Information gathering with Nmap scripts
Nmap scripting engine
Nmap now has an scripting engine, that allows users to write their own custom scripts that can perform various scanning tasks in an automated fashion. This provides a powerful way to code a multi-step complex scanner using the inbuilt features of nmap. There are already many scripts available along with nmap that have been developed and submitted by the community. Details about the existing nmap scripts can be found here.
The scripts basically use nmap's own scanning features, but in an automated and programmatic manner like calling an external library.
In this post we shall take a look at some of the scripts that can be used to perform "information gathering" on domain names and ip addresses.
1. Find geo location of an ip address or domain
Nmap has multiple scripts to get the geo location of an ip address. To use them issue a command like this
$ nmap -Pn -p80 --script ip-geolocation-* 220.127.116.11 Starting Nmap 6.00 ( http://nmap.org ) at 2013-03-04 14:11 IST Nmap scan report for 18.104.22.168 Host is up. PORT STATE SERVICE 80/tcp filtered http Host script results: | ip-geolocation-geobytes: | 22.214.171.124 | coordinates (lat,lon): 40.7488,-73.9846 |_ city: New York, New York, United States Nmap done: 1 IP address (1 host up) scanned in 31.19 seconds
As can be seen in the output, the latitude, longitude,city and country have been detected from the ip address. It uses web services like geoplugin, ipinfodb and geobytes to find the location.
2. Dns bruteforcing
This tool attempts to enumerate DNS hostnames by brute force guessing of common subdomains. Here is a sample usage.
$ nmap -p80 --script dns-brute insecure.org Starting Nmap 6.00 ( http://nmap.org ) at 2013-03-04 14:41 IST Nmap scan report for insecure.org (126.96.36.199) Host is up (0.33s latency). rDNS record for 188.8.131.52: web.insecure.org PORT STATE SERVICE 80/tcp open http Host script results: | dns-brute: | DNS Brute-force hostnames | www.insecure.org - 184.108.40.206 | mx0.insecure.org - 220.127.116.11 | lab.insecure.org - 18.104.22.168 | corp.insecure.org - 22.214.171.124 | whois.insecure.org - 126.96.36.199 | www.insecure.org - 2600:3c01:0:0:f03c:91ff:fe96:967c | mail.insecure.org - 188.8.131.52 | intranet.insecure.org - 184.108.40.206 | mx1.insecure.org - 220.127.116.11 | ssl.insecure.org - 18.104.22.168 | ldap.insecure.org - 22.214.171.124 | mysql.insecure.org - 126.96.36.199 | crs.insecure.org - 188.8.131.52 | linux.insecure.org - 184.108.40.206 | secure.insecure.org - 220.127.116.11 | sql.insecure.org - 18.104.22.168 .............
But since this tool uses a predefined list of subdomains to query for, it is limited. However can be useful sometimes.
3. Find other domains hosted on the same ip address or on same server of a host
During information gathering it is often needed to know what other domains are hosted on a certain server. The easiest way to do this is to use the bing search engine. To find domains hosted on a certain ip address we have to search for the following on bing.com
The same thing can be automated with nmap to produce results in a neat format. There is a nse script that does the same thing and can be downloaded here.
Download the script and save it in the scripts directory of nmap. On linux the directory is generally
otherwise use any of the following commands to find the exact location
find / -name '*.nse' locate *.nse
Once the http-reverse-ip.nse script is saved in the nmap scripts directory, use it like this
$ nmap -Pn -p80 --script http-reverse-ip nmap.org Starting Nmap 6.00 ( http://nmap.org ) at 2013-03-04 14:30 IST Nmap scan report for nmap.org (22.214.171.124) Host is up (0.30s latency). rDNS record for 126.96.36.199: web.insecure.org PORT STATE SERVICE 80/tcp open http | http-reverse-ip: | nmap.org | sectools.org | insecure.org | seclists.org |_cgi.insecure.org Nmap done: 1 IP address (1 host up) scanned in 7.09 seconds
So it lists out all domains that are on the same ip address as that of nmap.org.