Nmap Development mailing list archives
Re: [NSE] hostmap.nse, hostnames discovery
From: Gutek <ange.gutek () gmail com>
Date: Wed, 15 Sep 2010 22:54:39 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 26/08/2010 16:43, David Fifield wrote:

> On Fri, Jul 23, 2010 at 11:39:50AM +0200, Gutek wrote:
>> If it can be of any interest for some of you, here is a script I often use that I wanted to share. Inspired by the hostmap tool (http://hostmap.lonerunners.net/index.html), its purpose is to provide a list of other names hosted on a given target. It's simpler and quicker than the original hostmap: the only thing that both share is querying the BFK.de database. At the end, the script also creates a one-entry-per-line file usable with other security tools.
>>
>> Sample output:
>>
>> -- @output
>> -- 80/tcp open http
>> -- | hostmap: (results from bfk.de database)
>> -- | insecure.org
>> -- | 74.207.254.18
>> -- | web.insecure.org
>> -- | images.insecure.org
>> -- | lists.insecure.org
>> -- | www.insecure.org
>> -- | nmap.org
>> -- | sectools.org
>> -- | mirror.sectools.org
>> -- | seclists.org
>> -- |_(file created: ./hostmap-for-74-207-254-18.nmap)
>>
>> As you can see, nothing special here. I just thought that, as dev-list readers, it could be useful for you as it often is for me.
>
> Since this script only needs the host's IP address, and nothing about individual ports, it should use a hostrule and not a portrule. That way it will run for -sn scans with no port scan. The hostrule can just be a function that returns true, or if you want to be really careful, it can check that the host.ip key exists, which it always does at the moment.
>
>   function hostrule(host)
>     return host.ip ~= nil
>   end
>
> The categories are a little messed up; they should be
>
>   categories = {"external", "discovery", "safe"}
>
> You should use stdnse.strsplit instead of a custom split function.
>
> I prefer that the script not create files in the filesystem unless asked to with a script argument. It could look like this:
>
>   nmap -sn --script hostmap --script-args hostmap.save <target>
>
> In the script you would access it like this:
>
>   local save = stdnse.get_script_args("hostmap.save")
>
> The page at http://www.bfk.de/bfk_dnslogger.html says, "This web interface must not be used for automated queries. For details about bulk queries please contact: ..." The script isn't exactly automated because users have to ask for it, but someone could easily or accidentally cause a lot of queries by running it against a big network. Would you contact the email address they give and ask if they object to this script? Michael Pattrick was able to work out an arrangement with Team Cymru for asn-query.
>
> David Fifield
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/
Hi list,

It's been a long time since my first hostmap.nse post because I didn't get any answer from bfk.de despite several mails. However (and for testing purposes), here is an update according to David's suggestions.

What's more, I've noticed that sometimes the bfk.de results are somehow polluted with false positives (hostnames that do not really exist). So as to be as accurate as possible, the script performs a DNS query against every hostname that bfk.de returns.

Further development:

o Besides hostmap.nse creating a target-list file if such an argument is provided, I'm very interested in the new "target-add" feature. I think it will also be invoked via an arg. I will keep the file creation because its first goal is to be usable with other security tools like, say, a web vulnerability scanner.

o The original hostmap tool performs a large number of different checks to achieve its comprehensive hostname list for a given target (see http://hostmap.lonerunners.net/doc/README.pdf). As said before, my hostmap.nse only performs one of them, called "passive web enumeration", because I wanted it to be fast and just informational. But if anyone thinks that including other checks could be interesting, it's obviously also possible. Keep in mind that every technique significantly increases the timing for the overall process.

Regards,
A.G.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/

iEYEARECAAYFAkyRMo4ACgkQ3aDTTO0ha7g9agCcDIfm/1v9AzFbyHvppYWp7YuH
yaAAn3zHMh88jkESSKJ67KsxiNyXOQoz
=XpUT
-----END PGP SIGNATURE-----
Attachment:
hostmap.nse
Description:
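The points raised in the thread (a hostrule instead of a portrule so the script runs under -sn, the corrected categories, stdnse.strsplit, an opt-in hostmap.save argument, and Gutek's DNS re-check that drops names which do not really point at the scanned host) come together in the following NSE skeleton. This is an added example, not Gutek's attached hostmap.nse and not part of Nmap. It deliberately leaves out the bfk.de lookup (the thread notes that interface is not meant for automated queries) and instead reads the candidate names from an assumed script argument, hostmap.candidates; the file name pattern is copied from the sample output above, and the use of target.ALLOW_NEW_TARGETS / target.add to feed verified names back into the scan is an assumption about the NSE target library.

```lua
-- hostmap-verify.nse: added example for the nmap-dev thread on hostmap.nse.
-- Not the script attached to the thread; candidate names come from the
-- assumed script argument hostmap.candidates instead of the bfk.de database.

local dns = require "dns"
local io = require "io"
local stdnse = require "stdnse"
local target = require "target"

description = [[
Takes a comma-separated list of candidate hostnames (script argument
hostmap.candidates) and keeps only those whose A record resolves to the
scanned host, weeding out false positives. With hostmap.save the verified
names are also written to a one-entry-per-line file; with the standard
newtargets argument they are added to the scan queue.
]]

author = "added example, not from the thread"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"external", "discovery", "safe"}

-- A host rule only needs the address, so the script also runs for -sn
-- scans (no port scan), which a portrule would prevent.
hostrule = function(host)
  return host.ip ~= nil
end

-- Resolve one name and report whether any of its A records equals ip.
-- dns.query with retAll=true returns (true, table_of_answers) on success.
local function resolves_to(name, ip)
  local status, answers = dns.query(name, {dtype = "A", retAll = true})
  if not status or type(answers) ~= "table" then
    return false
  end
  for _, addr in ipairs(answers) do
    if addr == ip then
      return true
    end
  end
  return false
end

action = function(host)
  local raw = stdnse.get_script_args("hostmap.candidates")
  if not raw then
    return "no candidates given (use --script-args hostmap.candidates=a.example,b.example)"
  end

  -- stdnse.strsplit(pattern, text): the library splitter suggested in the thread
  local candidates = stdnse.strsplit(",%s*", raw)
  local verified = {}
  for _, name in ipairs(candidates) do
    if name ~= "" and resolves_to(name, host.ip) then
      verified[#verified + 1] = name
    end
  end

  if #verified == 0 then
    return nil -- nothing confirmed for this host, stay silent in the report
  end

  local output = {}
  for _, name in ipairs(verified) do
    output[#output + 1] = name
  end

  -- Files are only written when the user opts in with hostmap.save.
  local save = stdnse.get_script_args("hostmap.save")
  if save then
    local dashed = host.ip:gsub("%.", "-")      -- 74.207.254.18 -> 74-207-254-18
    local path = "./hostmap-for-" .. dashed .. ".nmap"
    local f, err = io.open(path, "w")
    if f then
      f:write(table.concat(verified, "\n"), "\n")
      f:close()
      output[#output + 1] = "(file created: " .. path .. ")"
    else
      output[#output + 1] = "(could not create file: " .. tostring(err) .. ")"
    end
  end

  -- Assumption: target.add only accepts names when --script-args newtargets
  -- was given, which the library exposes as target.ALLOW_NEW_TARGETS.
  if target.ALLOW_NEW_TARGETS then
    for _, name in ipairs(verified) do
      local ok, reason = target.add(name)
      if not ok then
        output[#output + 1] = "(could not add target " .. name .. ": " .. tostring(reason) .. ")"
      end
    end
  end

  return stdnse.format_output(true, output)
end
```

Usage would be along the lines of `nmap -sn --script hostmap-verify --script-args hostmap.candidates=www.example.test,mail.example.test,hostmap.save <target>`. Because the hostrule is satisfied by every host with an address, the script runs once per target with no port scan, and a candidate name is only reported (or saved, or queued) after its own A record has been checked against the scanned address.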
Current thread:
- [NSE] hostmap.nse, hostnames discovery Gutek (Jul 23)
- Re: [NSE] hostmap.nse, hostnames discovery David Fifield (Aug 26)
- Re: [NSE] hostmap.nse, hostnames discovery Gutek (Sep 15)
- Re: [NSE] hostmap.nse, hostnames discovery David Fifield (Aug 26)