# HEADER FOR NSE INTEGRATION
# SNIP IT !
id = "Nmap Candidates Finder"
description = "Little Perl script (despite its name...), usefull to build a target list file from Google search results.\
It could help testing web-oriented NSE scripts (hence its name!).\
The script uses the famous Google hacking concept\
(see http://johnny.ihackstuff.com/ghdb/ for details)\
\
Usage: \
Just edit the script, clean it (those lines Perl doesn't like...) and change the $hack var with your query string.\
This should give you a [ targets.txt ] file : <i>nmap -iL targets.txt --whatever</i> and you're done.\
\
Output: \
==========================\
Nmap Candidates Finder launched with query string:\
[ %22Microsoft-IIS/6.0+Server+at%22+intitle:index.of ]\
==========================\
-------\
[+] retrieving page x from Google results...\
[+] 10 results found, Google says 829 max results. Going further.\
\
found www.foo.com (993.185.75.120)\
(...)\
found www.bar.com (already seen)\
found (...)\
-------\
[+] retrieving page 6 from Google results...\
[+] 60 results found, Google says 59 max results. Those are the last ones.\
\
found foo.com (already seen)\
(...)\
\
[+] file [ targets.txt ] saved with 36 hosts.\
\
...for testing purpose."

author = "Gutek"

# 8<------------8<-----------------
#   SNIP ALL ABOVE

use LWP::UserAgent;
 use Net::DNS;

 my $query;
 my $page=0;
 my $start;
 my $flag = "y";
 my $tgt = 0;

# $hack IS YOUR GOOLE HACK QUERY STRING
# $hack = '%22Microsoft-IIS/6.0+Server+at%22+intitle:index.of';
$hack = '';

# =====================================

print "==========================\n";
print "Nmap Candidates Finder launched with query string:\n";
print "[ $hack ]\n";
print "==========================\n";

open IN, ">targets.txt" || die "flop in da file !\n";
 for ($start=0 ; $start<10000 ; $start=$start+10)
 {
 $query = "http://www.google.com/search?q=".$hack."&hl=en&start=".$start."&sa=N";

 print "\n-------\n[+] retrieving page $page from Google results...\n";
 $page++;
   my $ua  = LWP::UserAgent->new(
                                 # be carefull with UA, as Google rejects queries from 'funny' ones
                                 agent => 'Mozilla/4.73 [en] (X11; I; Nmap Candidates Finder; Nav)'
                                 );
    my $req = HTTP::Request->new( GET => $query );

    my $res = $ua->request($req);

        my $dump = $res->content();

        # below are boundaries for parsing Google results pages, in case its page source code changes in time
        # boundaries for hostnames
        my $mdeb = '</p><p><a href=\"http://';
        my $mfin = "/";
        # boundaries for max results
        $mark_for_max_res_deb = 'about <b>';
        $mark_for_max_res_end = '</b> ';

        my @domaines = $dump =~ /$mdeb(.*?)$mfin/ig;

        # must check max results for each page, so as to detect the 'In order to show you the most relevant results(...)' mechanism
        @max = $dump =~ /$mark_for_max_res_deb(.*?)$mark_for_max_res_end/ig;
        print "[+] $start results found, Google says $max[0] max results. ";
        if ($start > $max[0]) {
                               print "Those are the last ones.\n\n";
                               $start = 10000;
                               }
        else { print "Going further.\n\n"; }

        foreach my $line (@domaines) {
                                     print "found $line (";
                                     $flag = "y";
                                     # we need only unique hosts, and this one may have been found x pages ago. Let's check this.
                                     foreach $check (@global) {
                                                              if ($line eq $check) {
                                                                                    $flag="x";
                                                                                    print "already seen)\n";
                                                                                    }
                                                              }

                                     if ($flag ne "x") {
                                                       push (@global,$line);
                                                       my $dnsres   = Net::DNS::Resolver->new;
                                                       my $dnsquery = $dnsres->search($line);


                                                       if ($dnsquery) {
                                                                      foreach my $rr ($dnsquery->answer) {
                                                                                                         next unless $rr->type eq "A";
                                                                                                         print IN $rr->address, "\n";
                                                                                                         $tgt++;
                                                                                                         print $rr->address, ")\n";
                                                                                                         }
                                                                      } else {
                                                                             print "No IP for $line (error was ".$dnsres->errorstring."), keeping hostname.)\n";
                                                                             print IN $line."\n";
                                                                             $tgt++;
                                                                             }
                                                          }
                                        }

        }
        close (IN);
        print "\n[+] file [ targets.txt ] saved with $tgt hosts.\n";