├── dischosts
├── domain
├── hostfind.sh
├── hostnames.txt
└── list

/dischosts:
--------------------------------------------------------------------------------

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-08-29 23:15 EDT
Nmap finished: 0 IP addresses (0 hosts up) scanned in 0.128 seconds

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-08-29 23:15 EDT
Nmap finished: 0 IP addresses (0 hosts up) scanned in 0.070 seconds

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-08-29 23:15 EDT
Nmap finished: 0 IP addresses (0 hosts up) scanned in 0.052 seconds

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-08-29 23:15 EDT
Nmap finished: 0 IP addresses (0 hosts up) scanned in 0.058 seconds

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-08-29 23:15 EDT
Nmap finished: 0 IP addresses (0 hosts up) scanned in 0.052 seconds

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-08-29 23:15 EDT
Nmap finished: 0 IP addresses (0 hosts up) scanned in 0.051 seconds

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-08-29 23:15 EDT
Nmap finished: 0 IP addresses (0 hosts up) scanned in 0.051 seconds

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-08-29 23:15 EDT
Host mail.microsoft.com (131.107.1.71) not scanned
Nmap finished: 1 IP address (0 hosts up) scanned in 0.071 seconds

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-08-29 23:15 EDT
Host mail1.microsoft.com (131.107.1.6) not scanned
Nmap finished: 1 IP address (0 hosts up) scanned in 0.146 seconds

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-08-29 23:15 EDT
Host mail2.microsoft.com (131.107.1.7) not scanned
Nmap finished: 1 IP address (0 hosts up) scanned in 0.071 seconds

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-08-29 23:15 EDT
Nmap finished: 0 IP addresses (0 hosts up) scanned in 0.052 seconds

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-08-29 23:15 EDT
Nmap finished: 0 IP addresses (0 hosts up) scanned in 0.051 seconds

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-08-29 23:15 EDT
Nmap finished: 0 IP addresses (0 hosts up) scanned in 0.150 seconds

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-08-29 23:15 EDT
Nmap finished: 0 IP addresses (0 hosts up) scanned in 0.136 seconds

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-08-29 23:15 EDT
Nmap finished: 0 IP addresses (0 hosts up) scanned in 0.056 seconds

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-08-29 23:15 EDT
Nmap finished: 0 IP addresses (0 hosts up) scanned in 0.139 seconds

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-08-29 23:15 EDT
Nmap finished: 0 IP addresses (0 hosts up) scanned in 0.053 seconds

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-08-29 23:15 EDT
Host smtp.microsoft.com (205.248.106.32) not scanned
Nmap finished: 1 IP address (0 hosts up) scanned in 0.070 seconds

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-08-29 23:15 EDT
Nmap finished: 0 IP addresses (0 hosts up) scanned in 0.051 seconds

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-08-29 23:15 EDT
Nmap finished: 0 IP addresses (0 hosts up) scanned in 0.144 seconds

--------------------------------------------------------------------------------

/domain:
--------------------------------------------------------------------------------
microsoft.com

--------------------------------------------------------------------------------

/hostfind.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Hostfind -- A lame tool for finding hostnames to
# include in a scan

# Variables to be used
hostnames=$(cat ./list)
domain=$(cat ./domain)

# Prompt them
echo ""
echo "-------------------------------------------------------"
echo "- Hostfind -- A lame tool for finding hostnames to scan"
echo "-------------------------------------------------------"
sleep 1

echo ""
echo "Searching $domain..."
# Clean the previous hosts found
if [ -f ./dischosts ]
then
	rm ./dischosts
fi

# Loop through the possible hostnames
# (nmap -sL is a list scan: it only resolves each name)
for i in $hostnames
do
	nmap -sL "$i.$domain" >> dischosts 2> /dev/null
done

# Clean up the output: the "Host <name> (<ip>) not scanned" lines are
# space-separated, so the hostname is the second space-delimited field
grep ^Host dischosts | cut -d' ' -f2 > cleanedhosts

# Display the results
echo ""
cat cleanedhosts
echo ""
echo "Enjoy..."

# Clean up for next time
rm -f cleanedhosts

--------------------------------------------------------------------------------

/hostnames.txt:
--------------------------------------------------------------------------------
access
citrix
dns
extranet
firewall
fw
gateway
mail
mail1
mail2
ns
ns1
ns2
pop3
proxy
remote
secure
smtp
ssh
test
remoteaccess
owa
email
web
imap
pop
private
secret

--------------------------------------------------------------------------------

/list:
--------------------------------------------------------------------------------
access
citrix
dns
extranet
firewall
fw
gateway
mail
mail1
mail2
ns
ns1
ns2
pop3
proxy
remote
secure
smtp
ssh
test

--------------------------------------------------------------------------------