Nmap Development mailing list archives

Re: script for virtual host discovery


From: David Fifield <david () bamsoftware com>
Date: Mon, 1 Nov 2010 19:24:36 -0600

On Sun, Oct 31, 2010 at 07:49:53PM -0700, Carlos Pantelides wrote:
> Hi:
> 
> Homework done! Thanks, Ron, for the sample script; it was very useful. I switched to the svn, nmap version 5.35DC18.
> 
> Still have some trouble with:
> 
> *) qualifying argument names
> *) storing values in nmap.registry from prerule() and hostrule()

Your script works by trying a HEAD request for / using each of the
candidate hostnames. But there's no reason this technique should be
limited to hosts running HTTP. What do you think about doing a simple
DNS query for each candidate hostname instead?

Also I'm thinking that this would fit in well as an add-on to the
hostmap script, http://nmap.org/nsedoc/scripts/hostmap.html. In fact,
domain name guessing is one of the techniques supported by the original
hostmap tool (http://hostmap.lonerunner.net/doc/README.pdf). You would
give the current action function a new name, add your hostname guessing
as a new function, and then add an action function that calls both of
them. You will change the portrule a bit, because your method is
appropriate for even private addresses (when ipOps.isPrivate returns
true), while the current technique should not be done for private
addresses.

If you agree that adding this functionality to hostmap is a good idea,
please do it and send us a patch or script file.

Where does the hostnames.lst file come from?

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
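The structure David sketches (a forward DNS lookup of each candidate name instead of an HTTP HEAD, a hostrule that also fires for private addresses, and the name list loaded once and kept in nmap.registry), as an added NSE example that is neither Carlos's script nor the real hostmap.nse; the argument name vhost-guess.namelist, the one-name-per-line file format, and the use of current NSE API names (stdnse.debug1, dns.query with retAll, ipOps.compare_ip) are assumptions.

```lua
-- Added example, not code from the thread or from hostmap.nse.
local dns = require "dns"
local ipOps = require "ipOps"
local nmap = require "nmap"
local stdnse = require "stdnse"

description = [[Resolves candidate hostnames from a wordlist and reports
those whose A record points at the target, i.e. likely virtual hosts.]]
categories = {"discovery", "safe"}

-- Script arguments are qualified with the script name, so this is passed as
-- --script-args vhost-guess.namelist=hostnames.lst (argument name assumed).
local NAMELIST = stdnse.get_script_args(SCRIPT_NAME .. ".namelist")

-- prerule runs once before any host is scanned; use it to read the list and
-- stash it in nmap.registry so every host's action can reuse it.
prerule = function()
  if not NAMELIST then return false end
  local f, err = io.open(NAMELIST, "r")
  if not f then
    stdnse.debug1("could not open %s: %s", NAMELIST, err)
    return false
  end
  local names = {}
  for line in f:lines() do
    line = line:match("^%s*(.-)%s*$")        -- trim whitespace
    if line ~= "" and not line:match("^#") then names[#names + 1] = line end
  end
  f:close()
  nmap.registry[SCRIPT_NAME] = { names = names }
  return false  -- list is loaded; nothing to report at prerule time
end

-- A forward lookup of a guessed name is fine for private targets too, so
-- unlike hostmap's reverse-lookup rule this does not exclude them.
hostrule = function(host)
  return nmap.registry[SCRIPT_NAME] ~= nil
end

action = function(host)
  local found = {}
  for _, name in ipairs(nmap.registry[SCRIPT_NAME].names) do
    local status, addrs = dns.query(name, { dtype = "A", retAll = true })
    if status then
      for _, a in ipairs(addrs) do
        if ipOps.compare_ip(a, "eq", host.ip) then
          found[#found + 1] = name
          break
        end
      end
    end
  end
  if #found > 0 then return found end
end
```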

