Nmap Development mailing list archives
Re: script for virtual host discovery
From: Carlos Pantelides <carlos_pantelides () yahoo com>
Date: Wed, 3 Nov 2010 16:14:16 -0700 (PDT)
David:
> Okay. I did misunderstand how your script works.... request. I'm sorry for the confusion. You can forget what I said earlier because I didn't see what you were doing.

No problem, don't worry. I always have some trouble communicating, even face to face in my native language.

1)
> You have a todo to qualify script argument names. That's easy, just pass the qualified name to stdnse.get_script_args.

Done.

2)
> I don't see the purpose of the "quiet" argument; if someone doesn't want to see the results they should just not run the script.

I think of this script as a first step that could feed some other http-* script. There is a "persist" functionality to implement. That brings another question I know nothing about: how to give output to those scripts? We can continue with this later in another thread.

3)
> You're controlling the Host header by actually changing host.targetname: I suggest that you do it like this instead: http_response = http.head(host, port, resource, {header={Host=makeTargetName(name, domain)}})

It did not work. I'll investigate http.lua and try again later.

4)
> Can you explain more what the defineNames function does

defineNames() loads names from a system-provided file, a user-provided file and a user-provided command-line list. It uses an associative array in order to keep the keys unique. These names are like 'www', 'wiki'.

5)
> I don't get what you're doing by assigning the values 0.0, 0.9, and 1.0 to names.

My idea is to give the names some weight so later I can implement something like --version-intensity; consider that there are a lot of names. I gave 1.0 and 0.9 to user-provided names to keep them on top, and when and if there is feedback on Host: hits, the system-provided names will have their weight; see item 8 below. We can continue with this later.

6)
> why it is not working in the portrule?

What I wanted was to set up the names only once, just because they don't change between hosts/ports. So I tried calling it from prerule(); I thought that everything stored in nmap.registry would become available later, but it seems that it does not apply to prerule().

7)
> For the portrule, just use portrule = shortport.http

My idea is that as you may be searching services outside their normal ports, you can get http and https regardless of what you asked nmap for. If you want to restrict http-vhosts to http or https via script args, shortport cannot deal with that, unless there is something I've missed. That is the reason for a previous shameful mail of mine (http://seclists.org/nmap-dev/2010/q4/134). Since then I have been modifying the code of service_scan.cc and discovered that my best optimization regarding only identifying selected services runs as fast (or slow) as --version-intensity 0. We can continue with this later in another thread.

-------------------

8) Related to 2 (quiet arg) and 5 (values to names), there is a future argument called "report" that: "after stripping sensitive info like ip, domain names, hostnames and redirection targets from the result, append it to a file that can then be uploaded. If enough info is gathered, the names will be weighted. It can be shared with metasploit"

> I think this can be a useful script. Let me know what you think about my suggestions above and we can work on including it.

Thank you a lot for your tips and suggestions. It seems that there are things that are not working as expected; I hope I can help with that. I'll keep working on the http.head and prerule suggestions. I am reposting the current version, with your list applied and some minor refactorings, but without the names, as it did not change.

Charlie
Attachment: http-vhosts.nse
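As an added example (this is not the http-vhosts.nse attached to the message above, and not David's or Carlos's code), the following minimal NSE script puts the points of this exchange together in working form: script arguments are read by their fully qualified names through stdnse.get_script_args; the Host header is supplied through the options table of http.head rather than by rewriting host.targetname; the portrule builds on shortport.http so the script runs on HTTP services found on any port, but can still be narrowed to plaintext or TLS services with a script argument; and the candidate name list is built once per run and kept in nmap.registry, initialised lazily from the action under nmap.mutex instead of from prerule. The argument names http-vhosts.domain, http-vhosts.names, http-vhosts.path and http-vhosts.scheme, the script name, the default name list and the baseline-comparison heuristic are assumptions made for this example; it uses the modern `require` style for NSE libraries.

```lua
-- http-vhosts-example.nse: illustrative script, not the one attached to the
-- original message. Argument names and the default name list are assumptions.
local http      = require "http"
local nmap      = require "nmap"
local shortport = require "shortport"
local stdnse    = require "stdnse"

description = [[
Sends HEAD requests with candidate virtual host names in the Host header and
reports names whose response differs from that of a name that should not exist.
]]
author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

-- Usage (argument names assumed for this example):
--   nmap -p 80,8080 --script http-vhosts-example \
--        --script-args http-vhosts.domain=example.com,http-vhosts.names=www,wiki target

-- Constructed sample list used when the user supplies no names.
local DEFAULT_NAMES = { "www", "mail", "wiki", "dev", "admin" }

-- Split a comma separated argument value into a trimmed list.
local function split_csv(s)
  local out = {}
  for item in string.gmatch(s, "[^,]+") do
    out[#out + 1] = item:match("^%s*(.-)%s*$")
  end
  return out
end

-- Build the unique, lower-cased name set once per Nmap run and keep it in
-- nmap.registry. The mutex serialises the first-use initialisation across
-- the script threads that run for different host/port pairs.
local function load_names()
  local mutex = nmap.mutex("http-vhosts-example")
  mutex "lock"
  if not nmap.registry["http-vhosts-example"] then
    local seen, names = {}, {}
    local user = stdnse.get_script_args("http-vhosts.names")
    local list = user and split_csv(user) or DEFAULT_NAMES
    for _, n in ipairs(list) do
      n = n:lower()
      if not seen[n] then seen[n] = true; names[#names + 1] = n end
    end
    nmap.registry["http-vhosts-example"] = names
  end
  mutex "done"
  return nmap.registry["http-vhosts-example"]
end

-- Accept whatever shortport.http accepts, on any port. The optional (assumed)
-- http-vhosts.scheme argument narrows this to plaintext or TLS services.
portrule = function(host, port)
  if not shortport.http(host, port) then return false end
  local scheme = stdnse.get_script_args("http-vhosts.scheme")
  if scheme == "https" then return shortport.ssl(host, port) end
  if scheme == "http"  then return not shortport.ssl(host, port) end
  return true
end

-- HEAD request with an explicit Host header via the options table instead of
-- rewriting host.targetname. no_cache keeps http.lua from answering a probe
-- for one Host with a response recorded for another.
local function probe(host, port, vhost, path)
  local res = http.head(host, port, path, { header = { Host = vhost }, no_cache = true })
  if not res or not res.status then return nil end
  return { status = res.status, location = (res.header and res.header["location"]) or "" }
end

action = function(host, port)
  local domain = stdnse.get_script_args("http-vhosts.domain") or host.targetname or host.name
  if not domain or domain == "" then
    return "no domain: set http-vhosts.domain or scan the target by host name"
  end
  local path = stdnse.get_script_args("http-vhosts.path") or "/"

  -- Baseline: the server's answer for a name that should not be configured.
  local baseline = probe(host, port, "nonexistent-vhost-probe." .. domain, path)
  if not baseline then return nil end

  local found = {}
  for _, name in ipairs(load_names()) do
    local vhost = name .. "." .. domain
    local r = probe(host, port, vhost, path)
    -- A different status code or redirect target suggests the Host header is
    -- routed to a distinct virtual host rather than to the default site.
    if r and (r.status ~= baseline.status or r.location ~= baseline.location) then
      found[#found + 1] = string.format("%s: %d %s", vhost, r.status, r.location)
    end
  end
  if #found == 0 then return nil end
  return stdnse.format_output(true, found)
end
```

Comparing each answer against a baseline for a deliberately nonsensical name, rather than looking only for 200 responses, is what lets the script work against servers that answer every unknown Host with the same default site or the same redirect; a name whose status or Location differs from that baseline is the signal worth reporting.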
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- script for virtual host discovery Carlos Pantelides (Oct 28)
- Re: script for virtual host discovery David Fifield (Oct 28)
- <Possible follow-ups>
- Re: script for virtual host discovery Carlos Pantelides (Oct 29)
- Re: script for virtual host discovery Carlos Pantelides (Oct 30)
- Re: script for virtual host discovery Carlos Pantelides (Oct 31)
- Re: script for virtual host discovery David Fifield (Nov 01)
- Re: script for virtual host discovery Carlos Pantelides (Nov 02)
- Re: script for virtual host discovery David Fifield (Nov 02)
- Re: script for virtual host discovery Carlos Pantelides (Nov 02)
- Re: script for virtual host discovery David Fifield (Nov 03)
- Re: script for virtual host discovery Carlos Pantelides (Nov 04)
- Re: script for virtual host discovery Ron (Nov 04)
- Re: script for virtual host discovery Martin Holst Swende (Nov 04)
- Re: script for virtual host discovery Carlos Pantelides (Nov 07)