Nmap Development mailing list archives

Re: script for virtual host discovery


From: Carlos Pantelides <carlos_pantelides () yahoo com>
Date: Tue, 2 Nov 2010 19:49:04 -0700 (PDT)

David:

I don't understand. The names have to be in DNS, or else http.head won't work. So they are "registered" in a sense.

Are you sure? I tried with an IP that does not resolve to any name but does exist, and it worked fine:

nmap -p 80,443 --script http-vhosts 127.0.0.9   --script-args 'domain=google.com,names={www,aop},ignore_system_names=1'

Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-11-02 22:08 ART
Nmap scan report for 127.0.0.9
Host is up (0.000038s latency).
PORT    STATE SERVICE
80/tcp  open  http
| http-vhosts:
| http-vhosts: http(80)://????????(127.0.0.9)/ aop.google.com: 200
|_http-vhosts: http(80)://????????(127.0.0.9)/ www.google.com: 200
443/tcp open  https
| http-vhosts:
| http-vhosts: https(443)://????????(127.0.0.9)/ aop.google.com: 403
|_http-vhosts: https(443)://????????(127.0.0.9)/ www.google.com: 403


aop.google.com does not exist. I got a 200 because my server has a default virtual host.

------------------------------------------------

Check this out:

nmap -p 80,443 --script http-vhosts www.google.com --script-args 'domain=google.com,names={www,aop},ignore_system_names=1'

Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-11-02 22:15 ART
Nmap scan report for www.google.com (209.85.195.104)
Host is up (0.013s latency).
rDNS record for 209.85.195.104: eze03s01-in-f104.1e100.net
PORT    STATE SERVICE
80/tcp  open  http
| http-vhosts:
| http-vhosts: http(80)://www.google.com(209.85.195.104)/ aop.google.com: 302 -> http://www.google.com/
|_http-vhosts: http(80)://www.google.com(209.85.195.104)/ www.google.com: 302 -> http://www.google.com.ar/
443/tcp open  https
| http-vhosts:
| http-vhosts: https(443)://www.google.com(209.85.195.104)/ aop.google.com: 302 -> http://www.google.com
|_http-vhosts: https(443)://www.google.com(209.85.195.104)/ www.google.com: 200

------------------------------------------------

and now with the ip of google:

nmap -p 80,443 --script http-vhosts 209.85.195.104 --script-args 'domain=google.com,names={www,aop},ignore_system_names=1'

Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-11-02 22:18 ART
Nmap scan report for eze03s01-in-f104.1e100.net (209.85.195.104)
Host is up (0.013s latency).
PORT    STATE SERVICE
80/tcp  open  http
| http-vhosts:
| http-vhosts: http(80)://????????(209.85.195.104)/ aop.google.com: 302 -> http://www.google.com/
|_http-vhosts: http(80)://????????(209.85.195.104)/ www.google.com: 302 -> http://www.google.com.ar/
443/tcp open  https
| http-vhosts:
| http-vhosts: https(443)://????????(209.85.195.104)/ aop.google.com: 302 -> http://www.google.com
|_http-vhosts: https(443)://????????(209.85.195.104)/ www.google.com: 200

------------------------------------------------

and finally a Google IP without any domain:

nmap -p 80,443 --script http-vhosts 209.85.195.104   --script-args 'names={www,aop},ignore_system_names=1'

Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-11-02 22:19 ART
Nmap scan report for eze03s01-in-f104.1e100.net (209.85.195.104)
Host is up (0.012s latency).
PORT    STATE SERVICE
80/tcp  open  http
| http-vhosts:
| http-vhosts: http(80)://????????(209.85.195.104)/ aop.1e100.net: 302 -> http://www.google.com/
|_http-vhosts: http(80)://????????(209.85.195.104)/ www.1e100.net: 302 -> http://www.google.com/
443/tcp open  https
| http-vhosts:
| http-vhosts: https(443)://????????(209.85.195.104)/ aop.1e100.net: 302 -> http://www.google.com
|_http-vhosts: https(443)://????????(209.85.195.104)/ www.1e100.net: 302 -> http://www.google.com

------------------------------------------------

I also don't know what you mean about using it in a host without connectivity. If you can't connect to it, how will http.head work?


That you can run against localhost. It is true that if you are there, you can just read /etc/apache/vhost.conf or equivalent, well, if you have the credentials...


Maybe I'm confused about what this script does?

The script tries a list of names concatenated with a domain against a given host, changing the HTTP Host header. The objective is to discover virtual hosts that are not registered with a known DNS server.

The difference from the script hostnames.nse, which you proposed I merge into, as far as I can tell from the source, is that it looks outside the host ("external", you know) regardless of the services running. It searches for hostnames, not virtual hosts. You can even run it against a powered-off host.

I read lonerunners' hostmap-0.2.2 README and skimmed over the Ruby code (I don't know Ruby, but it seems clear enough) and it seems to do the same thing, at least regarding the web.

BTW: http://hostmap.lonerunner.net/doc/README.pdf -> http://hostmap.lonerunners.net/doc/README.pdf

Thank you

Charly

PS: Jacky Jack told me a few days ago, after I had made my script, "I don't know why you guys reinvent the wheel again and again as there have been already tools written for your purpose." and sent me a Metasploit script, plugin or whatever it's called:

##
## Enhancement of /auxiliary/scanner/http/vhost_scanner.rb (Original Author - et)
##
## Enhanced by Aung Khant
## YGN Ethical Hacker Group, Yangon, Myanmar
## http://yehg.net/
##

From the description and as far as I can tell from the Wireshark trace, it seems to do the same as my script. But the reporting differs:

Metasploit:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   DOMAIN   localhost        yes       Domain name
   HEADERS                   no        HTTP Headers
   PATH     /                yes       The PATH to use while testing
   Proxies                   no        Use a proxy chain
   QUERY                     no        HTTP URI Query
   RHOSTS   127.0.0.1        yes       The target address range or CIDR identifier
   RPORT    80               yes       The target port
   THREADS  1                yes       The number of concurrent threads
   VHOST                     no        HTTP server virtual host

exploit

[*] [127.0.0.1] Sending request with random domain wDmIe.localhost
[*] NOT Found admin.localhost

nmap:

nmap -p 80 --script http-vhosts localhost   --script-args 'domain=localhost,names={admin},ignore_system_names=1'

Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-11-02 23:33 ART
...
80/tcp open  http
| http-vhosts:
|_http-vhosts: http(80)://localhost(127.0.0.1)/ admin.localhost: 200


But it's my first time using Metasploit... perhaps it uses the random test to know what a default answer looks like.

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
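The two points the thread turns on, probing by rewriting the Host header, and the random-name baseline that Metasploit's vhost_scanner uses to tell a real virtual host from the server's default answer, as an added example that is not http-vhosts.nse, hostmap or the Metasploit module. It stands up a constructed toy target on loopback (the example.test names, the bodies and the redirect target are made up) and scans it the same way one would scan a remote IP; it uses GET rather than http.head so that the comparison can include the body, not just the status line. The baseline request with a random label catches exactly the case from the 127.0.0.9 run above, where a default vhost answers 200 to every name:

```python
import hashlib
import http.client
import random
import string
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed toy target (stands in for the servers probed in the post): one
# catch-all default virtual host plus two "unregistered" names that exist only
# in the server's vhost config, never in DNS. Names and bodies are made up.
DEFAULT_VHOST = (200, b"default vhost")
KNOWN_VHOSTS = {
    "admin.example.test": (200, b"admin console login"),
    "intranet.example.test": (302, b""),
}
REDIRECT_TARGET = "http://www.example.test/"


class VHostHandler(BaseHTTPRequestHandler):
    """Route purely on the Host header, like name-based vhosts in Apache/nginx."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        status, body = KNOWN_VHOSTS.get(host, DEFAULT_VHOST)
        self.send_response(status)
        if status in (301, 302):
            self.send_header("Location", REDIRECT_TARGET)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_server():
    """Bind the toy target on an ephemeral loopback port and serve it in a thread."""
    srv = HTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def random_label(length=8):
    """A hostname label that will not exist anywhere; used to learn the default answer."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))


def fingerprint(ip, port, hostname, path="/"):
    """Send one request to ip:port with the given Host header and summarise the reply.

    The tuple (status, Location, body hash) is what gets compared between
    candidates: two names served by the same vhost produce the same tuple.
    """
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    try:
        # http.client sends the explicit Host header instead of deriving one from the IP.
        conn.request("GET", path, headers={"Host": hostname})
        resp = conn.getresponse()
        body = resp.read()
        return (resp.status, resp.getheader("Location"),
                hashlib.sha256(body).hexdigest())
    finally:
        conn.close()


def scan_vhosts(ip, port, domain, names, path="/"):
    """Try name.domain for each name; report which ones differ from the default vhost."""
    baseline = fingerprint(ip, port, f"{random_label()}.{domain}", path)
    results = {}
    for name in names:
        fqdn = f"{name}.{domain}"
        fp = fingerprint(ip, port, fqdn, path)
        results[fqdn] = {
            "status": fp[0],
            "location": fp[1],
            # A 200 alone proves nothing (see the 127.0.0.9 run above); a reply
            # that differs from the random-name baseline is the real signal.
            "is_vhost": fp != baseline,
        }
    return baseline, results


def run_demo(names=("www", "admin", "intranet")):
    """Start the toy target, scan it, stop it, and return the findings."""
    srv = start_server()
    try:
        return scan_vhosts("127.0.0.1", srv.server_port, "example.test", names)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    baseline, results = run_demo()
    print("default vhost fingerprint (random name):", baseline[0], baseline[1])
    for fqdn, r in results.items():
        tag = "VHOST" if r["is_vhost"] else "default"
        print(f"{fqdn}: {r['status']} {r['location'] or ''} [{tag}]")
```

Against the toy target, www.example.test comes back 200 but identical to the random-name baseline, so it is reported as the default vhost, while admin.example.test (200, different body) and intranet.example.test (302) are flagged; that is the distinction behind Metasploit's "NOT Found admin.localhost" versus the bare "admin.localhost: 200" in the nmap output. To point it at a real host, replace the loopback server with the target IP and port and pass the domain and names you want to try; a 403 on TLS ports, as in the 127.0.0.9 run, is still just another fingerprint to compare against the baseline.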