Nmap Development mailing list archives

Re: [NSE script] vhosts on the same ip


From: jah <jah () zadkiel plus com>
Date: Mon, 25 Aug 2008 15:35:07 +0100

On 25/08/2008 12:31, Sven Klemm wrote:
Hi,

I've written an NSE script that queries search.live.com for host names
using the same IP. The script requires the changes in my nse_sedusa
branch (svn://svn.insecure.org/nmap-exp/sven/nse_sedusa).

I don't like the fact that it uses an external search engine to get
this information but I think the usefulness of the information
outweighs this.
I am open to hearing about better ideas to implement this or for
further sources to get lists of vhosts from.

Hi Sven,

I've written a script to do the same thing - not yet fully tested.
I agree that it is a useful addition and that this fact outweighs the
use of an external search engine.  My worry is that Microsoft will
change the output or remove the IP search or otherwise make it difficult
to maintain such a script.  For this reason, I've been sitting on the
script and occasionally checking that it still works as expected.  So
far, my concerns haven't been borne out, but that may change if such a
script were to be widely used.  I guess there's only one way to find out...
I have tried to make the script look less like an automated tool with
the use of HTTP headers.

I've also included an HTTP cookie which controls how many results are
returned per request and then use nmap.verbosity to decide the number of
domains printed (up to 30).  The script also displays the total number
of search results that live.com reported which I think is useful to know
(many domains = hosting provider or similar) and how many duplicate
entries have been suppressed in the final output (which needs some work).

Examples:

Host script results:
|  ipsearch: Showing 10 of 10 results. 4 duplicates not shown.
|  insecure.org
|  cgi.insecure.org
|  insecure.com
|  www.insecure.com
|  images.insecure.org
|_ download.insecure.org

Host script results:
|  ipsearch: Showing 10 of 158,000 results.
|  www.navynews.co.uk
|  www.avoncroft.org.uk
|  www.smokedproduce.co.uk
|  www.kashmir.co.uk
|  www.clitheroefc.co.uk
|  www.lbc.org.uk
|  www.falkirkfolkclub.co.uk
|  www.goodquarry.com
|  www.kokodigital.co.uk
|_ www.barnsleyrufc.co.uk

I much prefer the comma-delimited output you've opted for.

So I thought perhaps you might like to incorporate some of this into
your script and I attach my version for this purpose.  Of course, if
you'd like me to send a patch I'd be happy to.

Regards,

jah
id="ipsearch"
author=""
runlevel="1"
description = ""

--[[ nmap -PS21,23,25,80,3389 -PA22,53,113,443,554 -sS -p80,443,8080 --script dev/ipsearch -iR 100 --]]

local http      = require "http"
local ipOps     = require "ipOps"

-- One request at a time across all threads of this script (keyed on the
-- script's global id), so the search engine is never queried concurrently.
local mutex     = nmap.mutex( id )

-- An IP: search only makes sense for public addresses.
hostrule = function( host )
  return not ipOps.isPrivate( host.ip )
end

-- Builds the final output from the parsed results.  t[0] holds the format
-- string for the summary line plus its arguments; t[1..n] hold the domains.
-- Forward-declared as a local so action() does not depend on a global.
local result_table

action = function( host )

  local request_uri = ( "http://search.live.com/results.aspx?q=IP:%s" ):format( host.ip )
  local options, header = {}, {}
  -- Browser-like headers; the SRCHHPGUSR cookie asks for 100 results per page.
  header["Accept"] = "text/html,application/xhtml+xml,application/xml;q=0.9"
  header["Referer"] = "http://www.live.com/"
  header["Cookie"] = "SRCHHPGUSR=NRSLT=100"
  header["User-Agent"] = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
  options.header = header

  mutex "lock"
  local response = http.get_url( request_uri, options )
  mutex "done"

  if not response or type( response.status ) ~= "number" or response.status ~= 200
     or type( response.body ) ~= "string" then
    return nil
  end

  local t, dups, dup_note = {}, {}, ""
  t.dups = 0
  -- Matches e.g. "1-10 of 158,000 results"; "%-" is a literal hyphen inside the set.
  local ptn_resshown, ptn_restotal = response.body:match(
    '<span%sclass="sb_count"%sid="count">([%-0-9]+)%sof%s([,0-9]+)%sresults</span>' )
  local ptn_domain = "<cite>(.-)</cite>"
  for domain in response.body:gmatch( ptn_domain ) do
    -- keep only the host part of each cited URL and suppress repeats
    domain = domain:gsub( "([^/]+)/.*", "%1" )
    if not dups[domain] then
      t[#t+1] = domain
      dups[domain] = 1
    else
      t.dups = t.dups + 1
    end
  end
  if t.dups > 0 then
    dup_note = ( " %s duplicates not shown." ):format( t.dups )
  end
  t[0] = { "Showing %s of %s results.%s", ptn_resshown, ptn_restotal, dup_note }

  return result_table( t )

end

result_table = function( t )

  if type( t ) ~= "table" or #t < 1 then return nil end
  -- 10 domains at default verbosity, 20 with -v, 30 with -vv or more.
  local v = nmap.verbosity()
  if v > 2 then v = 2 end
  local num_to_show = ( v+1 )*10
  -- Index t[0] explicitly rather than unpack() it: the count captures may be nil.
  local str, n, total, dups = t[0][1], t[0][2], t[0][3], t[0][4] or ""
  if n then
    -- n is a "1-10" style range; take its upper bound
    n = tonumber( n:match( "[0-9]+%-([0-9]+)" ) ) or num_to_show
    if n <= num_to_show then
      num_to_show = n
    else
      -- not every result is listed, so the duplicate count would mislead
      dups = ""
    end
  else
    total = num_to_show
  end
  t[0] = str:format( num_to_show, total, dups )
  local ret = {}
  for i = 0, num_to_show, 1 do
    ret[i+1] = t[i]
  end

  if #ret > 1 then return table.concat( ret, "\n" ) end

  return nil

end
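jah's main worry above is that the result-page markup may change and silently break the script. One way to keep watch on that is to separate the page parsing from the HTTP fetch and run it against a saved page as a regression check. The following is an added example written for this purpose; it is not part of jah's script or of Nmap. It reuses the two Lua patterns the script relies on (the `sb_count` span and the `<cite>` entries), and the HTML fixture is constructed to match that shape rather than captured from live.com. The parser reports a missing count span as a format change instead of returning nothing, and the hostname normalisation goes slightly beyond the script's own `gsub` by also dropping a scheme, port or query string and lower-casing, so that entries differing only in those ways are counted as duplicates.

```lua
-- Offline regression check for the live.com result-page parsing used by the
-- ipsearch script. Added example, not jah's code; runs with plain Lua 5.1+.

-- Extract the hostname part of a <cite> entry: drop scheme, path, port and query.
local function hostname_of(cite)
  cite = cite:gsub("^%a+://", "")          -- scheme, if present
  cite = cite:match("^([^/:?]+)") or cite  -- stop at "/", ":" or "?"
  return cite:lower()
end

-- Parse a results page body. Returns a table with either
--   ok=false, reason=...                 (expected markup absent: format change?)
--   ok=true, shown, total, hosts, dups   (hosts unique and in page order)
local function parse_results(body)
  if type(body) ~= "string" then
    return { ok = false, reason = "no body" }
  end
  local shown, total = body:match(
    '<span%sclass="sb_count"%sid="count">([%-0-9]+)%sof%s([,0-9]+)%sresults</span>')
  if not shown then
    return { ok = false, reason = "result-count span not found (page format changed?)" }
  end
  local hosts, seen, dups = {}, {}, 0
  for cite in body:gmatch("<cite>(.-)</cite>") do
    local h = hostname_of(cite)
    if h ~= "" then
      if seen[h] then
        dups = dups + 1
      else
        seen[h] = true
        hosts[#hosts + 1] = h
      end
    end
  end
  return { ok = true, shown = shown, total = total, hosts = hosts, dups = dups }
end

-- Mirror the script's verbosity rule: 10 hosts at -v0, 20 at -v, 30 at -vv or more.
local function max_to_show(verbosity)
  if verbosity > 2 then verbosity = 2 end
  return (verbosity + 1) * 10
end

-- Constructed fixture mimicking the markup the patterns expect (not a real page).
local fixture = [[
<span class="sb_count" id="count">1-10 of 10 results</span>
<cite>insecure.org</cite>
<cite>insecure.org/nmap/</cite>
<cite>cgi.insecure.org/cgi-bin/x?a=1</cite>
<cite>http://www.insecure.com/</cite>
<cite>INSECURE.COM</cite>
<cite>images.insecure.org:80/a.png</cite>
<cite>download.insecure.org</cite>
<cite>www.insecure.com/index.html</cite>
]]

local r = parse_results(fixture)
assert(r.ok)
assert(r.shown == "1-10" and r.total == "10")
assert(#r.hosts == 6 and r.dups == 2)
assert(r.hosts[1] == "insecure.org" and r.hosts[6] == "download.insecure.org")
assert(max_to_show(0) == 10 and max_to_show(1) == 20 and max_to_show(5) == 30)

-- A page whose count markup has changed is reported, not silently ignored.
local changed = parse_results("<div>10 results</div><cite>insecure.org</cite>")
assert(not changed.ok and changed.reason:match("format changed"))
print("all checks passed")
```

Replacing the fixture with a page saved from a real query turns this into the "occasionally checking that it still works" step jah describes, and a failing `parse_results` call then points at the markup that moved rather than at an empty script result.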

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org