Nmap Development mailing list archives
Re: script for virtual host discovery
From: David Fifield <david () bamsoftware com>
Date: Wed, 3 Nov 2010 12:41:39 -0600
On Tue, Nov 02, 2010 at 07:49:04PM -0700, Carlos Pantelides wrote:
> > I don't understand. The names have to be in DNS, or else http.head won't work. So they are "registered" in a sense.
>
> Are you sure? I tried with an IP that does not resolve to any name but does exist and it worked fine:
>
> nmap -p 80,443 --script http-vhosts 127.0.0.9 --script-args 'domain=google.com,names={www,aop},ignore_system_names=1'
>
> Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-11-02 22:08 ART
> Nmap scan report for 127.0.0.9
> Host is up (0.000038s latency).
> PORT    STATE SERVICE
> 80/tcp  open  http
> | http-vhosts:
> | http-vhosts: http(80)://????????(127.0.0.9)/ aop.google.com: 200
> |_http-vhosts: http(80)://????????(127.0.0.9)/ www.google.com: 200
> 443/tcp open  https
> | http-vhosts:
> | http-vhosts: https(443)://????????(127.0.0.9)/ aop.google.com: 403
> |_http-vhosts: https(443)://????????(127.0.0.9)/ www.google.com: 403
>
> aop.google.com does not exist. I got a 200 because my server has a default virtual host.
Okay. I did misunderstand how your script works. I thought it was passing different host names to http.head. Instead, it is passing the same host name, but causing a different Host header to be sent in the request. I'm sorry for the confusion. You can forget what I said earlier because I didn't see what you were doing.

You're controlling the Host header by actually changing host.targetname:

    host.targetname = makeTargetName(name , domain)
    http_response = http.head(host, port, resource)

I suggest that you do it like this instead:

    http_response = http.head(host, port, resource, {header={Host=makeTargetName(name, domain)}})

Just because changing targetname is relying on the internal implementation of the http library. I think doing it this way will make it work on IP addresses too.

For the portrule, just use

    portrule = shortport.http

You have a todo to qualify script argument names. That's easy, just pass the qualified name to stdnse.get_script_args.

I don't see the purpose of the "quiet" argument; if someone doesn't want to see the results they should just not run the script.

Can you explain more what the defineNames function does and why it is not working in the portrule? I don't get what you're doing by assigning the values 0.0, 0.9, and 1.0 to names.

I think this can be a useful script. Let me know what you think about my suggestions above and we can work on including it.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
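The following is an added example, not Carlos's script and not code from the thread, showing how David's three suggestions fit together in a minimal NSE script: `shortport.http` as the portrule, script arguments looked up by their qualified names through `stdnse.get_script_args`, and the Host header supplied via the options table of `http.head` rather than by mutating `host.targetname`. The script name `http-vhosts`, the argument names `domain`, `names` and `path`, and the `makeTargetName` helper are assumptions for illustration; the `header` option of the NSE http library and the `{www,aop}` table syntax for `--script-args` are real. Because the target's own name is never touched, the same code works when the target is given as an IP address, which is the behaviour David expects.

```lua
-- Added example (hypothetical script), not the script under review in the thread.
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Sends HEAD requests with different Host headers and reports the HTTP status
each name receives, so an administrator can verify which virtual host names
a server actually answers for (e.g. whether a default vhost catches unknown names).
]]

author = "example author (hypothetical)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

-- Suggestion 2: no custom port logic, just the stock HTTP port rule.
portrule = shortport.http

-- Builds the name sent in the Host header (assumed helper, mirrors the thread).
local function makeTargetName(name, domain)
  if domain and domain ~= "" then
    return name .. "." .. domain
  end
  return name
end

action = function(host, port)
  -- Suggestion 3: qualified argument names, e.g. --script-args http-vhosts.domain=example.org
  local domain = stdnse.get_script_args("http-vhosts.domain") or host.targetname or ""
  local names_arg = stdnse.get_script_args("http-vhosts.names") or "www"
  local resource = stdnse.get_script_args("http-vhosts.path") or "/"

  -- names={www,aop} arrives as a Lua table; names=www,aop arrives as a string.
  local names = {}
  if type(names_arg) == "table" then
    names = names_arg
  else
    for n in string.gmatch(names_arg, "[^,]+") do
      names[#names + 1] = n
    end
  end

  local results = {}
  for _, name in ipairs(names) do
    local vhost = makeTargetName(name, domain)
    -- Suggestion 1: pass the Host header through the options table.
    -- host.targetname is left alone, so this does not depend on http
    -- library internals and works for IP-address targets as well.
    local response = http.head(host, port, resource, {header = {Host = vhost}})
    if response and response.status then
      results[#results + 1] = string.format("%s: %d", vhost, response.status)
    else
      results[#results + 1] = string.format("%s: no response", vhost)
    end
  end

  if #results == 0 then
    return nil
  end
  return stdnse.format_output(true, results)
end
```

Run it the same way as the command in Carlos's message, e.g. `nmap -p 80,443 --script ./http-vhosts.nse --script-args 'http-vhosts.domain=example.org,http-vhosts.names={www,aop}' 127.0.0.9` (constructed invocation); a server with a default virtual host will answer 200 for names it does not know, which is exactly the case Carlos observed, so a differing status across names is the signal that a name is handled by a distinct vhost.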
Current thread:
- script for virtual host discovery Carlos Pantelides (Oct 28)
- Re: script for virtual host discovery David Fifield (Oct 28)
- <Possible follow-ups>
- Re: script for virtual host discovery Carlos Pantelides (Oct 29)
- Re: script for virtual host discovery Carlos Pantelides (Oct 30)
- Re: script for virtual host discovery Carlos Pantelides (Oct 31)
- Re: script for virtual host discovery David Fifield (Nov 01)
- Re: script for virtual host discovery Carlos Pantelides (Nov 02)
- Re: script for virtual host discovery David Fifield (Nov 02)
- Re: script for virtual host discovery Carlos Pantelides (Nov 02)
- Re: script for virtual host discovery David Fifield (Nov 03)
- Re: script for virtual host discovery Carlos Pantelides (Nov 04)
- Re: script for virtual host discovery Ron (Nov 04)
- Re: script for virtual host discovery Martin Holst Swende (Nov 04)
- Re: script for virtual host discovery Carlos Pantelides (Nov 07)