diff --git a/CHANGELOG b/CHANGELOG
index 64002e217..aa7c94838 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,9 @@ # Nmap Changelog ($Id$); -*-text-*- +o [NSE] Added the http-robtex-reverse-ip script that uses the Robtex service to + perform a reverse lookup in order to discover all names associated with the + IP. [riemann] + o [NSE] Updated script.db to correct some of the category changes made previously and to remove the accidental addition of non-existing snmp-brute2 script. [Patrik]
diff --git a/scripts/http-robtex-reverse-ip.nse b/scripts/http-robtex-reverse-ip.nse
new file mode 100644
index 000000000..81cb8708e
--- /dev/null
+++ b/scripts/http-robtex-reverse-ip.nse
@@ -0,0 +1,71 @@
+description = [[
+This script is inspired from http-reverse-ip to do a reverse ip lookup
+using robtex website by parsing http://www.robtex.com/ip/ and return
+maximum of 100 domains
+]]
+
+---
+-- @usage
+-- nmap --script http-robtex-reverse-ip --script-args http-robtex-reverse-ip.host=''
+--
+-- @output
+-- Pre-scan script results:
+-- | http-robtex-reverse-ip:
+-- | *.insecure.org
+-- | *.nmap.com
+-- | *.nmap.org
+-- | *.seclists.org
+-- | insecure.com
+-- | insecure.org
+-- | lists.insecure.org
+-- | nmap.com
+-- | nmap.net
+-- | nmap.org
+-- | seclists.org
+-- | sectools.org
+-- | web.insecure.org
+-- | www.insecure.org
+-- | www.nmap.com
+-- | www.nmap.org
+-- | www.seclists.org
+-- |_ images.insecure.org
+--
+-- @args http-robtex-reverse-ip.host IPv4 address of the host to lookup
+--
+
+author = "riemann"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"discovery", "safe", "external"}
+
+require "http"
+require "ipOps"
+require "shortport"
+
+--- Scrape reverse ip informations from robtex website
+-- @param data string containing the retrieved web page
+-- @return table containing the resolved host names
+function parse_robtex_response(data)
+ local data = string.gsub(data,"\r?\n","")
+ local result = {}
+ for num,href,link in string.gmatch(data,"(.-)") do
+ table.insert(result,link)
+ end
+ return result
+end
+
+prerule = function() return stdnse.get_script_args("http-robtex-reverse-ip.host") ~= nil end
+
+action = function(host, port)
+ local target = stdnse.get_script_args("http-robtex-reverse-ip.host")
+ local ip = ipOps.ip_to_str(target)
+ if ( not(ip) or #ip ~= 4 ) then
+ return stdnse.format_output(false, "The argument \"http-robtex-reverse-ip.host\" did not contain a valid IPv4 address")
+ end
+
+ local link = "http://www.robtex.com/ip/"..target..".html"
+ local htmldata = http.get_url(link)
+ local domains = parse_robtex_response(htmldata.body)
+ if ( #domains > 0 ) then
+ return stdnse.format_output(true, domains)
+ end
+end
diff --git a/scripts/script.db b/scripts/script.db
index ad78b7a4f..4612985bc 100644
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -98,6 +98,7 @@ Entry { filename = "http-passwd.nse", categories = { "intrusive", "vuln", } }
 Entry { filename = "http-php-version.nse", categories = { "discovery", "safe", } }
 Entry { filename = "http-put.nse", categories = { "discovery", "intrusive", } }
 Entry { filename = "http-robots.txt.nse", categories = { "default", "discovery", "safe", } }
+Entry { filename = "http-robtex-reverse-ip.nse", categories = { "discovery", "external", "safe", } }
 Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "http-trace.nse", categories = { "discovery", "safe", "vuln", } }
 Entry { filename = "http-userdir-enum.nse", categories = { "auth", "intrusive", } }
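Review bot: In action, the result of `http.get_url(link)` is indexed without any check, so a failed or empty fetch from the external service (nil response, nil body) raises a runtime error inside `parse_robtex_response` instead of the script returning cleanly; guard it before parsing, e.g. `if not htmldata or not htmldata.body then return end`, and consider checking `htmldata.status` too since the body is untrusted third-party content. `stdnse.get_script_args` and `stdnse.format_output` are used in prerule and action but the only requires are http, ipOps and shortport, so add `require "stdnse"` unless the script environment already provides it, and `shortport` appears unused. `parse_robtex_response` is declared as a global; `local function parse_robtex_response(data)` keeps it out of the script's global environment, and the inner `local data = string.gsub(...)` needlessly shadows the parameter. The gmatch pattern appears here as `"(.-)"` with three loop variables, which looks like the HTML tags were stripped by the page rendering rather than by the commit, so I have not raised it; note also that the description's "maximum of 100 domains" is not enforced anywhere in the code as shown. Minor: "informations" → "information" in the function doc comment.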