_ download.insecure.org

Host script results:
| ipsearch: Showing 10 of 158,000 results.
| www.navynews.co.uk
| www.avoncroft.org.uk
| www.smokedproduce.co.uk
| www.kashmir.co.uk
| www.clitheroefc.co.uk
| www.lbc.org.uk
| www.falkirkfolkclub.co.uk
| www.goodquarry.com
| www.kokodigital.co.uk
|_ www.barnsleyrufc.co.uk

I much prefer the comma delimited output you've opted for. So I thought perhaps you might like to incorporate some of this into your script and I attach my version for this purpose. Of course, if you'd like me to send a patch I'd be happy to.

Regards,
jah
id = "ipsearch"
author = ""
runlevel = "1"
description = ""

--[[
nmap -PS21,23,25,80,3389 -PA22,53,113,443,554 -sS -p80,443,8080 --script dev/ipsearch -iR 100
--]]

local http = require "http"
local ipOps = require "ipOps"

-- serialise requests to the search engine across all scanned hosts
local mutex = nmap.mutex( id )

-- a search-engine IP lookup only makes sense for public addresses
hostrule = function( host )
  return not ipOps.isPrivate( host.ip )
end

action = function( host )
  local request_uri = ( "http://search.live.com/results.aspx?q=IP:%s" ):format( host.ip )
  local options, header = {}, {}
  -- browser-like headers; the SRCHHPGUSR cookie asks for 100 results per page
  header["Accept"] = "text/html,application/xhtml+xml,application/xml:q=0.9"
  header["Referer"] = "http://www.live.com/"
  header["Cookie"] = "SRCHHPGUSR=NRSLT=100"
  header["User-Agent"] = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
  options.header = header

  mutex "lock"
  local response = http.get_url( request_uri, options )
  mutex "done"

  if not response or type( response.status ) ~= "number" or response.status ~= 200
     or type( response.body ) ~= "string" then
    return nil
  end

  local t, dups, dup_note = {}, {}, ""
  t.dups = 0

  -- e.g. "1-10 of 158,000 results" -> "1-10", "158,000"
  local ptn_resshown, ptn_restotal = response.body:match(
    '<span%sclass="sb_count"%sid="count">([%-0-9]+)%sof%s([,0-9]+)%sresults</span>' )
  local ptn_domain = "<cite>(.-)</cite>"

  for domain in response.body:gmatch( ptn_domain ) do
    -- keep only the host part of the cited URL, drop any path
    domain = domain:gsub( "([^/]+)/.*", "%1" )
    if not dups[domain] then
      t[#t+1] = domain
      dups[domain] = 1
    else
      t.dups = t.dups + 1
    end
  end

  if t.dups > 0 then
    dup_note = ( " %s duplicates not shown." ):format( t.dups )
  end
  -- t[0] carries the summary line; result_table fills in the final numbers
  t[0] = { "Showing %s of %s results.%s", ptn_resshown, ptn_restotal, dup_note }

  return result_table( t )
end

-- Trim the list to 10/20/30 entries according to verbosity and build the output.
function result_table( t )
  if type( t ) ~= "table" or #t < 1 then return nil end
  local v = nmap.verbosity()
  if v > 2 then v = 2 end
  local num_to_show = ( v+1 )*10
  local str, n, total, dups = unpack( t[0] )
  if n then
    -- upper bound of the "x-y" range the search engine reported
    n = tonumber( n:match( "[0-9]+%-([0-9]+)" ) ) or num_to_show
    if n <= num_to_show then
      num_to_show = n
    else
      dups = ""
    end
  else
    total = num_to_show
  end
  t[0] = str:format( num_to_show, total, dups )
  local ret = {}
  for i = 0, num_to_show, 1 do
    ret[i+1] = t[i]
  end
  if #ret > 1 then
    return table.concat( ret, "\n" )
  end
  return nil
end
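The parsing step of the attached script can only be exercised inside Nmap against the live search engine, which makes it hard to check the maintenance concern jah raises (the page layout changing without notice). The following is an added example, not part of jah's attachment and not Nmap code: it re-implements the count extraction, host normalisation, de-duplication and verbosity-based trimming in plain Lua so it runs offline with the standalone interpreter. The HTML body is constructed to match the markup the script's patterns expect (the real page layout is an assumption), and a page where the count span is missing is reported as a likely layout change instead of silently producing no output.

```lua
-- Added example, not from jah's script or from Nmap: offline version of the
-- results-page parsing. SAMPLE_BODY is constructed to mimic the markup the
-- script's patterns expect; the real search-engine layout is an assumption.
local SAMPLE_BODY = [[
<html><body>
<span class="sb_count" id="count">1-10 of 158,000 results</span>
<ul>
<li><cite>www.navynews.co.uk/news/index.html</cite></li>
<li><cite>www.avoncroft.org.uk</cite></li>
<li><cite>www.navynews.co.uk/about</cite></li>
<li><cite>www.kashmir.co.uk/</cite></li>
</ul>
</body></html>
]]

-- Parse a results page. Returns {shown=, total=, hosts={...}, dups=n}, or nil
-- plus a reason when the expected markup is absent, so that a layout change on
-- the search engine's side is visible to whoever maintains the script.
local function parse_results(body)
  if type(body) ~= "string" then return nil, "no response body" end
  local shown, total = body:match(
    '<span%sclass="sb_count"%sid="count">([%-0-9]+)%sof%s([,0-9]+)%sresults</span>')
  if not shown then
    return nil, "result count not found: page layout may have changed"
  end
  local hosts, seen, dups = {}, {}, 0
  for cite in body:gmatch("<cite>(.-)</cite>") do
    -- keep the host part only; anything after the first slash is a path
    local host = cite:match("^([^/]+)")
    if host and host ~= "" then
      if seen[host] then
        dups = dups + 1
      else
        seen[host] = true
        hosts[#hosts + 1] = host
      end
    end
  end
  return { shown = shown, total = total, hosts = hosts, dups = dups }
end

-- Build the host-script style output: verbosity 0/1/2+ shows up to 10/20/30
-- entries, bounded by the "x-y" range the engine reported and by what we parsed.
local function format_results(res, verbosity)
  local v = math.min(verbosity or 0, 2)
  local limit = (v + 1) * 10
  local upper = tonumber(res.shown:match("[0-9]+%-([0-9]+)")) or limit
  local n = math.min(limit, upper, #res.hosts)
  local lines = { ("Showing %d of %s results."):format(n, res.total) }
  if res.dups > 0 and n == #res.hosts then
    lines[1] = lines[1] .. (" %d duplicate%s not shown."):format(
      res.dups, res.dups == 1 and "" or "s")
  end
  for i = 1, n do lines[#lines + 1] = res.hosts[i] end
  return table.concat(lines, "\n")
end

-- Normal case: three unique hosts, one duplicate of www.navynews.co.uk.
local res, err = parse_results(SAMPLE_BODY)
assert(res, err)
assert(#res.hosts == 3 and res.dups == 1 and res.total == "158,000")
print(format_results(res, 0))

-- Failure case: no count span, reported rather than swallowed.
local nothing, why = parse_results("<html><body>different markup</body></html>")
assert(nothing == nil and why ~= nil)
print("layout check: " .. why)
```

Run it with `lua` from the command line; it needs nothing beyond the standard library. Keeping the parse and the formatting as separate functions is what makes the layout-change case testable: `parse_results` can be fed a saved copy of the page and checked in isolation, which is the "occasionally checking that it still works" routine jah describes, done mechanically.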
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- [NSE script] vhosts on the same ip Sven Klemm (Aug 25)
- Re: [NSE script] vhosts on the same ip sara fink (Aug 25)
- Re: [NSE script] vhosts on the same ip Sven Klemm (Aug 25)
- Re: [NSE script] vhosts on the same ip jah (Aug 25)
- Re: [NSE script] vhosts on the same ip : copyright issues eldraco (Aug 25)
- Re: [NSE script] vhosts on the same ip : copyright issues Arturo 'Buanzo' Busleiman (Aug 25)
- Re: [NSE script] vhosts on the same ip : copyright issues jah (Aug 25)
- Re: [NSE script] vhosts on the same ip : copyright issues eldraco (Aug 25)
- Re: [NSE script] vhosts on the same ip Fyodor (Sep 02)
- Re: [NSE script] vhosts on the same ip David Fifield (Sep 05)
- Re: [NSE script] vhosts on the same ip Kris Katterjohn (Sep 05)
- Re: [NSE script] vhosts on the same ip jah (Sep 05)
- Re: [NSE script] vhosts on the same ip Arturo 'Buanzo' Busleiman (Sep 05)
- Re: [NSE script] vhosts on the same ip David Fifield (Sep 05)
- Re: [NSE script] vhosts on the same ip Fyodor (Sep 05)
- "external" script category David Fifield (Sep 09)
- Re: [NSE script] vhosts on the same ip sara fink (Aug 25)