Recently, while conducting a vulnerability assessment for a rather large customer, I was given a list of hostnames from around 20 domains, culminating in a list of over 5000 targets that needed to go through the motions. Due to the scale of the testing I needed to run the scans from several cloud nodes simultaneously to speed up the scanning. The other thing I needed to do was to extract all the IP addresses from the hostnames so as not to scan boxes multiple times when performing port scans, for instance.

I had been playing with Perl for literally a couple of hours and decided to give writing my first Perl script a go in order to grab all the IP addresses from the list of hosts, which I could then unique and sort to get the final list of target IPs. I initially played with the idea of running ping commands or nslookups and then regex'ing the IPs out of the output, but I discovered a fantastic built-in function called gethostbyname in Perl.

After some trial and error I ended up with this little gem that literally shaved days off this vulnerability assessment (5000+ hostnames ended up being less than 1000 IP addresses).

#!/usr/bin/perl

use Socket;

# Print usage and exit when no hosts file is specified
if (!defined $ARGV[0] || $ARGV[0] eq '') {
  print "\n Usage: ".$0." <hosts_file>\n\n";
  print " e.g: ".$0." hosts.txt\n\n";
  exit 1;
}

# Open file containing list of Hostnames
open(FILE, '<', $ARGV[0]) or die "Cannot open $ARGV[0]: $!\n";
@hosts = <FILE>;
close(FILE);

# For each hostname, fetch the IP address
foreach $hostname (@hosts) {
   chomp($hostname);
   if($hostname) {
      # In scalar context gethostbyname returns the packed IPv4 address
      $ip = gethostbyname($hostname);
      if($ip) {
        printf "%s\n" , $hostname.":".inet_ntoa($ip);
      } else {
        # Print 0.0.0.0 for unresolved Hostnames
        printf "%s\n" , $hostname.":0.0.0.0";
      }
      undef $ip;
   }
}

It works by taking each hostname and running the gethostbyname function on it, then printing the original hostname and IP address separated by a : for easy regexing or for a delimited import into Excel. Feel free to change the delimiter if you so wish. The other feature I added was to print an IP address of 0.0.0.0 whenever a hostname could not be resolved.
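The script above stops at one IP per hostname, which is all gethostbyname returns in scalar context, and leaves the "unique and sort" step to a second tool. As an added example (not the author's script, and written in Python rather than Perl), the following does the whole job in one place: it keeps every A record a name resolves to, passes IP literals in the list straight through, sorts the unique targets numerically rather than lexically, and builds the reverse map of which hostnames share an IP so the per-IP results can be tied back to every name that lives there. The hostnames under .test and the TEST-NET addresses are constructed sample data, and the fake resolver exists only so the example runs offline; pass a real hosts file on the command line to use live DNS via socket.getaddrinfo.

```python
"""Resolve a hosts list to IPv4 targets, de-duplicate, and keep the mapping."""
import ipaddress
import socket
import sys
from collections import defaultdict

UNRESOLVED = "0.0.0.0"  # sentinel the original Perl script prints on failure


def resolve_a_records(hostname):
    """Return every IPv4 address for hostname (often more than one), or []."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    ips = []
    for info in infos:
        ip = info[4][0]
        if ip not in ips:  # getaddrinfo may repeat an address per socket type
            ips.append(ip)
    return ips


def parse_hosts(text):
    """Split the hosts file into stripped, non-empty, non-comment names."""
    hosts = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            hosts.append(line)
    return hosts


def build_target_map(hosts, resolver=resolve_a_records):
    """Map each entry to its IPs; a bare IP literal maps to itself."""
    host_to_ips = {}
    for host in hosts:
        try:
            ipaddress.IPv4Address(host)
            host_to_ips[host] = [host]
        except ipaddress.AddressValueError:
            host_to_ips[host] = resolver(host)
    return host_to_ips


def unique_targets(host_to_ips):
    """Sorted, de-duplicated IP list; numeric sort so 10.0.0.9 < 10.0.0.10."""
    ips = {ip for ips in host_to_ips.values() for ip in ips}
    return sorted(ips, key=lambda ip: int(ipaddress.IPv4Address(ip)))


def ip_to_hosts(host_to_ips):
    """Reverse map: every hostname that resolved to each IP."""
    rev = defaultdict(list)
    for host, ips in host_to_ips.items():
        for ip in ips:
            rev[ip].append(host)
    return dict(rev)


def unresolved_hosts(host_to_ips):
    """Names that returned no address at all."""
    return [h for h, ips in host_to_ips.items() if not ips]


def format_lines(host_to_ips, delimiter=":"):
    """Same host:ip line format as the Perl script, 0.0.0.0 for failures."""
    lines = []
    for host, ips in host_to_ips.items():
        for ip in ips or [UNRESOLVED]:
            lines.append(f"{host}{delimiter}{ip}")
    return lines


# Constructed sample input (hypothetical names, TEST-NET addresses).
SAMPLE_HOSTS_FILE = """\
# constructed hosts list
www.example.test
mail.example.test
cdn.example.test
gone.example.test
203.0.113.9
"""

FAKE_DNS = {  # constructed answers standing in for real DNS
    "www.example.test": ["198.51.100.10"],
    "mail.example.test": ["198.51.100.10"],              # shares an IP with www
    "cdn.example.test": ["203.0.113.5", "203.0.113.6"],  # two A records
}


def fake_resolver(hostname):
    return FAKE_DNS.get(hostname, [])


if __name__ == "__main__":
    if len(sys.argv) > 1:
        text, resolver = open(sys.argv[1]).read(), resolve_a_records
    else:
        text, resolver = SAMPLE_HOSTS_FILE, fake_resolver
    mapping = build_target_map(parse_hosts(text), resolver)
    print("\n".join(format_lines(mapping)))
    print(f"# {len(unique_targets(mapping))} unique targets, "
          f"{len(unresolved_hosts(mapping))} unresolved")
```

Keeping the reverse map matters for the follow-up scanning: once the port scan runs against the de-duplicated IP list, ip_to_hosts tells you every name that shares each address, so a finding on one IP can be reported against all the hostnames it serves rather than just the first one that happened to resolve there.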

Here’s what it looks like in action.

If you want to import the output into another program you can just append " > output.csv" to the command.

Hope you found this useful.

Keep on sploiting,

norsec0de