NMAP Scanning without Scanning (Part 2) - The ipinfo API

    Published: 2024-05-22
    Last Updated: 2024-05-22 12:03:42 UTC
    by Rob VandenBrink (Version: 1)
    1 comment(s)

    Going back a year or so, I wrote a story on the passive recon, specifically the IPINFO API (https://isc.sans.edu/diary/28596).  This API returns various information on an IP address: the registered owning organization and ASN, and a (usually reasonably accurate) approximation of where that IP might reside.
    Looking at yesterday's story, I thought to myself, why not port my script from last year to an NMAP NSE script?  So I did!

    Using the shodan-api nmap script as a template, I updated the following lines:

    The actual API call of course is different:
      local response = http.get("ipinfo.io", 443, "/".. target .."/json?token=" .. registry.apiKey, {any_af = true})

    This was a simple change, since the API key is still represented a a parameter in the URI this was just plug-n-play.

    Also, because of differing return formats, in that same function I removed all the error checking of the returned values and replaced it with a simple return:
      return response.body

    Note that there is a line
    -- local apikey =""
    If you want to embed your own API key into this script, remove the "--" (comment characters) and put your key in that line.

    As with the Shodan script, you can tack IPINFO on to an existing active scan, or you can run it passively wiuth "-sn -Pn -n" as:

    nmap -Pn -sn -n -P 8.8.8.8 --script ipinfo.nse --script-args "ipinfo.apikey=<your apikey goes here>"
    Starting Nmap 7.92 ( https://nmap.org ) at 2024-05-21 11:34 Eastern Daylight Time
    Nmap scan report for 8.8.8.8
    Host is up.
    
    Host script results:
    | ipinfo: {
    |   "ip": "8.8.8.8",
    |   "hostname": "dns.google",
    |   "anycast": true,
    |   "city": "Mountain View",
    |   "region": "California",
    |   "country": "US",
    |   "loc": "37.4056,-122.0775",
    |   "org": "AS15169 Google LLC",
    |   "postal": "94043",
    |   "timezone": "America/Los_Angeles"
    |_}
    
    Post-scan script results:
    |_ipinfo: IPInfo done: 0 hosts up.
    Nmap done: 1 IP address (1 host up) scanned in 0.41 seconds

    Simple as that!  Now I can return host ownership and location info with my nmap scans, or if I'm in a hurry, instead of the normal nmap scan!  This information can be pretty handy when analyzing potential attacks, for instance looking at a failed authentication to see if the geography matches where that person could conceivably be - you only have to go back a few days for my post on VPN credential stuffing attacks for an example of this.

    I've got one more of these APIs in the hopper - if you have another recon API you'd like to see in an nmap script, by all means let me know in our comment form!

    All of my recon scripts (both the command-line and the nmap scripts) are posted in my github: https://github.com/robvandenbrink/recon_scripts

    ===============
    Rob VandenBrink
    rob@coherentsecurity.com

    1 comment(s)
    ISC Stormcast For Wednesday, May 22nd, 2024 https://isc.sans.edu/podcastdetail/8992

      Comments


      Diary Archives