hackertarget
diff --git a/‎LICENSE
+340 b/‎LICENSE
+340
diff --git a/‎README.md
+28 b/‎README.md
+28
diff --git a/‎hostmap-hackertarget.nse
+83 b/‎hostmap-hackertarget.nse
+83
diff --git a/‎http-wordpress-info.nse
+123 b/‎http-wordpress-info.nse
+123
@@ -0,0 +1,28 @@
+# nmap-nse-scripts
+Nmap NSE scripts that I have created or customised. At this stage these are custom scripts that you will have to copy into your Nmap Scripts directory manually to use them.
+
+##Installation of Custom Nmap Scripts
+
+Depending on your installation method and distribution the exact location of the Nmap script files could be slightly different. If you have installed from source then copying these into the `/usr/local/share/nmap/scripts/` folder will do the trick.
+
+Note for the **http-wordpress-themes.nse** script you will also need to copy the **wp-themes.lst** into the `/usr/local/share/nmap/nselib/data/` folder for the script to access the theme list.
+
+If you have a Windows installation of Nmap or are using a package, then the location of the files could be slightly different (it should not be too hard to find).
+
+##http-wordpress-info.nse
+
+This script is non-intrusive and simply examines the source HTML of a WordPress page to find plugins, theme and the version of WordPress from the Meta Generator Tag, if the Meta Generator is not present it will attempt to download the **/readme.html** file that also contains the WordPress version.
+
+##http-wordpress-plugins.nse
+
+A modified version of the original `http-wordpress-plugins.nse` script that will also attempt to identify the version of the plugins that have been detected following the brute force of the plugin paths.
+
+##http-wordpress-themes.nse 
+
+Another modified version of the `http-wordpress-plugins.nse` script this script will identify themes installed in the **/wp-content/themes/** folder and also attempt to identify the version of the themes from the **style.css** file. The **wp-theme.lst** was created by crawling the Top 1 million WordPress sites and ranking the themes by popularity.
+
+Themes that are installed but not in use by a WordPress installation can still contain vulnerabilities that could lead to the compromise of the WordPress installation and server.
+
+##hostmap-hackertarget.nse
+
+Similar to the hostmap-robtex.nse this script will attempt to identify hosts sharing the IP address that is being scanned. The hosts are found using the [Reverse IP Lookup API](https://hackertarget.com/reverse-ip-lookup/ "Reverse IP Lookup") that utilises DNS records from the [Scans.IO](https://scans.io) project.
@@ -0,0 +1,83 @@
+local http = require "http"
+local ipOps = require "ipOps"
+local stdnse = require "stdnse"
+local string = require "string"
+local table = require "table"
+
+description = [[
+Discovers hostnames (DNS A records) that resolve to the target's IP address by querying the online reverse IP lookup at http://hackertarget.com/reverse-ip-lookup/.
+
+Script based on hostmap-robtex.nse by Arturo 'Buanzo' Busleiman.
+
+Nmap 6.47 may error with:
+/usr/local/bin/../share/nmap/nselib/shortport.lua:200: attempt to index field 'version' (a nil value)
+Fix issue by getting latest shortport.lua from the Nmap svn.
+
+]]
+
+---
+-- @usage
+-- nmap --script hostmap-hackertarget -p 80 -Pn nmap.org
+--
+-- @output
+-- | hostmap-hackertarget:
+-- |   hosts:
+-- |     cgi.insecure.org
+-- |     download.insecure.org
+-- |     images.insecure.org
+-- |     insecure.com
+-- |     insecure.org
+-- |     nmap.com
+-- |     nmap.net
+-- |     nmap.org
+-- |     seclists.org
+-- |     sectools.org
+-- |     svn.nmap.org
+-- |     www.insecure.org
+-- |     www.nmap.org
+-- |_    www.sectools.org
+
+--
+-- @xmloutput
+-- <table key="hosts">
+--  <elem>nmap.org</elem>
+-- </table>
+---
+
+author = "Peter Hill"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {
+  "discovery",
+  "safe",
+  "external"
+}
+
+
+-- Scrape domains sharing target host ip from hackertarget.com website
+-- @param data string containing the retrieved web page
+-- @return table containing the host names sharing host.ip
+function parse_hackertarget_response (data)
+  local result = {}
+
+  for domain in string.gmatch(data, "([0-9a-z-.]+)") do
+    if not stdnse.contains(result, domain) then
+      table.insert(result, domain)
+    end
+  end
+  return result
+end
+
+hostrule = function (host)
+  return not ipOps.isPrivate(host.ip)
+end
+
+action = function (host)
+  local link = "http://api.hackertarget.com/reverseiplookup/?q=" .. host.ip
+  local htmldata = http.get_url(link)
+  local domains = parse_hackertarget_response(htmldata.body)
+  local output_tab = stdnse.output_table()
+  if (#domains > 0) then
+    output_tab.hosts = domains
+  end
+  return output_tab
+end
@@ -0,0 +1,123 @@
+local http = require "http"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local string = require "string"
+
+description = [[
+Finds the WordPress version, theme and plugins observed in the page response. 
+- Version detection tests for a meta generator html tag, if this is not found an attempt 
+is made to access /readme.html a default file in all versions of WordPress.
+- Theme is determined by searching HTML resposne for /wp-content/themes/$themename
+- Discovered plugins are those that match /wp-content/plugins/$pluginname in the HTML 
+response. This will not find all plugins, to find all plugins you will need the 
+http-wordpress-plugins nse script to brute force the plugin paths.
+
+Script based on code from Michael Kohl's http-generator.nse
+]]
+
+author = "Peter Hill <[email protected]>"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"default", "discovery", "safe"}
+
+---
+-- @usage
+-- nmap --script http-wordpress-info [--script-args http-wordpress-info.path=<path>,http-wordpress-info.redirects=<number>,...] <host>
+--
+-- @output
+-- PORT    STATE SERVICE
+-- 80/tcp  open  http
+-- | http-wordpress-info: 
+-- |   version: WordPress 4.0
+-- |   theme: canvas
+-- |   plugins: 
+-- |     w3-total-cache
+-- |_    simple-tooltips
+
+-- @args http-wordpress-info.path Specify the path you want to check for a generator meta tag (default to '/').
+-- @args http-wordpress-info.redirects Specify the maximum number of redirects to follow (defaults to 3).
+
+
+-- helper function
+local follow_redirects = function(host, port, path, n)
+  local pattern = "^[hH][tT][tT][pP]/1.[01] 30[12]"
+  local response = http.get(host, port, path)
+
+  while (response['status-line'] or ""):match(pattern) and n > 0 do
+    n = n - 1
+    local loc = response.header['location']
+    response = http.get_url(loc)
+  end
+
+  return response
+end
+
+
+-- find plugins in HTML page source and return table
+function parse_plugins_response (data)
+  local result = {}
+  local pluginmatch = 'wp%-content/plugins/([0-9a-z%-.]+)'
+
+  for plugin in string.gmatch(data, pluginmatch) do
+    if not stdnse.contains(result, plugin) then
+      table.insert(result, plugin)
+    end
+  end
+  return result
+end
+
+
+portrule = shortport.http
+
+action = function(host, port)
+  local response, loc, generator
+  local path = stdnse.get_script_args('http-wordpress-info.path') or '/'
+  local redirects = tonumber(stdnse.get_script_args('http-wordpress-info.redirects')) or 3
+  local output_tab = stdnse.output_table()
+
+  -- Find Version in "meta generator tag"
+  local pattern = '<meta name="?generator"? content="WordPress ([.0-9]*)" ?/?>'
+  local themematch = 'wp%-content/themes/([0-9a-z]+)'
+ 
+  -- make pattern case-insensitive
+  pattern = pattern:gsub("%a", function (c)
+      return string.format("[%s%s]", string.lower(c),
+        string.upper(c))
+      end)
+
+  -- Find version in readme.html file
+  local readmepattern = 'Version ([.0-9]*)'
+  local wpversion = nil
+  local themes = nil
+  
+
+
+  response = follow_redirects(host, port, path, redirects)
+  if ( response and response.body ) then
+    wpversion = response.body:match(pattern)
+    themes = response.body:match(themematch)
+    plugins = parse_plugins_response(response.body)
+  end
+
+  -- If version not in generator tag, check /readme.html
+  if ( not wpversion and response.body:match("wp%-content")) then
+    readmepath = path .. '/readme.html'
+    readmeresponse = follow_redirects(host, port, readmepath, redirects)
+    if ( readmeresponse and readmeresponse.body ) then
+      wpversion = readmeresponse.body:match(readmepattern)
+    end
+  end
+
+  -- Store results in output table
+  if wpversion then
+    output_tab.version = 'WordPress ' .. wpversion
+  end
+  if ( themes and #themes > 0 ) then
+    output_tab.theme = themes
+  end
+  if ( plugins and #plugins > 0 ) then
+    output_tab.plugins = plugins 
+  end
+  if ( output_tab.version or output_tab.plugins or output_tab.theme ) then
+     return output_tab
+  end
+end