Nmap Development mailing list archives
Re: script for virtual host discovery
From: Carlos Pantelides <carlos_pantelides () yahoo com>
Date: Tue, 2 Nov 2010 19:49:04 -0700 (PDT)
David:
I don't understand. The names have to be in DNS, or else http.head won't work. So they are "registered" in a sense.
Are you sure? I tryed with an ip that does not resolve to any name but does exist and it worked fine:
nmap -p 80,443 --script http-vhosts 127.0.0.9 --script-args 'domain=google.com,names={www,aop},ignore_system_names=1'
Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-11-02 22:08 ART
Nmap scan report for 127.0.0.9
Host is up (0.000038s latency).
PORT STATE SERVICE
80/tcp open http
| http-vhosts:
| http-vhosts: http(80)://????????(127.0.0.9)/ aop.google.com: 200
|_http-vhosts: http(80)://????????(127.0.0.9)/ www.google.com: 200
443/tcp open https
| http-vhosts:
| http-vhosts: https(443)://????????(127.0.0.9)/ aop.google.com: 403
|_http-vhosts: https(443)://????????(127.0.0.9)/ www.google.com: 403
aop.google.com does not exist. I got a 200 because my server has a default virtual host.
------------------------------------------------
Check this out:
nmap -p 80,443 --script http-vhosts www.google.com --script-args
'domain=google.com,names={www,aop},ignore_system_names=1'
Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-11-02 22:15 ART
Nmap scan report for www.google.com (209.85.195.104)
Host is up (0.013s latency).
rDNS record for 209.85.195.104: eze03s01-in-f104.1e100.net
PORT STATE SERVICE
80/tcp open http
| http-vhosts:
| http-vhosts: http(80)://www.google.com(209.85.195.104)/ aop.google.com: 302 -> http://www.google.com/
|_http-vhosts: http(80)://www.google.com(209.85.195.104)/ www.google.com: 302 -> http://www.google.com.ar/
443/tcp open https
| http-vhosts:
| http-vhosts: https(443)://www.google.com(209.85.195.104)/ aop.google.com: 302 -> http://www.google.com
|_http-vhosts: https(443)://www.google.com(209.85.195.104)/ www.google.com: 200
------------------------------------------------
and now with the ip of google:
nmap -p 80,443 --script http-vhosts 209.85.195.104 --script-args
'domain=google.com,names={www,aop},ignore_system_names=1'
Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-11-02 22:18 ART
Nmap scan report for eze03s01-in-f104.1e100.net (209.85.195.104)
Host is up (0.013s latency).
PORT STATE SERVICE
80/tcp open http
| http-vhosts:
| http-vhosts: http(80)://????????(209.85.195.104)/ aop.google.com: 302 -> http://www.google.com/
|_http-vhosts: http(80)://????????(209.85.195.104)/ www.google.com: 302 -> http://www.google.com.ar/
443/tcp open https
| http-vhosts:
| http-vhosts: https(443)://????????(209.85.195.104)/ aop.google.com: 302 -> http://www.google.com
|_http-vhosts: https(443)://????????(209.85.195.104)/ www.google.com: 200
------------------------------------------------
and finally a google ip without any domain:
nmap -p 80,443 --script http-vhosts 209.85.195.104 --script-args 'names={www,aop},ignore_system_names=1'
Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-11-02 22:19 ART
Nmap scan report for eze03s01-in-f104.1e100.net (209.85.195.104)
Host is up (0.012s latency).
PORT STATE SERVICE
80/tcp open http
| http-vhosts:
| http-vhosts: http(80)://????????(209.85.195.104)/ aop.1e100.net: 302 -> http://www.google.com/
|_http-vhosts: http(80)://????????(209.85.195.104)/ www.1e100.net: 302 -> http://www.google.com/
443/tcp open https
| http-vhosts:
| http-vhosts: https(443)://????????(209.85.195.104)/ aop.1e100.net: 302 -> http://www.google.com
|_http-vhosts: https(443)://????????(209.85.195.104)/ www.1e100.net: 302 -> http://www.google.com
------------------------------------------------
I also don't know what you mean about using it in a host without connectivity. If you can't connect to it, how will http.head work?
That you can run against localhost. It is true that if you are there, you can just read /etc/apache/vhost.conf or equivalent, well, if you have the credentials...
Maybe I'm confused about what this script does?
The script tries a list of names concatenated with a domain against a given host, changing the http Host header. The
objective is to discover virtual hosts that are not registered with a known DNS server.
The difference with the script hostnames.nse that you propose me to merge to, as far as I can tell from the source, is
that it looks outside the host ("external", you know) regardless of the services running. It searches for hostnames,
not virtual hosts. You can even run it against a powered off host.
I read lonerunners' hostmap-0.2.2 README and skimmed over the ruby code (I don't know ruby, but seems clear enough) and
it seems to do the same thing, at least regarding the web.
BTW: http://hostmap.lonerunner.net/doc/README.pdf -> http://hostmap.lonerunners.net/doc/README.pdf
Thank you
Charly
pd: Jacky Jack told me a few days ago, after I've made my script "I don't know why you guys reinvent the wheel again
and again as there have been already tools written for your purpose." and send me a metasploit script, plugin or
whatever its called:
##
## Enhancement of /auxiliary/scanner/http/vhost_scanner.rb (Original Author - et)
##
## Enhanced by Aung Khant
## YGN Ethical Hacker Group, Yangon, Myanmar
## http://yehg.net/
##
From the description and as I can tell from the wireshark trace it seems to do the same as my script. But reporting differs:
Metasploit:
Name Current Setting Required Description
---- --------------- -------- -----------
DOMAIN localhost yes Domain name
HEADERS no HTTP Headers
PATH / yes The PATH to use while testing
Proxies no Use a proxy chain
QUERY no HTTP URI Query
RHOSTS 127.0.0.1 yes The target address range or CIDR identifier
RPORT 80 yes The target port
THREADS 1 yes The number of concurrent threads
VHOST no HTTP server virtual host
exploit
[*] [127.0.0.1] Sending request with random domain wDmIe.localhost
[*] NOT Found admin.localhost
nmap:
nmap -p 80 --script http-vhosts localhost --script-args 'domain=localhost,names={admin},ignore_system_names=1'
Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-11-02 23:33 ART
...
80/tcp open http
| http-vhosts:
|_http-vhosts: http(80)://localhost(127.0.0.1)/ admin.localhost: 200
but, it's my first time using metasploit... perhaps it uses the random test to know how a default answer is.
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Current thread:
- script for virtual host discovery Carlos Pantelides (Oct 28)
- Re: script for virtual host discovery David Fifield (Oct 28)
- <Possible follow-ups>
- Re: script for virtual host discovery Carlos Pantelides (Oct 29)
- Re: script for virtual host discovery Carlos Pantelides (Oct 30)
- Re: script for virtual host discovery Carlos Pantelides (Oct 31)
- Re: script for virtual host discovery David Fifield (Nov 01)
- Re: script for virtual host discovery Carlos Pantelides (Nov 02)
- Re: script for virtual host discovery David Fifield (Nov 02)
- Re: script for virtual host discovery Carlos Pantelides (Nov 02)
- Re: script for virtual host discovery David Fifield (Nov 03)
- Re: script for virtual host discovery Carlos Pantelides (Nov 04)
- Re: script for virtual host discovery Ron (Nov 04)
- Re: script for virtual host discovery Martin Holst Swende (Nov 04)
- Re: script for virtual host discovery Carlos Pantelides (Nov 07)
