d33tah/http-exfiltrated.nse

## http-exfiltrated.nse
description = [[
This script looks up the exfiltrated.com data, looking for historical data
on SYN port scans for the given IP.
]]

---
-- @usage nmap --script http-exfiltrated.nse <target>
--
-- This script will search the exfiltrated.com database and it will output any
-- results. exfiltrated.com is the online archive of data gathered by Carna
-- botnet during the Internet Census 2012.

author = {'Jacek Wielemborek'}
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"safe", "external", "discovery"}

local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local nmap = require "nmap"
local table = require "table"
local string = require "string"

hostrule = function(host, port) return true end
EXFILTRATED_URL = "http://exfiltrated.com/query.php?startIP=%s&endIP=%s&Port=&includeHostnames=Yes&rawDownload=Yes&nse=Yes"

action = function(host, port)

    if not host then return false end

    local ret = ""
    -- Only one instantiation of the script should ping xssed at once.
    local mutex = nmap.mutex("http-exfiltrated")
    mutex "lock"

    local url = (EXFILTRATED_URL):format(host.ip, host.ip)
    response = http.get("exfiltrated.com", 80, url)
    local results = stdnse.strsplit( "\r\n", response.body )
    local skipped = false
    for k, v in pairs(results) do
        if skipped then
            local line = stdnse.strsplit( "\t", v )
            if line[3] then
                ret = ret..line[3].."\n"
                nmap.set_port_state({ ip = host.ip }, {number=tonumber(line[3]), protocol="tcp"}, "open")
            end
        else
            skipped = true
        end
    end

    mutex "done"

    return ret

end
	description = [[
	This script looks up the exfiltrated.com data, looking for historical data
	on SYN port scans for the given IP.
	]]

	---
	-- @usage nmap --script http-exfiltrated.nse <target>
	--
	-- This script will search the exfiltrated.com database and it will output any
	-- results. exfiltrated.com is the online archive of data gathered by Carna
	-- botnet during the Internet Census 2012.

	author = {'Jacek Wielemborek'}
	license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
	categories = {"safe", "external", "discovery"}

	local http = require "http"
	local shortport = require "shortport"
	local stdnse = require "stdnse"
	local nmap = require "nmap"
	local table = require "table"
	local string = require "string"

	hostrule = function(host, port) return true end
	EXFILTRATED_URL = "http://exfiltrated.com/query.php?startIP=%s&endIP=%s&Port=&includeHostnames=Yes&rawDownload=Yes&nse=Yes"

	action = function(host, port)

	if not host then return false end

	local ret = ""
	-- Only one instantiation of the script should ping xssed at once.
	local mutex = nmap.mutex("http-exfiltrated")
	mutex "lock"

	local url = (EXFILTRATED_URL):format(host.ip, host.ip)
	response = http.get("exfiltrated.com", 80, url)
	local results = stdnse.strsplit( "\r\n", response.body )
	local skipped = false
	for k, v in pairs(results) do
	if skipped then
	local line = stdnse.strsplit( "\t", v )
	if line[3] then
	ret = ret..line[3].."\n"
	nmap.set_port_state({ ip = host.ip }, {number=tonumber(line[3]), protocol="tcp"}, "open")
	end
	else
	skipped = true
	end
	end

	mutex "done"

	return ret

	end