local http = require "http"
local ipOps = require "ipOps"
local stdnse = require "stdnse"
local slaxml = require "slaxml"
-- Human-readable summary of the script (the NSE `description` field).
-- The text tells a user two things before they run it: the lookup goes to a
-- third-party online service (Robtex) rather than to the target itself, and the
-- script is currently disabled.
description = [[
Discovers hostnames that resolve to the target's IP address by querying the online Robtex service at http://ip.robtex.com/.
*TEMPORARILY DISABLED* due to changes in Robtex's API. See https://www.robtex.com/api/
]]
---
-- @usage
-- nmap --script hostmap-robtex -sn -Pn scanme.nmap.org
--
-- @output
-- | hostmap-robtex:
-- | hosts:
-- |_ scanme.nmap.org
--
-- @xmloutput
-- <table key="hosts">
-- <elem>nmap.org</elem>
-- </table>
---
-- Script metadata read by NSE: author credit, license, and the categories used
-- to select the script with `--script <category>`.
author = "Arturo 'Buanzo' Busleiman"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {
"discovery",
"safe",
-- "external" flags scripts that hand data to a third party; per the
-- description, the target's IP address was sent to Robtex.
"external"
}
--- Rule function: takes no arguments and always returns true, so this rule
-- selects the script unconditionally.
-- NSE evaluates a prerule before any host is scanned, which is why the
-- active action() takes no host argument.
-- @return boolean always true
function prerule()
  return true
end
--- Script body while the Robtex lookup is disabled.
-- Makes no network request and touches no host data; it only reports why the
-- script produces no results.
-- @return string notice pointing at the Robtex API page
function action()
  local notice = "*TEMPORARILY DISABLED* due to changes in Robtex's API. See https://www.robtex.com/api/"
  return notice
end
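--[[
-- Retired implementation, kept for reference only: everything from here to the
-- closing bracket is inside a long comment and never runs.
-- NOTE(review): if this is ever re-enabled, data:match() returns nil when the
-- page has no x_shared section, and htmldata.body may be nil when the request
-- fails; both are passed on unchecked, so guard them before parsing.
--- Scrape domains sharing the target host's IP from the Robtex website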
--
-- //section[@id="x_shared"]//li//text()
-- @param data string containing the retrieved web page
-- @return table containing the host names sharing host.ip
function parse_robtex_response (data)
local in_li = false
local result = {}
local parser = slaxml.parser:new({
startElement = function(name, nsURI, nsPrefix)
in_li = in_li or name == "li"
end,
closeElement = function(name, nsURI, nsPrefix)
if name == "li" then
in_li = false
end
end,
text = function(text)
if in_li then
result[#result+1] = text
end
end,
})
parser:parseSAX(data:match('<section[^>]-id="x_shared".-</section>'))
return result
end
hostrule = function (host)
return not ipOps.isPrivate(host.ip)
end
action = function (host)
local link = "https://www.robtex.com/en/advisory/ip/" .. host.ip:gsub("%.", "/") .. "/"
local htmldata = http.get_url(link)
local domains = parse_robtex_response(htmldata.body)
local output_tab = stdnse.output_table()
if (#domains > 0) then
output_tab.hosts = domains
end
return output_tab
end
]]--