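---
-- Tries to find vhosts by querying search.live.com for other hosts on the same IP
--
--@output
-- |_ vhosts: cgi.insecure.org, download.insecure.org, images.insecure.org, insecure.com, insecure.org, www.insecure.com, www.insecure.org

require "sedusa"
require "ipOps"

id = "vhosts"
description = "Tries to find vhosts by querying search.live.com for other hosts on the same IP"
author = "Sven Klemm "
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery","intrusive","external"}

-- Origin every request of this script is sent to. The scheme is plain http,
-- so the pages handled below are unauthenticated third-party content, and the
-- target's IP address is sent to the search engine as part of the query.
local SEARCH_BASE = 'http://search.live.com'

-- Upper bound on the number of additional result pages that are followed.
local MAX_EXTRA_PAGES = 3

--- run only against hosts that are neither private nor in 127.0.0.0/8
--@param host host table; only host.ip is read
--@return true if the script should run against this host
hostrule = function( host )
  -- get_parts_as_number returns several values; only the first one is
  -- compared against 127, exactly as the bare comparison would do.
  local first_part = ipOps.get_parts_as_number( host.ip )
  return not ipOps.isPrivate( host.ip ) and first_part ~= 127
end

--- fetch a page through sedusa and keep it only if it has an xml part
-- NOTE(review): the failure behaviour of sedusa.http_get is not visible in
-- this file; a nil result or a missing xml field is treated as "no page"
-- instead of raising an indexing error further down.
--@param url absolute URL to fetch
--@return the document, or nil if nothing usable came back
local fetch = function( url )
  local doc = sedusa.http_get( url )
  if doc and doc.xml then
    return doc
  end
end

--- extract host names from search result page
-- The names are text taken from a remote page and end up in the script
-- output. Only the scheme and path are stripped and the name lower-cased;
-- NOTE(review): no hostname syntax check is applied, so consumers of the
-- output should treat the names as untrusted.
--@param document result page; its xml part is queried
--@return table with names of the hosts
local extract_hosts = function( document )
  local names = {}
  local cites = document.xml:find_all('//div[@id="results"]/ul[@class="sb_results"]/li/ul[@class="sb_meta"]/li/cite')
  -- assumes every result is a string (string methods are called on it) -- TODO confirm against sedusa
  for _,cite in pairs( cites ) do
    local name = cite:gsub("https?://",""):gsub("/.*",""):lower()
    -- a cite holding nothing but a scheme or a path reduces to "", which is
    -- not a host name and would only add an empty entry to the output
    if name ~= "" then
      table.insert( names, name )
    end
  end
  return names
end

--- add table of hosts to vhosts table ignoring duplicates
-- vhosts serves as a set (string keys) and as a list (array part) at once.
--@param vhosts vhosts table
--@param hosts table of hosts to be added to vhosts
local add_hosts = function( vhosts, hosts )
  for _,name in pairs( hosts ) do
    if not vhosts[name] then
      vhosts[name] = name
      table.insert( vhosts, name )
    end
  end
end

--- query the search engine for the host's IP and collect the host names found
--@param host host table; only host.ip is read
--@param port not used
--@return comma separated, sorted list of host names, or nil if none were found
action = function(host, port)
  local vhosts = {}

  local doc = fetch( SEARCH_BASE .. '/results.aspx?go=&q=ip:' .. host.ip )
  if not doc then
    return
  end

  -- the result section is not empty
  if doc.xml:find('//div[@id="results"]/ul[@class="sb_results"]') then
    add_hosts( vhosts, extract_hosts( doc ))

    -- look whether there are more result pages
    local pages = doc.xml:find_all('//div[@id="results_area"]/div[@class="sb_pag"]/ul/li/a[not(@class="sb_pagN")]/@href')

    -- fetch further result pages
    for counter,url in pairs( pages ) do
      if counter > MAX_EXTRA_PAGES then break end
      -- The href comes from the fetched page and is appended to the origin
      -- without a separator. Only a value starting with "/" is guaranteed to
      -- stay on SEARCH_BASE; anything else could extend the host part of the
      -- URL, so such links are skipped.
      -- assumes find_all yields plain strings for @href -- TODO confirm against sedusa
      if type( url ) == "string" and url:sub( 1, 1 ) == "/" then
        local page = fetch( SEARCH_BASE .. url )
        if page then
          add_hosts( vhosts, extract_hosts( page ))
        end
      end
    end
  end

  if #vhosts > 0 then
    table.sort( vhosts )
    return table.concat( vhosts, ', ')
  end
end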