Home page logo

nmap-dev logo Nmap Development mailing list archives

[NSE] ip-geolocation
From: Gorjan Petrovski <mogi57 () gmail com>
Date: Fri, 10 Jun 2011 17:36:23 +0200


Please find attached the ip-geolocation script. I've implemented IP
geolocation lookups on 4 web services(Geoplugin, IPInfoDB, Geobytes
and Quova) and a query against a Maxmind database based on the API
from Maxmind.

The usage is as follows:
nmap --script ip-geolocation <target> [--script-args

As you can see there are many arguments but all of them are optional.
When the script is run with no arguments it performs lookups on all
the web services. If a web service is selected, it only does lookup on
those services which are selected. The <maxmind_db> argument can be
supplied without a filename, in which case the script searches for the
Maxmind database as a "nselib/data/GeoLiteCity.dat" file, or if the
filename is present, the script treats that like a database.

A little bit about each web service:
* Geoplugin looks up IP's in the free Maxmind GeoLiteCity database and
returns the results. I don't know why but the results which I got
below from Geoplugin and Maxmind are different. There is no limit on
the queries against this web service
* IPInfoDB has no limit on queries, but use of an API key is required
supplied through a registration to the service
* Geobytes has a limit of 20 requests per host per hour. Upon reaching
that limit it responds with a "Limit Exceeded" value, which the script
uses and writes to the registry so the server is not flooded with any
more requests during a single scan.
* Quova boasts that they have the best accuracy. They require a free
registration after which an API key is supplied. The limit is 1000
requests per API key per day, 2 requests per API key per second. They
supply 3 API keys per developer, I've inserted all 3 of them into this

The code for the querying of the Maxmind database is big, mainly
because of the big lookup tables which must be implemented into the
script (or maybe moved to an external file). The code can be used to
access any IP geolocation database supplied by Maxmind including the
commercial ones with greater accuracy. The Geoplugin web service
claims they offer access to the free Maxmind database. Those are the
main arguments of whether we should keep the code in the script or
not. I'd be sorry to have worked in vain on that code, however I have
no opinion on whether we should keep the code or not.

Sample usage:

./nmap -Pn -sn --script ip-geolocation --script-args
ip-geolocation.maxmind_db  scanme.nmap.org

Sample output:

Host script results:
| ip-geolocation:
| (scanme.nmap.org)
|   Geoplugin
|     coordinates (lat,lon): 39.4208984375,-74.497703552246
|     state: New Jersey, United States
|   IPInfoDB
|     coordinates (lat,lon): 37.5384,-121.99
|   Geobytes
|     coordinates (lat,lon): 43.667,-79.417
|     city: Toronto, Ontario, Canada
|   Quova
|     coordinates (lat,lon): 37.56699,-121.98266
|     city: fremont, california, united states
|   Maxmind database
|     coordinates (lat,lon): 39.4899,-74.4773
|_    city: Absecon, Philadelphia, PA, United States


Attachment: ip-geolocation.nse

Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]