Nmap Development mailing list archives

Re: script for virtual host discovery


From: David Fifield <david () bamsoftware com>
Date: Wed, 3 Nov 2010 12:41:39 -0600

On Tue, Nov 02, 2010 at 07:49:04PM -0700, Carlos Pantelides wrote:
> > I don't understand. The names have to be in DNS, or else http.head won't
> > work. So they are "registered" in a sense.
> 
> Are you sure? I tried with an IP that does not resolve to any name but does exist and it worked fine:
> 
> nmap -p 80,443 --script http-vhosts 127.0.0.9 --script-args \
>     'domain=google.com,names={www,aop},ignore_system_names=1'
> 
> Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-11-02 22:08 ART
> Nmap scan report for 127.0.0.9
> Host is up (0.000038s latency).
> PORT    STATE SERVICE
> 80/tcp  open  http
> | http-vhosts:
> | http-vhosts: http(80)://????????(127.0.0.9)/ aop.google.com: 200
> |_http-vhosts: http(80)://????????(127.0.0.9)/ www.google.com: 200
> 443/tcp open  https
> | http-vhosts:
> | http-vhosts: https(443)://????????(127.0.0.9)/ aop.google.com: 403
> |_http-vhosts: https(443)://????????(127.0.0.9)/ www.google.com: 403
> 
> aop.google.com does not exist. I got a 200 because my server has a default virtual host.

Okay. I did misunderstand how your script works. I thought it was
passing different host names to http.head. Instead, it is passing the
same host name, but causing a different Host header to be sent in the
request. I'm sorry for the confusion. You can forget what I said earlier
because I didn't see what you were doing.

You're controlling the Host header by actually changing host.targetname:
        host.targetname = makeTargetName(name , domain)
        http_response = http.head(host, port, resource)
I suggest that you do it like this instead:
        http_response = http.head(host, port, resource,
                {header={Host=makeTargetName(name, domain)}})
Just because changing targetname is relying on the internal
implementation of the http library. I think doing it this way will make
it work on IP addresses too.

For the portrule, just use
        portrule = shortport.http

You have a todo to qualify script argument names. That's easy, just pass
the qualified name to stdnse.get_script_args. I don't see the purpose of
the "quiet" argument; if someone doesn't want to see the results they
should just not run the script.

Can you explain more what the defineNames function does and why it is
not working in the portrule? I don't get what you're doing by assigning
the values 0.0, 0.9, and 1.0 to names.

I think this can be a useful script. Let me know what you think about
my suggestions above and we can work on including it. 

David Fifield
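The following is an added illustration, not Carlos's script or anything from the Nmap tree: a minimal http-vhosts-style NSE script written the way the reply above suggests, i.e. setting the Host header through the options table of http.head(host, port, path, options), using portrule = shortport.http, and reading script arguments by their qualified names through stdnse.get_script_args. It assumes the modern NSE module style (local http = require "http"), the script name http-vhosts-example, the argument names http-vhosts-example.domain and http-vhosts-example.names, and the default candidate list; those are choices made here. The baseline comparison is also added here: since a server with a default virtual host answers 200 for any name (as in the output quoted above), the script first probes a random name that should not exist and only reports candidates whose status differs from that baseline.

```lua
-- Added example, not code from the thread: a vhost probe that controls the
-- Host header via http.head options instead of changing host.targetname.
-- Assumed names: script name "http-vhosts-example" and its two arguments.
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Probes candidate virtual host names by sending the same HEAD request with
different Host headers and reports the names whose response status differs
from a baseline request for a name that should not exist.
]]

author = "added example (not from the thread)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

-- Usage (assumed argument names):
--   nmap -p 80,443 --script http-vhosts-example --script-args \
--     'http-vhosts-example.domain=example.com,http-vhosts-example.names={www,mail}' 127.0.0.9

-- As suggested in the reply: just use shortport.http for the portrule.
portrule = shortport.http

-- Build "name.domain"; with no domain the bare name is used as-is.
local function make_target_name(name, domain)
  if domain and domain ~= "" then
    return name .. "." .. domain
  end
  return name
end

-- Send HEAD for the resource with an explicit Host header. The target is left
-- untouched, so this works whether the scan target is a hostname or an IP.
local function probe(host, port, resource, vhost)
  local response = http.head(host, port, resource, {header = {Host = vhost}})
  if not response or not response.status then
    return nil
  end
  return response.status
end

action = function(host, port)
  -- Qualified argument names, read through stdnse.get_script_args.
  local domain, names = stdnse.get_script_args(SCRIPT_NAME .. ".domain",
                                               SCRIPT_NAME .. ".names")
  -- Constructed default candidate list, used only when no names are given.
  names = names or {"www", "mail", "admin"}
  if type(names) == "string" then names = {names} end

  local resource = "/"
  local shown = host.targetname or host.ip

  -- Baseline: a random name that should not exist. A catch-all default vhost
  -- answers it exactly like every other unknown name, so only candidates whose
  -- status differs from the baseline are evidence of a distinct virtual host.
  local baseline_name = make_target_name(stdnse.generate_random_string(12), domain)
  local baseline = probe(host, port, resource, baseline_name)
  if not baseline then
    return nil  -- server did not answer the baseline request; nothing to compare
  end

  local out = {}
  for _, name in ipairs(names) do
    local vhost = make_target_name(name, domain)
    local status = probe(host, port, resource, vhost)
    if status and status ~= baseline then
      out[#out + 1] = string.format("%s(%d)://%s/ %s: %d (baseline %d)",
        port.service, port.number, shown, vhost, status, baseline)
    end
  end

  if #out == 0 then
    return string.format("no candidate differed from baseline status %d", baseline)
  end
  return out
end
```

Comparing against a baseline rather than reporting every 200 is what turns the default-vhost observation quoted above into a usable signal; a server that answers every name with the same status yields no false positives, and one that serves a distinct site for a candidate name shows up as a status change.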
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/