Nmap Development mailing list archives

Re: [NSE] hostmap.nse, hostnames discovery


From: David Fifield <david () bamsoftware com>
Date: Thu, 26 Aug 2010 08:43:19 -0600

On Fri, Jul 23, 2010 at 11:39:50AM +0200, Gutek wrote:
If it can be of any interest for some of you, here is a script I often
use that I wanted to share.
Inspired by the hostmap tool
(http://hostmap.lonerunners.net/index.html), its purpose is to provide
a list of other names hosted on a given target.
It's simpler and quicker than the original hostmap: the only thing that
both share is querying the BFK.de database.
At the end, the script also creates a one-entry-per-line file usable
with other security tools.

Sample output:
-- @output
-- 80/tcp open  http
-- | hostmap: (results from bfk.de database)
-- | insecure.org
-- | 74.207.254.18
-- | web.insecure.org
-- | images.insecure.org
-- | lists.insecure.org
-- | www.insecure.org
-- | nmap.org
-- | sectools.org
-- | mirror.sectools.org
-- | seclists.org
-- |_(file created: ./hostmap-for-74-207-254-18.nmap)

As you can see, nothing special here. I just thought that, as dev-list
readers, it could be useful for you as it often is for me.

Since this script only needs the host's IP address, and nothing about
individual ports, it should use a hostrule and not a portrule. That way
it will run for -sn scans with no port scan. The hostrule can just be a
function that returns true, or if you want to be really careful, it can
check that the host.ip key exists, which it always does at the moment.

function hostrule(host)
        return host.ip ~= nil
end

The categories are a little messed up; they should be

categories = {"external", "discovery", "safe"}

You should use stdnse.strsplit instead of a custom split function.

I prefer that the script not create files in the filesystem unless asked
to with a script argument. It could look like this:

nmap -sn --script hostmap --script-args hostmap.save <target>

In the script you would access it like this:

local save = stdnse.get_script_args("hostmap.save")

The page at http://www.bfk.de/bfk_dnslogger.html says, "This web
interface must not be used for automated queries. For details about bulk
queries please contact: ..." The script isn't exactly automated because
users have to ask for it, but someone could easily or accidentally cause
a lot of queries by running it against a big network. Would you contact
the email address they give and ask if they object to this script?
Michael Pattrick was able to work out an arrangement with Team Cymru for
asn-query.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
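The four review points above (hostrule instead of portrule, the corrected categories, stdnse.strsplit, and a hostmap.save script argument gating file creation) applied to a skeleton hostmap-style script. This is an added example, not Gutek's script nor Nmap's own hostmap; the bfk.de query path and response layout are assumptions, since the thread does not give them.

```lua
description = [[
Lists other hostnames that resolve to the target IP using a remote DNS
database. Writes a one-name-per-line file only when hostmap.save is set.
]]

categories = {"external", "discovery", "safe"}

require "http"
require "stdnse"

-- hostrule, not portrule: only host.ip is needed, so the script also
-- runs for -sn scans that do no port scan.
hostrule = function(host)
  return host.ip ~= nil
end

-- Turn a response body into a list of non-empty names, one per line,
-- using stdnse.strsplit instead of a hand-written split function.
local function parse_names(body)
  local names = {}
  for _, line in ipairs(stdnse.strsplit("\n", body)) do
    line = line:gsub("^%s+", ""):gsub("%s+$", "")
    if line ~= "" then names[#names + 1] = line end
  end
  return names
end

action = function(host)
  -- ASSUMPTION: the query path and the one-name-per-line response are
  -- placeholders; the real bfk.de interface is not described in the thread.
  local response = http.get("www.bfk.de", 80, "/bfk_dnslogger.html?query=" .. host.ip)
  if not response or not response.body then return nil end
  local names = parse_names(response.body)
  if #names == 0 then return nil end

  local output = {"(results from bfk.de database)"}
  for _, name in ipairs(names) do output[#output + 1] = name end

  -- Touch the filesystem only when asked: --script-args hostmap.save
  local save = stdnse.get_script_args("hostmap.save")
  if save then
    local filename = "hostmap-for-" .. host.ip:gsub("%.", "-") .. ".nmap"
    local f = io.open(filename, "w")
    if f then
      f:write(table.concat(names, "\n"), "\n")
      f:close()
      output[#output + 1] = "(file created: ./" .. filename .. ")"
    end
  end
  return table.concat(output, "\n")
end
```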

