Nmap Development mailing list archives

Re: [NSE] WHOIS


From: Fyodor <fyodor () insecure org>
Date: Sun, 3 Feb 2008 14:47:31 -0800

On Sun, Feb 03, 2008 at 01:46:35AM +0000, jah wrote:

> I'd like to share the attached whois.nse, which performs whois queries
> against the five Regional Internet Registries (ARIN, RIPE NCC, APNIC,
> LACNIC and AFRINIC) in order to return (a small number of) fields from
> the record pertaining to the range of IP address assignments in which
> the target IP address resides.

Hi Jah.  This looks quite promising!  It would be the longest Nmap NSE
script by a wide margin.  I'm glad you have done so much testing.

I'm wondering if people will get their IP addresses banned for doing
too many whois queries?  It is very common that people scan
consecutive ranges.  What do you think about caching the resulting
net ranges?  So if someone scans 159.93.0.0/16, the first machine (159.93.0.0) would
show:

Host script results:
|  WHOIS: Record found at whois.ripe.net
|  inetnum: 159.93.0.0 - 159.93.255.255
|  netname: JINR-NET
|  descr: Joint Institute for Nuclear Research
|_ country: RU

But then for 159.93.0.1, the script would first look up its cached
entries and see that it already has results which include that IP.
Then it could either just include the same information or (probably
better) an abbreviated entry like we do with traceroute results.  For
example, maybe it could just give the netname or some other field, and
a pointer to 159.93.0.0 for full results.

Cheers,
Fyodor

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
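
The range caching suggested in the message above, sketched in plain Lua as an added example; it is not code from whois.nse or from anyone in the thread. `fake_whois`, `whois_report`, the abbreviated output format and the 192.0.2.0/24 record are hypothetical or constructed; the JINR-NET record is the one quoted in the message.

```lua
-- Added example: cache whois results by network range so that later hosts
-- inside an already-seen range cost no further query to the registry.
local cache = {}   -- entries {lo=, hi=, first=, rec=}; an NSE script would need
                   -- to share this between hosts (assumption: nmap.registry)
local queries = 0  -- counts lookups that would really reach a whois server

local function ip_to_num(ip)
  local a, b, c, d = ip:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
  if not a then return nil end
  a, b, c, d = tonumber(a), tonumber(b), tonumber(c), tonumber(d)
  if a > 255 or b > 255 or c > 255 or d > 255 then return nil end
  return a * 16777216 + b * 65536 + c * 256 + d
end

-- Stand-in for a real RIR query; the returned records are constructed.
local function fake_whois(ip)
  queries = queries + 1
  local n = ip_to_num(ip)
  if n >= ip_to_num("159.93.0.0") and n <= ip_to_num("159.93.255.255") then
    return { inetnum = "159.93.0.0 - 159.93.255.255", netname = "JINR-NET" }
  end
  return { inetnum = "192.0.2.0 - 192.0.2.255", netname = "EXAMPLE-NET" }
end

local function whois_report(ip, query)
  local n = ip_to_num(ip)
  if not n then return nil, "not an IPv4 address" end
  for _, e in ipairs(cache) do
    if n >= e.lo and n <= e.hi then  -- hit: abbreviated entry, no query sent
      return ("netname: %s (see %s for full results)"):format(e.rec.netname, e.first)
    end
  end
  local rec = query(ip)
  local lo, hi = rec.inetnum:match("^(%S+)%s*%-%s*(%S+)$")
  lo, hi = ip_to_num(lo or ""), ip_to_num(hi or "")
  if lo and hi and lo <= hi then     -- cache only ranges that parsed cleanly
    cache[#cache + 1] = { lo = lo, hi = hi, first = ip, rec = rec }
  end
  return ("inetnum: %s, netname: %s"):format(rec.inetnum, rec.netname)
end

for _, ip in ipairs({ "159.93.0.0", "159.93.0.1", "159.93.200.7", "192.0.2.10" }) do
  print(ip, whois_report(ip, fake_whois))
end
print("whois queries sent:", queries)
```

A cached range answers for every address inside it, so a more specific sub-assignment within that range would not be reported separately.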

