diff --git a/CHANGELOG b/CHANGELOG
index 0ecec811c..f18fd2124 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,8 @@ # Nmap Changelog ($Id$); -*-text-*-
+o [NSE] Added hostmap-robtex.nse by Arturo Busleiman, which finds other
+ domain names sharing the IP address of the target.
+
 o [NSE] Added the script http-vlcstreamer-ls which queries the VLC Streamer helper service for a list of files in a given directory. [Patrik Karlsson]
diff --git a/scripts/hostmap-robtex.nse b/scripts/hostmap-robtex.nse
new file mode 100644
index 000000000..cd9b39227
--- /dev/null
+++ b/scripts/hostmap-robtex.nse
@@ -0,0 +1,71 @@
+description = [[
+Tries to find hostnames that resolve to the target's IP address by querying the Robtex service at http://www.robtex.com/dns/.
+]];
+
+---
+-- @usage
+-- nmap --script hostmap-robtex --script-args hostmap-robtex.host=''
+--
+-- @args hostmap-robtex.host IPv4 address of the host to lookup
+--
+-- @output
+-- Pre-scan script results:
+-- | hostmap-robtex:
+-- | example.edu
+-- | example.net
+-- | example.edu
+-- |_ example.net
+-- (some results omitted for brevity)
+--
+-- TODO:
+-- * Add list of nameservers, or group output accordingly
+--
+
+author = "Arturo Busleiman ";
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html";
+categories = {
+ "discovery",
+ "safe",
+ "external"
+};
+
+require "http";
+require "shortport";
+
+--- Scrape domains sharing name servers from robtex website
+-- @param data string containing the retrieved web page
+-- @return table containing the resolved host names
+function parse_robtex_response (data)
+ local result = {};
+
+ for linkhref, ns, domain in string.gmatch(data, "(.-)") do
+ if not table.contains(result, domain) then
+ table.insert(result, domain);
+ end
+ end
+ return result;
+end
+
+prerule = function ()
+ return stdnse.get_script_args("hostmap-robtex.host") ~= nil;
+end;
+
+action = function (host, port)
+ local target = stdnse.get_script_args("hostmap-robtex.host");
+
+ local link = "http://www.robtex.com/dns/" .. target .. ".html";
+ local htmldata = http.get_url(link);
+ local domains = parse_robtex_response(htmldata.body);
+ if (#domains > 0) then
+ return stdnse.format_output(true, domains);
+ end
+end;
+
+function table.contains (table, element)
+ for _, value in pairs(table) do
+ if value == element then
+ return true;
+ end
+ end
+ return false;
+end
diff --git a/scripts/script.db b/scripts/script.db
index 840cdeefe..0d8e0e384 100644
--- a/scripts/script.db
+++ b/scripts/script.db
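Review bot: `htmldata.body` in `action` is dereferenced without checking what `http.get_url` returned, so a failed or timed-out request with no body makes `parse_robtex_response` hand nil to `string.gmatch` and the script errors out instead of returning nothing. The `hostmap-robtex.host` argument is also spliced into the URL unvalidated although `@args` promises an IPv4 literal, and `function table.contains (table, element)` is installed onto the shared `table` library (its parameter shadows `table` as well), where every other script loaded in the same run sees it; a local `seen` set gives the same de-duplication in O(1) per entry and drops the global. `require "shortport"` is unused, and `stdnse` is called without a matching `require "stdnse"`, which only works if this NSE version preloads it. The `gmatch` pattern on this page looks garbled by extraction (three captures bound from a single `(.-)`), so I have not reviewed the scraping itself. Rewritten lines for `parse_robtex_response` and `action`, with `table.contains` removed:
```lua
function parse_robtex_response (data)
  local result, seen = {}, {};

  -- … unchanged: gmatch over the page body …
    if not seen[domain] then
      seen[domain] = true;
      result[#result + 1] = domain;
    end
  -- … unchanged: loop end, return result …
end

action = function (host, port)
  local target = stdnse.get_script_args("hostmap-robtex.host");
  -- @args documents an IPv4 address; refuse anything else before it reaches the URL
  if not target:match("^%d+%.%d+%.%d+%.%d+$") then
    return;
  end

  local link = "http://www.robtex.com/dns/" .. target .. ".html";
  local htmldata = http.get_url(link);
  -- a failed request carries no body; string.gmatch(nil, ...) would raise
  if not htmldata or not htmldata.body then
    return;
  end
  -- … unchanged: parse_robtex_response and format_output …
end;
```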
@@ -102,6 +102,7 @@ Entry { filename = "hadoop-tasktracker-info.nse", categories = { "default", "dis
 Entry { filename = "hbase-master-info.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "hbase-region-info.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "hddtemp-info.nse", categories = { "default", "discovery", "safe", } }
+Entry { filename = "hostmap-robtex.nse", categories = { "discovery", "external", "safe", } }
 Entry { filename = "hostmap.nse", categories = { "discovery", "external", "intrusive", } }
 Entry { filename = "http-affiliate-id.nse", categories = { "discovery", "safe", } }
 Entry { filename = "http-apache-negotiation.nse", categories = { "discovery", "safe", } }