Nmap Development mailing list archives
Re: script for virtual host discovery
From: Carlos Pantelides <carlos_pantelides () yahoo com>
Date: Tue, 2 Nov 2010 19:49:04 -0700 (PDT)
David:
> I don't understand. The names have to be in DNS, or else http.head won't work. So they are "registered" in a sense.
Are you sure? I tried with an IP that does not resolve to any name but does exist and it worked fine:

nmap -p 80,443 --script http-vhosts 127.0.0.9 --script-args 'domain=google.com,names={www,aop},ignore_system_names=1'

Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-11-02 22:08 ART
Nmap scan report for 127.0.0.9
Host is up (0.000038s latency).
PORT    STATE SERVICE
80/tcp  open  http
| http-vhosts:
| http-vhosts: http(80)://????????(127.0.0.9)/ aop.google.com: 200
|_http-vhosts: http(80)://????????(127.0.0.9)/ www.google.com: 200
443/tcp open  https
| http-vhosts:
| http-vhosts: https(443)://????????(127.0.0.9)/ aop.google.com: 403
|_http-vhosts: https(443)://????????(127.0.0.9)/ www.google.com: 403

aop.google.com does not exist. I got a 200 because my server has a default virtual host.

------------------------------------------------

Check this out:

nmap -p 80,443 --script http-vhosts www.google.com --script-args 'domain=google.com,names={www,aop},ignore_system_names=1'

Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-11-02 22:15 ART
Nmap scan report for www.google.com (209.85.195.104)
Host is up (0.013s latency).
rDNS record for 209.85.195.104: eze03s01-in-f104.1e100.net
PORT    STATE SERVICE
80/tcp  open  http
| http-vhosts:
| http-vhosts: http(80)://www.google.com(209.85.195.104)/ aop.google.com: 302 -> http://www.google.com/
|_http-vhosts: http(80)://www.google.com(209.85.195.104)/ www.google.com: 302 -> http://www.google.com.ar/
443/tcp open  https
| http-vhosts:
| http-vhosts: https(443)://www.google.com(209.85.195.104)/ aop.google.com: 302 -> http://www.google.com
|_http-vhosts: https(443)://www.google.com(209.85.195.104)/ www.google.com: 200

------------------------------------------------

and now with the IP of google:

nmap -p 80,443 --script http-vhosts 209.85.195.104 --script-args 'domain=google.com,names={www,aop},ignore_system_names=1'

Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-11-02 22:18 ART
Nmap scan report for eze03s01-in-f104.1e100.net (209.85.195.104)
Host is up (0.013s latency).
PORT    STATE SERVICE
80/tcp  open  http
| http-vhosts:
| http-vhosts: http(80)://????????(209.85.195.104)/ aop.google.com: 302 -> http://www.google.com/
|_http-vhosts: http(80)://????????(209.85.195.104)/ www.google.com: 302 -> http://www.google.com.ar/
443/tcp open  https
| http-vhosts:
| http-vhosts: https(443)://????????(209.85.195.104)/ aop.google.com: 302 -> http://www.google.com
|_http-vhosts: https(443)://????????(209.85.195.104)/ www.google.com: 200

------------------------------------------------

and finally a google IP without any domain:

nmap -p 80,443 --script http-vhosts 209.85.195.104 --script-args 'names={www,aop},ignore_system_names=1'

Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-11-02 22:19 ART
Nmap scan report for eze03s01-in-f104.1e100.net (209.85.195.104)
Host is up (0.012s latency).
PORT    STATE SERVICE
80/tcp  open  http
| http-vhosts:
| http-vhosts: http(80)://????????(209.85.195.104)/ aop.1e100.net: 302 -> http://www.google.com/
|_http-vhosts: http(80)://????????(209.85.195.104)/ www.1e100.net: 302 -> http://www.google.com/
443/tcp open  https
| http-vhosts:
| http-vhosts: https(443)://????????(209.85.195.104)/ aop.1e100.net: 302 -> http://www.google.com
|_http-vhosts: https(443)://????????(209.85.195.104)/ www.1e100.net: 302 -> http://www.google.com

------------------------------------------------
> I also don't know what you mean about using it in a host without connectivity. If you can't connect to it, how will http.head work?
That you can run against localhost. It is true that if you are there, you can just read /etc/apache/vhost.conf or equivalent, well, if you have the credentials...
> Maybe I'm confused about what this script does?
The script tries a list of names concatenated with a domain against a given host, changing the HTTP Host header. The objective is to discover virtual hosts that are not registered with a known DNS server. The difference from the script hostnames.nse that you proposed I merge into, as far as I can tell from the source, is that it looks outside the host ("external", you know) regardless of the services running. It searches for hostnames, not virtual hosts. You can even run it against a powered-off host.

I read lonerunners' hostmap-0.2.2 README and skimmed over the Ruby code (I don't know Ruby, but it seems clear enough) and it seems to do the same thing, at least regarding the web.

BTW: http://hostmap.lonerunner.net/doc/README.pdf -> http://hostmap.lonerunners.net/doc/README.pdf

Thank you
Charly

pd: Jacky Jack told me a few days ago, after I had made my script, "I don't know why you guys reinvent the wheel again and again as there have been already tools written for your purpose." and sent me a Metasploit script, plugin or whatever it's called:

##
## Enhancement of /auxiliary/scanner/http/vhost_scanner.rb (Original Author - et)
##
## Enhanced by Aung Khant
## YGN Ethical Hacker Group, Yangon, Myanmar
## http://yehg.net/
##
From the description, and as far as I can tell from the Wireshark trace, it seems to do the same as my script. But the reporting differs:
Metasploit:

Name     Current Setting  Required  Description
----     ---------------  --------  -----------
DOMAIN   localhost        yes       Domain name
HEADERS                   no        HTTP Headers
PATH     /                yes       The PATH to use while testing
Proxies                   no        Use a proxy chain
QUERY                     no        HTTP URI Query
RHOSTS   127.0.0.1        yes       The target address range or CIDR identifier
RPORT    80               yes       The target port
THREADS  1                yes       The number of concurrent threads
VHOST                     no        HTTP server virtual host

exploit
[*] [127.0.0.1] Sending request with random domain wDmIe.localhost
[*] NOT Found admin.localhost

nmap:

nmap -p 80 --script http-vhosts localhost --script-args 'domain=localhost,names={admin},ignore_system_names=1'

Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-11-02 23:33 ART
...
80/tcp open  http
| http-vhosts:
|_http-vhosts: http(80)://localhost(127.0.0.1)/ admin.localhost: 200

but, it's my first time using Metasploit... perhaps it uses the random test to know how a default answer is.

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
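The probe the message describes (a list of names joined to a domain and sent in the Host header), written as an added Python example that is neither the nmap script's nor the Metasploit module's code. It also adds the random-name baseline the message guesses Metasploit uses, so a 200 from a default virtual host (as in the 127.0.0.9 run above) is not reported as a discovered name; the loopback test server, the example.test domain and the admin name are constructed for the demo.

```python
import http.client
import random
import string
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def candidate_vhosts(names, domain):
    """Combine names and domain the way the script's names={...},domain=... args do."""
    return [f"{name}.{domain}" for name in names]

def random_vhost(domain, length=8):
    """A label that should not exist, used to learn what the default vhost answers."""
    label = "".join(random.choice(string.ascii_lowercase) for _ in range(length))
    return f"{label}.{domain}"

def head_with_host(ip, port, vhost, path="/", timeout=5):
    """HEAD to ip:port with the Host header set to vhost; returns a comparable fingerprint."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    conn.request("HEAD", path, headers={"Host": vhost})
    resp = conn.getresponse()
    fingerprint = (resp.status, resp.getheader("Location"), resp.getheader("Content-Length"))
    conn.close()
    return fingerprint

def discover_vhosts(ip, port, names, domain):
    """Probe each candidate; flag only answers that differ from the random-name baseline."""
    baseline = head_with_host(ip, port, random_vhost(domain))
    report = {}
    for vhost in candidate_vhosts(names, domain):
        fp = head_with_host(ip, port, vhost)
        report[vhost] = {"status": fp[0], "location": fp[1],
                         "differs_from_default": fp != baseline}
    return report

class _FakeVhostServer(BaseHTTPRequestHandler):
    """Constructed local server: only admin.example.test is a real vhost, the rest is default."""
    KNOWN = {"admin.example.test"}
    def do_HEAD(self):
        if self.headers.get("Host", "") in self.KNOWN:
            self.send_response(302)
            self.send_header("Location", "https://admin.example.test/login")
        else:  # default vhost answers 200 for any unknown name, like the 127.0.0.9 run above
            self.send_response(200)
            self.send_header("Content-Length", "1234")
        self.end_headers()
    def log_message(self, *args):
        pass  # keep the demo quiet

def start_fake_server():
    """Bind the constructed server on a free loopback port; port is srv.server_address[1]."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeVhostServer)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv
```

Running discover_vhosts("127.0.0.1", port, ["www", "admin"], "example.test") against the constructed server marks only admin.example.test as differing from the default, while www.example.test gets the same 200 as the random name and is not flagged.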