Nmap Development mailing list archives

Re: script for virtual host discovery


From: Carlos Pantelides <carlos_pantelides () yahoo com>
Date: Fri, 29 Oct 2010 09:18:53 -0700 (PDT)

Thank you, David.

What does the script do? It makes requests against a web server, changing the HTTP Host: header and watching the response
codes.

Usage:
nmap localhost --script http-vhosts --script-args \
'domain=mydomain.com,names={www}'


This will scan the target on ports recognized as serving http or https:
PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
80/tcp    open  http
|_http-vhosts: http-vhosts: http(80)://localhost(127.0.0.1)/ www.mydomain.com: 200 
631/tcp   open  ipp
3306/tcp  open  mysql
5432/tcp  open  postgresql

There are a few options:

ignore_system_names=1 : don't load names from nselib/data/hostnames.lst
names_file=file.txt : load names from file.txt

-------------------------

At this stage, it is better to provide a domain. To test the script quickly, I recommend reducing the ports and
ignoring system names:

nmap -p 80 localhost --script http-vhosts --script-args 'domain=mydomain.com,names={http,jira},ignore_system_names=1'


PORT   STATE SERVICE
80/tcp open  http
| http-vhosts: http-vhosts: http(80)://localhost(127.0.0.1)/ http.mydomain.com: 200 
|_http-vhosts: http(80)://localhost(127.0.0.1)/ jira.mydomain.com: 200 

-------------------------

To test without installing, start with:
nmap -p 80 --script ./http-vhosts.nse localhost --script-args 'domain=mydomain.com,names_file=hostnames.lst'

-------------------------

Remember that this is my first contact with Lua and with Nmap scripting, so please have no mercy. I have documented the
missing parts in the script with @todos; any feedback will be greatly appreciated.

Thank you, "Jacky Jack", for your hint about the equivalent Metasploit plugin. I will share host names with them.


Carlos Pantelides



Attachment: http-vhosts.nse
Attachment: hostnames.lst

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
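The technique the post describes (vary the HTTP Host: header, keep the names whose response code differs), written out as an added example in Python. This is not code from the original post or from the attached http-vhosts.nse; it stands up a constructed local server on loopback that plays the role of a name-based virtual host setup, answering 200 for two hypothetical names and 404 for everything else, and the domain and names are the post's own placeholders. It goes one step beyond the post: every probe is compared against a baseline request for a name that cannot exist, so a catch-all default vhost that returns 200 for any Host: value is reported as a catch-all instead of as a hit on every candidate name.

```python
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed test data: the names the local stand-in server answers for.
# mydomain.com is the placeholder domain from the post, not a real target.
KNOWN_VHOSTS = {"www.mydomain.com", "jira.mydomain.com"}


class VhostHandler(BaseHTTPRequestHandler):
    """Stand-in for a name-based virtual host config: 200 for a configured
    name in the Host: header, 404 for anything else (hypothetical server)."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        if host in KNOWN_VHOSTS:
            status, body = 200, b"vhost " + host.encode()
        else:
            status, body = 404, b"no such vhost"
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):  # keep the demo quiet
        pass


def start_server():
    """Bind the stand-in server to an ephemeral loopback port and serve it
    from a daemon thread; the caller reads the port from server_address."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), VhostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(ip, port, hostname, path="/", timeout=5):
    """One GET to ip:port with an explicit Host: header; return the status.
    http.client adds its own Host header only when the caller supplies none."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": hostname})
        resp = conn.getresponse()
        resp.read()
        return resp.status
    finally:
        conn.close()


def discover_vhosts(ip, port, domain, names):
    """Return (baseline_status, {fqdn: status}).

    The baseline is the response to a random name that cannot be configured
    anywhere; a candidate only counts when its status differs from that.
    """
    baseline = probe(ip, port, "x" + secrets.token_hex(8) + "." + domain)
    found = {}
    for name in names:
        fqdn = f"{name}.{domain}"
        status = probe(ip, port, fqdn)
        if status != baseline:
            found[fqdn] = status
    return baseline, found


def format_results(ip, port, baseline, found):
    """Lines in the same shape as the script output shown in the post."""
    lines = [f"http({port})://{ip}/ {fqdn}: {status}"
             for fqdn, status in sorted(found.items())]
    if baseline == 200:
        # Catch-all vhost: a nonexistent name already gets 200, so a 200 on
        # a candidate name proves nothing by itself.
        lines.append(f"http({port})://{ip}/ catch-all: random name returned 200")
    return lines


if __name__ == "__main__":
    server = start_server()
    port = server.server_address[1]
    base, hits = discover_vhosts("127.0.0.1", port, "mydomain.com",
                                 ["www", "jira", "mail"])
    for line in format_results("127.0.0.1", port, base, hits):
        print(line)
    server.shutdown()
```

Against the stand-in server, `www` and `jira` come back 200 while the baseline and `mail` come back 404, so only the two configured names are reported. Flip the stand-in to answer 200 for everything and the same run reports nothing but the catch-all line, which is the case a plain "look for 200" check mistakes for a full hit list.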
