Nmap Development mailing list archives

[NSE] request: feeding hosts back into Nmap


From: Ron <ron () skullsecurity net>
Date: Thu, 17 Jun 2010 11:09:42 -0500

Hey all,

This is a feature I've thought of before, and that we've talked about before, but now I have a really good "first 
script" that I'm hoping will provide motivation. This also goes well with the idea of "scan scripts" (as opposed to 
host/port scripts). 

The idea is, having a script that can find more IP addresses for Nmap to scan. Those IP addresses are fed into a new 
hostgroup, and, when Nmap is done with the current scan, it continues on with scanning the new hosts. 

Technologically, I talked to Patrick a little and he doesn't think it'll be too bad. 

Here are some ideas of what it can be used for:
o One person I've talked to via email and on IRC has used bruteforce to collect reverse DNS records for every host on 
the Internet. He wants to write an Nmap script that will probe that database for a domain name (say, *.foxnews.com) and 
generate the list of addresses to scan. 
o Something else I posted about before is using a query to get every IP address in a given AS and scan them. Although 
the usefulness of this can be disputed, it would be trivial to do with this type of script. 
o The ntp-monlist script currently lists all IP addresses that have used an NTP server. This can potentially have an 
option to feed those IP addresses back into Nmap. 
o Other scripts can potentially find new targets, like one that queries a peer-to-peer port. 

Clearly, there would have to be some kind of intelligence for host- or port-scripts, because if they run every time 
there are going to be infinite loops to deal with. But the idea of having a scan-script that generates the addresses to 
scan is a useful idea, I think. 

-- 
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
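As an added example (not part of Ron's message, and not one of Nmap's own scripts), here is the shape such a "scan script" takes with the NSE `target` library that current Nmap provides for feeding addresses back into the scan: a prerule-only script that reads IPv4 addresses from a file and hands them to the scan queue with `target.add()`, gated on `--script-args newtargets` (which sets `target.ALLOW_NEW_TARGETS`). The script name `extra-targets`, its `extra-targets.file` and `extra-targets.max` arguments, and the one-address-per-line file format are assumptions of this example. Because only the prerule adds targets, and a prerule runs exactly once before any host is scanned, the infinite loop the message worries about for host- and port-scripts cannot form; the script also dedupes and caps what it adds.

```lua
-- extra-targets.nse (hypothetical name, example code): a prerule-only NSE
-- script that feeds addresses from a file back into the running scan via
-- the target library. No hostrule/portrule is defined on purpose: adding
-- targets from per-host phases is what would create a re-scan loop.

local stdnse = require "stdnse"
local target = require "target"

description = [[
Reads newline-separated IPv4 addresses from the file named by the
extra-targets.file script argument and adds them to the scan queue.
Requires --script-args newtargets. Adds at most extra-targets.max
addresses (default 256); lines starting with # are ignored.
]]

author = "example (not part of Nmap)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

-- Runs once, before host discovery. Refuse to do anything unless the user
-- explicitly allowed new targets and named an input file.
prerule = function()
  if not target.ALLOW_NEW_TARGETS then
    stdnse.debug1("skipping: pass --script-args newtargets to allow new targets")
    return false
  end
  return stdnse.get_script_args("extra-targets.file") ~= nil
end

-- Accept only dotted-quad IPv4 with every octet in 0..255, so that a
-- malformed or hostile input file cannot inject arbitrary target specs.
local function valid_ipv4(s)
  local a, b, c, d = s:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
  if not a then return false end
  for _, octet in ipairs({a, b, c, d}) do
    if tonumber(octet) > 255 then return false end
  end
  return true
end

action = function()
  local path = stdnse.get_script_args("extra-targets.file")
  local max  = tonumber(stdnse.get_script_args("extra-targets.max")) or 256

  local f, err = io.open(path, "r")
  if not f then
    return ("could not open %s: %s"):format(path, err)
  end

  local seen, added, skipped = {}, 0, 0
  for line in f:lines() do
    local addr = line:match("^%s*(.-)%s*$")          -- trim whitespace
    if addr ~= "" and not addr:match("^#") then
      if valid_ipv4(addr) and not seen[addr] then
        seen[addr] = true                             -- dedupe within the file
        if added < max then                           -- hard cap on growth
          -- target.add returns true on success, or false plus an error string
          local ok, e = target.add(addr)
          if ok then
            added = added + 1
          else
            stdnse.debug1("target.add(%s) failed: %s", addr, e)
          end
        end
      else
        skipped = skipped + 1
      end
    end
  end
  f:close()

  return ("added %d new targets (%d invalid or duplicate lines skipped, cap %d)"):format(
    added, skipped, max)
end
```

Invoked as `nmap --script extra-targets --script-args newtargets,extra-targets.file=hosts.txt <seed target>`; without `newtargets` the prerule declines to run, so a script in the `safe` category cannot silently widen a scan the user did not ask for. The same gate, a once-only phase and a cap are what any of the message's other ideas (an AS lookup, ntp-monlist output, a peer-to-peer query) would need before handing addresses back to Nmap.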
