1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
|
local http = require "http"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"
description = [[
Finds up to 100 domain names which use the same name server as the target by querying the Robtex service at http://www.robtex.com/dns/.
The target must be specified by DNS name, not IP address.
*TEMPORARILY DISABLED* due to changes in Robtex's API. See https://www.robtex.com/api/
]]
---
-- @usage
-- nmap --script http-robtex-shared-ns
--
-- @outt
-- Host script results:
-- | http-robtex-shared-ns:
-- | example.edu
-- | example.net
-- | example.edu
-- |_ example.net
-- (some results omitted for brevity)
--
-- TODO:
-- * Add list of nameservers, or group output accordingly
--
author = "Arturo 'Buanzo' Busleiman"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe", "external"}
prerule = function() return true end
action = function()
return "*TEMPORARILY DISABLED* due to changes in Robtex's API. See https://www.robtex.com/api/"
end
--[[
local function unescape(s)
return string.gsub(s, "\\x(%x%x)", function(hex)
return string.char(tonumber(hex, 16))
end)
end
--- Scrape domains sharing name servers from robtex website
-- @param data string containing the retrieved web page
-- @return table containing the resolved host names
function parse_robtex_response(data)
local result = {}
if ( not(data) ) then
return
end
-- cut out the section we're interested in
data = data:match('<span id="shared[^"]*_pn_mn">.-<ol.->(.-)</ol>')
-- process each html list item
if data then
for domain in data:gmatch("<li[^>]*>(.-)</li>") do
domain = domain:gsub("<[^>]+>","")
if ( domain ) then
table.insert(result, domain)
end
end
end
return result
end
local function lookup_dns_server(data)
return data:match("The primary name server is <a.->(.-)</a>.")
end
local function fetch_robtex_data(url)
local htmldata = http.get("www.robtex.net", 443, url, {any_af=true})
if ( not(htmldata) or not(htmldata.body) ) then
return
end
-- fixup hex encodings
return unescape(htmldata.body)
end
hostrule = function (host) return host.targetname end
action = function(host)
local base_url = "/?dns=" .. host.targetname
local data = fetch_robtex_data(base_url)
local domains = parse_robtex_response(data)
if ( not(domains) ) then
local server = lookup_dns_server(data)
if ( not(server) ) then
return
end
local url = base_url:format(server)
stdnse.debug2("Querying URL: %s", url)
data = fetch_robtex_data(url)
domains = parse_robtex_response(data)
end
if (domains and #domains > 0) then
return stdnse.format_output(true, domains)
end
end
]]--
|
