
An nmap script for finding sites hosted on the same server

Author: secoff  Source: repost  2017-03-15 09:30


To quickly get a shell somewhere in a given IP range I knocked together a quick and simple nmap script; its main job is to pull the sites hosted on the same server out of Bing.
local http = require "http"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"

description = [[
Reverse IP lookup: asks Bing (ip:<address>) for other sites hosted on the
scanned address and lists the URLs of the first 50 results, together with
the HTTP Server banner of the scanned port.
]]

author = "b4dboy"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"default", "discovery", "safe"}

portrule = shortport.http

local function trim(str)
  return (string.gsub(str, "^%s*(.-)%s*$", "%1"))
end

-- Send a bare GET / and pull the Server: header out of the raw response.
local function getBanner(host, port)
  local socket = nmap.new_socket()
  socket:set_timeout(5000)
  local ok = socket:connect(host.ip, port)
  if not ok then
    return "Unknown"
  end
  socket:send("GET / HTTP/1.0\r\n\r\n")
  local status, data = socket:receive()
  socket:close()
  if not status or not data then
    return "Unknown"
  end
  -- Capture the rest of the Server: line. The original character class
  -- contained the range "Z-/", which matches nothing, so any banner with a
  -- "-" or "/" in it (nginx/1.10, Microsoft-IIS/7.5) fell through to Unknown.
  local server = string.match(data, "[Ss]erver:%s*([^\r\n]*)")
  if not server or server == "" then
    return "Unknown"
  end
  return trim(server)
end

action = function(host, port)
  local result = {}

  -- Get Banner
  table.insert(result, "Http Banner: " .. getBanner(host, port))

  local request_options = { header = {} }
  request_options.header["If-None-Match"] = "mark"

  local uri = string.format("http://global.bing.com/search?q=ip:%s&count=50", host.ip)
  local resp = http.get_url(uri, request_options)

  -- check for a redirect
  if resp.location then
    local redirect_url = resp.location[#resp.location]
    if resp.status and tostring(resp.status):match("30%d") then
      return {redirect_url = redirect_url}, ("Did not follow redirect to %s"):format(redirect_url)
    end
  end

  if not resp.body then
    return
  end

  -- Each organic Bing result is an <li class="b_algo"> whose first <h2><a href="...">
  -- points at the site. Capture 4 is the href; the other captures only skip attributes.
  local regx = '<li([^>]-)class="b_algo"([^>]-)><h2><a([^>]-)href=["\']([^"\']-)["\']([^>]-)>'

  for _, _, _, url in resp.body:gmatch(regx) do
    table.insert(result, url)
  end

  return stdnse.format_output(true, result)
end

Save the code as reverse-bing.nse in nmap's scripts directory and run it like this (quote the target if your shell might expand the *):

nmap -p80 --open -Pn 36.51.255.* --script reverse-bing

For the follow-up tests the output can be reduced to one URL per line with the following command (the sed strips the "|" / "|_" prefix that NSE puts in front of every script output line):
nmap -p80 --open -Pn 36.51.255.* --script reverse-bing | grep -E 'http(s)?://' | sed 's/^|_\?[ ]*//'

Or reduce each URL to its scheme and host:
sed -E 's|^(https?://[^/]+).*|\1|' /tmp/urls.txt

Once the list is in that shape it can be piped into sqlmap, whatweb, cmsmap and similar tools. I did not implement paging through further Bing result pages because I think 50 results are enough; the nmap version used is 6.4.
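As an added example (not code from the original post), here is the same post-processing pipeline written as shell functions and run offline against a constructed sample of reverse-bing output, so the grep and sed steps can be checked before they are pointed at a real scan. The sample, its IP address and its URLs are placeholders, and the function names extract_urls, hosts_from_urls, demo_urls and demo_hosts are chosen here.

```shell
#!/bin/sh
# Added example, not from the original post: the grep/sed post-processing of
# reverse-bing output, run against a constructed sample instead of a live scan.

# Constructed sample of what nmap prints for one host; the address and the
# URLs are placeholders, not real lookup results.
SAMPLE_NMAP_OUTPUT='Nmap scan report for 36.51.255.10
Host is up (0.12s latency).
PORT   STATE SERVICE
80/tcp open  http
| reverse-bing:
|   Http Banner: nginx/1.10.3
|   http://www.example.com/
|   https://shop.example.com/cart?id=1
|   http://www.example.com/about.html
|_  http://blog.example.org/2017/03/post

Nmap done: 256 IP addresses (1 host up) scanned in 4.20 seconds'

# Keep only the URL lines and strip the NSE prefix ("|", "|_" and indentation).
# sed is in BRE mode here, where "+" is a literal character: a "[ ]+" would
# only match a space followed by "+", so "*" is used for the indentation.
extract_urls() {
  grep -E 'https?://' | sed 's/^|_\{0,1\} *//'
}

# Reduce each URL to scheme://host (a :port suffix survives, paths, queries
# and fragments do not) and deduplicate, so each site reaches whatweb,
# sqlmap or cmsmap once. LC_ALL=C makes the sort order byte-wise and stable.
hosts_from_urls() {
  sed -E 's|^(https?://[^/?#]+).*|\1|' | LC_ALL=C sort -u
}

# Whole pipeline over the sample; a real run replaces the printf with the
# nmap command from the post.
demo_urls() {
  printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | extract_urls
}

demo_hosts() {
  demo_urls | hosts_from_urls
}

demo_hosts
```

For a real run, replace the printf in demo_urls with the nmap command above and hand the result of hosts_from_urls to the next tool one entry at a time, for example with xargs -n1.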

This post is from 蜗蜗侠's Blog (network security): http://blog.icxun.cn/Note/613.html

