Today I quickly translated a python script i had floating around into a more useful NSE script.
It pulls the consensus data from one of the 9 Tor directory servers (documentation here) and runs a regular expression to extract the ip addresses of the nodes until it finds a matching one.
nmap -p0 -dd -Pn --datadir=. --script=tor-consensus-checker 126.96.36.199 ... NSE: Starting 'tor-consensus-checker' (thread: 0x9a87568) against 188.8.131.52. Initiating NSE at 23:36 NSE: checking if 184.108.40.206 is a tor relay NSE: Final http cache size (674972 bytes) of max size of 1000000 NSE: consensus retrieved from 220.127.116.11 NSE: Finished 'tor-consensus-checker' (thread: 0x9a87568) against 18.104.22.168. PORT STATE SERVICE REASON 0/tcp closed unknown conn-refused Host script results: | tor-consensus-checker: |_ 22.214.171.124 is a tor node Nmap done: 1 IP address (1 host up) scanned in 1.42 seconds
The script can currently be found on my github repository of nmap scripts.