update script to work with changes made to robtex website

2025-12-06 04:31:29 +00:00 · 2012-07-16 19:46:43 +00:00
parent 6ea54949fb
commit ea7da393f4
1 changed files with 76 additions and 36 deletions
--- a/scripts/http-robtex-shared-ns.nse
+++ b/scripts/http-robtex-shared-ns.nse
@@ -7,7 +7,7 @@ description = [[
 Finds up to 100 domain names which use the same name server as the target by querying the Robtex service at http://www.robtex.com/dns/.

 The target must be specified by DNS name, not IP address.
-]];
+]]

 ---
 -- @usage
@@ -26,47 +26,87 @@ The target must be specified by DNS name, not IP address.
 -- * Add list of nameservers, or group output accordingly
 --

-author = "Arturo Busleiman <buanzo@buanzo.com.ar>";
-license = "Same as Nmap--See http://nmap.org/book/man-legal.html";
-categories = {
-  "discovery",
-  "safe",
-  "external"
-};
+author = "Arturo Busleiman <buanzo@buanzo.com.ar>"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"discovery", "safe", "external"}
+
+local function unescape(s)
+    return string.gsub(s, "\\x(%x%x)", function(hex)
+        return string.char(tonumber(hex, 16))
+    end)
+end


 --- Scrape domains sharing name servers from robtex website
 -- @param data string containing the retrieved web page
 -- @return table containing the resolved host names
-function parse_robtex_response (data)
-  local result = {};
+function parse_robtex_response(data)
+  local result = {}

-  for linkhref, ns, domain in string.gmatch(data, "<a href=\"(.-)%.html#shared\"%s*title=\"using ns (.-)\">(.-)</a>") do
-    if not table.contains(result, domain) then
-      table.insert(result, domain);
-    end
-  end
-  return result;
+	-- cut out the section we're interested in
+	data = data:match("<span id=\\\"sharednss?\\\">.-<ul.->(.-)</ul>")
+	if ( not(data) ) then
+		return
+	end
+	
+	-- process each html list item
+	for li in data:gmatch("<li>(.-)</li>") do
+		local domain = li:match("<a.->(.*)</a>")
+		if ( domain ) then
+			table.insert(result, domain)
+		end
+	end
+	
+  return result
 end

-hostrule = function (host)
-  return host.targetname
-end;
-
-action = function (host)
-  local link = "http://www.robtex.com/dns/" .. host.targetname .. ".html";
-  local htmldata = http.get_url(link);
-  local domains = parse_robtex_response(htmldata.body);
-  if (#domains > 0) then
-    return stdnse.format_output(true, domains);
-  end
-end;
-
-function table.contains (table, element)
-  for _, value in pairs(table) do
-    if value == element then
-      return true;
-    end
-  end
-  return false;
+local function lookup_dns_server(data)
+	return data:match("The primary name server is <a.->(.-)</a>.")
+end
+
+local function fetch_robtex_data(url)
+  local htmldata = http.get_url(url)
+	if ( not(htmldata) or not(htmldata.body) ) then
+		return
+	end
+  
+	local url = htmldata.body:match("var%s*uurl%s*='([^']*)")
+	if ( not(url) ) then
+		return
+	end
+	
+	-- retreive the url having the shared dns information
+	htmldata = http.get_url(url)
+	if ( not(htmldata) or not(htmldata.body) ) then
+		return
+	end
+	
+	-- fixup line breaks
+	htmldata = htmldata.body:gsub("(.-)\\\r?\n", "%1")
+
+	-- fixup hex encodings
+	return unescape(htmldata)
+end
+
+hostrule = function (host) return host.targetname end
+
+action = function(host)
+	local base_url = "http://www.robtex.com/dns/%s.html"
+	local data = fetch_robtex_data(base_url:format(host.targetname))
+  local domains = parse_robtex_response(data)
+	
+	if ( not(domains) ) then
+		local server = lookup_dns_server(data)
+		if ( not(server) ) then
+			return
+		end
+		local url = base_url:format(server)
+		stdnse.print_debug(2, "%s: Querying URL: %s", SCRIPT_NAME, url)
+		data = fetch_robtex_data(url)
+		domains = parse_robtex_response(data)
+	end
+
+  if (domains and #domains > 0) then
+    return stdnse.format_output(true, domains)
+  end
 end