From ea2e9e4499556010a1d4211b3ebe9cf30de4ee3b Mon Sep 17 00:00:00 2001
From: dmiller
Date: Sun, 11 Mar 2018 03:50:52 +0000
Subject: [PATCH] Fix hostmap-crtsh hostrule to require a name
---
 scripts/hostmap-crtsh.nse | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/scripts/hostmap-crtsh.nse b/scripts/hostmap-crtsh.nse
index 10e03dddc..5684652dc 100644
--- a/scripts/hostmap-crtsh.nse
+++ b/scripts/hostmap-crtsh.nse
@@ -1,6 +1,9 @@
 description = [[
-Finds subdomains of a web server by querying Google's
- Certificate Transparency logs database (https://crt.sh).
+Finds subdomains of a web server by querying Google's Certificate Transparency
+logs database (https://crt.sh).
+
+The script will run against any target that has a name, either specified on the
+command line or obtained via reverse-DNS.
 
 NSE implementation of ctfr.py (https://github.com/UnaPibaGeek/ctfr.git)
 by Sheila Berta.
@@ -50,12 +53,17 @@ local target = require "target"
 local table = require "table"
 local shortport = require "shortport"
 
-hostrule = function(host)
- return shortport.http
+-- Different from stdnse.get_hostname
+-- this function returns nil if the host is only known by IP address
+local function get_hostname (host)
+ return host.targetname or (host.name ~= '' and host.name)
 end
 
+-- Run on any target that has a name
+hostrule = get_hostname
+
 local function query_ctlogs(host)
- local query = string.format("/?q=%%.%s&output=json", host.targetname)
+ local query = string.format("/?q=%%.%s&output=json", get_hostname(host))
 local response
 response = http.get("crt.sh", 443, query )
 local hostnames = {}
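Review bot: The value interpolated into `/?q=%%.%s&output=json` on the `local query = string.format(...)` line is no longer only the user-typed target name; with `hostrule = get_hostname` it may be `host.name`, a reverse-DNS (PTR) record that the target's DNS operator controls, and it goes into the query string unescaped, so characters such as `&`, `#`, `%` or whitespace in that record can alter or break the request sent to crt.sh. I would percent-encode it before formatting, `local query = string.format("/?q=%%.%s&output=json", url.escape(get_hostname(host)))`, adding `local url = require "url"` to the require block if the file does not already have it (the requires above this hunk are not visible here). Two smaller points: the comment on `get_hostname` says it returns nil for IP-only hosts, but `host.name ~= '' and host.name` yields `false` when the name is empty, which is harmless for a hostrule but the comment should say "nil or false"; and `shortport` is no longer referenced in this hunk, so `local shortport = require "shortport"` is likely unused unless it is used elsewhere in the file. `query_ctlogs` continues past the end of the hunk.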
@@ -99,7 +107,7 @@ action = function(host) output_tab.subdomains = hostnames --write to file if filename_prefix then - local filename = filename_prefix .. stdnse.filename_escape(host.targetname or host.ip) + local filename = filename_prefix .. stdnse.filename_escape(get_hostname(host)) hostnames_str = stdnse.strjoin("\n", hostnames) local status, err = write_file(filename, hostnames_str)