Re: [NSE] hostmap.nse, hostnames discovery

[Gutek <ange.gutek () gmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Le 26/08/2010 16:43, David Fifield a écrit :
> On Fri, Jul 23, 2010 at 11:39:50AM +0200, Gutek wrote:
> > If it can be of any interest for some of you, here is a script I often
> > use that I wanted to share.
> > Inspired from the hostmap tool
> > (http://hostmap.lonerunners.net/index.html ), its purpose is to provide
> > a list of other names hosted on a given target.
> > It's simpler and quicker than the original hostmap: the only thing that
> > both share is querying the BFK.de database.
> > At the end, the script also creates a one-entry-per-line file usable
> > with other security tools.
> >
> > Sample output :
> > - -- @output
> > - -- 80/tcp open  http
> > - -- | hostmap: (results from bfk.de database)
> > - -- | insecure.org
> > - -- | 74.207.254.18
> > - -- | web.insecure.org
> > - -- | images.insecure.org
> > - -- | lists.insecure.org
> > - -- | www.insecure.org
> > - -- | nmap.org
> > - -- | sectools.org
> > - -- | mirror.sectools.org
> > - -- | seclists.org
> > - -- |_(file created: ./hostmap-for-74-207-254-18.nmap)
> >
> > As you can see, nothing special here. I just thought that, as dev-list
> > readers, it could be usefull for you as it often is for me.
>
> Since this script only needs the host's IP address, and nothing about
> individual ports, it should use a hostrule and not a portrule. That way
> it will run for -sn scans with no port scan. The hostrule can just be a
> function that returns true, or if you want to be really careful, it can
> check that the host.ip key exists, which it always does at the moment.
>
> function hostrule(host)
>       return host.ip ~= nil
> end
>
> The categories are a little messed up; they should be
>
> categories = {"external", "discovery", "safe"}
>
> You should use stdnse.strsplit instead of a custom split function.
>
> I prefer that the script not create files in the filesystem unless asked
> to with a script argument. It could look like this:
>
> nmap -sn --script hostmap --script-args hostmap.save <target>
>
> In the script you would access it like this:
>
> local save = stdnse.get_script_args("hostmap.save")
>
> The page at http://www.bfk.de/bfk_dnslogger.html says, "This web
> interface must not be used for automated queries. For details about bulk
> queries please contact: ..." The script isn't exactly automated because
> users have to ask for it, but someone could easily or accidentally cause
> a lot of queries by running it against a big network. Would you contact
> the email address they give and ask if they object to this script?
> Michael Pattrick was able to work out an arrangement with Team Cymru for
> asn-query.
>
> David Fifield
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/
Hi list,

It's been a long time since my first hostmap.nse post because I didn't
get any answer from bfk.de despite several mails.
However (and for testing purpose), here is an update according to
David's suggestions. What's more, I've noticed that sometimes the bfk.de
results are somehow polluted with false-positives (hostnames that do not
really exist). So as to be as accurate as possible, the script performs
a dns query against every hostname that bfk.de returns.

Further developpement:
o Besides hostmap.nse creates a target-list file if such an argument is
provided, I'm very interested in the new "target-add" feature. I think
it will also be invoqued via an arg. I will keep the file creation
because its first goal is to be usable with other security tools like,
say, a web vulnerability scanner.
o The original hostmap tool performs a large amount of different checks
to achieve its comprehensive hostnames list for a given target (see
http://hostmap.lonerunners.net/doc/README.pdf ). As said before, my
hostmap.nse only performs one of them called "passive web enumeration"
because I wanted it to be fast and just informational. But if anyone
thinks that including other checks could be interesting, it's obviously
also possible. Keep in mind that every technique increases significantly
the timing for the overall process.

Regards,

A.G.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/

iEYEARECAAYFAkyRMo4ACgkQ3aDTTO0ha7g9agCcDIfm/1v9AzFbyHvppYWp7YuH
yaAAn3zHMh88jkESSKJ67KsxiNyXOQoz
=XpUT
-----END PGP SIGNATURE-----

Attachment: hostmap.nse
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/