Nmap Development mailing list archives

Re: http-vhosts.nse ready for beta


From: David Fifield <david () bamsoftware com>
Date: Tue, 7 Dec 2010 16:59:26 -0800

On Tue, Dec 07, 2010 at 04:41:05AM -0800, Carlos Pantelides wrote:
> David:
>
> > I had to use the bypass_cache option in http.head, otherwise the first
> > response was getting cached and no later requests were effective.
>
> Weird, I did not have this problem.
>
> > I also changed the output to show only the tested name and possibly a
> > redirect.
>
> Agree.
>
> > The first thing I want you to change is that there is way too much
> > output.
>
> Collapsed.

Thanks, it's applied.

> > The other thing I noticed is that the behavior is surprising when a name
> > without a "www" (or other) prefix is used. When scanning insecure.org
> > (with a shortened hostname list):
> >
> > PORT   STATE SERVICE REASON
> > 80/tcp open  http    syn-ack
> > | http-vhosts:
> > | org: 200
> > | www.org: 200
> > | docs.org: 200
> > |_images.org: 200
> >
> > Now that I think about it, this particular case is probably a side
> > effect of my using host.targetname to guess the domain, but I think the
> > problem stands anyway. A good default behavior would be not to make a
> > name shorter than two components. (This will still have problems with
> > co.uk names for example.) If the user provides a name then you always
> > accept it.
>
> I'll check this. I am not sure, but I think that I've discarded
> host.targetname in one of my first attempts. I'd rather not be so smart.
> There is a script arg http-vhosts.domain as a last resort.

I think it's important to start with host.targetname, as that is the
name the user typed in. The reverse DNS name host.name might be related,
but might not. To use the mongodb.org example again, the reverse DNS of
www.mongodb.org is ec2-75-101-156-249.compute-1.amazonaws.com. It would
be surprising if the script started testing
bugzilla.compute-1.amazonaws.com etc.

When http.lua makes requests, it uses the same logic in defining the
Host header (when it's not overridden as it is in your script). First
host.targetname, then host.name, then the IP address if all else fails.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
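The two behaviours discussed above, written out as an added example in plain Lua so it can be run outside Nmap. This is not code from http-vhosts.nse or from Nmap's http.lua; the `host` tables are constructed stand-ins for the table NSE hands a script (the field names targetname, name and ip follow NSE), the argument name http-vhosts.domain is the one Carlos mentions, the IP addresses are placeholders or derived from the reverse name quoted in the thread, and the prefix list is made up. What it shows is the "never shorter than two components" rule David proposes, the explicit argument always winning, and why starting from the reverse-DNS name would give the surprising bugzilla.compute-1.amazonaws.com candidate.

```lua
-- Added example, not the http-vhosts.nse script or Nmap's http.lua.
-- Runnable with a stock Lua interpreter; the host tables below mimic the
-- fields NSE passes to a script.

local function labels(name)
  local t = {}
  for label in name:gmatch("[^.]+") do t[#t + 1] = label end
  return t
end

-- Domain to prepend candidate hostnames to.
-- A user-supplied http-vhosts.domain is accepted as given.  Otherwise start
-- from host.targetname (the name the user typed, not reverse DNS) and drop
-- its first label only while at least two labels remain, so
-- "www.mongodb.org" becomes "mongodb.org" but "insecure.org" stays
-- "insecure.org" instead of collapsing to "org".  As David notes, registry
-- suffixes such as co.uk are still mishandled (assumption: no public-suffix
-- list is consulted here).
local function guess_domain(host, user_domain)
  if user_domain and user_domain ~= "" then
    return user_domain
  end
  if not host.targetname then
    -- Target was given as an IP.  Deliberately NOT falling back to host.name
    -- (reverse DNS), since that is what would produce
    -- bugzilla.compute-1.amazonaws.com; the caller should use the script arg.
    return nil
  end
  local parts = labels(host.targetname)
  if #parts > 2 then
    table.remove(parts, 1)
  end
  return table.concat(parts, ".")
end

-- Host header used when a script does not override it, in the order David
-- describes for http.lua: host.targetname, then host.name, then the IP.
local function default_host_header(host)
  return host.targetname or host.name or host.ip
end

local function candidates(domain, prefixes)
  local out = {}
  for _, p in ipairs(prefixes) do
    out[#out + 1] = p .. "." .. domain
  end
  return out
end

-- Constructed sample targets (192.0.2.1 is a documentation address; the
-- mongodb.org address is read off the reverse name quoted in the thread).
local hosts = {
  { targetname = "insecure.org", name = "insecure.org", ip = "192.0.2.1" },
  { targetname = "www.mongodb.org",
    name = "ec2-75-101-156-249.compute-1.amazonaws.com",
    ip = "75.101.156.249" },
  { targetname = nil,  -- scanned by IP only
    name = "ec2-75-101-156-249.compute-1.amazonaws.com",
    ip = "75.101.156.249" },
}
local prefixes = { "www", "docs", "images", "bugzilla" }  -- made-up short list

for _, h in ipairs(hosts) do
  print("target " .. (h.targetname or h.ip) ..
        ": Host header " .. default_host_header(h))
  local domain = guess_domain(h, nil)
  if domain then
    print("  domain " .. domain .. " -> " ..
          table.concat(candidates(domain, prefixes), ", "))
  else
    print("  no domain guessed; pass --script-args http-vhosts.domain=...")
  end
end

-- An explicit argument is accepted as-is, however short or odd:
print("explicit arg: " .. guess_domain(hosts[1], "example.co.uk"))
```

Running it prints insecure.org expanding to www.insecure.org, docs.insecure.org, images.insecure.org, bugzilla.insecure.org (rather than www.org etc.), www.mongodb.org reducing to mongodb.org, and the IP-only target yielding no guess.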
