nmap / Ange Gutek / NMAP:HOSTMAP-BFK.NSE
History: Apr 09, 2012 - 6:35 a.m.

hostmap-bfk NSE Script

2012-04-09 06:35:15
Ange Gutek
nmap.org
CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.973 High
Percentile: 99.8%

Discovers hostnames that resolve to the target’s IP address by querying the online database at <http://www.bfk.de/bfk_dnslogger.html>.

The script is in the “external” category because it sends target IPs to a third party in order to query their database.

This script was formerly (until April 2012) known as hostmap.nse.

Script Arguments

hostmap-bfk.prefix

If set, saves the output for each host in a file called “<prefix><target>”. The file contains one entry per line.

newtargets

If set, adds the new hostnames to the scanning queue. Since the names presumably resolve to the same IP address as the original target, this is only useful for services such as HTTP that can change their behavior based on hostname.

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

max-newtargets

See the documentation for the target library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap --script hostmap-bfk --script-args hostmap-bfk.prefix=hostmap- <targets>

Script Output

Host script results:
| hostmap-bfk:
|   hosts:
|     insecure.org
|     173.255.243.189
|     images.insecure.org
|     www.insecure.org
|     nmap.org
|     189.243.255.173.in-addr.arpa
|     mail.nmap.org
|     svn.nmap.org
|     www.nmap.org
|     sectools.org
|     seclists.org
|_    li253-189.members.linode.com

Requires


local http = require "http"
local io = require "io"
local ipOps = require "ipOps"
local stdnse = require "stdnse"
local string = require "string"
local stringaux = require "stringaux"
local table = require "table"
local target = require "target"

description = [[
Discovers hostnames that resolve to the target's IP address by querying the online database at http://www.bfk.de/bfk_dnslogger.html.

The script is in the "external" category because it sends target IPs to a third party in order to query their database.

This script was formerly (until April 2012) known as hostmap.nse.
]]

---
-- @args hostmap-bfk.prefix If set, saves the output for each host in a file
-- called "<prefix><target>". The file contains one entry per line.
-- @args newtargets If set, adds the new hostnames to the scanning queue.
-- Since the names presumably resolve to the same IP address as the
-- original target, this is only useful for services such as HTTP that
-- can change their behavior based on hostname.
--
-- @usage
-- nmap --script hostmap-bfk --script-args hostmap-bfk.prefix=hostmap- <targets>
--
-- @output
-- Host script results:
-- | hostmap-bfk:
-- |   hosts:
-- |     insecure.org
-- |     173.255.243.189
-- |     images.insecure.org
-- |     www.insecure.org
-- |     nmap.org
-- |     189.243.255.173.in-addr.arpa
-- |     mail.nmap.org
-- |     svn.nmap.org
-- |     www.nmap.org
-- |     sectools.org
-- |     seclists.org
-- |_    li253-189.members.linode.com
--
-- @xmloutput
-- <table key="hosts">
--  <elem>insecure.org</elem>
--  <elem>173.255.243.189</elem>
--  <elem>images.insecure.org</elem>
--  <elem>www.insecure.org</elem>
--  <elem>nmap.org</elem>
--  <elem>189.243.255.173.in-addr.arpa</elem>
--  <elem>mail.nmap.org</elem>
--  <elem>svn.nmap.org</elem>
--  <elem>www.nmap.org</elem>
--  <elem>sectools.org</elem>
--  <elem>seclists.org</elem>
--  <elem>li253-189.members.linode.com</elem>
-- </table>
---

author = "Ange Gutek"

license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

categories = {"external", "discovery"}


local HOSTMAP_SERVER = "www.bfk.de"

local write_file

hostrule = function(host)
  return not ipOps.isPrivate(host.ip)
end

action = function(host)
  local query = "/bfk_dnslogger.html?query=" .. host.ip
  local response
  local output_tab = stdnse.output_table()
  response = http.get(HOSTMAP_SERVER, 80, query, {any_af=true})
  if not response.status then
    stdnse.debug1("Error: could not GET http://%s%s", HOSTMAP_SERVER, query)
    return nil
  end
  local hostnames = {}
  local hosts_log = {}
  for entry in string.gmatch(response.body, "#result\" rel=\"nofollow\">(.-)</a></tt>") do
    if not hostnames[entry] then
      if target.ALLOW_NEW_TARGETS then
        local status, err = target.add(entry)
      end
      hostnames[entry] = true
      hosts_log[#hosts_log + 1] = entry
    end
  end

  if #hosts_log == 0 then
    if not string.find(response.body, "<p>The server returned no hits.</p>") then
      stdnse.debug1("Error: found no hostnames but not the marker for \"no hostnames found\" (pattern error?)")
    end
    return nil
  end
  output_tab.hosts = hosts_log
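  -- Join the ordered list: "hostnames" is a set keyed by name, which
  -- table.concat skips, so joining it would save an empty file.
  local hostnames_str = table.concat(hosts_log, "\n")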

  local filename_prefix = stdnse.get_script_args("hostmap-bfk.prefix")
  if filename_prefix then
    local filename = filename_prefix .. stringaux.filename_escape(host.targetname or host.ip)
    local status, err = write_file(filename, hostnames_str .. "\n")
    if status then
      output_tab.filename = filename
    else
      stdnse.debug1("Error saving to %s: %s\n", filename, err)
    end
  end

  return output_tab
end

function write_file(filename, contents)
  local f, err = io.open(filename, "w")
  if not f then
    return f, err
  end
  f:write(contents)
  f:close()
  return true
end
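
The extraction loop in `action`, run outside Nmap as an added example that is not part of the original script. It applies the same pattern to a constructed response body and shows that `table.concat` returns an empty string for the de-duplication set but the expected lines for the ordered list. It also filters each entry through `looks_like_name`, a hypothetical helper introduced here, before the entry would be queued or saved.

```lua
-- Added example: stand-alone Lua 5.3+, no Nmap libraries needed.
-- SAMPLE_BODY is constructed for illustration, not a captured response.
local SAMPLE_BODY = [[
<tt><a href="?query=insecure.org#result" rel="nofollow">insecure.org</a></tt>
<tt><a href="?query=173.255.243.189#result" rel="nofollow">173.255.243.189</a></tt>
<tt><a href="?query=nmap.org#result" rel="nofollow">nmap.org</a></tt>
<tt><a href="?query=nmap.org#result" rel="nofollow">nmap.org</a></tt>
<tt><a href="?query=x#result" rel="nofollow">bad name/../x</a></tt>
]]

-- The pattern the script applies to response.body.
local PATTERN = "#result\" rel=\"nofollow\">(.-)</a></tt>"

-- Hypothetical helper (not in the script): accept only strings built from
-- DNS-name characters, so text supplied by the third-party service is
-- checked before it becomes a scan target or a line in the output file.
local function looks_like_name(s)
  return #s > 0 and #s <= 253
    and s:find("^[%w_][%w_%.%-]*$") ~= nil
    and not s:find("..", 1, true)
end

local function extract(body)
  local seen, ordered, rejected = {}, {}, {}
  for entry in body:gmatch(PATTERN) do
    if not looks_like_name(entry) then
      rejected[#rejected + 1] = entry
    elseif not seen[entry] then
      seen[entry] = true            -- set: string keys, used only for dedup
      ordered[#ordered + 1] = entry -- sequence: what is reported and saved
    end
  end
  return seen, ordered, rejected
end

local seen, ordered, rejected = extract(SAMPLE_BODY)

-- table.concat only walks the sequence part (1..#t). The dedup set has no
-- integer keys, so joining it produces an empty string.
assert(table.concat(seen, "\n") == "")
assert(table.concat(ordered, "\n") == "insecure.org\n173.255.243.189\nnmap.org")
assert(#rejected == 1 and rejected[1] == "bad name/../x")

print(table.concat(ordered, "\n"))
print(("rejected %d entry from the response"):format(#rejected))
```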
