
Untitled

a guest
Jul 24th, 2014
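#!/bin/bash
# bing-ip2hosts - Enumerate hostnames from Bing.com for an IP address.
# Bing.com is Microsoft's search engine which has an IP: search parameter.
#
# By Andrew Horton aka urbanadventurer, MorningStar Security
# Homepage: http://www.morningstarsecurity.com/research/bing-ip2hosts
#
# Version 0.4 Released December 19th, 2013. Updated to use nslookup, new usage, fixed tmp file issue
# Version 0.3 Released September 21st, 2012. Updated because Bing mobile search changed.
# Version 0.2 Released April 2nd, 2010
# Version 0.1 Released December 2nd, 2009 at Kiwicon III in New Zealand
#
# License: GPLv3
#
# Usage: bing-ip2hosts [-n] [-t DIR] [-i] [-p] <IP|hostname>
#
# Data-handling notes for anyone running or wrapping this script:
#   * Result pages are fetched over plain http://, so the queried IP and the
#     returned pages are visible to, and modifiable by, anything on the
#     network path.
#   * Every hostname printed at the end is text scraped out of third-party
#     HTML. Treat it as untrusted input and validate it before passing it to
#     other tools.
#   * Strict mode (set -e / pipefail) is deliberately not enabled: a grep that
#     matches nothing is the normal signal that ends the page loop.

VERSION=0.4
# This assignment replaces any TMPDIR inherited from the environment; use the
# -t option to pick a different directory.
TMPDIR=/tmp
ANIMATION=1
OUTPUTIP=0
HTTPPREFIX=0
IP=
PREFIX=
# Set to 1 to print per-page diagnostics and keep the temporary files.
DEBUG=0

if [[ -z "$1" || "$1" == "-h" || "$1" == "--help" ]]; then
  echo -en '\E[31m'
  echo -e "bing-ip2hosts ($VERSION) by Andrew Horton aka urbanadventurer
Homepage: http://www.morningstarsecurity.com/research/bing-ip2hosts
"
  echo -en '\033[0m'

  echo -e "Useful for web intelligence and attack surface mapping of vhosts during
penetration tests. Find hostnames that share an IP address with your target
which can be a hostname or an IP address.  This makes use of Microsoft
Bing.com ability to seach by IP address, e.g. \"IP:210.48.71.196\".

Usage: $0 [OPTIONS] <IP|hostname>

OPTIONS are:
-n\t\tTurn off the progress indicator animation
-t <DIR>\tUse this directory instead of /tmp. The directory must exist.
-i\t\tOptional CSV output. Outputs the IP and hostname on each line, separated by a comma.
-p\t\tOptional http:// prefix output. Useful for right-clicking in the shell.
"
  exit 1
fi

while getopts "nipt:" optionName; do
  case "$optionName" in
    n) ANIMATION=0 ;;
    t) TMPDIR="$OPTARG" ;;
    i) OUTPUTIP=1 ;;
    p) HTTPPREFIX=1 ;;
    [?])
      echo "Error" >&2
      exit 1
      ;;
  esac
done

shift $((OPTIND - 1))

if [[ -z "$1" ]]; then
  echo "need an IP or hostname" >&2
  exit 1
fi

# The target is handed to nslookup below; refuse anything that it would read
# as an option instead of a name.
case "$1" in
  -*)
    echo "Error: invalid target $1" >&2
    exit 1
    ;;
esac

# The usage text promises that the directory must exist; fail early and
# clearly instead of letting mktemp fail later.
if [[ ! -d "$TMPDIR" ]]; then
  echo "Error: temporary directory $TMPDIR does not exist" >&2
  exit 1
fi

animation="/-\|"
page=0
last_page_check=
how_many=1
uniq_hosts=0
single_page=
all_hosts=
out=

# Print the unique, lower-cased host part (third '/'-separated field) of every
# URL stored in file $1, one per line, skipping empty results.
unique_hosts() {
  cut -d '/' -f 3 -- "$1" | tr '[:upper:]' '[:lower:]' | sed '/^$/d' | sort -u
}

# Remove the temporary files on every exit path (including Ctrl-C), unless
# DEBUG is on, in which case they are kept for inspection.
cleanup() {
  local f
  if [[ "$DEBUG" -ne 0 ]]; then
    return 0
  fi
  for f in "$out" "$all_hosts"; do
    if [[ -n "$f" ]]; then
      rm -f -- "$f"
    fi
  done
}
trap cleanup EXIT

# if the parameter looks like an IP go ahead, otherwise resolve it.
# The pattern is anchored at both ends: the value is placed into the search
# URL unencoded, so a string that merely contains an IP must not be accepted.
ip_pattern='^(([0-9]+\.){3}[0-9]+|\[[a-f0-9:]+\])$'
if [[ "$1" =~ $ip_pattern ]]; then
  IP="$1"
else
  # Take the last IPv4 "Address:" line of the nslookup answer.
  IP=$(nslookup "$1" | grep -E '^Address: \w+\.\w+\.\w+\.\w+$' | tail -1 | awk '{ print $2 }')
  if [[ -z "$IP" ]]; then
    echo "Error: cannot resolve $1 to an IP" >&2
    exit 1
  fi
fi

all_hosts=$(mktemp -p "$TMPDIR" -t bing-ip2hosts.tmp.XXXXXX) || {
  echo "Error: cannot create a temporary file in $TMPDIR" >&2
  exit 1
}

# Fetch result pages until the last page is reached (last_page_check set),
# nothing is found (how_many empty) or there is only one page (single_page set).
while [[ -z "$last_page_check" && -n "$how_many" && -z "$single_page" ]]; do
  if [[ "$ANIMATION" == 1 ]]; then
    # Back up over the previous status line (100 backspaces), then redraw it.
    # printf '%s' keeps scraped text in how_many from being read as escapes.
    printf '\b%.0s' {1..100}
    printf '%s' "[ $IP | Scraping $how_many | Found $uniq_hosts | ${animation:$((page % 4)):1} ]"
  fi
  url="http://www.bing.com/search?q=ip%3A$IP&go=&qs=n&first=${page}0&FORM=PERE"

  out=$(mktemp -p "$TMPDIR" -t bing-ip2hosts.tmp.XXXXXX) || {
    echo "Error: cannot create a temporary file in $TMPDIR" >&2
    exit 1
  }
  # A failed download leaves an empty page, which ends the loop; say so, so
  # that an empty result is not mistaken for "no hosts on this IP".
  wget -q -O "$out" "$url" || echo "Warning: could not fetch $url" >&2

  # Matches only when the result counter reads "A-B of B", i.e. the last page.
  last_page_check=$(grep -E -o '<span class="sb_count" id="count">[0-9]+-([0-9]+) of (\1)' "$out")
  if [[ "$DEBUG" -eq 1 ]]; then
    echo "Last Page Check: $last_page_check"
  fi

  # if no results are found, how_many is empty and the loop will exit
  how_many=$(grep -E -o '<span class="sb_count" id="count">[^<]+' "$out" | cut -d '>' -f 2 | cut -d ' ' -f 1-3)

  # check for a single page of results
  single_page=$(grep -E -o '<span class="sb_count" id="count">[0-9] results' "$out")
  if [[ "$DEBUG" -eq 1 ]]; then
    echo "Single Page: $single_page"
  fi

  # no captcha support or detection
  # pages will contain "Typing the characters in the picture above helps us ensure that a person, not a program, is performing a search"

  # Result links are the href values of <h2><a ...> headings.
  vhosts=$(grep -E -o "<h2><a href=\"[^\"]+" "$out" | cut -d '"' -f 2)
  if [[ -n "$vhosts" ]]; then
    # printf '%s' writes the scraped URLs verbatim (no escape interpretation).
    printf '%s\n' "$vhosts" >> "$all_hosts"
  fi

  uniq_hosts=$(unique_hosts "$all_hosts" | wc -l)

  # Per-page files are removed as we go so they do not pile up.
  if [[ "$DEBUG" -eq 0 ]]; then
    rm -f -- "$out"
  fi

  page=$((page + 1))
  if [[ "$DEBUG" -eq 1 ]]; then
    echo "Page: $page"
  fi
done

if [[ "$ANIMATION" == 1 ]]; then
  echo
fi

uniq_hosts=$(unique_hosts "$all_hosts")

if [[ "$OUTPUTIP" == 1 ]]; then
  PREFIX="$IP,"
fi
if [[ "$HTTPPREFIX" == 1 ]]; then
  PREFIX="$PREFIX""http://"
fi

# Read line by line instead of word-splitting: the host names are scraped,
# untrusted text and must not be glob-expanded or parsed as echo options.
while IFS= read -r h; do
  if [[ -n "$h" ]]; then
    printf '%s%s\n' "$PREFIX" "$h"
  fi
done <<< "$uniq_hosts"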