From 4d7ed415c09b18c6b6b4a50ee061ffd2233d94b3 Mon Sep 17 00:00:00 2001
From: nnposter
Date: Wed, 10 Dec 2025 18:29:53 +0000
Subject: [PATCH] Implement script argument hostmap-crtsh.lax. Close #3239, fix #2183
---
 CHANGELOG | 6 ++++++
 scripts/hostmap-crtsh.nse | 40 +++++++++++++++++++++++----------------
 2 files changed, 30 insertions(+), 16 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 7785283c9..23dc2280d 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,11 @@
 #Nmap Changelog ($Id$); -*-text-*-
+o [GH#2183][GH#3239] Script hostmap-crtsh now reports only true subdomains
+ of a given target hostname by default. In the past, it was reporting any
+ DNS name that included the target hostname as a substring (but not
+ necessarily as a suffix). The old behavior can be enabled by setting script
+ argument hostmap-crtsh.lax. [Sweekar-cmd, nnposter]
+
 o [GH#3191][GH#3218] Script http-internal-ip-disclosure has been enhanced,
 including added support for IPv6 and HTTPS and more accurate processing
 of target responses. [nnposter]
diff --git a/scripts/hostmap-crtsh.nse b/scripts/hostmap-crtsh.nse
index 3e62fb272..36f05e745 100644
--- a/scripts/hostmap-crtsh.nse
+++ b/scripts/hostmap-crtsh.nse
@@ -14,6 +14,11 @@ References:
 ---
 -- @args hostmap.prefix If set, saves the output for each host in a file
 -- called "". The file contains one entry per line.
+--
+-- @args hostmap-crtsh.lax If set, include hostname-like identities from CT logs
+-- that are not strict subdomains. When unset (default), only true subdomains
+-- of the target hostname are returned.
+--
 -- @args newtargets If set, add the new hostnames to the scanning queue.
 -- This the names presumably resolve to the same IP address as the
 -- original target, this is only useful for services such as HTTP that
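Review bot: The added `@args hostmap-crtsh.lax` description says "If set", but the `action` change later in this patch turns lax mode on only for the values `true`, `"true"` and `1`, so a user passing `hostmap-crtsh.lax=yes` silently keeps the strict filter; the line should name the accepted values, e.g. `-- @args hostmap-crtsh.lax If set to true or 1, include hostname-like identities from CT logs`. It would also help readers to spell out what "strict subdomain" means here — the identity must end in "." followed by the lowercased target hostname — since that is exactly the behaviour users of the old substring matching will be comparing against.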
@@ -38,16 +43,7 @@ References:
 -- output_nmap.org
 ---
--- TODO:
--- At the moment the script reports all hostname-like identities where
--- the parent hostname is present somewhere in the identity. Specifically,
--- the script does not verify that a returned identity is truly a subdomain
--- of the parent hostname. As an example, one of the returned identities for
--- "google.com" is "google.com.gr".
--- Since fixing it would change the script behavior that some users might
--- currently depend on then this should be discussed first. [nnposter]
-
-author = "Paulino Calderon "
+author = {"Paulino Calderon ", "Sweekar-cmd"}
 license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
@@ -88,8 +84,15 @@ local function is_valid_hostname (name)
 return true
 end
-local function query_ctlogs(hostname)
- local url = string.format("https://crt.sh/?q=%%.%s&output=json", hostname)
+local function is_subdomain (name, suffix)
+ -- suffix already includes ".", e.g., ".google.com"
+ return #name > #suffix and name:sub(-#suffix) == suffix
+end
+
+local function query_ctlogs (hostname, lax_mode)
+ hostname = hostname:lower()
+ local suffix = "." .. hostname
+ local url = string.format("https://crt.sh/?q=%%%s&output=json", suffix)
 local response = http.get_url(url)
 if not (response.status == 200 and response.body) then
 stdnse.debug1("Error: Could not GET %s", url)
@@ -110,9 +113,11 @@ local function query_ctlogs(hostname)
 name = name:sub(3)
 end
 if name ~= hostname and not hostnames[name] and is_valid_hostname(name) then
- hostnames[name] = true
- if target.ALLOW_NEW_TARGETS then
- target.add(name)
+ if lax_mode or is_subdomain(name, suffix) then
+ hostnames[name] = true
+ if target.ALLOW_NEW_TARGETS then
+ target.add(name)
+ end
 end
 end
 end
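Review bot: `is_subdomain` compares the CT identity `name` byte-for-byte against the lowercased `suffix`, so an identity recorded with uppercase letters would be rejected unless `name` has already been lowercased earlier in the loop; that normalisation, if any, is outside the hunk, so either confirm it or make the helper self-contained with `return #name > #suffix and name:sub(-#suffix):lower() == suffix`. The rewritten `string.format` line still places `suffix` in the crt.sh query string without URL-encoding, and nothing in the hunk validates the input `hostname` the way `is_valid_hostname` validates the results, so a target name containing `&`, `#` or `%` would alter the query rather than be looked up; running `hostname` through `is_valid_hostname` before building the URL would close that. `is_subdomain` also deserves an LDoc block stating that `suffix` must carry the leading dot and that the comparison is case-sensitive.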
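Review bot: The new `if lax_mode or is_subdomain(name, suffix) then` adds another nesting level inside the results loop and reads better folded into the condition on the line above it: `if name ~= hostname and not hostnames[name] and is_valid_hostname(name) and (lax_mode or is_subdomain(name, suffix)) then`, dropping the inner `if`/`end` pair. Identities rejected only by `is_subdomain` currently vanish without a trace; a `stdnse.debug1("Skipping non-subdomain identity %s", name)` on the rejected path would let users see why a name present in the CT log is absent from the output. The loop header and the remainder of `query_ctlogs` lie outside the hunk.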
@@ -136,7 +141,10 @@ end
 action = function(host)
 local filename_prefix = stdnse.get_script_args("hostmap.prefix")
 local hostname = get_hostname(host)
- local hostnames = query_ctlogs(hostname)
+ local lax = stdnse.get_script_args("hostmap-crtsh.lax")
+ local lax_mode = lax == true or lax == "true" or lax == 1
+
+ local hostnames = query_ctlogs(hostname, lax_mode)
 if not hostnames then return end
 local output_tab = stdnse.output_table()